By Sven Stumbauer, Director in the Financial Crimes Compliance Practice at AlixPartners, LLP
INSIGHT: Financial Advisory Services
In the past several years, the volume and monetary value of enforcement actions by the Office of Foreign Assets Control (OFAC) seem to have risen dramatically. In fact, civil penalties and settlements have grown from several million dollars in 2008 to billions of dollars in 2014.
OFAC violations can carry stiff penalties and may include both civil and criminal liabilities. Depending on the sanction program, criminal penalties for willful violations can include fines of up to $20 million and imprisonment of up to 30 years. Worse yet, a single transaction can produce multiple violations, placing a company at risk of significant liability. Given those risks, many boards and senior executives have moved OFAC compliance to the top of their agendas.
OFAC administers and enforces economic and trade sanctions—based on US foreign policy and national security goals—against targeted foreign countries and regimes, terrorists, and other threats to the United States. The sanctions prohibit or restrict US persons from engaging in transactions involving certain countries, groups, and individuals. OFAC maintains a sanctions program against such countries as Iran, Syria, and Cuba as well as against a host of individuals and entities. In July 2014, the United States began to implement sectoral sanctions by targeting certain entities in the Russian financial, energy, and defense sectors, thereby adding a new level of complexity to sanction compliance that financial institutions have to deal with. The sectoral sanctions represent just one example of a host of challenges companies face in their OFAC compliance programs. Following are five areas that could pose challenges for companies in 2015.
- Navigating Change
OFAC’s sanctions programs are continually evolving. Companies should make sure their compliance programs keep pace with changes in OFAC requirements by revising those programs to be able to deal with changes in the OFAC Specially Designated Nationals (SDN) list and country program. Companies should also ensure that OFAC compliance considerations get included in their development and introduction of new products and services—and incorporated into customer onboarding. Failure to update the company’s OFAC program, such as by failing to monitor changes to suppression lists as sanctions change, could lead to risks.
- Handling Expanded Sectoral Sanctions
In light of sanctions against Russia, companies should consider both jurisdictional sanction programs and sectoral and entity- or person-based sanctions. For example, a risk assessment may require closer scrutiny of individual transactions given those sanctions that prohibit transactions of or dealings with new debt of longer than 90 days’ maturity or with new equity with those listed on OFAC’s new Sectoral Sanctions Identifications List.1 Financial institutions should be mindful of OFAC’s definition of debt and of the necessity to evaluate transactions for potential violations of the sectoral sanctions, especially in the context of trade financing given the inclusion of letters of credit and the extension of credit. Last, financial institutions may need to reevaluate their existing due diligence efforts with clients or entities that may be affected by the new sectoral sanctions or if clients or entities have been added to the SDN list. Prohibitions may not be limited to named persons or entities but may include entities that are 50% or more owned by the SDN-listed persons or entities. Consequently, it may be prudent for companies to observe those individuals or entities being targeted for sanctions and ensure they are not owned or controlled by SDNs.
- Establishing a Culture of and Responsibility for OFAC Compliance
For an OFAC compliance program to be effective, it should have demonstrable support from the company’s leadership. Boards of directors and senior management should set the tone for their organization by creating a culture of compliance. To comply with OFAC sanctions, frontline staff and key personnel should be familiar with requirements and prohibitions and understand the potential impact that violations can have on the company. To gain that familiarity, employees should receive training on an ongoing basis.
- Conducting a Risk Assessment
It is important that a company assess potential risk exposure not only across the entire organization but also in its dealings with business partners such as vendors and suppliers. Given the dynamic nature of OFAC sanctions and SDN lists, a company’s risk profile may change. As a result, it may become necessary for a company to revise policies and procedures based on those regions in which it conducts business. Further, it may be prudent to evaluate both inherent and perceived risks associated with given business activities and/or relationships. For example, how should a financial institution adjust its operations in light of sanctions against Russia? Several regulatory bodies have mandated that adequate risk assessments form the core of any OFAC compliance program and that such assessments be tailored to the company’s operations and third-party relationships.
- Implementing Information Technology
Information technology (IT) is quickly becoming a critical component in OFAC and sanctions compliance. By checking on vendors, customers, and even employees against the SDN list and/or other restricted party lists through the use of certain software, companies can confirm that they are not doing business with entities or people on sanctions lists. It’s important to note that IT carries with it certain limitations, including the potential for false positives that could be generated by a screening process that is automated. Therefore, in some cases, it might be necessary to perform manual reviews of entities or persons to identify potential red flags. Still, the costs associated with the implementation of software could be significantly lower than those incurred as a result of OFAC violations.
Recent OFAC enforcement actions spotlight the potential dangers associated with an organization’s failure to recognize and respond appropriately to potential risk factors. Though we have discussed various challenges companies face, those challenge areas might also present opportunities. By performing an assessment of OFAC compliance programs and establishing a culture of compliance throughout the organization, a company can position itself to better understand and identify potential risk exposure. At the same time, by properly using technology, a company can develop a better understanding of its underlying customer bases and achieve a higher level of preparedness at lower cost.