Sanctions compliance: How to raise your game to meet OFAC’s high expectations

Start adding items to your reading lists:
or
Save this item to:
This item has been saved to your reading list.

The US sanctions landscape continues to create complex risk management hurdles. In May, the US Treasury’s Office of Foreign Assets Control (OFAC)  issued its most prescriptive guidance on sanctions compliance. That clarity was much-needed for OFAC, historically an enforcement agency, has provided limited prescriptive guidance itself. OFAC has imposed penalties over $1-billion for sanctions violations just this year alone.  But any relief companies felt proved to be short-lived.

In a seemingly technical update on June 21, 2019, OFAC significantly expanded the scope of sanctions reporting requirements. The new rules are sweeping. Previously, U.S. entities were required to file reports when a transaction was "blocked," or put into frozen accounts due to a direct connection with persons on OFAC’s Specially Designated Nationals list. Now even “rejected” transactions have to be reported. The reporting requirement has broadened in two ways: 

  1. It applies to not just rejected fund transfers but any type of transaction, from wire transfers and checks to trade finance and goods and services.
  2. It extends to all US persons or entities — not only US financial institutions

Why should you care?

  • The regulatory amendment is ambiguous. It does not provide details such as under which circumstances companies would be required to report rejected transactions. Taken at face value, companies would have to report them all,  including, for example, transactions from foreign subsidiaries of US firms involving sanctioned countries or individuals.
  • Expect to see a significant increase in reporting-related violations:  In many instances, these violations will be picked up through the banks' reporting of rejected transactions, where OFAC could look for corresponding reporting from underlying companies and begin investigating.
  • OFAC is telling you what to do:  The new rule would push companies to enhance their risk management frameworks to report all blocked and rejected transactions to OFAC. It comes very soon after OFAC issued its framework, outlining the essential components of robust sanctions compliance.  According to OFAC, the root causes for common sanctions compliance deficiencies and violations include: the lack of a formal sanctions compliance program, misunderstanding OFAC requirements, technological issues related to sanctions screening software, failure to properly conduct customer due diligence and a decentralized sanctions compliance function
  • Sanctions have become a policy tool of choice:. Companies should be diligent about reporting rejecting transactions as new sanctions programs continue to roll out. The Trump administration is relying heavily on sanctions to achieve its foreign policy objectives with broad embargoes affecting economic activity as well as narrowly-targeted ones on individuals. Sanctions interact with a complex array of US customs compliance and export controls regulations as well as evolving local watch-lists.  Companies facing public enforcement actions could lose the ability to export to key markets, face heightened due diligence from financial institutions you work with and damaged reputations. 

What should you do?

  • Make yourself heard: OFAC was accepting comments on this issue until July 22, 2019, and some companies used the opportunity to make a case for narrowing the rule’s scope. When new guidance comes out,  seek clarity from OFAC. In parallel,  increase staff and strengthen your risk management framework to comply.
  • Adopt a global sanctions policy standard: OFAC has an expansive view of its jurisdiction and it may be prudent to implement US standards globally as US sanctions come with the heftiest civil and criminal penalties. For example, though the EU last year implemented a “blocking statute” to prevent EU firms from complying with certain US sanctions on Iran, it is seen as ineffectual as EU firms have largely disengaged from Iran. Special purpose vehicles such as Europe-based clearing houses for transactions with Iran are mainly serving the political purpose of keeping Iran interested in the nuclear deal.
  • Monitor compliance from the center:  Allocate more time and resources to trade compliance monitoring at the corporate risk and compliance level. After an issue is remediated, revamp the policies, procedures and controls around that area, and roll it out across the company’s global operations. Relying on country-level business units to manage trade transactions and related compliance requirements creates inefficiencies.
  • Explore automation of screening and alert processes: Consider how to improve screening procedures by automating data aggregation and generating high-quality alerts. Simultaneously, develop breach reporting procedures to speed up company responses to incidents to help minimize  and protect the company brand.
Follow us