Yesterday, while honoring Ginger Baker who passed away this weekend, I began a multipart series on the Framework for OFAC Compliance Commitments (Framework). Mike Volkov has called this Framework a “game-changer” and has said, “Together with its aggressive enforcement of economic sanctions, OFAC has set a new standard for [sanctions compliance programs] SCPs, and has “strongly encourage[d]” companies and individuals subject to OFAC jurisdiction to implement a “risk- based approach to sanctions compliance by developing, implementing and routinely updating a SCP.” In this blog post we will consider Element 1 of the Framework, Management Commitment.
Under Management Commitment, a company must ensure that senior management demonstrates its commitment to, and support of, the organization’s SCP. This commitment is critical to ensure that the compliance program receives “adequate resources and is fully integrated into the day-to-day operations,” and helps “legitimize the program, empower its personnel, and foster a culture of compliance throughout the organization.” Effective management support includes the provision of adequate resources to the compliance unit(s) and support for compliance personnel’s authority within an organization. The term senior management itself is expansive including “senior leadership, executives, and/or the board of directors.”
To meet this requirement, there are five specific elements:
- Senior management has reviewed and approved the organization’s compliance program. This means that the overall SCP should be reviewed, discussed and approved at the highest level of an organization. You should also be prepared to document those steps so be sure there are Board meeting minutes and other notations that all levels of senior management has actually performed this review and approval.
- Senior management ensures that its compliance unit(s) have been delegated sufficient authority and autonomy to deploy the policies and procedures in a manner that effectively controls its OFAC risks. Senior management has to ensure the existence of direct reporting lines between compliance program functions and senior management, including routine and periodic meetings between these two elements of the organization.
This element requires two considerations. First, does the Chief Compliance Officer (CCO) or whoever heads up the SCP, have access to senior management about the status of the company’s sanctions compliance risk management program? More than simply access, are there actual meetings where there is substantive discussion on issues around the SCP? This means more than simply quarterly, semi-annually or annually making a 15-minute presentation to the Board of Directors. Further, the prong of this element requires senior management to sit up and pay attention to trade sanction risk management.
- Senior management has taken and will continue to take steps to ensure that the compliance unit(s) receive adequate resources – including in the form of human capital, expertise, information technology and other resources, as appropriate – that are relative to the organization’s breadth of operations, target and secondary markets, and other factors affective its overall risk profile. Under this element, OFAC outlined the following criteria: (a) The organization has appointed a dedicated OFAC sanctions compliance officer (who can also be responsible for other compliance programs); (b) The quality and experience of the compliance program personnel, including their technical knowledge and expertise, the ability of the personnel to understand complex financial and commercial activities, apply their OFAC knowledge, and identify OFAC-related issues, risks and prohibited activities; (c) The efforts to ensure that personnel dedicated to the compliance program have sufficient experience and appropriate “position” within the organization; and (d) Sufficient control functions exist to support the SCP, including but not limited to information technology software and systems.
This prong has multiple elements as well. First, does the person in charge of trade sanctions have real knowledge in the area or are those resources available to them? This is more than simply technical expertise, which is now simply table stakes. Do your trade compliance resource(s) understand the business well enough to understand both the trade compliance and business side? Put another way, can they read a spreadsheet in addition to understanding OFAC regulations. Next, are there sufficient resources put into a company’s trade sanctions risk management program, both from a budgetary perspective and a head count perspective? Finally, do you have an appropriate level of technological solutions delivered to and for the trade sanctions compliance program? If you are still using spreadsheets, you probably do not meet this requirement.
- Senior management promotes a “culture of compliance” through the organization. Under this element, OFAC outlined the following criterial: (a) The ability of personnel to report sanctions related misconduct by the organization or its personnel to senior management without fear of reprisal; (b) Senior management messages and takes actions that discourage misconduct and prohibited activities, and highlight the potential repercussions of non-compliance with OFAC sanctions; and (c) The ability of the compliance program to have oversight over the actions of the entire organization, including but not limited to senior management, for the purposes of compliance with OFAC sanctions.
Both the Department of Justice’s (DOJ) Criminal Division’s Evaluation of Corporate Compliance Programs, 2019 Guidance, and the Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations focused on corporate culture as a key element of any best practices compliance program in their respective disciplines. It is therefore no surprise to see OFAC focus on it also, since it is now well-recognized of the need for a culture respecting and doing compliance in every organization. This prong requires senior management to fully embrace and support an internal reporting system for trade compliance issues and makes clear the repercussions for the failure to comply with a corporate trade SCP. Finally, does your trade SCP apply equally to everyone in the organization, literally from the shop floor up to the Boardroom?
- Senior management demonstrates recognition of the seriousness of apparent violations of the laws and regulations administered by OFAC, or malfunctions, deficiencies, or failures by the organization and its personnel to comply with the SCP’s policies and procedures and implements necessary measures to reduce the occurrence of apparent violations in the future. Such measures should address the root causes of past violations and represent systemic solutions whenever possible.
This this final prong of Element 1, demonstrates that OFAC has moved aggressively to remediate any trade sanction program violation, including discipling those involved. But more than simply personnel disciplines, OFAC mandates a root cause analysis (RCA) to understand the structural failures which may have led to, caused or allowed the violation(s) to occur. The final step is did senior management take what was learned in the RCA and use it to remediate the system?
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2019