After a short visit to Val Lewton’s Cat People, I return to conclude this multipart series on the Framework for OFAC Compliance Commitments (Framework). Every compliance professional of any stripe needs to read, understand and implement some of the key concepts of the Framework into your corporate compliance program. It does not matter if it’s trade controls, anti-corruption or anti-money laundering (AML). This Framework has much to offer that you should consider. Mike Volkov has called it a “game-changer” and said, “Together with its aggressive enforcement of economic sanctions, OFAC has set a new standard for [sanctions compliance programs] SCPs, and has ‘strongly encourage[d]’ companies and individuals subject to OFAC jurisdiction to implement a ‘risk-based approach to sanctions compliance by developing, implementing and routinely updating a SCP.’” Today we will consider Element 4, Testing and Auditing, and Element 5, Training, as set out in the Framework.
Element 4 – Testing and Auditing
OFAC requires companies to assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective testing or audit function within the compliance program ensures that a company has identified program weaknesses and deficiencies, and it is the company’s responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps. Such enhancements might include updating, improving, or recalibrating compliance program elements to account for a changing risk assessment or sanctions environment. Testing and auditing can be conducted on a specific element of the compliance program or at the enterprise-wide level.
Under this element a company has to implement three specific prongs:
- A company ensures that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, resources, and authority within the organization. There are three general requirements under this prong. First, both the testing and audit functions for trade control must have a line of sight into senior management. Second, the testing and audit function is separate from the design and application of the trade control functions (akin to auditor independence). Finally, the testing and audit function must not only have the authority to do its job but must also be capable of doing so, from both an ability and a staffing view.
- A company employs testing or audit procedures appropriate to the level and sophistication of its compliance group and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of the organization’s OFAC-related risk assessment and internal controls. The key under this prong is “comprehensive and objective”. Your audit team must be able to do a robust and thorough audit of your trade compliance program. Further, it must be truly objective.
- A company ensures that upon learning of a confirmed negative testing result or audit finding pertaining to its compliance program, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated. If you find a deficiency or a gap you must move forward to remedy it. But more than simply implementing a remedy, you perform a root cause analysis to understand the true cause of any failure.
Element 5 – Training
Under the Training element, a company must, at a minimum, annually conduct training for relevant employees and personnel. To meet this requirement, a company must satisfy five basic criteria:
- A company must ensure that its OFAC-related training program provides adequate information and instruction to employees and other stakeholders, such as clients, suppliers, business partners, and counterparties. Such training should be further tailored to high-risk employees within the organization. This prong presents two requirements: (1) effective training and (2) tailored training. Obviously, high-risk employees should have high-risk training. But you need to find a way to ensure and then document that you have provided training that actually informs on not only trade compliance risks but also the requirements of your trade compliance program. Finally, what training, if any, have you considered or put on for other stakeholders?
- A company commits to provide OFAC-related training with a scope that is appropriate for the products and services it offers for customers, clients, and partner relationships it maintains in the geographic regions in which it operates. This requirement suggests that there must be a robust risk management system in place to continually assess the ever-changing trade sanctions risks for your company’s business model. Certainly, the US trade sanction policy is foremost and paramount but you should be cognizant of other countries as well. Moreover, you must have your finger on the pulse of the business to know and understand what risks are changing in your organization.
- A company commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile. Obviously, this will vary from company to company and even position to position. However, in this now daily landscape of changing trade sanctions by the current administration, there clearly needs to be both ongoing internal dialogue and internal training to fit the current political circumstances.
- A company must ensure that when it becomes aware of a confirmed negative testing result or audit finding, or other deficiency pertaining to its compliance program, it will take immediate and effective action to provide training to or other corrective action with respect to relevant personnel. This makes clear not only the need for testing but also follow up on that testing to determine if the students actually passed or even if they might have some deficiency which needs to be remediated.
- A company’s training program includes easily accessible resources and materials that are available to all applicable personnel. This means that the materials should be written in plain English and not legalese. It also means you must translate the training materials into the native language of your employee base. This is true even if your company has an English-only policy for corporate communications; all your training materials need to be available and accessible in local languages.
I hope you have enjoyed and found useful this multipart exploration of the OFAC Framework. There is quite a bit in this Framework for the anti-trust/anti-bribery (ABC) compliance practitioner. In future episodes, I will be looking at the Framework, the Evaluation of Corporate Compliance Programs-2019 Guidance and the Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations. While they each have different foci, they provide the ABC compliance practitioner with solid information about not only what the Department of Justice (DOJ) is thinking when it comes to its expectations around a compliance program but also benchmarks for best practices.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2019