I am in a multipart series on the Framework for OFAC Compliance Commitments (Framework). Every compliance professional of any stripe needs to read, understand and implement some of the key concepts of the Framework into their corporate compliance program. It does not matter if it is trade controls, anti-corruption or anti-money laundering (AML); this Framework has much to offer that you should consider. Mike Volkov has called it a “game-changer” and said, “Together with its aggressive enforcement of economic sanctions, OFAC has set a new standard for [sanctions compliance programs] SCPs, and has “strongly encourage[d]” companies and individuals subject to OFAC jurisdiction to implement a “risk-based approach to sanctions compliance by developing, implementing and routinely updating a SCP.” In this blog post we will consider Element 2 of the Framework, Risk Assessment.
In any compliance regime, the starting point is a risk assessment. That is no different, and certainly no surprise, in the Framework. OFAC itself “recommends that organizations conduct a routine and ongoing risk assessment to inform its compliance program policies, procedures, internal controls and training.” In this respect, OFAC explained that such a risk assessment should consist of a “holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world.”
Further, as you would expect, the Framework has a slightly different focus on risk than that articulated in Hallmark IV of the Ten Hallmarks of an Effective Compliance Program as initially formulated in the 2012 FCPA Resource Guide. Under the Framework, your compliance regime should assess the following prongs: “(i) customers, supply chain, intermediaries, and counter-parties; (ii) the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks or systems; (iii) the geographic locations of the organization, as well as its customers, supply chain, intermediaries and counter-parties; and (iv) potential merger and acquisitions, especially those involving non-U.S. companies or corporations.”
Under Prong 1, you need to consider not so much how you do business but with whom you do business. This is a slightly different focus on risk than under a Foreign Corrupt Practices Act (FCPA) risk assessment, where the question is usually more focused on the use of third-party agents, distributors or others to sell to foreign officials or state-owned enterprises (SOEs). Yet the Framework's focus is one that every compliance practitioner should consider, as many bribery schemes now actively involve the customers and companies which enter into a relationship with your company through the supply chain.
Under Prong 2, you need to take a much more holistic view of your products and services than you would under an FCPA compliance program risk assessment. It goes far beyond selling to foreign governments or SOEs. This Prong mandates that you assess what you sell, where you sell it and how you sell it. From an overall business perspective, however, this is certainly a far more impactful way to assess risk.
Prong 3 asks you to once again consider your “customers, supply chain, intermediaries and counter-parties,” but this time from the perspective of their home domicile or where they are providing goods or services to you. In this era of increasing transparency around extractive and other minerals, knowing where your products and services derive from has moved from a nice piece of information to a mandatory inquiry.
Finally, under Prong 4, you should risk-assess all merger and acquisition (M&A) candidates. Not only should you look at them from the ethics and compliance perspective but also from the trade sanctions perspective. Obviously, non-US companies will probably not have followed US export control or trade sanctions laws, so you will need to be prepared to remediate as quickly as possible.
The next step is that an entity conducts, or will conduct, an OFAC risk assessment in a manner and with a frequency that adequately accounts for the potential risks. You should update your risk assessment to account for the root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business. In addition to the M&A component, there should be a similar exercise for third parties. The Framework noted, “On-boarding: The organization develops a sanctions risk rating for customers, customer groups, or account relationships, as appropriate, by leveraging information provided by the customer [for example, through a Know Your Customer or Customer Due Diligence process] and independent research conducted by the organization at the initiation of the customer relationship. This information will guide the timing and scope of future due diligence efforts.” This means you should develop a protocol for risk rating customers, vendors, or other relationships based on the due diligence process and independent research conducted by the organization at the initiation of the relationship, and that rating should then guide the timing and scope of your future due diligence efforts.
Finally, each organization should develop a “methodology to identify, analyze, and address the particular risks it identifies. As appropriate, the risk assessment will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business, for example, through a testing or audit function.” In other words, you cannot sit or stand still. Just as your business is ever evolving, your Framework risk assessment should evolve to meet business opportunities and challenges.