How can a compliance professional navigate an increasingly complex sanctions landscape around a best practices sanctions compliance program and what happens if there is a compliance failure? I recently visited with Adam Frey, Managing Director, and Eric Lorber, Vice President at K2 Intelligence Financial Integrity Network (FIN) on this topic.

 Sanctions Compliance Program

How can you construct an effective sanctions compliance program? Typically, a sanctions compliance program will be part of the Financial Crimes Compliance (FCC) team. It can be sometimes also known as financial security compliance team within a larger compliance department. Another approach is to have a  dedicated sanctions team within the FCC unit. Other times there may be a little bit more of a crossover between multiple FCC topics, such as AML and anti-bribery/anti-corruption (ABC) or a similar approach.

These teams work closely with the “Know Your Customer” (KYC) teams since the underlying customer information is such a critical component of insurance sanctions compliance. Then in that structure, the FCC team will report up ultimately to the Chief Compliance Officer (CCO). In terms of responsibility, at the end of the day it is up to every person in the organization to be aware of and own the sanctions risk of their business activity or their job function. The goal is really for the first line of defense to internalize the importance and the need for sanctions compliance and the sanctions risk in the same way they do for credit risk and other types of operational risks that they own. It is tone from the top or rather tone from management that is really critical in this regard.

Whatever the structure might be, Frey emphasized the critical nature of operationalizing your sanctions compliance program down to the front-line of defense. In this way, the goal is really for the first line of defense to internalize the importance and the need for sanctions compliance. Frey compared the sanctions risk, to be managed in the same way financial institutions manage credit risk. That is; it is managed down to the individual employee. This is something every regulator is focused on, moving the risk management process literally to the front lines of an organization, with multiple lines of back up.

The importance of sanctions compliance should be communicated to the first line of defense and throughout the entire organization, from the highest levels of the organization, from the Chief Executive Officer (CEO) to the senior business leaders and all the way down to employees dealing with the customer base. These are not compliance issues to be handled exclusively by the compliance function. Frey emphasized, “the compliance department is empowered to enforce the sanctions compliance program throughout the organization.”

Obviously, this requires the correct tone from senior management but there must also be targeted training. It really should be tailored to the exposure and the risk level of the activity or job function, additionally the people who are exposed to more risk should get more comprehensive, more nuanced detailed training. Your typical awareness training, that should be the baseline that all employees should have.

What about the constant pressure for cost-cutting in the compliance function, which has been made more acute during the time of Covid-19. Frey noted, “it is a consistent pressure. But I think it’s important to emphasize organizations really have to resist the urge to, to cut costs.” The reason is the cost of a compliance failure is so high and the regulators have said that all businesses must remain ever vigilant. The idea of cutting corners now in an attempt to reduce costs could really end up adding costs down the line in terms of fines and penalties down the road.

If You Have a Sanctions Violation?

What to do if you have a sanctions violation or think you may have violated a sanctions program?

This is always a difficult proposition; you find out about a sanctions violation or even a potential violation. What steps should you take? Lorber began with what he termed “Core Lesson No. 1 – Do Not Ignore It”. You have to make a determination as to whether or not there has been a breach or whether or not you assess there has been a breach and then take appropriate steps accordingly. Lorber has seen situations where individuals have isolated sanctions and try to potentially cover it up, or management has not paid sufficient attention to it. He cautioned this type of response almost always leads to additional interest and potential enforcement activity, by OFAC, the relevant regulator or enforcement agencies. After you make an initial assessment, be prepared to escalate it up your internal chain and also potentially to notify the regulators.  You may want to get your internal counsel involved to protect privilege and potentially outside counsel as well.

Lorber noted that one of the things which is so tricky about the sanction space is just how confusing some of the sanctions laws and regulations are coupled with what is, and is not, permissible. Oftentimes one might look at an OFAC sanctions regulation and then you look at a general license. It can be very difficult to decipher exactly what is and is not permissible. Moreover, the regulations themselves are often written in a fairly broad manner.

The next lesson is to figure out exactly what happened and it is critical to conduct a robust internal investigation for this exercise. The purpose of the investigation should be multi-fold. First is getting a sense of exactly what has and has not happened. This means getting the facts straight because these facts are going to be incredibly important in determining internally whether or not you think a violation has occurred. It will also be critical for an eventual determination by OFAC or other sanctions enforcement agency, as to whether or not a violation has occurred. A second key reason is actually to get a sense of if this is a systemic violation as opposed to a one off.

Self-disclosure is always a difficult conversation and it is one of the trickiest areas as there are multiple competing considerations to muse over. It is important point to note on this point, the OFAC process for self-disclosure, which is called a Voluntary Self-Disclosure (VSD), creates an incentive structure for companies to self-report. The big incentive is that you get 50% off the base penalty. Additionally, if a company self-reports OFAC has flexibility in its final decision. This includes making the enforcement action public or not. OFAC will take into account the fact that you filed a VSD in making a determination as to whether or not to engage in public enforcement activity at all.

Two additional considerations by OFAC will be in the areas of remediation and cooperation. Remediation means correcting the problem after an investigation and root cause analysis (RCA). For cooperation, Lorber noted this can include actions such as tolling the statute of limitations to providing an open flow of all the information requested by those agencies. Establishing to the extent you can establish a cooperative relationship is smart. OFAC will take these various different factors into consideration when establishing the civil monetary penalty and whether or not to engage in enforcement activity, up to and including the requirement for a monitor.

Lorber concluded by stating, “these are the types of proactive steps that I think OFAC and the regulatory authorities would really like to see. It is signaling we are taking this seriously. It’s very much a sort of a signal that we are on your side enforcement agencies and regulatory authorities.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2020