OFAC Puts Asian Companies on Notice with “Compliance Framework”

with co-authors Ali Burney and Nick Turner

Officials from the U.S. Office of Foreign Assets Control (OFAC) have been teasing for months that they would issue guidelines to help companies comply with U.S. sanctions regulations. On May 2, 2019, OFAC made good and published the much-anticipated “A Framework for OFAC Compliance Commitments” (the Framework), outlining the five essential components of an effective sanctions compliance program.

The Framework comes at a time when OFAC is more focused than ever on bringing enforcement actions against companies in Asia-Pacific, as illustrated by the cases we discuss below. The Framework puts companies on notice that OFAC expects non-U.S. companies, especially those in higher-risk industries, to adopt risk-based compliance programs to minimize the risk of violations. For companies with nonexistent or weak sanctions compliance programs, it’s never too late to start building one, using the Framework as a handy blueprint.

Optional – In Theory, but Not in Practice

A company does not violate any law or regulation by ignoring the Framework, but failing to follow it will have a detrimental impact in the event of an OFAC enforcement action. In particular, any company appearing before OFAC in settlement discussions will need to justify their decision to deviate from the Framework’s five components or risk a harsher penalty, or at least a harshly worded rebuke in the compliance section of any settlement announcement.

Moreover, OFAC could directly target management for failure to implement a compliance program. This flows directly from OFAC’s Enforcement Guidelines, which judge management’s involvement in or knowledge of the sanctions violations as follows:

“If the apparent violation was undertaken without the knowledge of senior management, was there oversight intended to detect and prevent violations, or did the lack of knowledge by senior management result from disregard for its responsibility to comply with applicable sanctions laws?” (emphasis added)

The good news: OFAC makes clear that the Framework does not mandate a one-size-fits-all approach, and it is not a checklist. Rather, sanctions compliance should be tailored to a comprehensive assessment of a company’s risks.

The Five Components and How They Apply

The Framework is built around five “essential components:”

1. management commitment,
2. risk assessment,
3. internal controls,
4. testing and auditing and
5. training

A key theme throughout is identification of “root causes” and “systemic deficiencies.”

According to OFAC, management commitment is one of the most important factors for a successful sanctions compliance program. Management must promote a “culture of compliance” by appointing a dedicated OFAC sanctions compliance officer and qualified team, with authority, autonomy, regular access to management and – most critically – adequate resources and technology.

Next, OFAC considers the sanctions risk assessment to be “one of the central tenets” of the Framework. A sanctions risk assessment should consider risks associated with geographies, products and services, supply chains and customers. This is not a “one and done” exercise. Risk assessment should take place periodically to help a company address new or changing risks.

The third element, internal controls, refers to regularly updated written policies and procedures, recordkeeping and other measures to mitigate a company’s sanctions risks.

The fourth element, testing and auditing, is essential to ensuring that the controls are functioning as designed. It must be comprehensive and objective, whether internally or externally conducted. Importantly, OFAC expects that the results of audits and testing will be used to inform and immediately and effectively improve the sanctions compliance program.

Finally, the Framework calls for training, at least annually, that reflects the company’s risk assessment and past audit and testing findings. Training materials should be made easily accessible and available to employees on an ongoing basis.

OFAC states that it will apply the Framework in enforcement cases in three situations:

• In determining what compliance commitments a company must make as part of a settlement.
• In evaluating mitigating factors under OFAC Enforcement Guidelines, including (most importantly) whether the company had an effective compliance program at the time of the violation.
• In evaluating whether a case involves “egregious” violations under the Enforcement Guidelines.

Heads Up, Asia

While the Framework hardly breaks new ground in the eyes of sanctions compliance gurus, it serves as a timely summary and reinforcement of compliance efforts in light of OFAC’s heightened interest in bringing enforcement cases against companies based or operating in Asia-Pacific.

Of most interest, the document includes a list of “root causes” gleaned from past enforcement actions. Some of these root causes were illustrated in three cases over the past three months with an Asia-Pacific nexus.

• In March 2019, OFAC announced a US$1,869,144 settlement with U.S.-based Stanley Black & Decker, Inc. for 23 apparent violations of the Iranian Transactions and Sanctions Regulations (ITSR) caused by the company’s China subsidiary, which shipped equipment to Iran through third parties. Though voluntarily disclosed, the violations were deemed egregious, and OFAC called out the company’s lack of post-acquisition monitoring, the participation of management and its use of fictitious documents and trading companies to conceal the Iran business. (Read the Clifford Chance briefing on this case here.)
• In April 2019, OFAC announced two settlements totaling US$441,366 with U.K.-based Acteon Group Ltd. for 20 apparent violations of the ITSR and the Cuban Assets Control Regulations (CACR) by its Malaysian affiliates and U.K., U.S. and Singapore subsidiaries. Acteon Group, which is majority owned by a U.S.-based private equity firm, KKR [NB: the company was owned by a different U.S. private equity firm at the time of the Malaysia violations.], voluntarily disclosed the violations, some of which were found to be egregious due to concealment, the group’s ineffective compliance program and management awareness. OFAC recommended private equity firms conduct regular audits and due diligence of their non-U.S. subsidiaries. (Read the Clifford Chance briefing on this case here.)
• In May 2019, OFAC announced a US$871,837 settlement with U.S.-based MID-SHIP Group LLC for five apparent violations of the Weapons of Mass Destruction Proliferators Sanctions Regulations. The company made five electronic funds transfers in relation to charter party agreements entered into by its Turkey and China subsidiaries. The agreements involved Islamic Republic of Iran Shipping Lines (IRISL) vessels that were on the List of Specially Designated Nationals and Blocked Persons (the SDN List). OFAC deemed the violations egregious due to MID-SHIP’s deficient culture of compliance despite its position as a global, commercially sophisticated shipping and logistics company and imposed significant ongoing compliance undertakings. (Read the Clifford Chance briefing on this case here.)

Meanwhile, media have widely reported that OFAC and other U.S. sanctions authorities such as the Department of Justice and Federal Bureau of Investigation are aggressively investigating companies in Asia-Pacific for potential violations of the Iran and North Korea sanctions programs, among others, as evidenced by multiple DOJ indictments and asset forfeiture actions involving Singaporean, Russian and Chinese companies involved in petroleum sales to North Korea.

The message? Companies in Asia-Pacific that have yet to invest time and resources into building up their sanctions compliance programs are sitting ducks for new OFAC violations and more serious penalties.

Still waiting to do that risk assessment? There’s no time like the present.