Earlier this year the Treasury Department’s Office of Foreign Assets Control published A Framework for OFAC Compliance Commitments. It describes essential components of a sanctions compliance program (management commitment, risk assessment, internal controls, testing and auditing, and training). There’s also a neat section about “root causes” of sanctions violations that OFAC found during actual investigations.
To paraphrase Bismarck, it’s great to learn from mistakes, especially when the mistakes aren’t yours. Here then are the mistakes of others, accidental or otherwise, behind most OFAC violations:
No sanctions compliance program. Incredible but true. After nearly 70 years of OFAC regulations, “numerous” enforcement actions still involve companies with no formal sanctions compliance program. OFAC regulations don’t require companies to adopt a program and a lot of them don’t. But it’s a no brainer that companies subject to OFAC jurisdiction and doing anything that crosses borders should have a formal sanctions compliance program.
Improper due diligence. Some companies with cross-border businesses are still failing to ask and answer basic sanctions-related questions. OFAC found violators that didn’t know who owned their customers or intermediaries, where they were physically located, and whether the counter-parties and agents were even aware of OFAC regulations.
Bad information and the wrong tools. Outdated lists of sanctioned people and organizations caused violations. As did search software that didn’t account for alternative or regional spellings of prohibited countries or parties — Habana instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan, and so on.
Being wrong about who and what are covered by OFAC regulations. Numerous violators concluded wrongly that they weren’t subject to OFAC regulations, or that the regulations didn’t apply to or prohibit their specific deal. Multiple organizations violated sanctions by shifting deals to their foreign units. “In many instances,” OFAC said, “the root cause of these violations stems from a misinterpretation or misunderstanding of OFAC’s regulations.”
Being willfully blind about where U.S.-origin goods, technology, or services will end up. OFAC said even large and sophisticated companies sold controlled items to buyers (often repeatedly and over several years) who had “the specific intent” of re-selling or transferring the items to blocked people, organizations, or countries.
De-centralized and inconsistent compliance functions and programs. At some violators, OFAC found compliance staff and decision-makers scattered across offices or business units. The organizations lacked a formal escalation process to review high-risk customers or transactions. OFAC also found “inefficient or incapable oversight and audit function” in some violators, and frequent miscommunication about the organization’s sanctions-related policies and procedures.
Bosses going rogue. Employees — particularly in supervisory, managerial, or executive-level positions — played “integral roles” in causing or abetting some violations. It happened even in companies that had “a fulsome sanctions compliance program in place.” Compounding the problem, the bad bosses usually did their best to “obfuscate and conceal” their activities from compliance personnel and from regulators and law enforcement. OFAC calls this root cause “individual liability” but said it can hold the employers liable for the violations (see respondeat superior), as well as the rogue employees.
A final caveat: OFAC’s Framework lists ten “root causes” behind sanctions violations and describes them in more complete and technically accurate language. I’ve shortened OFAC’s list by combining items and dropping others. This summary is only an introduction to OFAC’s guidance and isn’t a substitute for the original, available here.