Sanctions compliance is more important than ever. As a result, companies need to spend more time reviewing, assessing and enhancing their sanctions compliance programs.
Most companies know how to screen potential customers, business partners, vendors and suppliers against Office of Foreign Assets Control (OFAC) lists of prohibited persons and entities.
However, while such a process is important to a compliance program, much more is needed to ensure compliance throughout a company’s operations.
“Check-the-box” type programs are a thing of the past
Gone are the days when a sales clerk ran a customer’s name on a purchase order through a trade compliance database to ensure that the customer was not on a prohibited sanctions list.
Companies are required to do much more than that if they want to get full credit from the government for their sanctions compliance strategies.
Under OFAC rules and Department of Justice guidelines, a company has to design and implement an effective sanctions compliance program.
This cannot be a mere check-the-box type of program – it requires a full complement of compliance program elements, most of which are already known to the business community.
I do not intend to list here the elements of an effective program as required under the U.S. Sentencing Guidelines and the DOJ/SEC FCPA Guidance. We all are familiar with those requirements.
Instead, I want to suggest some helpful practical steps.
There are many lessons from recent OFAC enforcement actions. Perhaps the most significant and consistent theme is the fact that many companies have little to no commitment to OFAC compliance other than a basic screening protocol.
Beyond that, companies have focused on anti-corruption, third-party payments and other “more” significant risks.
Here’s where that mindset has to change:
1. Company Culture:
Everyone’s favorite compliance-related topic these days is promoting a “culture of compliance”. That is a welcome development, but there needs to be more to it than just saying culture is important.
Culture is created by actions and communications surrounding conduct and accountability.
When it comes to sanctions compliance, companies have to add the importance of sanctions to the “culture of compliance” message.
2. Risk Assessment:
In many situations, I urge companies not to expend significant resources on a risk assessment. However, in the sanctions area, a risk assessment could be critical, depending on the business’ global operations and potential risks.
For global companies, it is important to examine their operations closely and identify situations where sanctions risks exist.
3. Policies and Procedures:
Too often, companies relegate sanctions enforcement to lower-level managers or employees. A Chief Compliance Officer has to take responsibility for this substantive area and work closely with trade compliance staff to ensure standards are being met.
As part of this effort, a company has to adopt specific policies and procedures for its sanctions compliance program.
The government requires companies to develop trade compliance “manuals,” which need not be exhaustively detailed, but should be drafted to provide procedural guidance for compliance with sanctions.
A sanctions compliance program must name a specific individual, the CCO in most cases, as the person responsible for sanctions compliance.
4. OFAC Database Screening:
Companies rely on database services to conduct OFAC checks. That is all well and good. However, your program is only as strong as your data, and not all data services are infallible.
Companies need to double-check these services, conduct random audits of the checks, and make sure there are adequate reviews of the screening process.
Recent OFAC enforcement actions have highlighted the failure of a company to ensure appropriate training of managers and employees.
This is a requirement that has to be satisfied and documented to demonstrate to the government, if necessary, that training has been conducted.
6. Documentation and Advice of Counsel:
I tend to repeat myself (just ask my wife), but here is a mantra that I say all the time:
A compliance program by definition is ineffective if it is not documented.
Further, to provide additional legal protection, a written “advice of counsel” memo, letter or email should be obtained in any situation where there is a significant question as to the legality of going forward with a transaction.
7. Internal Audit:
A company should audit its sanctions compliance program in accordance with appropriate auditing risk formulas.
If deficiencies are identified, managers should be held accountable for completing any remediation as directed by the internal audit staff.
8. Investigation and Remediation:
A company has to promote a “speak-up culture” and investigate complaints relating to sanctions compliance, remedying any violations that are discovered.
9. Contract Management System:
A company has to maintain a robust contract management system so that it can review contracts in order to ensure compliance with sanctions restrictions.
Once approved, the contract has to be managed to protect against sanctions violations and any attempt by a customer to evade sanctions requirements, either by facilitating a violation for the benefit of an otherwise prohibited person, or by failing to confirm end user identities and requirements.
Is your sanctions compliance program up to date? Does your company’s “culture of compliance” cover sanctions?
Want to read more about ethics and compliance?
The Revolution in Ethics and Compliance includes a collection of recent essays and blog posts aimed at encouraging corporate leaders to understand how a culture of compliance is not only the best protection against code of conduct and legal violations, but also how such a culture creates sustainable financial benefits to a company and its employees.