The United States imposes sanctions against foreign governments, individuals, and organizations to achieve specific foreign policy objectives, either unilaterally or as part of a coalition. Since these sanctions have the force of law, they prohibit or restrain certain actions of ordinary U.S. persons (citizens and permanent residents), companies, and organizations that might have dealings with the foreign entities. The government publishes a list of foreign countries, persons, or organizations (Specially Designated Nationals, or “SDNs”) whose assets are blocked and who cannot be part of a transaction.
Sanctions are administered and enforced by the Department of the Treasury’s Office of Foreign Assets Control (OFAC). It’s important to understand that OFAC operates under the President’s national security mandate, so it has wide latitude to devise and enforce guidelines for financial institutions’ compliance. The coverage of this authority is very broad: it extends to all U.S. persons and organizations, including foreign branches. It even prohibits a U.S. entity from facilitating a sanctioned activity by a third-party foreign entity.
Financial institutions are especially affected by these restrictions because economic sanctions are only effective when private financial entities comply with them. Sanctions aimed at controlling drugs, weapons, or terrorism have to restrict cross-border flows of money or trade, financing for sanctioned activities, asset control, and the activities of specific persons or groups. Therefore, financial institutions cannot provide normal services to sanctioned entities either intentionally or by failure to implement effective compliance policies.
Given the critical importance of financial institutions for sanction effectiveness, OFAC is highly vigilant about compliance with its guidelines. The agency will review the compliance programs of financial institutions, so organizations have to create, implement, and document their activities. Financial officers will want to note that OFAC enforcement actions do impose significant penalties (6 or 7 figures, or higher) for violations such as fund transfers that benefit a sanctioned entity.
Compliance Based on Risk Assessment
OFAC “agrees that financial institutions should take a risk-based approach” in evaluating their compliance with OFAC mandates. The agency’s adherence to this approach is confirmed in several publications, and is reaffirmed in updated enforcement guidelines published in the Federal Register in 2009 (see page 5).
The background information can be tedious, but it is extremely important to be aware of the legal grounds for OFAC enforcement. The agency issued risk matrices for financial institutions in 2005, and published a rule on Economic Sanctions Enforcement Procedures in 2006 in the Federal Register, including guidance on compliance programs based on risk assessment which incorporate the risk matrices. This is not the same thing as the ACH risk management guidance or the BSA/AML compliance program, but uses similar methodology. Compliance officers should consider all of these related regulations simultaneously in designing and evaluating a risk-based compliance program.
The risk matrices describe risk as “low, moderate, or high” based on the exposure to violation a risk factor imposes. For example, a low-risk entity would have a “stable, well-known customer base in a localized environment” while a high-risk one would have “a large, fluctuating client base in an international environment.” The matrices outline numerous dimensions of risk from the business and/or its markets and environment, and also add several factors related to management and staffing that can affect risk.
OFAC realizes that each at-risk entity has to assess its unique risk profile. However, in its enforcement actions it makes plain that it will impose penalties for transactions that should have been flagged in a compliance program. Further, its 2009 regulation update emphasizes that the degree of harm in a prohibited transaction is a relevant consideration in evaluating a program. This means that financial institutions can design compliance programs that treat transactions differently depending on the level of risk—and the value—of that transaction.
OFAC requirements change as the international landscape changes. Congressional or Presidential actions will add or subtract sanctioned entities, and organizations will be expected to comply.
As with all other aspects of risk management, continuous effort is required to design and maintain an effective OFAC compliance program. To paraphrase, risk never sleeps.