of the Standard Chartered settlement with OFAC – it’s a roadmap to what real remediation looks like, and the standards for a firm of size and commercial sophistication are:
Specifically, OFAC and Respondent understand that the following compliance commitments have been made:
a. Management Commitment:
i. Respondent commits that Senior Management has reviewed and approved Respondent’s sanctions compliance program.
ii. Respondent commits to ensuring that its senior management, including senior leadership, executives, and/or the board of directors, are committed to supporting Respondent’s sanctions compliance program.
iii. Respondent commits to ensuring that its compliance unit(s) are delegated sufficient authority and autonomy to deploy its policies and procedures in a manner that effectively controls Respondent’s OFAC risk.
iv. Respondent commits to ensuring that its compliance unit(s) receive adequate resources - including in the form of human capital, expertise, information technology, and other resources, as appropriate - that are relative to Respondent’s breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.
v. Respondent commits to ensuring that Senior Management promotes a “culture of compliance” throughout the organization.
vi. Respondent’s Senior Management demonstrates recognition of the seriousness of apparent violations of the laws and regulations administered by OFAC, and acknowledges its understanding of the apparent violations at issue, and commits to implementing necessary measures to reduce the risk of reoccurrence of similar conduct and apparent violations from occurring in the future.
b. Risk Assessment:
i. Respondent conducts an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for potential risks. Such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization. The risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business.
ii. Respondent has developed a methodology to identify, analyze, and address the particular risks it identifies. The risk assessment will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business, for example, through a testing or audit function.
c. Internal Controls:
i. Respondent has designed and implemented written policies and procedures outlining its sanctions compliance program. These policies and procedures are relevant to the organization, capture Respondent’s day-to-day operations and procedures, are easy to follow, and prevent employees from engaging in misconduct.
ii. Respondent has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable Respondent to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC. To the extent information technology solutions factor into Respondent’s internal controls, Respondent has selected and calibrated the solutions in a manner that is appropriate to address Respondent’s risk profile and compliance needs, and Respondent routinely tests the solutions to ensure effectiveness.
iii. Respondent commits to enforcing the policies and procedures it implements as part of its sanctions compliance internal controls through internal and/or external audits.
iv. Respondent commits to ensuring that its OFAC-related recordkeeping policies and procedures adequately account for its requirements pursuant to the sanctions programs administered by OFAC.
v. Respondent commits to ensuring that, upon learning of a weakness in its internal controls pertaining to sanctions compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
vi. Respondent has clearly communicated the sanctions compliance program’s policies and procedures to all relevant staff, including personnel within the sanctions compliance function, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing sanctions compliance responsibilities on behalf of Respondent.
vii. Respondent has appointed personnel to integrate the sanctions compliance program’s policies and procedures into Respondent’s daily operations. This process includes consultations with relevant business units, and ensures that Respondent’s employees understand the policies and procedures.
d. Testing and Audit:
i. Respondent commits to ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, and resources within the organization.
ii. Respondent commits to ensuring that it employs testing or audit procedures appropriate to the level and sophistication of its sanctions compliance program and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of Respondent’s OFAC-related risks and internal controls.
iii. Respondent commits to ensuring that, upon learning of a confirmed negative testing or audit result pertaining to its sanctions compliance program, it will take immediate and effective action to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
e. Training:
i. Respondent commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support Respondent’s sanctions compliance efforts.
ii. Respondent commits to providing OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
iii. Respondent commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile and, at a minimum, at least once a year to all relevant employees.
iv. Respondent commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its sanctions compliance program, it will take immediate and effective action to provide training to relevant personnel.
v. Respondent’s training program includes easily accessible resources and materials that are available to all applicable personnel.
In addition, they agreed to annual certifications to OFAC for 5 years attesting to the implementation and maintenance of the compliance measures.
Mr. Watchlist is impressed.