The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) administers and enforces U.S. economic and trade sanctions programs against targeted foreign governments, individuals, groups, and entities in accordance with national security and foreign policy goals and objectives.
OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP). While each risk-based SCP will vary depending on a variety of factors—including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations—each program should be predicated on and incorporate at least five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
If after conducting an investigation and determining that a civil monetary penalty (“CMP”) is the appropriate administrative action in response to an apparent violation, the Office of Compliance and Enforcement (OCE) will determine which of the following or other elements should be incorporated into the subject person’s SCP as part of any accompanying settlement agreement, as appropriate. As in all enforcement cases, OFAC will evaluate a subject person’s SCP in a manner consistent with the Economic Sanctions Enforcement Guidelines (the “Guidelines”).
When applying the Guidelines to a given factual situation, OFAC will consider favorably subject persons that had effective SCPs at the time of an apparent violation. For example, under General Factor E (compliance program), OFAC may consider the existence, nature, and adequacy of an SCP, and when appropriate, may mitigate a CMP on that basis. Subject persons that have implemented effective SCPs that are predicated on the five essential components of compliance may also benefit from further mitigation of a CMP pursuant to General Factor F (remedial response) when the SCP results in remedial steps being taken.
Finally, OFAC may, in appropriate cases, consider the existence of an effective SCP at the time of an apparent violation as a factor in its analysis as to whether a case is deemed “egregious.”
This document is intended to provide organizations with a framework for the five essential components of a risk-based SCP, and contains an appendix outlining several of the root causes that have led to apparent violations of the sanctions programs that OFAC administers. OFAC recommends all organizations subject to U.S. jurisdiction review the settlements published by OFAC to reassess and enhance their respective SCPs, when and as appropriate.