Risks in sanctions compliance are potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations and negatively affect an organization’s reputation and business. OFAC recommends that organizations take a risk-based approach when designing or updating an SCP. One of the central tenets of this approach is for organizations to conduct a routine, and if appropriate, ongoing “risk assessment” for the purposes of identifying potential OFAC issues they are likely to encounter. As described in detail below, the results of a risk assessment are integral in informing the SCP’s policies, procedures, internal controls, and training in order to mitigate such risks.
While there is no “one-size-fits all” risk assessment, the exercise should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world. This process allows the organization to identify potential areas in which it may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions. For example, an organization’s SCP may conduct an assessment of the following: (i) customers, supply chain, intermediaries, and counter-parties; (ii) the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems; and (iii) the geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counter-parties. Risk assessments and sanctions-related due diligence is also important during mergers and acquisitions, particularly in scenarios involving non-U.S. companies or corporations.
General Aspects of an SCP: Conducting a Sanctions Risk Assessment
A fundamental element of a sound SCP is the assessment of specific clients, products, services, and geographic locations in order to determine potential OFAC sanctions risk. The purpose of a risk assessment is to identify inherent risks in order to inform risk-based decisions and controls. The Annex to Appendix A to 31 C.F.R. Part 501, OFAC’s Economic Sanctions Enforcement Guidelines, provides an OFAC Risk Matrix that may be used by financial institutions or other entities to evaluate their compliance programs:
I. The organization conducts, or will conduct, an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for the potential risks. Such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization. As appropriate, the risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business.
A. In assessing its OFAC risk, organizations should leverage existing information to inform the process. In turn, the risk assessment will generally inform the extent of the due diligence efforts at various points in a relationship or in a transaction. This may include:
1. On-boarding: The organization develops a sanctions risk rating for customers, customer groups, or account relationships, as appropriate, by leveraging information provided by the customer (for example, through a Know Your Customer or Customer Due Diligence process) and independent research conducted by the organization at the initiation of the customer relationship. This information will guide the timing and scope of future due diligence efforts. Important elements to consider in determining the sanctions risk rating can be found in OFAC’s risk matrices. [insert hyperlink]
2. Mergers and Acquisitions (M&A): As noted above, proper risk assessments should include and encompass a variety of factors and data points for each organization. One of the multitude of areas organizations should include in their risk assessments—which, in recent years, appears to have presented numerous challenges with respect to OFAC sanctions—are mergers and acquisitions. Compliance functions should also be integrated into the merger, acquisition, and integration process. Whether in an advisory capacity or as a participant, the organization engages in appropriate due diligence to ensure that sanctions-related issues are identified, escalated to the relevant senior levels, addressed prior to the conclusion of any transaction, and incorporated into the organization’s risk assessment process. After an M&A transaction is completed, the organization’s Audit and Testing function will be critical to identifying any additional sanctions-related issues.
II. The organization has developed a methodology to identify, analyze, and address the particular risks it identifies. As appropriate, the risk assessment will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business, for example, through a testing or audit function.