VI. Sanctions Screening Software or Filter Faults
Many organizations conduct screening of their customers, supply chain, intermediaries, counter-parties, commercial and financial documents, and transactions in order to identify OFAC-prohibited locations, parties, or dealings. At times, organizations have failed to update their sanctions screening software to incorporate updates to the SDN List or SSI List, failed to include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions, or did not account for alternative spellings of prohibited countries or parties—particularly in instances in which the organization is domiciled or conducts business in geographies that frequently utilize such alternative spellings (e.g., Habana instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan).
VII. Improper Due Diligence on Customers/Clients (e.g., Ownership, Business Dealings, etc.)
One of the fundamental components of an effective OFAC risk assessment and SCP is conducting due diligence on an organization’s customers, supply chain, intermediaries, and counter-parties. Various administrative actions taken by OFAC involved improper or incomplete due diligence by a company or corporation on its customers, such as their ownership, geographic location(s), counter-parties, and transactions, as well as their knowledge and awareness of OFAC sanctions.
VIII. De-Centralized Compliance Functions and Inconsistent Application of an SCP
While each organization should design, develop, and implement its risk-based SCP based on its own characteristics, several organizations subject to U.S. jurisdiction have committed apparent violations due to a de-centralized SCP, often with personnel and decision-makers scattered in various offices or business units. In particular, violations have resulted from this arrangement due to an improper interpretation and application of OFAC’s regulations, the lack of a formal escalation process to review high-risk or potential OFAC customers or transactions, an inefficient or incapable oversight and audit function, or miscommunications regarding the organization’s sanctions-related policies and procedures.
IX. Utilizing Non-Standard Payment or Commercial Practices
Organizations subject to U.S. jurisdiction are in the best position to determine whether a particular dealing, transaction, or activity is proposed or processed in a manner that is consistent with industry norms and practices. In many instances, organizations attempting to evade or circumvent OFAC sanctions or conceal their activity will implement non-traditional business methods in order to complete their transactions.
X. Individual Liability
In several instances, individual employees—particularly in supervisory, managerial, or executive-level positions—have played integral roles in causing or facilitating violations of the regulations administered by OFAC. Specifically, OFAC has identified scenarios involving U.S.-owned or controlled entities operating outside of the United States, in which supervisory, managerial or executive employees of the entities conducted or facilitated dealings or transactions with OFAC-sanctioned persons, regions, or countries, notwithstanding the fact that the U.S. entity had a fulsome sanctions compliance program in place. In some of these cases, the employees of the foreign entities also made efforts to obfuscate and conceal their activities from others within the corporate organization, including compliance personnel, as well as from regulators or law enforcement. In such circumstances, OFAC will consider using its enforcement authorities not only against the violating entities, but against the individuals as well.