C. Compliance Commitments: Respondent has terminated the conduct described above and has established, and agrees to maintain for at least five years following the date this Agreement is executed, sanctions compliance measures that are designed to minimize the risk of recurrence of similar conduct in the future. Specifically, OFAC and Respondent understand that the following compliance commitments have been made:
a. Management Commitment:
i. Respondent commits that senior management has reviewed and approved Respondent’s sanctions compliance program.
ii. Respondent commits to ensuring that its senior management, including senior leadership, executives, and the board of directors, are committed to supporting Respondent’s OFAC compliance program.
iii. Respondent commits to ensuring that its compliance unit(s) are delegated sufficient authority and autonomy to deploy its policies and procedures in a manner that effectively controls Respondent’s OFAC risk.
iv. Respondent commits to ensuring that its compliance unit(s) receive adequate resources—including in the form of human capital, expertise, information technology, and other resources, as appropriate—that are relative to Respondent’s breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.
v. Respondent commits to ensuring that senior management promotes a “culture of compliance” throughout the organization.
vi. Specifically with respect to the conduct outlined above as reflective of senior management’s commitments, in April 2020 Respondent added a Vice President tasked with trade compliance at its Arizona facility, will add an additional trade compliance position in Arizona to support the new Vice President, and created a new position of Senior Trade and/or Chief Trade Compliance Officer at their New York headquarters.
b. Risk Assessment:
i. Respondent represents that it will conduct an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for potential risks. Such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization. The risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business.
ii. Respondent represents that it has developed a methodology to identify, analyze, and address the particular risks it identifies. The risk assessments will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business, for example, through a testing or audit function.
C. Internal Controls:
i. Respondent has designed and implemented written policies and procedures outlining its sanctions compliance program. These policies and procedures are relevant to the organization, capture Respondent’s day-to-day operations and procedures, are easy to follow, and designed to prevent employees from engaging in misconduct.
ii. The organization has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable Respondent to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC. To the extent information technology solutions factor into Respondent’s internal controls, Respondent has selected and calibrated the solutions in a manner that is appropriate to address Respondent’s risk profile and compliance needs, and Respondent routinely tests the solutions to ensure effectiveness.
iii. Respondent commits to enforcing the policies and procedures it implements as part of its sanctions compliance internal controls through internal or external audits.
iv. Respondent commits to ensuring that its OFAC-related recordkeeping policies and procedures adequately account for its requirements pursuant to the sanctions programs administered by OFAC.
v. Respondent commits to ensuring that, upon learning of a weakness in its internal controls pertaining to sanctions compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
vi. Respondent has clearly communicated the sanctions compliance program’s policies and procedures to all relevant staff, including personnel within the sanctions compliance function, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing sanctions compliance responsibilities on behalf of Respondent.
vii. Respondent has appointed personnel to integrate the sanction compliance program’s policies and procedures into Respondent’s daily operations. This process includes consultations with relevant business units and confirms that Respondent’s employees understand the policies and procedures.
viii. Specifically with respect to the conduct outlined above, the Respondent has updated its global trade compliance program to address compliance requirements under the OFAC regulations, as well as export control, anti- bribery/anticorruption and import requirements. The updated compliance program now requires that any indirect export to a comprehensive sanctioned destination requires both a copy of an OFAC license and each such export must now be reviewed and approved by Comtech’s Office of Trade Compliance before shipment. Comtech’s also now requires end-user and location screening for all international returns from customers who acquired Comtech equipment indirectly.
d. Testing and Audit:
i. Respondent commits to ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, resources, and authority within the organization.
ii. Respondent commits to ensuring that it employs testing or audit procedures appropriate to the level and sophistication of its sanctions compliance program and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of Respondent’s OFAC- related risk assessment and internal controls.
iii. Respondent commits to ensuring that, upon learning of a confirmed negative testing result or audit finding pertaining to its sanctions compliance program, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
i. Respondent commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support Respondent’s sanctions compliance efforts.
ii. Respondent commits to providing OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
iii. Respondent commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile and, at a minimum, at least once a year to all relevant employees.
iv. Respondent commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its sanctions compliance program, it will take immediate and effective action to provide training to relevant personnel.
v. Respondent’s training program includes easily accessible resources and materials that are available to all applicable personnel.
vi. Specifically with respect to the conduct outlined above, Respondent is facilitating a number of training sessions tailored to senior management and line employees to enhance their understanding of OFAC’s requirements.
f. Annual Certification: On an annual basis, for a period of five years, starting from 180 days after the date the Agreement is executed, a senior-level executive or manager of Respondent will submit a certification confirming that Respondent has implemented and continued to maintain the sanctions compliance measures as committed above.
D. Should OFAC determine, in the reasonable exercise of its discretion, that Respondent appears to have materially breached its obligations or made any material misrepresentations under Subparagraph C (Compliance Commitments) above, OFAC shall provide written notice to Respondent of the alleged breach or misrepresentations and provide Respondent with 30 days from the date of Respondent’s receipt of such notice, or longer as determined by OFAC, to determine that no material breach or misrepresentations has occurred or that any breach or misrepresentation has been cured.
E. In the event OFAC determines that a material breach of, or misrepresentation in, this Agreement has occurred due to a failure to perform the Compliance Commitments, OFAC will provide notice to Respondent of its determination and whether OFAC is re-opening its investigation. The statute of limitations applying to the Apparent Violations shall be deemed tolled until a date 180 days following Respondent’s receipt of notice of OFAC’s determination that a breach of, or misrepresentation in, this Agreement has occurred.
Surprise, surprise – it lines up with the Framework document! I like that consistency.