From 2019 to 2020, Office of Foreign Assets Control (OFAC), the financial intelligence and enforcement agency of the U.S. Treasury Department, pursued multiple enforcement actions. Just sixteen percent of those actions related to financial institutions, most were against Multinational Corporations (MNCs). This was a wake-up call for corporate risk and compliance departments everywhere who had thought cross-border sanctions list was something only banks had to worry about.
They should have seen it coming. Sanctions have steadily moved from the periphery of MNC risk to its center. A watershed moment in this shift was the publishing of “A Framework for OFAC Compliance Commitments” by OFAC in 2019. This framework comprehensively defines OFAC’s perspective on the essential components of a sanctions compliance program for companies across the corporate spectrum, especially Multinationals, who, by the nature of their business models, face more significant risk. This framework applies to any company subject to U.S. jurisdiction and any foreign entities that conduct business in or with the United States or U.S. persons or use U.S. origin goods or services.
The uncertain certainty
Multinationals worldwide have long operated on the premise that so long as they avoided certain jurisdictions and lines of businesses, sanctions were not a part of their risk and compliance strategies. They now need to prepare for an uncertain future as adaptive sanctioned actors spread their operations to new geographies and sectors where their activities can intersect with global value chain MNCs.
What is certain is that the U.S. government is aggressively pursuing enforcement action and that sanctions will become a primary lever in U.S. foreign policy. Allied to this apparent reality is the U.S. government’s expectation that multinational corporations worldwide need to implement robust and effective compliance programs that protect U.S. institutions and systems from abuse. Companies to whom OFAC’s framework applies need to take preventative measures now. Having a robust updated sanctions compliance program is the absolute minimum action item for MNCs. OFAC has made it clear that it will link the severity of penalties to the existence of such programs and an MNC’s commitment to it.
Designing an effective Sanctions Compliance Program (SCP)
OFAC’s framework lays out five clear pieces that need to be put together to make an effective compliance program:
- Management commitment: Senior management from CXO’s to the board level needs to own the sanctions compliance program. This means they need to discuss, review, and approve the SCP, ensure it’s funded and resourced, and that there is governance around measuring its effectiveness.
- Risk assessment: A complete “vulnerability audit” of the entire organization and functions must be undertaken to identify any existing violations and systematic weaknesses. The risk assessment needs to go beyond geography and cover products and services, customers and clients, supply chain, and all related intermediaries, parties, and transactions.
- Internal controls: Policies, procedures, and documentation controls need to be in place to ensure SCP is effective. Clear communication is a part of internal control. This means internally, and externally all stakeholders must be clear about the policies and procedures in place.
- Testing and Auditing: The governance of SCP should be robust and capable. It should involve internal and external auditors, and any infractions identified need to be dealt with comprehensive root cause analysis and remedial actions taken to ensure it isn’t repeated.
- Training: All human capital related to SCP needs to be annually trained and should have access to resources that allow them to perform their duties excellently.
Organizations need to personalize their program based on their sector, strategy, and exposure because of customers, alliances and third-party interactions, and their geographies.
Prevent, not repent
The U.S. government’s focus on corporate compliance with sanctions has grown proportionately in the last couple of years, and that pace is set to continue. With penalties that can go up to millions of dollars and up to thirty years imprisonment for violators, the stakes are real. Even beyond that, the damage through reputation and loss of brand equity is significant, as are the costs for complying with OFAC’s rehabilitation plan. Smart play is a preventative posture that includes an effective Sanctions Compliance Program augmented by the right technology tools and partnerships. This is a point that is emphasized by the OFAC Framework. The Specially Designated Nationals and Blocked Persons List (SDN list) is rightly famous as the major list companies need to be aware of to avoid doing business with illicit parties. However, OFAC has eight other lists, and its programs and lists are dynamic. Thus, robust, accurate screening capability backed by real-time business intelligence becomes key to making MNC Sanctions Compliance Program proactive and effective.