Sanctions compliance program failures have risen to the top of the risk agenda over the last decade, becoming one of the most significant risks for any business operating in multiple jurisdictions. The expanded sanctions imposed against Russia in 2022 emphasized this, with businesses across all sectors evaluating sanctions risk and compliance.
Once only a real concern for regulated financial institutions, the proliferation of enforcement action, particularly by the Office of Foreign Assets Control (OFAC), has forced all businesses, regardless of sector, to consider the adequacy of their sanctions compliance programs.
Typical Root-Causes for Sanctions Compliance Program Failures
Lack of a Formal OFAC Sanction Compliance Program SCP
OFAC encourages organizations subject to U.S. jurisdiction (including but not limited to those entities that conduct business in, with, or through the United States or involving U.S. origin goods, services, or technology), and particularly those that engage in international trade or transactions or possess any clients or counter-parties located outside of the United States, to adopt a formal SCP.
OFAC has finalized numerous civil monetary penalties since publicizing the Guidelines in which the subject person’s lack of an SCP was one of the root causes of the sanction violations identified during the investigation. In addition, OFAC frequently identified this element as an aggravating factor in its analysis of the General Factors associated with such administrative actions.
Misinterpreting, or Failing to Understand the Applicability of, OFAC’s Regulations
Numerous organizations have committed sanctions violations by misinterpreting OFAC’s regulations, particularly in instances in which the subject person determined the transaction, dealing, or activity at issue was either not prohibited or did not apply to their organization or operations. For example, several organizations have failed to appreciate or consider (or, in some instances, actively disregarded) the fact that OFAC sanctions applied to their organization based on their status as a U.S. person, a U.S.-owned or controlled subsidiary (in Cuba and Iran programs), or dealings in or with U.S. persons, the U.S. financial system, or U.S.-origin goods and technology.
Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates)
Multiple organizations subject to U.S. jurisdiction specifically those with foreign-based operations and subsidiaries located outside of the United States have engaged in transactions or activity that violated OFAC’s regulations by referring business opportunities to, approving, or 10 signing off on transactions conducted by, or otherwise facilitating dealings between their organization’s non-U.S. locations and OFAC-sanctioned countries, regions, or persons. In many instances, the root cause of these violations stems from a misinterpretation or misunderstanding of OFAC’s regulations.
Companies and corporations with integrated operations, particularly those involving or requiring participation by their U.S.-based headquarters, locations, or personnel, should ensure any activities they engage in (i.e., approvals, contracts, procurement, etc.) are compliant with OFAC’s regulations.
Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC Sanctioned Persons or Countries
Non-U.S. persons have repeatedly purchased U.S.-origin goods with the specific intent of re-exporting, transferring, or selling the items to a person, country, or region subject to OFAC sanctions. In several instances, this activity occurred despite warning signs that U.S. economic sanctions laws prohibited the activity, including contractual language expressly prohibiting any such dealings.
Compliance programs for sanctions should be risk-based and proportionate. What applies to one organization may not apply to another, and enforcement agencies have noted that an adequate compliance program will rely heavily on factors unique to each organization (including their products, customers and nature of their business). This concept appears to be shared by all regulators and enforcement agencies.