Is OFAC compliance really that important?
What is OFAC and Why Should I Care?
As a business, you are responsible for knowing who your customers are and whether or not they are on the OFAC list. OFAC is the Office of Foreign Assets Control, and it maintains a list of individuals and businesses that are sanctioned by the United States government. Sanctions can include anything from economic restrictions to a full travel ban. If you do business with someone or some entity or accept payment with a digital currency that is on the OFAC list, you could face heavy fines. So it’s important to check your customers against the list regularly to avoid any run-ins with the law.
You don’t want to get caught doing business with a sanctioned entity: first, you don’t want to aid the enemy, and second, you don’t want to pay the hefty fines that might be levied against you. How big are the fines, you may ask? We did a quick check of the fines levied in 2022. The smallest fine we saw was over $45,000, and it was levied on a very small company with annual revenue of less than $150,000! Furthermore, this company was making reasonable efforts to check its customers against the prevailing lists but made some mistakes. A fine resulted.
This Blog will be divided into Two Parts
This subject is both complex and timely. We considered editing this blog down but decided this would be the rare candidate to post in a two-part series. In Part 1 we will focus on who needs to comply and what it takes to write a Sanctions Compliance Program (SCP). In Part 2, we will finish up by discussing the SCP, the different types of violations, how fines are structured, and how you should respond to notices.
Who Needs to Comply with OFAC?
Who must comply with OFAC regulations? According to the US Treasury, “all U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent resident aliens regardless of where they are located, all persons and entities within the United States, all U.S. incorporated entities and their foreign branches.”
This may be one of the best-kept secrets of the US government! But if you ignore this requirement the fines can be astronomical. If you do comply you may still get fined, but an honest effort gets you a big reduction in fines. But they can still be very large.
You will Need a Sanctions Compliance Program
In order to mitigate the possibility of very large fines, you must create a documented Sanctions Compliance Program or “SCP.” Having such a plan in place and following the plan goes a long way in preventing being fined in the first place. And if you still have an infraction despite trying to prevent it, having an SCP that you can show to the US Treasury investigators will go a long way to either get the fine waived altogether or at least to get the fine reduced.
An SCP has five (5) sections at a minimum. Feel free to add additional sections to fit your situation. This is a quote from the US Treasury’s own Framework for OFAC Compliance Commitment:
“OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP). While each risk-based SCP will vary depending on a variety of factors—including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations—each program should be predicated on and incorporate at least five essential components of compliance:”
- Senior Management Commitment
- Risk Assessment
- Internal Controls
- Testing Processes
- How you Periodically Train your Staff
We could not state that better. But now let’s look at each of those five sections and provide a little more content.
Senior Management Commitment
The US Treasury regards this as one of the most important aspects of the SCP. But this cannot just be a bunch of nice-sounding words in a document that you pull out and show an investigator should the unthinkable happen. This has to be a real commitment that you and your company adhere to on a daily basis.
You must show that all of your senior managers have read and approved the SCP. You can put this into an Executive Summary at the start of the document. Each of the senior managers should sign this, along with their names and titles. We suggest keeping the Executive Summary current. That is, provide a new Executive Summary each year and whenever there is turnover in senior management.
Designate some of your senior management to head up your OFAC risk reduction effort. Designate someone to be your OFAC Sanctions Compliance Officer. The OFAC Sanctions Compliance Officer should also have a deputy who is fully capable of fulfilling that position when the OFAC Sanctions Compliance Officer is not available. Whomever you designate, those people cannot hold those titles in name only. They must stay on top of the actual risk reduction efforts, and they must be able to clearly explain those efforts to a US Treasury investigator if and when the time comes to do so. In fact, the US Treasury describes the OFAC Sanctions Compliance Officer in these terms:
- The technical knowledge and expertise of this personnel with respect to OFAC’s regulations, processes, and actions.
- The ability of this personnel to understand complex financial and commercial activities, apply their knowledge of OFAC to these items, and identify OFAC-related issues, risks, and prohibited activities.
- The efforts to ensure that personnel dedicated to the SCP have sufficient experience and an appropriate position within the organization are an integral component of the organization’s success.
The SCP should also describe your information technology software and related systems that will provide the ability to enforce OFAC-risk controls.
The SCP should explain the lines of authority between the OFAC Sanctions Compliance Officer and anyone who takes part in any portion of your business that is subject to risk. For example, anyone in your organization that adds or maintains customer lists must have a documented method of checking such customers against a current OFAC SDN and SSI list. We will talk about the process of making those checks later in this blog in the section labeled Internal Controls.
Your SCP should explain how your senior management fosters a “culture of compliance” throughout your organization. Assume that anytime a US Treasury investigator comes into your organization, anyone involved with your processes could be questioned. The more clearly your staff can explain your strategies for controlling risk, the better off you are.
Risk Assessment
This is a direct quote from the US Treasury’s A Framework for OFAC Compliance Commitments:
“Risks in sanctions compliance are potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations and negatively affect an organization’s reputation and business. OFAC recommends that organizations take a risk-based approach when designing or updating an SCP. One of the central tenets of this approach is for organizations to conduct a routine, and if appropriate, ongoing “risk assessment” for the purposes of identifying potential OFAC issues they are likely to encounter. As described in detail below, the results of a risk assessment are integral in informing the SCP’s policies, procedures, internal controls, and training in order to mitigate such risks.”
According to the US Treasury, there isn’t a One Size Fits All method for assessing risk. Different businesses will interact with sanctioned entities in different ways. Consider the following entities that can be sanctioned:
- Digital Currency
- Geographic Areas
Furthermore, the US Treasury has this to say about how to address the subject of risk assessment within the SCP: “the exercise should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world. This process allows the organization to identify potential areas in which it may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions. For example, an organization’s SCP may conduct an assessment of the following:
- Customers, supply chain, intermediaries, and counterparties
- The products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems
- The geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counterparties. Risk assessments and sanctions-related due diligence are also important during mergers and acquisitions, particularly in scenarios involving non-U.S. companies or corporations.”
Assessing risk is not trivial. Consider a hypothetical business transaction with a foreign business. The transaction will involve individuals and businesses. But it also may involve vessels and/or aircraft. And if the payment is being made by digital currency, well those will also have to be checked.
Let’s consider individuals with whom you are doing business. It is very common for sanctioned individuals to use aliases in an attempt to thwart detection of their sanctions. Sometimes the spelling of a name is varied in an attempt to avoid detection by a simple data search. Matching on a name alone may not be sufficient, since many different people may share the same name. Sanctioned people may hold multiple passports, use a variety of dates of birth, declare different citizenships, and use a variety of titles. All of this is intended to prevent detection. But you are still on the hook, so beware.
There are other considerations. Sometimes the individual, business, vessel, or aircraft has not been sanctioned directly, but they are from a country or region where US affiliated businesses have been prohibited from doing business. Doing business with them is going to be problematic.
Last but not least is digital currency. This is a relatively new problem. In the old days, payments went through banks and other financial institutions. The banks and financial institutions were also on the hook to verify that the entity with which you were doing business was not sanctioned and that the transaction was therefore legal. But now much of this can be bypassed with less regulated digital currency. Before you accept such payments, you will have to make sure that the Digital Currency Address is not an address listed by OFAC. Conducting a business transaction using any of these listed digital currency addresses is not legal.
It is of utmost importance that your SCP clearly identifies how you will perform assessments of “specific clients, products, services, and geographic locations in order to determine potential OFAC sanctions risk.” Please refer to Appendix A of 31 C.F.R. Part 501. This document provides an OFAC Risk Matrix that can be used to evaluate your own compliance program. A copy of this from the US Government is readily available online. However, you may find an alternate version published by the Cornell Law School to be far more readable. The link to this document is:
Internal Controls
According to the “Framework for OFAC Compliance Commitments” available from the US Treasury Department (https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf), “An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the organization’s risk assessments. Policies and procedures should be enforced, weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated, and internal and/or external audits and assessments of the program should be conducted on a periodic basis.”
Because of the nature of US trade, the SCP must be a living document that can be updated as the nature of trade changes. Consider formatting your SCP with attachments that cover the areas that are likely to change frequently.
Your Sanctions Compliance Program will include policies and procedures for:
- Internal controls including policies and procedures used to check individuals and entities against the various OFAC sanctions lists.
- Descriptions of your recordkeeping pertaining to your business dealings with all individuals and entities.
- Descriptions of how you will report any activity that is prohibited by sanctions programs administered by OFAC.
Your SCP should clearly outline the procedures and processes you will use to minimize risks. The procedures should include details of how you will report, and especially self-report, violations. They should also describe how you will enforce adherence to these policies.
Any known weaknesses should be identified including how the weaknesses will be mitigated and corrected. According to the US Treasury Department “A Framework for OFAC Compliance Commitments,” the following should be included in the SCP:
- The organization has designed and implemented written policies and procedures outlining the SCP. These policies and procedures are relevant to the organization, capture the organization’s day-to-day operations and procedures, are easy to follow, and are designed to prevent employees from engaging in misconduct.
- The organization has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable the organization to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activities that may be prohibited by OFAC. To the extent information technology solutions factor into the organization’s internal controls, the organization has selected and calibrated the solutions in a manner that is appropriate to address the organization’s risk profile and compliance needs, and the organization routinely tests the solutions to ensure effectiveness.
- The organization enforces the policies and procedures it implements as part of its OFAC compliance internal controls through internal and/or external audits.
- The organization ensures that its OFAC-related recordkeeping policies and procedures adequately account for its requirements pursuant to the sanctions programs administered by OFAC.
- The organization ensures that, upon learning of a weakness in its internal controls pertaining to OFAC compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
- The organization has clearly communicated the SCP’s policies and procedures to all relevant staff, including personnel within the SCP program, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing SCP responsibilities on behalf of the organization.
- The organization has appointed personnel for integrating the SCP’s policies and procedures into the daily operations of the company or corporation. This process includes consultations with relevant business units and confirms the organization’s employees understand the policies and procedures.
Your SCP will focus on the following as source documents for determining if entities with which you do business or are considering doing business are in fact sanctioned entities. The primary source for this data includes:
- OFAC’s List of Specially Designated Nationals and Blocked Persons referred to as the “SDN List”
- OFAC’s Sectoral Sanctions Identification List, referred to as the “SSI List.” This list is also included as part of the Consolidated Sanctions List.
- A list of other sanctions programs can be found at:
These data sources contain a great deal of information. Unfortunately, the data is not laid out so that it can simply be searched to determine whether a sanction is in place. Take, for example, the information about sanctioned individuals. A single record for an individual as received from OFAC frequently contains far more than just a name, date of birth, passport number, and the like. The additional information is often compressed into a single “Remarks” column. This additional data includes, but is not limited to, the following:
- Any number of aliases and nicknames
- Multiple dates of birth that have been known to be used by the individual
- Multiple places of birth that have been known to be used by the individual
- Multiple passport numbers including issuing countries used by the individual
- Multiple passports and other identification numbers
- Multiple citizenships claimed by the individual
- Multiple titles claimed by the individual
- Multiple Digital Currency Addresses used by the individual
- Any number of Secondary Sanctions related to the individual
- Any number of other entities to which the individual is linked but may or may not have a legal relationship with the entity.
This can be further exacerbated by the fact that alternate spellings can be used. For example, some known examples are spelling Cuba as Kuba or Havana as Habana. But you are still on the hook for identifying the applicable sanctions.
Checking individuals and other entities against the lists published by OFAC is a core requirement. If you do not have a high volume of checks to be made you can do a manual search, but we do not recommend doing so. There are too many permutations as listed above and it is just too easy to miss a data match. There are two sites that are available without charge from which to make fundamental checks:
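To make the alias and spelling problem above concrete, here is an added example (not part of the original post, and not code from OFAC or Protect with TARGE) that parses constructed SDN-style records, pulls aliases and digital currency addresses out of a “Remarks” field, and screens customer names with token-order-insensitive fuzzy matching. The records, names, threshold and wallet address are all made up for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed SDN-style sample records (NOT real OFAC data). As on the real list,
# aliases, alternate dates of birth and wallet addresses are packed into "remarks".
RECORDS = [
    {"name": "DOE, John",
     "remarks": "DOB 01 Jan 1970; alt. DOB 02 Feb 1972; a.k.a. 'JOHNNY DOE'; "
                "a.k.a. 'DOE, Jon'; Passport X123 (Cuba); "
                "Digital Currency Address - XBT 1ExampleBtcAddr000000000000000000"},
    {"name": "ACME TRADING CO.", "remarks": "a.k.a. 'ACME TRADE'; Havana, Cuba"},
]

# Generic corporate suffixes carry no identity; drop them before comparing.
CORP_SUFFIXES = {"CO", "COMPANY", "CORP", "INC", "LTD", "LLC", "SA"}
AKA_RE = re.compile(r"a\.k\.a\.\s+'([^']+)'", re.IGNORECASE)
DCA_RE = re.compile(r"Digital Currency Address - (\w+) ([^;\s]+)")

def normalize(name):
    """Strip accents and punctuation, upper-case, drop corporate suffixes and
    sort the tokens, so 'DOE, John' and 'John Doe' compare as equal."""
    plain = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^A-Za-z0-9 ]+", " ", plain).upper().split()
    return " ".join(sorted(t for t in tokens if t not in CORP_SUFFIXES))

def aliases(record):
    """Primary name plus every a.k.a. entry found in the remarks field."""
    return [record["name"]] + AKA_RE.findall(record["remarks"])

def digital_addresses(record):
    """(currency, address) pairs listed in the remarks field."""
    return DCA_RE.findall(record["remarks"])

def similarity(a, b):
    """0..1 ratio on normalized names; tolerates Jon/John-style variants."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(query, records=RECORDS, threshold=0.85):
    """Return [(listed name, matched alias or address, score)] for each record
    the query may refer to. Wallet addresses must match exactly (case matters)."""
    hits = []
    for rec in records:
        for _currency, addr in digital_addresses(rec):
            if query.strip() == addr:
                hits.append((rec["name"], addr, 1.0))
        best = max(((similarity(query, a), a) for a in aliases(rec)), default=(0, ""))
        if best[0] >= threshold:
            hits.append((rec["name"], best[1], round(best[0], 3)))
    return hits

if __name__ == "__main__":
    for customer in ["Jon Doe", "Acme Trade Company", "Jane Smith",
                     "1ExampleBtcAddr000000000000000000"]:
        print(customer, "->", screen(customer) or "no match")
```

Anything returned by screen() is a candidate for manual review against the full record (dates of birth, passports, citizenship), not an automatic block; the threshold trades false positives against missed variants and should be tuned on your own customer data.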
The first is OFAC’s own “Sanctions List Search.” This can be accessed at:
Protect with TARGE also has a basic site that may be used without charge. The advantage of using this site is that the search form is simpler and allows you to quickly enter multiple names of individuals. It also provides a printed report of all of the names that have been entered and the search results. The printed reports are in PDF format, which allows you to save them and/or print them for later reference.
Both sites do a good job of checking primary names as well as all of the known aliases and nicknames. Both sites will also search on partial names; however, the Protect with TARGE site has an advantage in that it allows partial names for both given names and surnames. It also uses more advanced queries that do a better job of finding matches even when the spellings are not exactly the same.
Although using the Protect with TARGE site is free, you will have to apply for an account. The process is simple and quick. You can find the application HERE:
Depending on your needs you may want to consider other versions of the Protect with TARGE OFAC Sanctions Investigator that have even greater functionality. These more advanced versions can help reduce the work required to perform the requisite due diligence necessary to stay in compliance with OFAC.
The subject of sanctions, and of the penalties levied for violating them, is a highly complex topic. Protecting against a violation involves a dedicated effort by senior management, lawyers, and accountants. Sanctions have been talked about a lot in the news these days, but very little gets said about how to avoid violating one or more of them. Whatever your course of action, it is imperative that you know your customer base and how well you determine whether any of your customers are subject to any of the prevailing sanctions.
Please contact us if you would like to know more about vetting your customers against the many sanction lists published by OFAC.