When creating or enhancing a U.S. economic sanctions compliance program, businesses will typically refer to certain published guidance from the U.S. Government that may include the U.S. Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) A Framework for OFAC Compliance (“Compliance Framework”), the U.S. Department of Justice’s Evaluation of Corporate Compliance Programs (Updated June 2020), and/or the U.S. Federal Sentencing Guidelines for Organizations’ section 8B2.1’s Effective Compliance and Ethics Programs. However, while these publications may serve as helpful high-level outlines to follow, they don’t provide specific guidance for businesses based on their respective size, industry, customer-base, supply chain, products and services, or other operational idiosyncrasies.

With the countless varieties of potential sanctions risks in existence, the ever-changing laws and regulations, and the evolving nature of third-party compliance software and services, it would be a monumental feat to create an “off the shelf” sanctions compliance program. The risk profiles of a cryptocurrency exchange, an international shipping and logistics company, and a U.S. lobbying firm are going to be very different from one another. As OFAC cautions in its Compliance Framework, there is indeed no “one-size-fits all” risk assessment. Once a business does undergo its own sanctions risk assessment, it must then also concern itself with tailoring and implementing internal controls specific to mitigating all its identified risks.

While customizing relevant sanctions compliance controls, one major difficulty faced by businesses is determining what specific control(s) to implement for each risk area. For example, questions that businesses’ compliance professionals may be asking themselves once they’ve conducted a risk assessment include: “how should we manage sanctions-related training?”; “how should we prevent diversion of exported goods and services to prohibited end-users and destinations?”; “how should we calibrate our third-party screening tool?” Unfortunately, answering such questions can feel like a guessing game, as OFAC is unlikely to provide anyone with a specific answer (and who can blame them?).

As a result, compliance professionals attempt to benchmark for the right answer by: (1) relying on their own personal experiences in dealing with other businesses’ compliance programs; (2) conferring with other experienced compliance professionals in their network; and/or (3) retaining the services of external professionals who can provide insight based on their experiences in supporting other similar businesses’ compliance programs. However, OFAC’s published civil enforcement actions are another valuable resource often overlooked for benchmarking purposes.

OFAC has been publishing certain civil penalty enforcement information since 2003, when it amended its own regulations to do so (See 31 C.F.R. § 501.805(d)). What started as periodically published spreadsheets with very limited amounts of information related to persons subject to civil enforcement actions, has since evolved into individualized enforcement action publications providing many useful compliance data points. Specifically, as of 2018 OFAC has regularly detailed the lessons to be learned from a respective enforcement action, while also including comprehensive details on the subject’s specific compliance failures and corresponding remedial measures implemented.

These additional data points can provide sanctions compliance professionals with more than 4 years of useful compliance information. Here are a just a few hypothetical scenarios to help illustrate their utility in benchmarking, even across industries:

Example 1: Use of IP Blocking Controls

            Based on your most recent risk assessment you identify that your internet-based business operations are susceptible to the inadvertent supply of services to comprehensively sanctioned and embargoed countries/regions such as Iran, North Korea, Cuba, Syria, and the Crimea region, even though your company prohibits dealings with these destinations as a matter of policy. Sifting through OFAC’s prior enforcement actions you will be able to identify similar compliance gaps that facilitated numerous apparent violations, and how IP screening and blocking controls were implemented as a remediating measure to help identify sanctioned countries/regions moving forward. Several such actions involved digital currency and payment service providers (See e.g., BitPay, Inc. (2021); Payoneer Inc. (2021)), and businesses operating in various other industries (See e.g., Airbnb Payments (2022); SAP SE (2021)).

Example 2: Anti-Diversion Controls

            Your business engages in the leasing of aircraft engines, and is unclear what compliance measures it should put in place after the point-of-sale, if any. In OFAC’s enforcement action against Apollo Aviation Group, LLC, the company was alleged to have violated the now rescinded Sudanese Sanctions Regulations when it initially leased certain aircraft engines to a U.A.E. entity that were then subleased to a Ukrainian airline, who later installed them on an aircraft it had wet leased to then sanctioned Sudan Airways. Although Apollo’s lease agreements with the U.A.E. entity included a U.S. sanctions compliance clause, OFAC reprimanded Apollo for not having obtained a U.S. law export compliance certificate from lessees and any sub-lessees during the lease term, and found that it had otherwise failed to monitor/verify adherence to the compliance clause. Nevertheless, OFAC noted that Apollo had remediated the underlying compliance issue, in part, by obtaining U.S. law export compliance certificates both from lessees and any sub-lessees moving forward.  

            There are countless other sanctions compliance risk and control parallels that can be drawn from OFAC’s published enforcement history. Although it may feel impossible to be able to identify the perfect controls and live in a risk free (sanctions) world, reference to such history can be a very useful benchmarking tool.

The author of this blog post is Kian Meshkat, an attorney specializing in U.S. economic sanctions and export controls matters. If you have any questions please contact him at 202-440-2591 or meshkat@falawpc.com.

The post Benchmarking Sanctions Compliance Programs with the Help of Prior OFAC Enforcement Actions appeared first on .