When thinking about risk management strategies for your company in 2018, don’t forget about risks associated with U.S. sanctions compliance. The potential penalties violating U.S. sanctions are significant; in recent years, settlements between companies and the U.S. Treasury Department, Office of Foreign Assets Control (OFAC) have included penalties in the hundreds of millions of dollars. Ensuring that your compliance program adequately addresses risks under U.S. sanctions is critical to minimizing such penalties.
OFAC’s 2017 settlements provide valuable insight for companies across all industries regarding the agency’s priorities and highlight areas of potential risk that risk management and compliance professionals should consider when evaluating the adequacy of their compliance programs. The following are some key themes from OFAC’s published settlements in 2017 to consider when evaluating sanctions risks and reviewing and updating your compliance programs.
Does your compliance program address screening and due diligence related to counterparties and transactions?
A central element of any compliance program should be processes for screening counterparties and transactions to confirm that they do not involve persons or destinations subject to sanctions. Screening only the name of a particular counterparty might not be sufficient; screening should also identify and address whether individuals with whom you will deal are designated under U.S. sanctions and whether there are red flags that those individuals or the transaction are associated with sanctioned persons or destinations.
OFAC’s settlements underscore the importance of screening and conducting due diligence of counterparties and transactions. In July, OFAC published a penalty assessment in which it stated that there is no distinction in a designation between an individual’s personal and professional capacities and that entry by a U.S. person into a contract signed by a Specially Designated National (SDN) individual constitutes a prohibited dealing in the services of an SDN, even if the contract was signed by the SDN on behalf of a non-designated entity. To address the risk of providing a prohibited service to an SDN in such circumstances, companies should identify and screen individuals with whom they will deal and who will be signatories to contracts or other legal documents in addition to the entities with which they conduct business.
In addition, OFAC’s settlements indicated the importance that companies include in their screening any references to a sanctioned destination or any red flags that a transaction may involve a sanctioned destination.
Does your compliance program address risks associated with facilitation, evasion, and causing a violation of the sanctions?
Compliance programs should also address risks related to the prohibitions under U.S. sanctions on actions that evade or avoid the sanctions, that facilitate an activity that would be prohibited if performed in the United States or by a U.S. person, or that cause a violation of the sanctions. These prohibitions encompass a broad range of activities—some examples of prohibited facilitation cited in 2017 settlements include involvement in discussing, arranging and executing export transactions, and reviewing, approving and initiating payments by foreign subsidiaries to service providers located in sanctioned destinations. Examples in 2017 settlements of actions that implicate the prohibitions on evading, avoiding, or causing a violation of the sanctions include ordering goods specifically intended for a sanctioned destination and providing such goods to that sanctioned destination, despite language in relevant documents stating that the goods could not be provided to such destinations and obfuscating or misrepresenting conduct with respect to sanctioned destinations, including in connection with financial transactions denominated in U.S. dollars.
Companies should ensure that their compliance programs address the risks associated with these prohibitions, including the risk of personnel engaging in or assisting indirectly activities in which they cannot engage directly. For example, processes should address activities like referring inquiries received from individuals located in sanctioned destinations or conducting activities through a party in a third country where the ultimate recipient is in a sanctioned destination.
Does your compliance program address risks related to operations outside the United States or activities by non-U.S. subsidiaries of U.S. companies?
In certain circumstances, activities by companies located outside the United States, including non-U.S. subsidiaries of U.S. companies, may be subject to OFAC jurisdiction, even if they occur entirely outside of the United States. Five OFAC settlements in 2017 cited activities by non-U.S. subsidiaries of U.S. companies, and another seven involved activities by companies located outside the United States. Companies should ensure that their compliance programs address such risks.
Companies located outside the United States should be aware of any U.S. persons that they employ and ensure that their compliance programs reflect the prohibitions that apply to such persons in their individual capacity. Companies should ensure that U.S. persons are not involved in transactions involving sanctioned persons or destinations and do not engage in prohibited facilitation. Further, companies should be aware of other potential circumstances in which the United States may assert jurisdiction over a transaction, including, for example, the involvement of a U.S. bank at any point in the transaction.
Understand enforcement actions
OFAC’s enforcement actions can provide valuable insight for companies seeking to develop or update their compliance programs to ensure that they are effectively managing relevant risk areas. Reviewing and understanding enforcement actions can give companies insight into OFAC’s priorities and expectations and help them identify best practices and incorporate them into their processes and procedures related to sanctions compliance.
Megan Barnhill is a partner with Bryan Cave.