The Treasury Department’s Office of Foreign Assets Control (OFAC) and the U.S. Department of Justice’s (DOJ) Criminal Division both recently reinforced their expectations for companies to maintain robust risk-based compliance programs to uphold sanctions and curtail corporate crime, respectively. Every board member, senior executive, compliance officer, and chief audit executive of organizations operating in or through the United States needs to understand these agencies’ expectations under two new releases: OFAC’s “A Framework for OFAC Compliance Commitments”1 and the DOJ’s “Evaluation of Corporate Compliance Programs.”2 The documents intersect to provide critical guidance for ensuring that organizations implement sustainable compliance programs.
Organizations should proactively identify areas in their programs that require enhancement and commit to operationalizing the elements enumerated in the OFAC and DOJ documents. For their programs to succeed, risk-based training of employees in an organization’s first, second, and third lines of defense is critical to establish clear roles and obligations. There are commonalities between the two documents that are worth noting, since organizations subject to the OFAC document will likely be subject to the DOJ document, and vice versa. Also, enforcement activity by OFAC and the DOJ could be individual or concurrent, so the importance of understanding both agencies’ expectations cannot be overstated.
Office of Foreign Assets Control
While there is currently no statutory requirement for a sanctions compliance program, OFAC, bank supervisors, and the DOJ have long expected organizations to have programs in place to mitigate sanctions risk. Up to this point, regulatory expectations have been carried out through enforcement activity and the Bank Secrecy Act/Anti-Money Laundering Examination Manual3 adopted by federal banking supervisors.4 OFAC’s recent release reiterates regulatory expectations, alerts organizations to historically observed violations, and encourages them to utilize its framework to enhance their programs.
Sanctions have long been part of the U.S. government’s foreign policy. Understanding their importance to foreign policy is key to ensuring that boards and senior management appreciate the urgency of implementing an effective risk-based and sustainable sanctions compliance program. The OFAC document makes clear which components are expected in such programs. These components should not come as a surprise to anyone, since they are the foundational elements of every sanctions compliance program. Yet organizations continue to miss the mark in the implementation and oversight of sustainable programs.
Department of Justice, Criminal Division
The DOJ’s recent release is an update to a prior release. As background, in 1991 the U.S. Sentencing Commission issued Chapter 8 of the Organizational Sentencing Guidelines, which set forth the elements of an effective compliance program.5 These guidelines established the baseline framework for corporate compliance programs, including elements ranging from a risk assessment to independent auditing. The sentencing guidelines further outlined fines and penalties for not maintaining an effective compliance program. The U.S. Supreme Court struck down the guidelines’ mandatory sentencing aspects. However, the guidelines continue to be leveraged by federal prosecutors and judges. The DOJ subsequently issued further guidance for prosecuting corporations.
The recently issued DOJ document provides more color as to the specific areas that a compliance program should cover in order for it to be considered effective. The guidelines pose three fundamental questions that prosecutors should consider in evaluating a company’s compliance program:
1.Is the corporation’s compliance program well-designed?
2.Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
3.Does the corporation’s compliance program work in practice?
The DOJ document contains detailed topics to consider in the development of compliance programs. The topics are common framework elements that should be familiar to every board member, senior executive, compliance officer, and audit executive. These individuals in every type of organization—regulated and unregulated, for-profit and not-for-profit—should become familiar with the DOJ document and ensure that their compliance programs, no matter the type of risk they face, consider each topic outlined in the guidance. The document is a blueprint for every compliance program to the extent that each topic is applicable to the specific risks of the organization. The measurement resides in whether or not the compliance program is well-designed and sustained.
Commonalities in the OFAC and DOJ Documents
Compliance programs should be rooted in robust risk assessments, which should be dynamic documents driving a solid system of internal controls. Both the OFAC and DOJ recognize risk assessments as the foundational element of an effective compliance program. Both agencies’ documents prescribe similar, familiar program expectations (with some important nuances), including the following:
•Management Oversight and Commitment
•Compliance Officer (with authority and direct access to senior management and board)
•Policies and Procedures
•Testing and Auditing
•Tools and Automation
Since the DOJ document is broader, in that it applies to all organizations and contains additional expectations, those organizations with sanctions risk should undertake a gap analysis of their compliance programs against both documents.
How Treliant Can Help
Treliant’s subject matter experts have extensive corporate and sanctions compliance expertise derived from their experience as former in-house compliance, audit, investigations, and operations executives. We have partnered with organizations as consultants and acted as independent consultants and monitors for bank supervisors and law enforcement authorities. Our expertise covers every element of compliance program frameworks, including, but not limited to, risk assessment design and methodology, sanctions screening tools and investigations, and independent audits. We conduct compliance program rapid assessments, gap analysis, and deep dives to help organizations ensure that their programs meet regulatory and law enforcement expectations.
4 While OFAC regulations are not part of the U.S. Bank Secrecy Act, the core sections include pillars of an OFAC compliance program and overview and examination procedures for examining a bank’s policies, procedures, and processes for ensuring compliance with OFAC regulations.