6 Rules to Build OFAC Compliance into Your Third-Party Risk Management
Firms that do business with people or companies outside the United States must comply with OFAC regulations connected to sanctions and embargoes.
To be compliant, you need to create policies and procedures for your staff to follow. They need to be customized to the type of business you run, the types of products and services you sell, and the countries in which your customers, suppliers, vendors, and outsourcing partners are based.
In this article, we cover:
- What OFAC compliance is
- Which companies are most vulnerable to non-compliance
- Why OFAC compliance is critical
- How to establish your own internal sanctions compliance program
- What happens when things go wrong
What Is OFAC Compliance?
Part of the U.S. Department of Treasury, the Office of Foreign Assets Control (OFAC) is the responsible body for administering and enforcing economic and trade sanctions. They work with government agencies and international organizations to identify individuals, entities, and countries that pose a threat to U.S. interests.
OFAC’s sanctions programs target individuals and entities suspected of involvement in activities like corruption, human rights abuses, weapons proliferation, people and narcotics trafficking, and terrorism.
Foreign countries are not officially targeted by U.S. sanctions. But where the U.S. has a serious disagreement with a particular country, individuals and entities from that country are often targeted. For example, there are severe restrictions on dealing with individuals and companies from North Korea for their part in the proliferation of weapons of mass destruction.
To be OFAC compliant, you must not engage in any business activity with an individual or entity subject to economic sanctions. Otherwise, you face significant penalties and reputational damage.
Which Companies Need Their Own OFAC Compliance Program?
Any U.S. company or U.S. person trading with overseas businesses or people needs a compliance program. That’s whether you purchase from them or they purchase for you.
Certain firms, especially financial services companies, are more vulnerable than others. As a result, they have to perform additional anti-money laundering (AML) checks. Technology companies, insurance companies, and shipping and logistics providers are also at risk.
Financial institutions like banks also must comply with the Bank Secrecy Act. This places additional responsibilities on them over and above OFAC requirements.
Why OFAC Compliance Is Critical
The U.S. government considers sanctions non-compliance a threat to national security and U.S. foreign policy.
If you deal with sanctioned individuals in certain geographic locations, like Iran and Cuba, expect the full force of the government to come down on you. The penalties for doing business with people or entities subject to U.S. sanctions can run into billions of dollars. Financial transactions with parties on OFAC’s sanctions list may also attract criminal and civil penalties.
Depending on the severity of the offense, you may be subject to prison time.
Establishing Your Own Internal Sanctions Compliance Program
Your sanctions compliance program should be fully aligned with your company, its line of business, and the geographic locations of your customers and suppliers.
For the program to be effective, follow the six rules below.
1. Get Management Commitment
The impetus for OFAC compliance must come from the very top of your business.
That’s because compliance requires an ongoing commitment to invest in:
- A designated compliance officer: They’re responsible for overseeing the compliance program, providing compliance training and resources to employees, and ensuring that policies and procedures are kept up-to-date and effective. They also regularly report back to the C-suite, senior management, and procurement leaders.
- Database subscriptions: You’ll need to subscribe to six OFAC lists. Specifically, the specially designated national list (SDN list), the politically exposed people (PEP) list, the blocked persons list, the Non-SDN Consolidated Sanctions List, the Foreign Sanctions Evaders List, and the Sectoral Sanctions Identifications List. OFAC provides these lists for free, but they’re not always up to date. Consider also subscribing to paid-for sanction database services from providers like Dun & Bradstreet, Dow Jones Risk Database, and U.S. Bancorp.
- Software: Compliance makes the work of sourcing/category management and procurement/payment teams more complicated. Consider investing in risk management or GRC software/plug-ins to help your team monitor supplier and vendor activity so they can flag real-time issues when they arise.
2. Carry Out an Organizational Risk Assessment
Start by carrying out a risk assessment to discover where your business may be at risk of potential OFAC violations.
Reassess every individual and entity you do business with — paying specific attention to their geographic location, what you buy and sell to each other, and how you pay each other. Run them against the databases listed above.
3. Create Customized Policies and Procedures
Create policies and procedures to reduce the level of risk your business is exposed to.
Consider how rigorous the due diligence procedure you use should be for customers and suppliers prior to the initial transaction. Check regularly for changes in ultimate beneficial ownership to overseas entities and their subsidiaries that pose a higher risk.
Also, create a procedure for how and when you report potential violations like a prohibited transaction to OFAC.
4. Train Your Staff
You’ll need to train your staff on how to meet OFAC obligations. Clearly communicate your internal policies and procedures to employees in training. Educate them on how to use tools like the SDN list and the software platform you use to monitor compliance on an ongoing basis.
Monitor how well managers and their staff who are responsible for adhering to policies and procedures are performing. Offer top-up training where necessary. Re-train staff on a regular basis, especially when there are significant changes to sanctions policies, embargo regulations, or company policies.
5. Review and Stress Test Your Procedures
You should review regularly the level of risk you’re willing to accept to reflect changes to OFAC regulations or your business activities.
Where possible, run regular sanctions compliance program test exercises to ensure that it’s effective in identifying potential OFAC regulations violations. Stress test screening processes and review transaction records again to look for potential violations. When you do find issues, implement actions to correct them as soon as possible.
6. Respond to Potential Violations
OFAC compliance is difficult to manage. It’s possible to make mistakes, even with robust policies and procedures in place. When you suspect a potential violation, you need a response plan.
You should conduct an internal investigation when one occurs and report them to OFAC without delay. Take steps to understand how the violation took place and take remedial steps to mitigate the risk of them happening again. You should document all actions you take when a violation is discovered and involve senior management or legal counsel without delay.
When OFAC Compliance Goes Wrong
When OFAC compliance goes wrong, the financial cost can be eye-watering. Here are three examples:
- Standard Chartered Bank, 2019: Standard Chartered Bank agreed to pay $639 million in fines to settle allegations that it violated U.S. sanctions against Iran, Sudan, Cuba, Syria, Zimbabwe, and Burma. OFAC was accused of processing thousands of transactions worth billions of dollars despite knowing they were prohibited.
- ZTE Corporation, 2017: Chinese telecommunications company ZTE Corporation agreed to pay $1.19bn for shipping U.S.-made equipment to Iran and North Korea without the necessary licenses.
- Société Générale, 2018: Société Générale paid $1.34 billion in fines for processing thousands of transactions worth billions of dollars on behalf of customers in Cuba, Iran, Libya, and Sudan.
6 Rules to Build OFAC Compliance into Your Third-Party Risk Management
Firms that do business with people or companies outside the United States must comply with OFAC regulations connected to sanctions and embargoes.
To be compliant, you need to create policies and procedures for your staff to follow. They need to be customized to the type of business you run, the types of products and services you sell, and the countries in which your customers, suppliers, vendors, and outsourcing partners are based.
In this article, we cover:
- What OFAC compliance is
- Which companies are most vulnerable to non-compliance
- Why OFAC compliance is critical
- How to establish your own internal sanctions compliance program
- What happens when things go wrong
What Is OFAC Compliance?
Part of the U.S. Department of Treasury, the Office of Foreign Assets Control (OFAC) is the responsible body for administering and enforcing economic and trade sanctions. They work with government agencies and international organizations to identify individuals, entities, and countries that pose a threat to U.S. interests.
OFAC’s sanctions programs target individuals and entities suspected of involvement in activities like corruption, human rights abuses, weapons proliferation, people and narcotics trafficking, and terrorism.
Foreign countries are not officially targeted by U.S. sanctions. But where the U.S. has a serious disagreement with a particular country, individuals and entities from that country are often targeted. For example, there are severe restrictions on dealing with individuals and companies from North Korea for their part in the proliferation of weapons of mass destruction.
To be OFAC compliant, you must not engage in any business activity with an individual or entity subject to economic sanctions. Otherwise, you face significant penalties and reputational damage.
Which Companies Need Their Own OFAC Compliance Program?
Any U.S. company or U.S. person trading with overseas businesses or people needs a compliance program. That’s whether you purchase from them or they purchase for you.
Certain firms, especially financial services companies, are more vulnerable than others. As a result, they have to perform additional anti-money laundering (AML) checks. Technology companies, insurance companies, and shipping and logistics providers are also at risk.
Financial institutions like banks also must comply with the Bank Secrecy Act. This places additional responsibilities on them over and above OFAC requirements.
Why OFAC Compliance Is Critical
The U.S. government considers sanctions non-compliance a threat to national security and U.S. foreign policy.
If you deal with sanctioned individuals in certain geographic locations, like Iran and Cuba, expect the full force of the government to come down on you. The penalties for doing business with people or entities subject to U.S. sanctions can run into billions of dollars. Financial transactions with parties on OFAC’s sanctions list may also attract criminal and civil penalties.
Depending on the severity of the offense, you may be subject to prison time.
Establishing Your Own Internal Sanctions Compliance Program
Your sanctions compliance program should be fully aligned with your company, its line of business, and the geographic locations of your customers and suppliers.
For the program to be effective, follow the six rules below.
1. Get Management Commitment
The impetus for OFAC compliance must come from the very top of your business.
That’s because compliance requires an ongoing commitment to invest in:
- A designated compliance officer: They’re responsible for overseeing the compliance program, providing compliance training and resources to employees, and ensuring that policies and procedures are kept up-to-date and effective. They also regularly report back to the C-suite, senior management, and procurement leaders.
- Database subscriptions: You’ll need to subscribe to six OFAC lists. Specifically, the specially designated national list (SDN list), the politically exposed people (PEP) list, the blocked persons list, the Non-SDN Consolidated Sanctions List, the Foreign Sanctions Evaders List, and the Sectoral Sanctions Identifications List. OFAC provides these lists for free, but they’re not always up to date. Consider also subscribing to paid-for sanction database services from providers like Dun & Bradstreet, Dow Jones Risk Database, and U.S. Bancorp.
- Software: Compliance makes the work of sourcing/category management and procurement/payment teams more complicated. Consider investing in risk management or GRC software/plug-ins to help your team monitor supplier and vendor activity so they can flag real-time issues when they arise.
2. Carry Out an Organizational Risk Assessment
Start by carrying out a risk assessment to discover where your business may be at risk of potential OFAC violations.
Reassess every individual and entity you do business with — paying specific attention to their geographic location, what you buy and sell to each other, and how you pay each other. Run them against the databases listed above.
3. Create Customized Policies and Procedures
Create policies and procedures to reduce the level of risk your business is exposed to.
Consider how rigorous the due diligence procedure you use should be for customers and suppliers prior to the initial transaction. Check regularly for changes in ultimate beneficial ownership to overseas entities and their subsidiaries that pose a higher risk.
Also, create a procedure for how and when you report potential violations like a prohibited transaction to OFAC.
4. Train Your Staff
You’ll need to train your staff on how to meet OFAC obligations. Clearly communicate your internal policies and procedures to employees in training. Educate them on how to use tools like the SDN list and the software platform you use to monitor compliance on an ongoing basis.
Monitor how well managers and their staff who are responsible for adhering to policies and procedures are performing. Offer top-up training where necessary. Re-train staff on a regular basis, especially when there are significant changes to sanctions policies, embargo regulations, or company policies.
5. Review and Stress Test Your Procedures
You should review regularly the level of risk you’re willing to accept to reflect changes to OFAC regulations or your business activities.
Where possible, run regular sanctions compliance program test exercises to ensure that it’s effective in identifying potential OFAC regulations violations. Stress test screening processes and review transaction records again to look for potential violations. When you do find issues, implement actions to correct them as soon as possible.
6. Respond to Potential Violations
OFAC compliance is difficult to manage. It’s possible to make mistakes, even with robust policies and procedures in place. When you suspect a potential violation, you need a response plan.
You should conduct an internal investigation when one occurs and report them to OFAC without delay. Take steps to understand how the violation took place and take remedial steps to mitigate the risk of them happening again. You should document all actions you take when a violation is discovered and involve senior management or legal counsel without delay.
When OFAC Compliance Goes Wrong
When OFAC compliance goes wrong, the financial cost can be eye-watering. Here are three examples:
- Standard Chartered Bank, 2019: Standard Chartered Bank agreed to pay $639 million in fines to settle allegations that it violated U.S. sanctions against Iran, Sudan, Cuba, Syria, Zimbabwe, and Burma. OFAC was accused of processing thousands of transactions worth billions of dollars despite knowing they were prohibited.
- ZTE Corporation, 2017: Chinese telecommunications company ZTE Corporation agreed to pay $1.19bn for shipping U.S.-made equipment to Iran and North Korea without the necessary licenses.
- Société Générale, 2018: Société Générale paid $1.34 billion in fines for processing thousands of transactions worth billions of dollars on behalf of customers in Cuba, Iran, Libya, and Sudan.
OFAC Compliance Is Built Into Certa
Enhance your company's sanctions compliance with Certa. The Certa platform:
- Automates 80% of third-party risk management while providing full organization visibility for senior team members and stakeholders
- Helps your people perform ongoing monitoring against U.S. sanctions lists as well as other countries' watchlists (when you subscribe to OFAC lists and other third-party list services)
- Monitors beneficial ownership in real time, consolidating and deduplicating live ultimate beneficial ownership databases
- Makes it hard for blocked persons and entities to conceal non-compliant ownership
- Automates payment blocking when appropriate, ensuring ongoing OFAC compliance
Learn more about always-on OFAC compliance management with Certa, and schedule a demo to see it in action.
