OFAC’s Compliance Guidance in Action

Reviewing OFAC’s Five Compliance Pillars on the Five-Year Anniversary

📅 June 18, 2024

The Treasury Department’s Office of Foreign Assets Control (OFAC) five years ago published its Framework for OFAC Compliance Commitments (“OFAC Compliance Guidance”). This guidance remains the most comprehensive articulation of OFAC’s compliance expectations to date. Although it notably stopped short of mandating a sanctions compliance program (SCP), recent enforcement actions demonstrate the implications of not having an SCP in place.

U.S. regulators in November 2023 reached a record settlement with the world’s largest cryptocurrency exchange, Binance. The company agreed to pay more than $968 million to settle its potential civil liability for more than 1.5 million apparent violations of multiple sanctions programs. In its settlement agreement, OFAC noted that Binance failed to establish an SCP at the time it began operations in 2017, and when it created a sanctions compliance program in 2018, the efforts remained inadequate and ineffective.
OFAC in May 2023 settled with cosmetics company Murad LLC, which agreed to pay $3.3 million to settle its potential civil liability for an apparent violation of Treasury’s Iran sanctions. OFAC assessed that the company’s compliance deficiencies, including its lack of an SCP, contributed to the violations.

Aggravating and Mitigating Factors

Although OFAC recognizes that its regulations do not require a formal sanctions compliance program, it makes clear in its guidance and enforcement actions that lack of an effective compliance program is a root cause for sanctions violations and a factor in pursuing enforcement actions. At the same time, OFAC has considered the existence and implementation of an SCP as a mitigating factor when calculating financial penalties for violations.

An examination of OFAC’s settlements since publicizing the Guidelines shows that the complete lack of a SCP was one of the root causes of the sanctions violations identified during the course of the investigation in nine—or 11 percent—of the settlements. In addition, OFAC frequently identified this element as an aggravating factor in its analysis of the General Factors associated with such administrative actions, according to Treasury.
Microsoft in April 2023, agreed to pay a nearly $3 million settlement for potential violations of multiple OFAC sanctions programs. The penalty was a fraction of the more than $404 million statutory maximum civil monetary penalty applicable in the case, and OFAC noted the company’s self-initiated lookback of transactions upon discovering possible violations and significant remedial measures Microsoft undertook to improve its already robust SCP.
OFAC in a July 2020 settlement noted Amazon’s significant remedial measures to address its sanctions screening deficiencies, including investing “substantial resources” to improve the company’s overall compliance program as a mitigating factor. The Washington-based e-commerce giant agreed to pay $134,523 to settle its potential civil liability for apparent violations of multiple OFAC sanctions programs. The statutory maximum civil monetary penalty amount for Amazon’s apparent violations was more than $1billion.

Russia’s War Highlights Sanctions and AML Convergence

The OFAC Compliance Guidance is more relevant than ever as sanctions are being used more aggressively in the wake of Russia’s full-scale invasion of Ukraine, including by targeting central banks, companies with significant market shares in major industries, and sanctions evaders who use front and shell companies to hide their illicit activities.

Russia’s war against Ukraine has complicated compliance efforts with more than 18,000 individual designations imposed on Russian persons and companies by global powers since the invasion began in February 2022. In addition to blocking sanctions, compliance officers must also monitor strategic trade control developments, additions to the Bureau of Industry and Security’s (BIS) Entity List, sectoral sanctions, secondary sanctions, new embargoes, and violations of the $60 per barrel price cap on Russian-origin oil.

AML regimes, once seen as separate from sanctions compliance programs, can help U.S. firms and financial institutions enhance their compliance and financial risk management. U.S. financial institutions and other firms should consider their compliance programs holistically, linking their AML/CFT, trade finance, and sanctions compliance efforts to share information and analysis. Treasury during the past two years stressed the importance of implementing customer due diligence (CDD) procedures and other AML controls to mitigate sanctions risk.

In a speech at an anti-money laundering conference in October 2023, now-former Assistant Secretary for Terrorist Financing and Financial Crimes Elizabeth Rosenberg, stressed the importance of effective AML/CFT and sanctions programs to deprive Russia of its military-industrial resources. She highlighted that sanctions and AML/CFT regimes in the United States are linked and that continued siloing of AML/CFT and sanctions teams at some financial institutions can lead to witting or inadvertent violations.
In a sanctions advisory in December 2023, OFAC directed financial institutions to identify and minimize their exposure to activity involving Russia’s military-industrial base, including conducting customer due diligence, and using their AML controls to minimize the risk of secondary sanctions after President Biden signed EO 14114.
OFAC’s guidance for an effective SCP also stresses that an organization may conduct an assessment of customers, supply chains, intermediaries, and counterparties; the products and services it offers; and its geographic locations. These assessments are consistent with guidance FinCEN has been issuing that help identify indicators of money laundering, as well as identify sanctions evasion.

Both sanctions and AML compliance require heightened transparency, accountability, and information-sharing. AML and sanctions programs share essential elements or pillars and associated red flags. FinCEN in March 2022 issued an alert advising vigilance for potential Russian sanctions evasion attempts. The agency highlighted select indicators common to both money laundering and sanctions evasion.

🚩 The use of corporate vehicles and legal arrangements to obscure ownership, the source of funds, and countries involved.

🚩 The use of shell companies and third parties to shield the involvement of sanctioned persons in the transaction.

🚩 Jurisdictions previously associated with Russian financial flows that are identified as having a notable recent increase in new company formations.

🚩 Non-routine foreign exchange transactions that may indirectly involve sanctioned Russian financial institutions, including transactions that are inconsistent with activity over the prior 12 months.

The Five SCP Pillars

OFAC’s “five-pillar” framework for compliance programs, which is similar to the one required for AML programs in most jurisdictions, continues to be the foundational guide for implementing strong SCPs.

Senior management commitment. Like other regulatory agencies, OFAC expects senior management to review and approve its company’s program, maintain an autonomous and well-resourced compliance unit, and promote a culture of compliance within its organization. This means designating a specific OFAC compliance officer (who could also serve in other compliance functions, such as the Bank Secrecy Act officer) and ensuring that compliance staff sufficiently understand OFAC regulations and can identify OFAC-related issues, risks, and prohibited activities.

Senior Binance management knew about and permitted the presence of both U.S. and embargoed jurisdiction users on its platform, according to OFAC’s November settlement. Binance management also undermined its own compliance function, encouraging users to circumvent the company’s ostensible controls. In a Finding of Violation to Mashreq bank in 2021, OFAC also noted that some senior-level Mashreq branch employees had actual knowledge of the conduct giving rise to the violations.

Routine risk assessments. Organizations should conduct routine risk assessments to help identify potential sanctions risks.

OFAC’s settlement with Murad LLC highlights not just the importance of conducting sufficient pre- and post-acquisition due diligence, but also conducting risk assessments to identify and remediate compliance deficiencies. Unilever US, which acquired the company in 2015, did not know and was not informed about Murad’s unauthorized exports to or involvement with Iran and did not discover this conduct during its preacquisition due diligence. Murad’s website in Iran, including an Iranian domain, was active for more than three years following the acquisition, according to the settlement. OFAC also noted that the compliance reporting structures Murad had in place following its acquisition by Unilever US were inadequate in relation to the sanctions risks the company faced.

Internal controls. Compliance efforts that “identify, interdict, escalate, report (as appropriate), and keep records” of activity implicating OFAC regulations should go beyond basic screening requirements, depending on the organization’s risk assessment. Internal controls must be monitored for effectiveness and any weaknesses addressed through “immediate and effective action” targeting root causes.

OFAC’s settlement with Microsoft reflects the significant remedial measures the company undertook after it discovered apparent sanctions violations during the course of a self-initiated lookback. The company examined the root causes of the violations, improved its trade compliance program and increased its resources, and improved the methods by which it researches potential sanctions matches. Microsoft not only enhanced the procedures it used to respond to matches and expanded the scope and volume of data screened, but also deployed an internal investigative team with multiple linguistic expertise to aid its contractors and full-time employees in reviewing and researching potential restricted-party hits.

Testing and auditing. Organizations should have a comprehensive, independent, and objective testing or audit function to gauge the effectiveness of internal controls. Where there are negative findings, OFAC expects “immediate and effective” remedial action.

After Amazon was penalized for sanctions violations in July 2020, the company employed internal and third-party sources to conduct a thorough review of Amazon’s sanctions compliance program and its automated screening systems to address the screening failures that gave rise to the apparent violations. In addition, Amazon enhanced its sanctioned jurisdiction Internet Protocol (IP) blocking controls and implemented automated processes to update continually its mapping of IP ranges associated with sanctioned jurisdictions.

Training. An organization’s sanctions compliance program requires sanctions-specific training that is tailored for different employees and scoped to the organization’s particular products, services, clients, and geographic areas.

Both Microsoft and Amazon implemented additional training processes for their teams to help mitigate their compliance failures. Microsoft began providing detailed sanctions compliance training for certain employees and jurisdictions, which is designed to take account of specific vulnerabilities identified throughout this disclosure process. Amazon improved its training programs by providing training tailored to the roles of specific teams and specialized ad-hoc training to personnel responsible for sanctions and export control compliance.

SCPs Applicable to Non-US Firms

OFAC “strongly” encourages anyone subject to U.S. jurisdiction—as well as foreign entities that conduct business in or with the United States, U.S. persons, or entities using U.S.-origin goods or services—to implement a sanctions compliance program. OFAC stated in the 2019 guidance what has long been seen in practice through high-profile civil and criminal cases against non-U.S. persons who rely on U.S. financial institutions to perform U.S. dollar-clearing activities or who use U.S.-origin products or services in contravention of U.S. sanctions prohibitions. In practice, this means that non-U.S. persons should have programs in place to determine if a U.S. jurisdictional nexus exists for any given transaction and, if so, to apply relevant U.S. sanctions requirements. These compliance programs are important for any person engaged in international trade, given the central role of the United States and the U.S. dollar in the global financial system and international supply chains.

Conclusion

Five years after OFAC released its framework for compliance, the guidance is even more critical because of Russia’s invasion of Ukraine. Compliance officers face an increasingly complex sanctions environment and must continue to understand and mitigate these risks by using the resources and tools common to AML and sanctions to target illicit conduct. Including sanctions compliance in an AML compliance program and sharing information between teams will help enhance both compliance efforts. The Institute for Financial Integrity’s proprietary Dedicated Online Financial Integrity Network (DOLFIN) platform features learning plans, policy alerts, expert insights, and other continuing education resources that focus on regulatory requirements, risk mitigation, and strategies to counter financial crime. DOLFIN also offers certification programs in Financial Crimes Risk Management, global sanctions, and other critical programs to help users remain compliant and enhance their expertise.

Interested in learning more about AML, sanctions and compliance?

Sign up for the Dedicated Online Financial Integrity Network (DOLFIN). A powerful resource for industry professionals, membership grants unlimited access to our extensive library spanning the core financial integrity topics.

Explore DOLFIN

Recommended Blogs

Unverified and Unsure

November 7, 2024

The Commerce Department’s Bureau of Industry and Security maintains and administers several lists that involve goods, software, and technology, governed by the Export Administration Regulations. The Unverified List is just one of these. What is the Unverified List and what due diligence obligations do entities that transact with parties on the Unverified List have?

Onerous Ownership

November 5, 2024

New U.S. beneficial ownership reporting requirements went into effect on January 1, 2024, obliging many small businesses to report to FinCEN identifying information about the individuals who directly or indirectly own or control 25% or more of the company. This article explores what you need to know as well as concerns company owners have expressed about the privacy, security, and regulatory scrutiny that accompanies the new regulations.

Risky Convergences

October 28, 2024

New digital solutions in money laundering and underground banking have facilitated the expansion of the criminal business environment in Southeast Asia, integrate billions of criminal proceeds into the formal financial system and enabling the growth of new criminal organizations.

Beneficial Ownership: Who Owns What?

October 17, 2024

U.S. efforts to curb illicit finance are in full swing, as the requirement to reveal the beneficial owners of certain entities registered or operating in the United States came into effect this year. In this article, we explore key requirements, benefits, and deadlines as well as address some of the concerns organizations may have about the new regulation.

New BIS Export Compliance Guidance for Financial Institutions

October 15, 2024

The U.S. Bureau of Industry and Security recently published guidance for financial institutions on complying with strategic trade controls and discussing best practices, red flags, screening, and reporting. The latest guidance provides greater detail on due diligence and risk management to help financial institutions detect and deter emerging and evolving export controls evasion.

The Risks of De-Risking

September 18, 2024

Compliance officers are guardians at the gate: protecting their organization and the global financial system from abuse while also ensuring that licit funds flow undisturbed. This is a delicate balance, as global regulations continue to grow in complexity, prompting some financial institutions to de-risk from high-risk clients. What are high-risk clients? Must a bank cease its relationships with these clients?

AML Compliance for Small Businesses

September 4, 2024

Small businesses face the challenge of navigating the intricate landscape of anti-money laundering (AML) regulations. Despite the challenges posed by evolving global standards and limited resources, small businesses can use tailored strategies to fortify their compliance frameworks and thrive in a complex regulatory environment.

Elevating Defenses

August 22, 2024

Dive into the cutting-edge strategies that financial institutions are implementing to combat the evolving threat of AI-driven fraud. From deploying advanced detection technologies to fostering robust networks of allies, learn how the financial sector is bolstering its defenses against sophisticated scams like deepfakes and biometric fraud.

Deepfakes and Dollars

August 20, 2024

While AI has the potential for transformative impact in the financial sector, it also introduces new challenges. From biometric mimicry to the alarming rise of deepfakes, this blog highlights emerging threats and challenges in countering AI-driven fraud.