OFAC’s New Framework Heightens Need For International Companies To Review Existing Sanctions Controls.


14 May, 2019


International companies that conduct business in the US or use US-origin goods or services should maintain a robust, risk-based US economic sanctions compliance programme, according to the US Treasury’s Office of Foreign Assets Control (OFAC). Its new Framework for OFAC Compliance Commitments (framework) sets out key components of a sanctions compliance programme. International companies should review their existing procedures and make changes where necessary to bring them in line with the framework.


As the number and scale of US sanctions enforcement actions increase, maintaining an effective sanctions compliance framework is an essential tool for managing sanctions risk. Further, in the context of any enforcement action, the framework makes clear that the absence of an adequate framework will be viewed negatively by OFAC pursuant to its earlier Economic Sanctions Enforcement Guidelines.

The framework includes a discussion of the typical “root causes” of sanctions violations leading to OFAC enforcement action and, in most cases, compliance framework deficiencies are key factors. All companies whose business directly or indirectly involves the US or US persons should review their frameworks carefully in light of the identified root causes.



Key take-aways for non-US companies



OFAC “strongly encourages” “organizations subject to US jurisdiction, as well as foreign entities that conduct business in or with the United States, US persons, or using US-origin goods or services” to implement a sanctions compliance framework. This will be evaluated in an enforcement action, and is a substantial factor in OFAC’s analysis as to whether a case is deemed “egregious,” meriting higher penalties.




Most non-US companies doing business internationally have a nexus to the US which can expose them to criminal and civil risks under US law, especially in the absence of a sanctions compliance framework. A nexus may arise from the fact that:

  - almost all transactions denominated in US dollars are processed by banks based in the US who are US persons.

  - many companies use US-based computer servers and other IT infrastructure.

  - many non-US companies also have employees who are US citizens or permanent residents.




Causing US persons to violate US sanctions requirements, as well as causing the prohibited export of services from the US in aid of sanctioned transactions, may lead to liability for non-US persons.




A number of the root causes identified are more relevant to non-US persons. For example, non-US persons might re-export US-origin goods, technology or services to, or use the US financial system for commercial transactions with, OFAC-sanctioned persons or countries.




Even though OFAC has in the past focused on organisations that are large and sophisticated, even smaller companies should be cognisant that, in light of the framework, they are on fair notice of OFAC’s expectations.


Essential aspects of a sanctions compliance programme


The framework makes clear that:


  1. There is no one-size-fits-all programme and companies must take a risk-based approach.

  2. Essential components include: (i) management commitment including formal approval of the programme; (ii) risk assessment; (iii) internal controls (including written policies and procedures); (iv) testing and auditing; and (v) training.

  3. Organisations should appoint a dedicated OFAC sanctions compliance officer with a regular and direct reporting line to senior management (eg not via the General Counsel or a business head). The officer could be the same person serving in other senior compliance positions, such as the Bank Secrecy Act Officer (for financial institutions) or export control officers. OFAC compliance responsibility should be clearly assigned to named personnel within the organisation, who are themselves adequately trained to implement and administer the policy.

  4. IT software and systems should be used to support sanctions compliance. Screening software has now been commonly adopted by many large organisations; however, companies should avoid simply using standard software without attention to its suitability to the company.

  5. Companies should conduct a routine sanctions risk assessment, taking into consideration specific clients, products, services, and geographic locations. The Economic Sanctions Enforcement Guidelines provide a useful OFAC Risk Matrix for this purpose. Guidance from other US regulators, such as the Justice Department, characterises the process of risk assessment as the “starting point” for a prosecutor’s evaluation of a company’s compliance programme.

  6. Companies must adjust swiftly to changes in US economic sanctions. This is an issue that merits particular attention compared to other financial crimes, because sanctions are usually put in place at short notice and can be complex. The relevant gatekeepers should stay alert for changes.

  7. At a minimum, companies should provide annual training to appropriate employees and personnel on sanctions compliance. The framework also encourages companies to train other stakeholders, such as clients, suppliers, business partners, and counterparties.

  8. Many key internal controls, reporting and training could use a shared structure within the company’s general compliance system. This is highlighted in the recently updated guidance by the Justice Department. For example, the risk assessment for third parties could be an integrated step considering all relevant information relating to sanctions, corruption and other reputational risks. Likewise, a company’s financial control policies (preventing payments to accounts in sanctioned countries without proper review and approval) should address myriad compliance matters, including sanctions.




Designing and implementing an effective compliance programme is not an easy task. In the area of sanctions, compliance requires a thorough understanding of evolving sanctions regimes, operational integration, robust implementation, and continuing improvements.


Both the framework and the updated guidance from the Justice Department serve as valuable resources in this area, but every company must tailor its programmes to its risk profile, resources, and structure. Despite the challenges, the reward for an effective compliance programme is tremendous – not only does it help with the resolution of specific enforcement actions, but it also increases a company’s operational efficiency, promotes a better culture and raises a company’s profile with its partners and counterparties.


Companies should seriously evaluate their investment in this area.


Herbert Smith Freehills


For further information, please contact:


Kyle Wombolt, Partner, Herbert Smith Freehills