Last year the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a new Framework for OFAC Compliance Commitments, outlining the five essential components of a sanctions compliance program and the root causes of compliance violations.
The framework made it clear that all organisations need to implement a risk-based approach to sanctions compliance, or they may leave themselves vulnerable to penalties.
The guidance outlined five essential components of compliance:
- Senior management commitment
Ensure your sanctions compliance program receives adequate support and resources and is integrated into your company’s processes.
- Risk assessment
Conduct a routine risk assessment to identify potential risks and develop procedures, internal controls, and training to mitigate them.
- Internal controls
Establish policies and procedures that identify, prohibit, report, and keep records of all activity.
- Testing and auditing
Assess processes regularly to identify inconsistencies and program deficiencies; ensure all software and data solutions are up to date.
- Training
Provide all appropriate employees with adequate information and instruction on the company’s compliance program.
Accuity is working with clients to ensure they have implemented OFAC’s five components of compliance effectively and they’re set up for a successful, and compliant, 2020.
Review your risk assessment
Conducting a comprehensive company-wide risk assessment is the first step to building an appropriate sanctions compliance program.
Begin by evaluating your organisation’s lines of business and reviewing the sanctions compliance requirements for the jurisdictions in which you operate. Then, look at current internal controls and address any feedback or findings you have gained since putting them in place. This information will provide a holistic view of the entire organisation’s risk profile and will enable you to create a robust risk-based assessment to act upon.
The risk assessment should be a living document that is reviewed regularly and maintained to ensure it remains appropriate as your business, and the regulatory landscape, evolves.
Implement internal controls
The next step is to design a set of measures that mitigate the risks identified by the risk assessment. The assessment should have revealed whether you have the right policies and procedures in place to identify, escalate, and report prohibited activity effectively.
It is essential to test and audit your internal controls, to ensure they are effective in mitigating risk. You may find you need to remediate deficiencies or add to the existing internal controls to ensure they fully cover your organisation’s obligations.
For some firms this may mean supplementing the OFAC screening program with additional sanctions lists, such as those issued by the European Union, United Nations, Her Majesty’s Treasury in the UK, or others around the world for more comprehensive sanctions coverage.
Other organisations may need to upgrade their sanctions screening software to eliminate weaknesses, integrate disparate systems, or introduce automation for greater efficiency.
Create a culture of compliance
Changing the culture of an organisation starts at the top and, according to the OFAC compliance framework, senior management commitment is one of the most important aspects of any sanctions compliance program.
Once you have determined the necessary steps to bring your firm’s internal controls in line with the risk-based assessment, it is important to ensure senior leadership is bought in and prepared to allocate the necessary resources.
Clear communication, comprehensive training, and readily available resources are also incredibly important to embedding the culture of compliance across the entire organisation and ensuring the sanctions program is executed effectively. The US Treasury requires detailed proof that everyone – from the company’s compliance officer to the front-line employees – understands their role in the organisation’s sanctions compliance program.
Additionally, it can be beneficial to put in place channels through which employees can report compliance concerns confidentially. This helps to foster a culture of compliance by ensuring there is an easy way to disclose policy breaches and those responsible can be held to account.
While there are many reasons why your organisation should be diving into the full OFAC documentation, following these simple steps will help to kickstart your compliance approach in 2020.