A Framework for OFAC Compliance Commitments
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) administers and enforces U.S. economic and trade sanctions programs against targeted foreign governments, individuals, groups, and entities in accordance with national security and foreign policy goals and objectives.
OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP). While each risk-based SCP will vary depending on a variety of factors (including the company's size and sophistication, products and services, customers and counterparties, and geographic locations), each program should be predicated on and incorporate at least five essential components of compliance:
(1) management commitment;
(2) risk assessment;
(3) internal controls;
(4) testing and auditing; and
(5) training.
If after conducting an investigation and determining that a civil monetary penalty ("CMP") is the appropriate administrative action in response to an apparent violation, the Office of Compliance and Enforcement (OCE) will determine which of the following or other elements should be incorporated into the subject person's SCP as part of any accompanying settlement agreement, as appropriate. As in all enforcement cases, OFAC will evaluate a subject person's SCP in a manner consistent with the Economic Sanctions Enforcement Guidelines (the "Guidelines").
When applying the Guidelines
to a given factual situation, OFAC will consider favorably subject persons that
had effective SCPs at the time of an apparent violation. For example, under
General Factor E (compliance program), OFAC may consider the existence, nature,
and adequacy of an SCP, and when appropriate, may mitigate a CMP on that basis.
Subject persons that have implemented
effective SCPs that are predicated on the five essential components of
compliance may also benefit from further mitigation of a CMP pursuant to
General Factor F (remedial response) when the SCP results in remedial steps being
Finally, OFAC may, in appropriate cases,
consider the existence of an effective SCP at the time of an apparent violation
as a factor in its analysis as to whether a case is deemed
This document is intended to provide organizations with a framework for the five essential components of a risk-based SCP, and contains an appendix outlining several of the root causes that have led to apparent violations of the sanctions programs that OFAC administers. OFAC recommends all organizations subject to U.S. jurisdiction review the settlements published by OFAC to reassess and enhance their respective SCPs, when and as appropriate.
Senior Management's commitment to, and support of, an organization's risk-based SCP is one of the most important factors in determining its success. This support is essential in ensuring the SCP receives adequate resources and is fully integrated into the organization's daily operations, and also helps legitimize the program, empower its personnel, and foster a culture of compliance throughout the organization.
General Aspects of an SCP: Senior Management Commitment
Senior management commitment to supporting
an organization's SCP is a critical factor in determining the success of the
SCP. Effective management support includes the provision of adequate resources
to the compliance unit(s) and support for compliance personnel's authority
within an organization. The term "senior management" may differ among
various organizations, but typically the term should include senior leadership,
executives, and/or the board of directors.
1. Senior management has reviewed and
approved the organization's SCP.
2. Senior management ensures that its compliance
unit(s) is/are delegated sufficient authority and autonomy to deploy its
policies and procedures in a manner that effectively controls the
organization's OFAC risk. As part of this effort, senior management ensures the
existence of direct reporting lines between the SCP function and senior
management, including routine and periodic meetings between these two elements
of the organization.
3. Senior management has taken, and will
continue to take, steps to ensure that the organization's compliance unit(s)
receive adequate resources (including in the form of human capital, expertise,
information technology, and other resources, as appropriate) that are relative
to the organization's breadth of operations, target and secondary markets, and
other factors affecting its overall risk profile.
These efforts could generally be measured
by the following criteria:
A. The organization has appointed a dedicated OFAC sanctions
compliance officer [1];
[1] This may be the same person serving in other senior compliance positions, e.g., the Bank Secrecy Act Officer or an Export Control Officer, as many institutions, depending on size and complexity, designate a single person to oversee all areas of financial crimes or export control compliance.
B. The quality and experience of the
personnel dedicated to the SCP, including: (i) the technical knowledge and expertise
of these personnel with respect to OFAC's regulations, processes, and actions;
(ii) the ability of these personnel to understand complex financial and
commercial activities, apply their knowledge of OFAC to these items, and
identify OFAC-related issues, risks, and prohibited activities; and (iii) the
efforts to ensure that personnel dedicated to the SCP have sufficient experience
and an appropriate position
C. Sufficient control functions exist that support the organization's SCP (including but not limited to information technology software and systems) that adequately address the organization's OFAC-risk assessment and levels
4. Senior management
promotes a "culture of compliance" throughout the organization.
These efforts could generally be measured by the following criteria:
A. The ability of personnel to report sanctions-related misconduct by the organization or its personnel to senior management without fear of reprisal.
B. Senior management messages and takes actions that discourage misconduct and prohibited activities, and highlight the potential repercussions of non-compliance with OFAC sanctions; and
C. The ability of the SCP to have oversight over the actions of the entire organization, including but not limited to senior management, for the purposes of compliance with OFAC sanctions.
5. Senior management demonstrates recognition of the seriousness of apparent violations of the laws and regulations administered by OFAC, or malfunctions, deficiencies, or failures by the organization and its personnel to comply with the SCP's policies and procedures, and implements necessary measures to reduce the occurrence of apparent violations in the future. Such measures should address the root causes of past apparent violations and represent systemic solutions whenever possible.
Risks in sanctions compliance are potential threats or vulnerabilities that, ignored or not properly handled, can lead to violations of OFAC's regulations and negatively affect an organization's reputation and business. OFAC recommends that organizations take a risk-based approach when designing or updating an SCP. One of the central tenets of this approach is for organizations to conduct a routine, and if appropriate ongoing, "risk assessment" for the purposes of identifying potential OFAC issues they are likely to encounter. As described in detail below, the results of a risk assessment are integral in informing the SCP's policies, procedures, internal controls, and training in order to mitigate such risks.
While there is no "one-size-fits-all" risk assessment, the exercise should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world. This process allows the organization to identify potential areas in which it may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions. For example, an organization's SCP may conduct an assessment of the following:
(i) customers, supply chain, intermediaries, and counter-parties; (ii) the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems; and (iii) the geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counter-parties. Risk assessments and sanctions-related due diligence are also important during mergers and acquisitions, particularly in scenarios involving non-U.S. companies or corporations.
General Aspects of an SCP: Conducting a Sanctions Risk Assessment
A fundamental element of a sound SCP is the assessment of specific clients, products, services, and geographic locations in order to determine potential OFAC sanctions risk. The purpose of a risk assessment is to identify inherent risks in order to inform risk-based decisions and controls.
The Annex to Appendix A to 31 C.F.R. Part 501, OFAC's Economic Sanctions Enforcement Guidelines, provides an OFAC Risk Matrix that may be used by financial institutions or other entities to evaluate their compliance programs:
I. The organization
conducts, or will conduct, an OFAC risk assessment in a manner, and with a
frequency, that adequately accounts for the potential risks. Such risks could
be posed by its clients and customers, products, services, supply chain, intermediaries,
counter-parties, transactions, and geographic locations, depending on the
nature of the organization. As appropriate, the risk assessment will be updated
to account for the root causes of any apparent violations or systemic
deficiencies identified by the organization during the routine course of
A. In assessing its OFAC risk, organizations should leverage existing information to inform the process. In turn, the risk assessment will generally inform the extent of the due diligence efforts at various points in a relationship or in a transaction. This may include:
1. On-boarding: The organization develops a sanctions risk rating for customers, customer groups, or account relationships, as appropriate, by leveraging information provided by the customer (for example, through a Know Your Customer or Customer Due Diligence process) and independent research conducted by the organization at the initiation of the customer relationship.
This information will guide the timing and scope of future due diligence efforts. Important elements to consider in determining the sanctions risk rating can be found in OFAC's risk matrices.
2. Mergers and Acquisitions (M&A): As noted above, proper risk assessments should include and encompass a variety of factors and data points for each organization. One of the multitude of areas organizations should include in their risk assessments (which, in recent years, appears to have presented numerous challenges with respect to OFAC sanctions) are mergers and acquisitions. Compliance functions should also be integrated into the merger, acquisition, and integration process. Whether in an advisory capacity or as a participant, the organization engages in appropriate due diligence to ensure that sanctions-related issues are identified, escalated to the relevant senior levels, addressed prior to the conclusion of any transaction, and incorporated into the organization's risk assessment process. After an M&A transaction is completed, the organization's Audit and Testing function will be critical to identifying any additional sanctions-related issues.
II. The organization
has developed a methodology to identify, analyze, and address the particular
risks it identifies. As appropriate, the risk assessment will be updated to
account for the conduct and root causes of any apparent violations or systemic
deficiencies identified by the organization during the routine course of
business, for example, through a testing or audit function.
An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the organization's risk assessments. Policies and procedures should be enforced, weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated, and internal and/or external audits and assessments of the program should be conducted on a periodic basis.
Given the dynamic nature of U.S. economic and trade sanctions, a successful and effective SCP should be capable of adjusting rapidly to changes published by OFAC. These include the following: (i) updates to OFAC's List of Specially Designated Nationals and Blocked Persons (the "SDN List"), the Sectoral Sanctions Identification List ("SSI List"), and other sanctions-related lists; (ii) new, amended, or updated sanctions programs or prohibitions imposed on targeted foreign countries, governments, regions, or persons, through the enactment of new legislation, the issuance of new Executive orders, regulations, or published OFAC guidance or other OFAC actions; and (iii) the issuance of general licenses.
General Aspects of an SCP: Internal
Effective OFAC compliance programs generally include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that is prohibited by the sanctions programs administered by OFAC. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance, and minimize the risks identified by an entity's OFAC risk assessments. Policies and procedures should be enforced, and weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated in order to prevent activity that might violate the sanctions programs administered by OFAC.
I. The organization has designed and
implemented written policies and procedures outlining the SCP. These policies
and procedures are relevant to the organization, capture the organization's day-to-day operations and
procedures, are easy to follow, and designed to prevent employees from engaging in misconduct.
II. The organization
has implemented internal controls that adequately address the results of its
OFAC risk assessment and profile. These internal controls should enable the
organization to clearly and effectively identify, interdict, escalate, and
report to appropriate personnel within the organization transactions and
activity that may be prohibited by OFAC. To the extent information technology
solutions factor into the organization's internal controls, the organization
has selected and calibrated the solutions in a manner that is appropriate to
address the organization's risk profile and compliance needs, and the
organization routinely tests the solutions to ensure effectiveness.
III. The organization
enforces the policies and procedures it implements as part of its OFAC compliance
internal controls through internal and/or external audits.
V. The organization
ensures that its OFAC-related recordkeeping policies and procedures adequately
account for its requirements pursuant to the sanctions programs administered by
VI. The organization has clearly communicated
the SCP's policies and procedures to all relevant staff, including personnel
within the SCP program, as well as relevant gatekeepers and business units
operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.)
and to external parties performing SCP responsibilities on behalf of the
VII. The organization
has appointed personnel for integrating the SCP's policies and procedures into
the daily operations of the company or corporation. This process includes
consultations with relevant business units, and confirms the organization's
employees understand the policies and procedures.
Audits assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective testing or audit function within an SCP ensures that an organization identifies program weaknesses and deficiencies, and it is the organization's responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps. Such enhancements might include updating, improving, or recalibrating SCP elements to account for a changing risk assessment or sanctions environment. Testing and auditing can be conducted on a specific element of an SCP or at the enterprise-wide level.
General Aspects of an SCP: Testing and Auditing
A comprehensive, independent, and objective testing or audit function within an SCP ensures that entities are aware of where and how their programs are performing and should be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment, as appropriate. Testing or audit, whether conducted on a specific element of a compliance program or at the enterprise-wide level, are important tools to ensure the program is working as designed and identify weaknesses and deficiencies within a compliance program.
I. The organization
commits to ensuring that the testing or audit function is accountable to senior
management, is independent of the audited activities and functions, and has
sufficient authority, skills, expertise, resources, and authority within the
II. The organization
commits to ensuring that it employs testing or audit procedures appropriate to
the level and sophistication of its SCP and that this function, whether deployed
internally or by an external party, reflects a comprehensive and objective assessment
of the organization's OFAC-related risk assessment and internal controls.
III. The organization
ensures that, upon learning of a confirmed negative testing result or audit
finding pertaining to its SCP, it will take immediate and effective action, to
the extent possible, to identify and implement compensating controls until the
root cause of the weakness can be determined and remediated.
An effective training program is an integral component of a successful SCP. The training program should be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually) and generally should accomplish the following:
(i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.
General Aspects of an SCP: Training
An adequate training program, tailored to an entity's risk profile and all appropriate employees and stakeholders, is critical to the success of an SCP.
I. The organization
commits to ensuring that its OFAC-related training program provides adequate
information and instruction to employees and, as appropriate, stakeholders (for
example, clients, suppliers, business partners, and counterparties) in order to
support the organization's OFAC compliance efforts. Such training should be
further tailored to high-risk employees within the organization.
II. The organization
commits to provide OFAC-related training with a scope that is appropriate for
the products and services it offers; the customers, clients, and partner
relationships it maintains; and the geographic regions in which it operates.
III. The organization
commits to providing OFAC-related training with a frequency that is appropriate
based on its OFAC risk assessment and risk profile.
VI. The organization
commits to ensuring that, upon learning of a confirmed negative testing result
or audit finding, or other deficiency pertaining to its SCP, it will take
immediate and effective action to provide training to or other corrective
action with respect to relevant personnel.
Root Causes of OFAC
Sanctions Compliance Program Breakdowns or Deficiencies Based on Assessment of
Prior OFAC Administrative Actions
Since its publication of the Economic
Sanctions Enforcement Guidelines, 31 C.F.R. part 501, App. A (the
"Guidelines"), OFAC has finalized numerous public enforcement actions
in which it identified deficiencies or weaknesses within the subject person's
SCP. These items, which are provided in a non-exhaustive list below, are
provided to alert persons subject to U.S. jurisdiction, including entities that
conduct business in or with the United States, U.S. persons, or U.S.-origin
goods or services, about several specific root causes associated with apparent
violations of the regulations it administers in order to assist them in
designing, updating, and amending their respective SCP.
I. Lack of a Formal OFAC SCP
OFAC regulations do not require a formal SCP; however, OFAC encourages organizations subject to U.S. jurisdiction (including but not limited to those entities that conduct business in, with, or through the United States or involving U.S.-origin goods, services, or technology), and particularly those that engage in international trade or transactions or possess any clients or counter-parties located outside of the United States, to adopt a formal SCP. OFAC has finalized numerous civil monetary penalties since publicizing the Guidelines in which the subject person's lack of an SCP was one of the root causes of the sanctions violations identified during the course of the investigation. In addition, OFAC frequently identified this element as an aggravating factor in its analysis of the General Factors associated with such administrative actions.
II. Misinterpreting, or Failing to
Understand the Applicability of, OFAC's Regulations
Numerous organizations have committed sanctions violations by misinterpreting OFAC's regulations, particularly in instances in which the subject person determined the transaction, dealing, or activity at issue was either not prohibited or did not apply to their organization or operations. For example, several organizations have failed to appreciate or consider (or, in some instances, actively disregarded) the fact that OFAC sanctions applied to their organization based on their status as a U.S. person, a U.S.-owned or controlled subsidiary (in the Cuba and Iran programs), or dealings in or with U.S. persons, the U.S. financial system, or U.S.-origin goods and technology.
With respect to this specific root cause, OFAC's administrative actions have typically identified additional aggravating factors, such as reckless conduct, the presence of numerous warning signs that the activity at issue was likely prohibited, awareness by the organization's management of the conduct at issue, and the size and sophistication of the subject person.
III. Facilitating Transactions by Non-U.S.
Persons (Including Through or By Overseas Subsidiaries or Affiliates).
Multiple organizations subject to U.S. jurisdiction (specifically those with foreign-based operations and subsidiaries located outside of the United States) have engaged in transactions or activity that violated OFAC's regulations by referring business opportunities to, approving or signing off on transactions conducted by, or otherwise facilitating dealings between their organization's non-U.S. locations and OFAC-sanctioned countries, regions, or persons. In many instances, the root cause of these violations stems from a misinterpretation or misunderstanding of OFAC's regulations. Companies and corporations with integrated operations, particularly those involving or requiring participation by their U.S.-based headquarters, locations, or personnel, should ensure any activities they engage in (i.e., approvals, contracts, procurement, etc.) are compliant with OFAC's regulations.
IV. Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries
V. Utilizing the U.S. Financial System, or Processing Payments to or through U.S. Financial Institutions, for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries
Many non-U.S. persons have engaged in violations of OFAC's regulations by processing financial transactions (almost all of which have been denominated in U.S. Dollars) to or through U.S. financial institutions that pertain to commercial activity involving an OFAC-sanctioned country, region, or person. Although no organizations subject to U.S. jurisdiction may be involved in the underlying transaction (such as the shipment of goods from a third country to an OFAC-sanctioned country), the inclusion of a U.S. financial institution in any payments associated with these transactions often results in a prohibited activity (e.g., the exportation or re-exportation of services from the United States to a comprehensively sanctioned country, or dealing in blocked property in the United States). OFAC has generally focused its enforcement investigations on persons who have engaged in willful or reckless conduct, attempted to conceal their activity (e.g., by stripping or manipulating payment messages, or making false representations to their non-U.S. or U.S. financial institution), engaged in a pattern or practice of conduct for several months or years, ignored or failed to consider numerous warning signs that the conduct was prohibited, involved actual knowledge or involvement by the organization's management, caused significant harm to U.S. sanctions program objectives, and were large or sophisticated organizations.
VI. Sanctions Screening Software or Filter
Many organizations conduct screening of
their customers, supply chain, intermediaries, counter-parties, commercial and
financial documents, and transactions in order to identify OFAC-prohibited
locations, parties, or dealings. At times, organizations have failed to update
their sanctions screening software to incorporate updates to the SDN List or
SSI List, failed to include pertinent identifiers such as SWIFT Business
Identifier Codes for designated, blocked, or sanctioned financial institutions, or
did not account for alternative spellings of prohibited countries or parties, particularly
in instances in which the organization is domiciled or conducts business in
geographies that frequently utilize such alternative spellings (i.e., Habana
instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan, etc.).
VII. Improper Due Diligence on
Customers/Clients (e.g., Ownership, Business Dealings, etc.)
One of the fundamental components of an
effective OFAC risk assessment and SCP is conducting due diligence on an
organization's customers, supply chain, intermediaries, and counter-parties.
Various administrative actions taken by OFAC involved improper or incomplete
due diligence by a company or corporation on its customers, such as their
ownership, geographic location(s), counter-parties, and transactions, as well as
their knowledge and awareness of OFAC sanctions.
VIII. De-Centralized Compliance Functions and Inconsistent
Application of an SCP
While each organization should design,
develop, and implement its risk-based SCP based on its own characteristics, several
organizations subject to U.S. jurisdiction have committed apparent violations
due to a de-centralized SCP, often with personnel and decision-makers scattered
in various offices or business units. In particular, violations have resulted
from this arrangement due to an improper interpretation and application of
OFAC's regulations, the lack of a formal escalation process to review high-risk
or potential OFAC customers or transactions, an inefficient or incapable oversight
and audit function, or miscommunications regarding the organization's
sanctions-related policies and procedures.
IX. Utilizing Non-Standard Payment or
Commercial Practices
Organizations subject to U.S. jurisdiction
are in the best position to determine whether a particular dealing,
transaction, or activity is proposed or processed in a manner that is consistent
with industry norms and practices. In many instances, organizations attempting
to evade or circumvent OFAC sanctions or conceal their activity will implement
non-traditional business methods in order to complete their transactions.
X. Individual Liability
In several instances, individual employees (particularly in supervisory, managerial, or executive-level positions) have played integral roles in causing or facilitating violations of the regulations administered by OFAC. Specifically, OFAC has identified scenarios involving U.S.-owned or controlled entities operating outside of the United States, in which supervisory, managerial, or executive employees of the entities conducted or facilitated dealings or transactions with OFAC-sanctioned persons, regions, or countries, notwithstanding the fact that the U.S. entity had a fulsome sanctions compliance program in place. In some of these cases, the employees of the foreign entities also made efforts to obfuscate and conceal their activities from others within the corporate organization, including compliance personnel, as well as from regulators or law enforcement. In such circumstances, OFAC will consider using its enforcement authorities not only against the violating entities, but against the individuals as well.