4. Essential Components of a Risk-Based Sanctions Compliance Program in Different Industry Settings Flashcards

Session 4

1
Q

What are some Key Points of a Sanctions Compliance Program?

A

§ Some sort of compliance program is necessary to comply with sanctions requirements.

§ Neither the EU nor the US regulations or laws require such a system (not mandatory or written in a law), but it is practically impossible to ensure compliance without one.

§ While there are no legal requirements regarding the structure of a sanctions compliance program (“SCP”), the EU, the United States, and the Wolfsberg Group have provided useful guidance.

§ All three agree that a system should be “risk-based” – it should reflect the specific sanctions risks the firm faces.

2
Q

What is the OFAC Compliance Framework?

A

~ Issued in 2019
~ Has Five Essential Components
1. Management Commitment
2. Risk Assessment
3. Internal Controls
4. Testing and Audit
5. Training

3
Q

What comprises Component 1: Management Commitment of the OFAC Compliance Framework?

A

§ One of the most important factors in determining the success of an SCP.

§ Essential to ensure SCP receives adequate resources and is fully integrated into the organization’s daily operations

§ The term “senior management” may differ among various organizations, but typically the term should include senior leadership, executives, and/or the board of directors.

4
Q

What are the steps necessary to Demonstrate Senior Mgmt Commitment?

A

Include:

§ Senior management reviews and approves the SCP.

§ Direct reporting lines between SCP function and senior management.

§ Senior management assures SCP has adequate resources/human capital.

§ There is a designated OFAC compliance officer.

§ Sanctions compliance team has necessary knowledge/expertise.

§ There is a “culture of compliance.”

5
Q

What comprises Component 2: Risk Assessment of the OFAC Compliance Framework?

A

Risks = Potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC regulations and negatively affect an organization’s reputation and business.

OFAC recommends a risk-based approach when designing or updating a Sanctions Compliance Program (SCP).

6
Q

What should the Risk Assessment Exercise Entail?

A

1) No one size fits all

2) Have a holistic view - look at everybody:
~ Customer
~ Supply Chain
~ Intermediaries and counterparties
~ Products and Services
~ Geographic locations

3) Allows the organization to identify potential areas in which it may engage with OFAC prohibited entities, parties, countries or regions

4) Look at the International exposure

5) Look at the Size and stability of customer base

6) Look at the Volume and value of transactions

7
Q

How is Risk Recognized?

A

Transactions to Consider: Any business transaction or service could potentially violate OFAC. There is no minimum dollar amount.

§ HOWEVER, certain transactions may pose a higher risk.

Examples:
* Initiated from foreign countries
* Cash only, especially for large or luxury items that are easily liquidated (e.g. Germany does everything in cash, but in the Netherlands someone using cash has a different risk since everyone usually uses cards).
* International wire transfers involving international parties
* Trade finance
* Real estate deals, especially where the borrower or seller isn’t personally known
* Loan transactions, especially if the proceeds go to a third party
* With entities known to conduct business in sanctioned countries
* With a party who is anonymous or attempts to conceal his identity or location

*OFAC has a Risk Matrix you can use to rate your institution (Low, Moderate, High).

8
Q

What comprises Component 3: Internal Controls of the OFAC Compliance Framework?

A

Detailed policies and procedures describing how you mitigate sanctions risks and address specific situations.

Guidelines:
 1. Most important, the organization has designed written policies and procedures outlining the SCP.

 2. The organization has implemented controls that address the results of its OFAC risk assessment and profile.

 3. The organization enforces the policies and procedures through internal and/or external audits.

 4. Recordkeeping policies and procedures adequately account for its OFAC requirements.

 5. Upon learning of a weakness in its internal controls pertaining to OFAC compliance, it will take immediate and effective action.

 6. The organization has clearly communicated the SCP’s policies and procedures to all relevant staff.

 7. The organization has appointed personnel for integrating the SCP’s policies and procedures into the daily operations of the company or corporation.

*Note: Screening is an important Internal Control

9
Q

What is the method (3 Lines of Defense) for a sanctions compliance program?

A

First Line: The Business
~ Initially reviews customers and transactions for possible sanctions issues, and is responsible for making the initial decision about whether to proceed with a customer or transaction.

Second Line: Compliance
~ Reviews decisions by the business;
~ Answers questions and responds to requests for guidance;
~ Periodically reviews compliance decisions by the business; and
~ Creates, maintains and updates the organization’s sanctions policies and procedures.

Third Line: Audit
~ Regularly reviews the operation of the entire sanctions compliance system.

10
Q

What does a Compliance Policy entail?

A

§ Statement of corporate intent.

§ Usually adopted by the Board of Directors or Senior Management of the organization.

§ Purpose: to communicate to the organization its stance towards sanctions compliance.

Generally includes:
o A purpose statement - why do we comply?
o An applicability and scope statement; - What laws apply or not
o An effective date - when do we start?
o A responsibilities section - who is responsible

11
Q

What comprises Component 4: Testing and Audit of the OFAC Compliance Framework?

A

Audit - a front to back review of the system
Testing - Seeing whether individual processes worked, on a periodic basis

ESSENTIALS:
~ covers sanctions compliance, and
~ fulfills certain basic criteria, as identified by OFAC:

A. accountable to senior management;
B. independent, and
C. sufficient authority, and resources.

~ appropriate to level and sophistication of its SCP.

~ upon learning of a confirmed negative testing result or audit finding pertaining to its SCP, it will take immediate and effective action

*Results have to be applied - take immediate and effective action.

12
Q

What comprises Component 5: Training of the OFAC Compliance Framework?

A

§ provides adequate information and instruction to employees and, as appropriate, stakeholders

§ scope that is appropriate

§ frequency that is appropriate based on its OFAC risk assessment and risk profile.

§ easily accessible resources and materials available to all applicable personnel.

§ Upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its SCP, take immediate and effective action

13
Q

What kind of training should an organization consider at a minimum?

A

4 Categories must be considered:

  1. General sanctions training for all employees (foundations of sanctions)
  2. Specialized training for employees with responsibilities that may require them to make sanctions decisions
  3. Detailed training for all compliance staff
  4. Sanctions training for top mgmt.

NOTE: It is important to keep complete records of sanctions training

14
Q

What is the EU Sanctions Guidance on Best Practices for “Internal Compliance Program”?

A

§ The EU guidance is technically directed toward compliance programs for organizations exporting dual-use products; however, the guidance addresses sanctions compliance as well.

§ Practically, all of the principles and recommendations are applicable to sanctions compliance programs as well.

The main components of a compliance program under the EU guidance are:

  1. Top-level management commitment to compliance
  2. Organization structure, responsibilities and resources commensurate to the entity’s risk profile
  3. Training and awareness raising
  4. Transaction screening process and procedures
  5. Performance review, audits, reporting and corrective actions
  6. Recordkeeping and documentation
  7. Physical security
15
Q

What is Wolfsberg Guidance on Sanctions Screening - (look at notes on Wolfsberg in main notes)?

A

§ Focuses on the role of screening customers and transactions at banks to detect and prevent sanctions violations.

§ The guidance notes that screening is simply one component of a larger sanctions program.

The components of such a program should include:
1. Policies and procedures
2. Responsible person
3. Risk assessment
4. Internal controls
5. Testing

16
Q

What is the FFIEC BSA/AML Examination Manual on Sanctions Screening?

A

Though OFAC regulations do not fall under the scope of AML (anti-money laundering) laws, evaluation of OFAC compliance is frequently included in AML examinations.

The Bank Secrecy Act (BSA):
- U.S. federal law that requires banks and other financial institutions to bring large cash transactions and other dubious activity to the attention of regulators.
- Also requires FIs to have complex controls in place to detect any criminal activity, including an AML Program
17
Q

How do you assess compliance with BSA and AML Laws?

A

An assessment by the regulator is conducted, called the BSA/AML Examination.

U.S. FFIEC AML/BSA Examination Manual: Available online at https://bsaaml.ffiec.gov/manual. The Manual provides vital information on what to expect from the examiner with respect to their review of an institution’s OFAC/sanctions compliance program.

Even though OFAC is not part of the FFIEC, it assists in the development of the sections of the manual that relate to OFAC reviews.

Federal banking agencies also often have a duty to inform OFAC when they spot problematic behavior, for example involving transactions to or from sanctioned countries or a lack of written controls to comply with sanctions laws.

This duty is usually derived from an agreement made with OFAC called a “Memorandum of Understanding” (MOU).

18
Q

What was NYDFS final rule on a sanctions compliance program?

A

Superintendent’s Banking Regulations of the New York Division of Financial Services (NYDFS) concerning transaction screening.

NYDFS has played a major role in defining the obligations of banks with respect to compliance systems.

On June 30, 2016, the New York Department of Financial Services (DFS) issued a final rule on BSA/AML transaction monitoring and OFAC filtering and screening.

*All NY Banks must have a screening program

§ Effective as of January 1, 2017.

§ Annual mandated submission by the Board of Directors or a Senior Officer certifying compliance with the regulations and the measures taken to achieve it.

§ Applies to all banks, trust companies, savings banks, and savings and loan associations chartered pursuant to the NY Banking Law…AND all branches and agencies of foreign banking corporations licensed to conduct banking operations in New York.

Key Performance Indicators (KPIs): should be a regular item on Board agendas!!

§ Top management should routinely receive information showing effectiveness of company’s SCP, including:
o Transactions and customers rejected; and
o Any violations.

19
Q

What is Customer Due Diligence?

A

OFAC’s 50% Guidance
§ Because OFAC’s lists are not exhaustive.
§ Issued February 2008, revised August 2014.
§ An Entity that is owned 50% or greater by a sanctions target is treated as a sanctions target.
§ Underscores the need for thorough due diligence
§ OFAC’s 50% rule speaks only to ownership and not control.
§ Also applies to SSI

20
Q

What is OFAC’s 50 Percent Guidance?

A

Direct Ownership: One or more blocked persons own shares in an entity.

Indirect Ownership: One or more blocked persons’ ownership of shares of an entity through another entity or entities that are 50% or more owned in the aggregate by the blocked person(s).

21
Q

What is an example of OFAC 50% Guidance and Indirect Ownership in Complex Ownership Structures?

A

SDN Company A (red box) has Direct ownership 50% of Company C (should also be red).
Company C has Indirect Ownership 50% of Company D (should be red)
Company D has a cascading ownership to Company E 50% (should be red)

In addition Company A has an aggregate Ownership 15% with Company B and the SDN Mr. X also has an aggregate ownership 40% of Company B (Should be red)

*B, C, D, and E are considered to be blocked.

22
Q

What are the compliance considerations for specific Industries?

A

OFAC released a risk matrix to help the finance industry with sanctions compliance

The matrix shows risk associated with particular types of customer and transactions

The FI can use the risk matrix to determine what sort of compliance system they need and to identify their risk.

Compliance should be risk based

*This is what my risk profile looks like and here is what I need to do to address those risks.

23
Q

What guidance has OFAC provided for the Securities Industry?

A

OFAC has identified a number of risk factors for securities transactions:

  1. International transactions, including wire transfers;
  2. Foreign customers/accounts;
  3. Foreign broker-dealers who are not subject to OFAC regulations;
  4. Risks of investments in foreign securities;
  5. Personal investment by corporations or personal holding companies;
  6. Very high net worth institutional accounts, hedge funds, funds of hedge funds and other
    alternative investment funds (private equity, venture capital funds) and intermediary
    relationships;
  7. Omnibus accounts/use of intermediaries;
  8. Third party introduced business; and
  9. Confidential accounts
24
Q

What guidance has OFAC provided for the Maritime Industry?

A

§ Shipping industry faces especially complicated sanctions risks.

§ For sanctions purposes, the “shipping industry” includes not just companies operating ships, but all the related services, including chartering, insurance, freight forwarding, loading and unloading, bunkering, and repair services.

§ Along with the normal risk factors, such as the identity of the parties to transactions and the origin and destination of goods, the nature of the commodities being shipped can pose a particular sanctions risk.

Examples of commodities that may pose particular sanctions (and export control) risks include:
* Military items;
* Dual-use items, including nuclear, biochemical, WMD, missile technology;
* Drug precursors and certain general chemicals; and/or
* Otherwise bulk standard generic items that become an issue because of a targeted sanction on a single country.

25
Q

What measures has OFAC identified to the Shipping Industry so they can mitigate their risks?

A

OFAC has identified a number of measures the shipping industry can take to mitigate these risks.

  • Insurance
  • Verify cargo origin
  • Strengthen Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) compliance
  • Monitor for AIS manipulation - Maritime Automatic Identification System - a ship’s transponder
  • Review all applicable shipping documentation
  • Know Your Customer (KYC)
  • Clear communication with international partners
  • Leverage available resources
26
Q

What guidance has OFAC provided for the Commercial Insurance Industry?

A
  • The (re)insurance market provides significant support to the global maritime industry. For this reason, there is a risk to this sector of exposure to prohibited or sanctionable activity.
  • Obtaining commercial insurance is not likely to be the primary goal of those involved in the movement of illicit goods, but it can be exploited to obtain the necessary permits to initiate voyages and enter ports to transfer prohibited goods.
27
Q

What is the Commercial Insurance Risk from a jurisdiction perspective?

A

Jurisdiction risk:
~ Geographical location of asset/risk
~ Geographical location (re)insured
~ Legal and Regulatory obligations - which sanctions laws or regulations are applicable to carrier or broker

Product Risk:
~ Class of business (consider likely activities goods
~ Equipment, services or trade covered
~ Type of product

Client/Customer Risk:
~ Policy holder
~ Counterparty risk

28
Q

What other areas pose sanctions risk?

A

Exporters/Importers:

* Companies involved in international trade, such as exporters and importers, are particularly vulnerable to sanctions violations.

Case Study: 2018 OFAC’s $1.5M Fine on Epsilon
* A U.S. car audio and video equipment manufacturer
* Provides vital lessons for U.S. exporters whose products may be found in sanctioned countries
* Epsilon broke the law by selling audio and video equipment to Asra International, LLC in Dubai, UAE, despite having reason to know that this company would more than likely distribute the goods to Iran.

Actual delivery of U.S.-origin products to Iran is not required for the regulation to be violated. Instead, the court said that it’s sufficient that the exporter knows or should know that a third country specifically intends to re-export the goods to Iran, regardless of whether the goods ultimately arrive in Iran.

While an exporter may satisfy itself that its exports to a third country are not specifically intended for Iran, some due diligence is required to demonstrate the exporter had no “reason to know” that a customer was exclusively or predominantly doing business with Iran.

The case underscores the importance of proper due diligence with regard to foreign distributors that are not similarly restricted under their local law in doing business with Iran.