The Office of Foreign Assets Control (OFAC) has issued its most comprehensive compliance guidance to date, following a period of exceptionally active enforcement to begin 2019. Published on May 2, 2019, the new guidance titled "A Framework for OFAC Compliance Commitments" presents a more useful and practical tool for companies and compliance professionals to leverage in both day-to-day and long-term sanctions compliance decision-making than the previously published OFAC Enforcement Guidelines. While the Enforcement Guidelines explain the mitigating and aggravating factors critical to OFAC in evaluating its enforcement decisions, the Framework lays out more concrete objectives that organizations can readily translate into their operations and sanctions compliance strategy. U.S. and foreign organizations alike would be well advised to analyze the compliance program priorities that OFAC details in the Framework, as well as the common root causes for sanctions compliance breakdowns. Now that the Framework has been published—and a clear roadmap of best practices has been provided by OFAC—all companies, both U.S. and non-U.S., with any U.S. sanctions exposure have been put on notice by OFAC that they will be held to a higher standard in the future when it comes to defending the strength and effectiveness of their sanctions compliance programs. Failure to adopt and implement the priorities set forth in the Framework, could lead to serious OFAC enforcement risk and is more likely to lead OFAC to determine that apparent sanctions violations should be deemed "egregious" under the Enforcement Guidelines.

Our summary below proceeds as follows: First, we set forth the five sanctions program priorities identified in the Framework. Second, we detail the root causes identified by OFAC that commonly occur when sanctions compliance programs suffer lapses or are otherwise deficient. Third, we highlight several recent OFAC enforcement actions to demonstrate how the considerations in the Framework apply to real world scenarios faced by U.S. and foreign companies.

Five Sanctions Compliance Program Priorities

Initially, OFAC details the five facets of sanctions compliance programs it views as indispensable. If nothing else, organizations should carefully review these priorities and consider whether they may be lacking in any of the critical areas.

• Management commitment and support: As the first criteria enumerated by OFAC, management's role in an organization's compliance program is vital to its success. OFAC lists several ways that management can demonstrate its commitment, such as the allocation of adequate resources, fostering a culture of compliance, appointment and empowerment of compliance officer(s), the quality and experience of selected compliance personnel, and the provision of communication channels including reporting mechanisms.
• Risk assessment: OFAC describes the scope of an effective risk assessment, in order to properly design and maintain a risk-based compliance program. Conducting routine assessments of the potential threats and vulnerabilities specific to an organization is a central tenet of a healthy sanctions compliance program.
• Internal controls: Upon a thorough risk assessment, written policies and procedures should address the results in order to better "identify, interdict, escalate, report, and keep records concerning" problematic activity. OFAC outlines the primary objectives of internal controls, emphasizing their practicability and enforcement, and advises that programs be adjusted to reflect changes in sanctions (e.g., list updates, issuance of licenses, etc.).
• Testing and auditing: In addition to routinely conducting risk assessments of their operations, organizations should regularly test and audit the effectiveness of their compliance program. OFAC makes clear that organizations have a "responsibility to enhance" their compliance programs based on the results of such testing (e.g., updating or recalibrating program-related software).
• Training: All relevant employees should receive training on a periodic basis, which OFAC considers to be annually at a minimum. OFAC also urges companies to provide information and instruction to other stakeholders, such as clients, suppliers, business partners, and counterparties.

Common Root Causes of Sanctions Violations

Beyond providing insight into sanctions compliance program priorities, OFAC included an overview of common root causes for sanctions compliance deficiencies, which should be leveraged by organizations in seeking to adjust their programs going forward to avoid these common pitfalls.

• Lack of formal OFAC sanctions compliance program: While the sanctions regulations do not mandate formal programs, OFAC cites that the lack of one as among the most common root causes of apparent violations that result in civil monetary penalties.
• Misinterpreting or failing to understand the applicability of OFAC regulations: Misunderstanding of the specific touchpoints that bring an organization and its activities within OFAC's jurisdiction tend to be particularly problematic. Relevant considerations include status as U.S. person, dealings with U.S. persons, being a U.S.-owned or controlled subsidiary, or the involvement of the U.S. financial system or U.S.-origin goods and technology.
• Facilitating transactions by non-U.S. persons, including through or by overseas subsidiaries or affiliates: Multi-national organizations' U.S. locations or personnel often cause compliance issues by referring opportunities to or somehow facilitating dealings between its non-U.S. locations and sanctioned parties/countries.
• Exporting or re-exporting U.S.-origin goods, technology, or services to OFAC-sanctioned persons or countries: OFAC notes its public enforcement has focused on large, sophisticated companies that engage in a pattern of such behavior over a period of years and that utilize non-routine business practices to conceal the activity. These actions particularly include non-U.S. persons that do so despite contractual language expressly prohibiting such dealings.
• Utilizing the U.S. financial system, or processing payment to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries: OFAC stresses that even if no party to a transaction is otherwise subject to U.S. jurisdiction, the inclusion of a U.S. financial institution in associated payments often results in a prohibited activity and a sanctions violation.
• Sanctions screening software or filter faults: Improper maintenance or use of such tools often results in failures to timely identify prohibited locations, parties or dealings.
• Improper or incomplete due diligence on customers, clients, the supply chain, intermediaries, and counter parties: Inadvertent violations can often stem from a failure to adequately review product sourcing or pertinent parties' information, such as ownership information, business dealings, geographic location, etc.
• De-centralized compliance functions and inconsistent application of a sanctions compliance program: The effectiveness of compliance programs is often undermined by inconsistent application, which OFAC notes has often resulted from the scattering of compliance personnel and decision-makers throughout various offices.
• Utilizing non-standard payment or commercial practices: Such practices inconsistent with industry norms and practices can appear to OFAC as attempting to evade or circumvent sanctions or conceal prohibited activity.
• Individual liability: OFAC can take enforcement action against not only organizations engaged in prohibited activity but also individual(s) – particularly in supervisory, managerial, or executive level positions – that play integral roles in causing or facilitating violations. An individual's efforts to obfuscate and conceal activities from others within organization serve to aggravate such potential liability.

Recent OFAC Enforcement Examples

Recent OFAC enforcement actions and settlements in 2019 illustrate many of the sanctions compliance program essentials and root causes identified by OFAC in the Framework. Such "real world" applications of OFAC's enforcement decisions, coupled with the details of sanctions compliance program missteps, are invaluable as companies seek to build and refine their own sanctions compliance programs.

• The proper scope of due diligence, specifically to include all relevant aspects of one's supply chain, was at issue in the January 2019 settlement for $1 million with e.l.f. Cosmetics, Inc., whose audits of suppliers in China failed to even address the risk of sanctioned North Korean content, much less detect the 156 apparent violations involving its importation of false eyelash kits containing materials illicitly sourced from North Korea.
• The importance of routine audits of foreign subsidiaries for sanctions compliance, which should reveal management misdirection and non-standard commercial practices, was highlighted in the $1.8 million settlement with Stanley Black & Decker in March 2019. Stanley Black & Decker's newly acquired foreign subsidiary continued to sell products to Iran for at least two years despite the U.S. parent's warning and policies against it. The subsidiary's leadership actively participated in Iran business, which entailed non-routine business practices to conceal it, such as utilizing intermediaries in other countries as conduits, fictitious bills of lading with false ports and delivery locations, and even instructing customers not to write "Iran" on any related documents. OFAC noted that Stanley Black & Decker failed to conduct audits of its subsidiary to ensure that any Iranian business permanently ceased after the acquisition.
• The export or re-export of U.S. origin goods and technology centered in OFAC's concurrent enforcement action with the U.S. export control authorities against the China-based Yantai Jereh Oilfield Services Group in December 2018. According to the combined $3.4 million settlements, Yantai Jereh unlawfully shipped oilfield service products with some U.S.-origin content to Iran through an overseas intermediary over a period of several years, and then attempted to mislead U.S. investigating authorities and conceal its Iran business, including falsifying its U.S. export filings.
• Several other large recent enforcement actions entail the use of the U.S. financial system by non-U.S. entities in transactions with sanctioned parties/countries, which the entities attempted to hide by using non-standard business practices: the February 2019 settlement with AppliChem GmbH for $5 million, the April 2019 settlements with three UniCredit Group Banks totaling $661 million, and the April 2019 settlement with Standard Chartered Bank for $639 million.
• OFAC's position on individual liability was demonstrated by its first-time designation of an individual as a "Foreign Sanctions Evader," who was a Turkish national managing director of a newly acquired Turkish subsidiary of Kollmorgen Corp. According to the OFAC settlement in February 2019, the manager was primarily responsible for the subsidiary's conduct that led to several apparent Iran sanctions violations, which he ordered and attempted to conceal. This conduct, which went undetected by the company for a period of time post-merger, led OFAC to designate him in his individual capacity and impose a civil monetary penalty against the company.

For more information, please contact:

Timothy P. O'Toole, totoole@milchev.com, 202-626-5552

Caroline J. Watson, cwatson@milchev.com, 202-626-6083

Brian J. Fleming*

Collmann Griffin*

Aiysha S. Hussain*

*Former Miller & Chevalier attorney

The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.