Editor's Note: Part I of this article appeared in the April, 2007 issue of The Metropolitan Corporate Counsel discussing the importance of constructing internal compliance programs ("ICP"s) to detect and prevent a company from violating economic sanctions or export laws in keeping with the regulations set forth by the U.S. Treasury's Office of Foreign Assets Control ("OFAC"). Parts I and II are a condensation of a longer article by the same authors. An HTML version containing the full text of the longer article is posted on our website.
Elements Of An Effective ICP
While various businesses have different risk areas, as a general rule, ICPs should contain a variant of each of the elements listed below.
A. Policy Statement
An ICP should require the development of a policy statement regarding the company's approach to OFAC compliance in order to communicate management's commitment to the ICP, indicate what the company hopes to achieve, outline its basic guiding principles, and name the officer or office responsible. In short, the ICP should set up the procedures to ensure that the policy statement communicates the current substantive position of the company regarding its ICP to employees.
Several elements are suggested for the substance of the statement itself: it should be issued by an officer or director of the company on company letterhead and should highlight the existence of a formal ICP; it should emphasize the role international trade or transactions play in the company's business, and note that these transactions expose the company and its employees and officers to risks when they involve sanctioned countries or individuals; it should also identify the person(s) or office(s) to which employees should direct questions or potential OFAC violations; finally, the statement should include a list of the consequences for OFAC violations, including fines and the possibility of criminal prosecution as well as internal sanctions for failing to follow the ICP or committing an OFAC violation.
B. ICP Infrastructure and Delegation of Authority
The presence of a centralized administrator is a crucial element in making an ICP manageable, and the ICP should develop the responsibilities to be delegated to a central compliance officer or office. When deciding what degree of authority should be vested in the central OFAC officer or office, the following benefits of centralized compliance decision-making should be kept in mind:
Identifiable Resource: The more authority vested in a central OFAC compliance officer or division, the more readily recognizable the compliance officer is to the general workforce.
Coordination and Consistency: A centralized OFAC compliance center increases the consistency of OFAC compliance decisions and efforts.
Efficient OFAC Monitoring: Vesting a central compliance office with responsibility for monitoring and disseminating OFAC regulations and SDN ("Specially Designated Nationals") list changes eliminates unnecessary duplication.
Institutional Knowledge: As a centralized office begins to see repetitive issues, it becomes more efficient in analyzing such issues. Central compliance officers also begin to develop a working knowledge of OFAC compliance personnel and OFAC procedures for receiving guidance on compliance issues.
Assigning OFAC compliance responsibility specifically to at least one high-ranking officer or director enhances compliance efforts in two ways: (1) it communicates the company's commitment to OFAC compliance and the serious nature of the issue; and (2) the career and legal liability placed on the official for OFAC violations increases the likelihood of strict enforcement of ICP procedures. Though the ICP may wish to vest responsibility in an office rather than an officer, it should clearly identify one person who holds overall responsibility for the program and serves as the external contact person for OFAC.
C. Education and Training
Among the most important provisions of an ICP are the procedures providing for the education and training of employees regarding OFAC compliance. Employees often possess the most information relevant to identifying potential OFAC violations, and when employees are incapable of recognizing and addressing those concerns, OFAC violations often go unidentified until an OFAC penalty notice is received. In order to ensure effective employee participation in an ICP, an ICP should, at a minimum, address three areas:
1. Scope of Education and Training
A company should provide OFAC training for employees in all areas identified by the company as "at-risk" for OFAC violations when making its initial ICP assessment, including all areas where employees process transactions, make contact with present or potential clients, have authority to bind the company, or process the shipment of goods. Again, a company may wish to vary the depth of training based on the relative risks associated with particular departments. An ICP should also appoint an officer(s) or office(s) responsible for developing and updating training programs.
2. Frequency of Education and Training
All relevant employees should be provided education and training regarding OFAC issues at an orientation or other similar introductory training. The ICP should also provide for a periodic "refresher" or continuing education, on a timely basis dependent on the degree of OFAC risk in the business or department. The ICP should also allow management to conduct ad hoc compliance programs following major revisions to OFAC regulations.
3. Methods of Education and Training
Most ICPs provide for the development of a written OFAC compliance manual, which ensures that the compliance information transmitted to the employee is consistent and allows the employee to make quick reference to basic OFAC procedures, eliminating unnecessary calls to the OFAC compliance officer. Compliance manuals need not be issued to every employee, but where employees travel often and/or operate in areas at high risk for OFAC violations, a condensed manual or "red-flag" sheet can be produced to provide constant reminders of OFAC issues.
While the contents of an OFAC employee manual may differ widely based on the employee's OFAC responsibilities, certain information should probably be contained in every manual: the range of penalties for OFAC violations; details of all persons who can be personally liable for both intentional and inadvertent infractions; a sample SDN list, a description of its contents, and instructions for its use; an employee certification that they have read, understand, and promise to abide by the ICP and other OFAC procedures; and, finally, a list of sample transactions or situations that raise OFAC issues and an answer sheet providing suggestions for dealing with these situations.
In addition to employee training manuals, most training and education provisions of ICPs allow for employee training sessions. Initial sessions typically review the employee manual, and both initial and subsequent sessions may focus on specific OFAC situations or experiences. It is suggested that an ICP also provide a mechanism for employee feedback regarding the ICP itself. These feedback sessions are critical for giving the compliance officer or office information from the employees who are charged with detecting OFAC issues about which procedures work, as well as new methods for dealing with OFAC compliance.
Though employee manuals and training sessions are the traditional method of disseminating OFAC compliance information, modern media tools allow for additional methods to educate and train employees, e.g. training videos, intranet web sites, e-mail, software training programs.
D. Screening of Customers and Transactions
The central goal of sanctions regulations is to prevent commercial contact with targeted countries, individuals, and entities. Therefore, the most important tool in avoiding OFAC violations is the proper screening of customers and transactions. Screening of customers can be accomplished by two methods: the use of "interdiction" software and manual screening against a printed list.
Interdiction software is probably an ICP requirement for sophisticated large businesses and banks that process contracts, customers, or other information electronically. OFAC would likely view an ICP for these businesses that does not use this software as deficient, especially where a database of customer information exists. Even small businesses and banks should evaluate the marginal preventative effect of interdiction software versus manual screening.
Interdiction software may be developed by in-house computer programmers or purchased from a variety of commercial vendors, allowing the computer to scan customer, transaction, or contract databases for names and locations that could point to a possible contact with a sanctioned country, transaction, or SDN. More sophisticated programs also check for misspelled names that may be SDNs or sanctioned country locations and can filter out search terms that consistently provide false "red flags."
Manual interdiction or screening can also be effectively used for some businesses. An ICP that uses a manual interdiction process should generally allow for multiple checks on a transaction to lessen the possibility of human error. The ICP should direct key employees to flag transactions with suspicious information. Employees can be reminded of targeted countries by posting or providing quick access to a list of the sanctioned countries and prominent cities within those countries. However, since many SDNs go by seemingly benign names and reside in countries friendly to the United States, a number of OFAC-prohibited transactions will go undetected under this method. Therefore, it is imperative that at least once prior to execution of a transaction the relevant parties are checked against the full SDN list - between 60 and 70 pages long.
Once an ICP sets out the method of screening clients, it must identify which client information will be screened. Customers themselves must first be screened, and then any known connections between customers and other individuals or entities should be screened. Length of the customer relationship should not bar screening, especially since customers themselves may be unaware of the nature of their connections and may appreciate notice regarding OFAC violations. The ICP should also provide for checks of existing customers against subsequent changes to the SDN list.
Finally, an ICP must set out when to conduct customer and contract screening. Generally, the ICP should require customer screening at the first available point after contact in order to prevent the relationship from progressing to the point that would be prohibited by OFAC regulations. In some instances, initial screening may be required because a transaction may occur at the point of initial contact, such as certain banking transactions. In these instances, it may be necessary to utilize interdiction software. The ICP can also call for follow-up customer screens during the application or bid process or at the conclusion of negotiations or a contract.
E. Order Processing and Export Clearance
Though an ICP may set out the methods and timing of screening procedures, a company may wish to include further procedures governing order processing in its ICP, especially after evaluating the various risk levels for OFAC violations among its departments. High-risk areas may warrant additional safeguards. Where a transaction is nearing completion faster than the normal processing time of the OFAC compliance officer, a risk-averse company may wish to provide for suspension of a transaction based on discovery of potential OFAC problems. ICPs may also require that all or select customers provide destination control statements, client certifications regarding product use and reexport, and other assurances against diversion.
F. Internal Audits
Each ICP should provide for periodic auditing of the ICP and the company's adherence to its conditions. The frequency and depth of internal audits depends in large part on the volume and/or value of business at-risk for OFAC violations. Companies should use internal audits to both identify problem officers or employees for sanction or retraining and to determine fundamental structural flaws in the ICP itself which tend to allow violations to recur. The ICP may also require audits more frequently during the early stages of a new program in order to uncover structural problems.
OFAC programs generally require the retention of all records relating to a transaction covered by OFAC regulations for five years. At a minimum, an ICP should require the OFAC compliance officer or office to archive business records relating to transactions concluded under a specific or general OFAC license. Businesses should also archive business records relating to "red-flagged" transactions that the internal OFAC compliance officer later determined to be permitted under OFAC regulations, as OFAC may subsequently take a different view of the transaction. OFAC recordkeeping provisions are also broad and vague as to exactly which records must be maintained. Therefore, the ICP should at least require the preservation of core documents, and should probably reflect a preference for inclusion of other business documents.
Violations of recordkeeping provisions constitute a separate violation of OFAC regulations, even if the underlying transaction was OFAC-consistent, such as transactions undertaken under an OFAC general license. Therefore, businesses with lax record control procedures may find themselves facing OFAC penalties despite never engaging in a violation.
In addition, OFAC regimes require that a specific company contact be designated by the company to be responsible for the gathering and turning over of documents at OFAC request. Also, holders of blocked property must register under many OFAC schemes and file annual statements. Therefore, an ICP should also provide procedures for the immediate freezing of the assets of customers that are subsequently listed as SDNs and notification of OFAC through its record procedures.
H. Notification and Reporting
ICPs must provide procedures to deal with violations once they are unearthed. First, the ICP should provide clear guidelines for reporting violations internally, such as setting out the officer or office to which the violation should be reported, allowing for confidential reporting, and providing for reduced employer penalties where violations are self-reported.
An ICP should also provide procedures for the internal OFAC compliance officer or office regarding the reporting of violations to OFAC: (1) it should set out procedures for determining whether an OFAC violation has occurred (the ICP should take into account that self-disclosure is a mitigating factor when OFAC chooses possible penalties); (2) it should also encourage self-disclosure, since failure to report an ongoing transaction that violates OFAC strictures makes the violation "willful," and therefore subject to stiffer penalties and prison terms; (3) it should provide specific guidance as to when and how a violation is reported to OFAC, with a designated officer directed to gather relevant documents and prepare a disclosure notice; (4) it may also require the OFAC compliance officer to prepare a cost-benefit report to be forwarded to the president or board of directors for further action; and, finally, it should provide procedures for gathering mitigating evidence for the potential OFAC investigation.
Edward L. Rubinoff focuses on international trade policy and regulation and heads the firm's export control and economic sanctions practice. Tamer A. Soliman, Counsel, advises clients on U.S. law and policy affecting international trade and business.