The Department of the Treasury’s Office of Foreign Assets Control (OFAC) published a framework for sanctions compliance yesterday. It describes the sanctions compliance program standards for US legal and natural persons and for US-origin goods or services. The framework mirrors the requirements for a competent AML program and includes:
- commitment from the top down in writing.
- creation of a sanctions committee of senior management to drive and support the sanctions compliance program and inculcate a culture of compliance.
- undertaking a risk assessment to identify risks of sanctions exposure.
- creation of internal controls, including policies and procedures after the risk assessment.
- testing and auditing of the program to ensure that it is effective, responds to the risk assessment and can identify weaknesses and gaps for remediation.
- training on an ongoing basis of personnel across the organization.

The framework also describes the most common ways in which sanctions are violated, inadvertently or otherwise. Those include:
- lack of a program.
- lack of legal advice in respect of the law of sanctions, or a misinterpretation of sanctions law.
- facilitating sanctions using foreign subsidiaries or affiliates (meaning in Canada, for example, a Canadian company with ties to the US may not realize it is subject to US sanctions).
- using payment processors that go through the US financial system (by virtue of correspondent banking, most financial transactions that are not cash go through the US financial system and are thereby subject to US sanctions).
- exporting tech to sanctioned countries (digital currency technology and mining equipment to Iran may be a problematic area where sanctions advice should be obtained – both photos below appeared on Twitter depicting the setting up of a Bitcoin mining operation in Iran with equipment imported from outside Iran).
- inadequate due diligence.

As noted in the framework, personal and criminal liability attaches to legal and natural persons, including those in Canada and elsewhere, for violations of US sanctions law where it is applicable. Very often organizations believe they are not subject to US financial crime law – the Wegelin & Co. bank prosecution, and its closure, is illustrative of this issue.