As businesses struggle with the challenges posed by COVID 19, it is imperative to reassess the need for better OFAC compliance controls. More corporations are facing the threat of sanctions from the US Department of Treasury for violations. This underlines the need for businesses to update their reporting systems for better compliance with OFAC programs.

Businesses can improve control measures based on their individual business model, customer base, and geographic operations.

In this short blog, we examine OFAC expectations and ways to implement the necessary compliance measures.

Implement a Risk-Based Approach

The new guidelines from OFAC emphasize that financial businesses must take a risk-based approach for complying with sanctions. This can be achieved by developing, implementing, and routinely updating a compliance program.

The 2019 framework laid down the foundation for what a risk-based approach to compliance meant in practice. It highlighted five areas that businesses should focus on.

1. Risk Assessment

2. Management Commitment

3. Internal Controls

4. Testing and Auditing

5. Training

The framework is meant as a blueprint and there is a lot of room for customizing risk compliance to a company’s business model.

Benefits of Risk Assessment

Businesses and other organizations can get two main benefits from periodic risk assessment.

First, OFAC sanctions fluctuate based on changes in the OFAC sanctions program and the growth of businesses. Without an understanding of the current risks, a company will not be able to adjust its controls and remain compliant.

For example, acquiring a new foreign subsidiary may change business circumstances. Previously permissible activities may no longer be allowed and a reassessment can help the business stay compliant.

Second, a continuous risk assessment process can lower liability in case of inadvertent future violations. Recent OFAC enforcements show that businesses that apply a standard policy and fail to account for the unique business model were still penalized for violations.

On the other hand, organizations that displayed a good faith effort to customize their compliance programs for the business were shown leniency, even if they fell short in some areas.

Designing the OFAC Risk Assessment Process

The OFAC framework suggests that risk assessment should address three main risk factors.

1. Risks posed by the geographic location of business operations

2. Risks posed by third parties including suppliers, customers, and intermediaries

3. Risks posed by products and services

An effective risk assessment program should gather information from all three categories.

Risk assessments should also consider the causes of any past violations or systemic deficiencies identified in day-to-day operations. It is strongly advised to review the recent enforcement actions, as well as policy updates from the OFAC.

Lastly, businesses should look at how often they will carry out a risk assessment to determine compliance.

Implementing the Risk Assessment Program

There are many areas where businesses can apply for the risk assessment program. Good places to start include enterprise resource planning systems, customer files, and employees.

Other areas for execution include mergers and acquisitions, where the business can carry out due diligence exercises. Financial metrics from foreign subsidiaries should be included in the assessment by examining data on high-volume customers, revenues, and product sales.

Employee interviews on customers or other third party facing activities can reveal valuable human intelligence on risk factors. As your business develops new customers, expands to new geographic locations, and becomes a part of new shipping routes or distribution channels, the need for risk assessment gets higher.

Documenting Results

Creating an appropriate record of your findings is crucial. Your risk assessment teams should carefully document their observations in reports. The documentation exercise provides evidence that any changes you made to the compliance program were based on an actual risk assessment.

Documentation also creates a record of your company’s good faith efforts to implement the OFAC framework.

Lastly, documentation provides a reference point for risk assessments in the future, which will help expedite future efforts.