ACSS Risk Assessment Chapter 4 PDF
Summary
This document discusses the essential components of risk-based sanctions compliance programs, focusing on different industry settings like finance, manufacturing, and shipping. It covers guidance from OFAC, the EU, and the Wolfsberg Group, emphasizing the need for tailored compliance programs that reflect an organization's specific risks. The document outlines key aspects, including management commitment, risk assessment, internal controls, testing, and training, providing practical insights into establishing and maintaining effective sanctions compliance systems.
Full Transcript
Certified Sanctions Specialist (CSS) 131

ESSENTIAL COMPONENTS OF RISK-BASED SANCTIONS COMPLIANCE PROGRAMS IN DIFFERENT INDUSTRY SETTINGS

Association of Certified Sanctions Specialists (ACSS)
7950 NW 53rd Street, Suite 337
Miami, FL 33166
Phone: +1 305 433 7187
[email protected]
www.sanctionsassociation.org

Sanctions Compliance Programs: An Introduction

"OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP)."
A Framework for OFAC Compliance Commitments (2019)

Compliance with sanctions laws does not just happen. Full and effective compliance requires the creation, implementation, and operation within an organization of a program to ensure compliance. Indeed, the aim of a sanctions compliance program is exactly that: to ensure full and effective compliance with all applicable sanctions laws. In the absence of such a program, an organization could easily find itself in violation, with potentially serious consequences.

There is no "one size fits all" sanctions compliance program. Indeed, neither the European Union nor the United States has imposed specific requirements for a sanctions compliance program. Both have, however, identified the essential components of such a program. One thing both emphasize is that the program must reflect the organization's specific risks, so what constitutes an effective sanctions compliance program will vary greatly. The factors that can affect the program include the organization's location, its size, its business, and whether it engages in substantial cross-border transactions.
This chapter will discuss the basic components of an effective sanctions compliance system, and identify specific features of the system which may be necessary for organizations in different industries, including finance, manufacturing, and shipping.

The Essential Components of a Sanctions Compliance System

Neither the EU nor the United States mandates the form and contents of a sanctions compliance program; in fact, neither imposes any legal duty to have such a program. However, both have provided guidance on what the components of an effective sanctions compliance system are likely to include. In addition, the Wolfsberg Group, an association of thirteen global banks which aims to develop frameworks and guidance for the management of financial crime risks, has published recommendations on the major features of a sanctions compliance system for financial institutions. The three sets of guidance share many common features, but it is worthwhile to examine them separately, as each covers slightly different issues.

A Framework for OFAC Compliance Commitments

The OFAC guidance, A Framework for OFAC Compliance Commitments, is addressed specifically to compliance with U.S. sanctions. As such, it is a useful source of guidance for any organization doing business with the United States, including selling into the United States, selling U.S. products, purchasing U.S. products, or even simply using U.S. dollars. Beyond this, the OFAC guidance in many ways represents a distillation of international best practices. OFAC has identified five major components:

1. Management commitment
2. Risk assessment
3. Internal controls
4. Testing and auditing
5. Training

Draft EU Guidance on Best Practices for "Internal Compliance Programmes"

The EU guidance is technically directed toward compliance programs for organizations exporting dual-use products, and so is primarily concerned with compliance with export controls.
However, the guidance addresses sanctions compliance as well, and practically all of its principles and recommendations are applicable to sanctions compliance programs. As discussed in Chapter 6 below, sanctions and export control compliance programs have many similarities, and may in fact be part of a single compliance system, so the EU guidance is another relevant source of information. The main components of a compliance program under the EU guidance are:

1. Top-level management commitment to compliance
2. Organization structure, responsibilities and resources commensurate with the entity's risk profile
3. Training and awareness raising
4. Transaction screening process and procedures
5. Performance review, audits, reporting and corrective actions
6. Recordkeeping and documentation

Wolfsberg Guidance on Sanctions Screening

The Wolfsberg Guidance on Sanctions Screening focuses on the role of screening customers and transactions at banks to detect and prevent sanctions violations. The guidance notes, though, that screening is simply one component of a larger sanctions program. The components of such a program should include:

1. Policies and procedures
2. Responsible person
3. Risk assessment
4. Internal controls
5. Testing

A link to the Wolfsberg guidance is included in the reference materials.

FFIEC BSA/AML Examination Manual

Other sources contain useful guidance on the necessary components of a sanctions compliance program. For U.S. financial institutions in particular, probably the most important is the FFIEC BSA/AML Examination Manual, which is the official manual used by the U.S. government for examining banks' systems for complying with anti-money laundering and sanctions laws. The manual contains several pages on the OFAC compliance program. It starts with a general statement on the OFAC compliance program and then continues with the several pillars of a sound OFAC compliance program.
Below are excerpts from the manual:

OFAC compliance program

While not required by specific regulation, but as a matter of sound banking practice and in order to mitigate the risk of noncompliance with OFAC requirements, banks should establish and maintain an effective, written OFAC compliance program that is commensurate with their OFAC risk profile (based on products, services, customers, and geographic locations). The program should identify higher-risk areas, provide for appropriate internal controls for screening and reporting, establish independent testing for compliance, designate a bank employee or employees as responsible for OFAC compliance, and create training programs for appropriate personnel in all relevant areas of the bank.

OFAC risk assessment

A fundamental element of a sound OFAC compliance program is the bank's assessment of its specific product lines, customer base, and nature of transactions and identification of the higher-risk areas for potential OFAC sanctions risk. The initial identification of higher-risk customers for purposes of OFAC may be performed as part of the bank's CIP and CDD procedures. As OFAC sanctions can reach into virtually all areas of its operations, banks should consider all types of transactions, products, and services when conducting their risk assessment and establishing appropriate policies, procedures, and processes. An effective risk assessment should be a composite of multiple factors (as described in more detail below), and depending upon the circumstances, certain factors may be weighed more heavily than others.

Another consideration for the risk assessment is account and transaction parties. New accounts should be compared with OFAC lists prior to being opened or shortly thereafter. However, the extent to which the bank includes account parties other than accountholders (e.g., beneficiaries, guarantors, principals, beneficial owners, nominee shareholders, directors, signatories, and powers of attorney) in the initial OFAC review during the account opening process, and during subsequent database reviews of existing accounts, will depend on the bank's risk profile and available technology.

Based on the bank's OFAC risk profile for each area and available technology, the bank should establish policies, procedures, and processes for reviewing transactions and transaction parties (e.g., issuing bank, payee, endorser, or jurisdiction). Currently, OFAC provides guidance on transaction parties on checks. The guidance states that if a bank knows or has reason to know that a transaction party on a check is an OFAC target, the bank's processing of the transaction would expose the bank to liability, especially for personally handled transactions in a higher-risk area. For example, if a bank knows or has reason to know that a check transaction involves an OFAC-prohibited party or country, OFAC would expect timely identification and appropriate action.

In evaluating the level of risk, a bank should exercise judgment and take into account all indicators of risk. Although not an exhaustive list, examples of products, services, customers, and geographic locations that may carry a higher level of OFAC risk include:

- International funds transfers
- Nonresident alien accounts
- Foreign customer accounts
- Cross-border automated clearing house (ACH) transactions
- Commercial letters of credit and other trade finance products
- Transactional electronic banking
- Foreign correspondent bank accounts
- Payable through accounts
- Concentration accounts
- International private banking
- Overseas branches or subsidiaries
Appendix M ("Quantity of Risk - OFAC Procedures") provides guidance to examiners on assessing OFAC risks facing a bank. The risk assessment can be used to assist the examiner in determining the scope of the OFAC examination. Additional information on compliance risk is posted by OFAC on its website under "Frequently Asked Questions".

Once the bank has identified its areas with higher OFAC risk, it should develop appropriate policies, procedures, and processes to address the associated risks. Banks may tailor these policies, procedures, and processes to the specific nature of a business line or product. Furthermore, banks are encouraged to periodically reassess their OFAC risks.

Internal Controls

An effective OFAC compliance program should include internal controls for identifying suspect accounts and transactions, as well as reporting blocked and rejected transactions to OFAC. Internal controls should include the following elements:

Identifying and reviewing suspect transactions. The bank's policies, procedures, and processes should address how the bank will identify and review transactions and accounts for possible OFAC violations, whether conducted manually, through interdiction software, or a combination of both. For screening purposes, the bank should clearly define its criteria for comparing names provided on the OFAC list with the names in the bank's files or on transactions and for identifying transactions or accounts involving sanctioned countries. The bank's policies, procedures, and processes should also address how it will determine whether an initial OFAC hit is a valid match or a false hit. A high volume of false hits may indicate a need to review the bank's interdiction program.

The screening criteria used by banks to identify name variations and misspellings should be based on the level of OFAC risk associated with the particular product or type of transaction. For example, in a higher-risk area with a high volume of transactions, the bank's interdiction software should be able to identify close name derivations for review. The SDN list attempts to provide name derivations; however, the list may not include all derivations. More sophisticated interdiction software may be able to catch variations of an SDN's name not included on the SDN list. Banks with lower OFAC risk and those with low volumes of transactions may decide to filter manually for OFAC compliance. Decisions to use interdiction software and the degree of sensitivity of that software should be based on a bank's assessment of its risk and the volume of its transactions. In determining the frequency of OFAC checks and the filtering criteria used (e.g., name derivations), banks should consider the likelihood of incurring a violation and available technology. In addition, banks should periodically reassess their OFAC filtering system. For example, if a bank identifies a name derivation of an OFAC target, then OFAC suggests that the bank add the name to its filtering process.

New accounts should be compared with the OFAC lists prior to being opened or shortly thereafter (e.g., during nightly processing). Banks that perform OFAC checks after account opening should have procedures in place to prevent transactions, other than initial deposits, from occurring until the OFAC check is completed. Prohibited transactions conducted prior to completing an OFAC check may be subject to possible enforcement action. In addition, banks should have policies, procedures, and processes in place to check existing customers when there are additions or changes to the OFAC list. The frequency of the review should be based on the bank's OFAC risk. For example, banks with a lower OFAC risk level may periodically (e.g., weekly, monthly or quarterly) compare the customer base against the OFAC list.
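The screening logic the manual describes above (compare a name against each listed name and its known derivations, tune the matcher's sensitivity to the risk of the product line, and add a newly identified derivation to the filter once an analyst has confirmed it) can be made concrete with a small Python sketch. This is an added illustration written for this page; it is not code from the ACSS chapter, the FFIEC manual or any interdiction product. The list entries, aliases, customer names and threshold values are constructed for the example, and the matcher (sorted-token string similarity from the standard library's `difflib`) is a deliberate simplification: production filters also use phonetic keys, transliteration tables, identifier and date-of-birth checks, and country and address rules.

```python
"""Illustrative name-screening filter: an added example, not code from the
ACSS chapter, the FFIEC manual or any interdiction product.  All list entries,
aliases, customer names and thresholds below are constructed sample data."""
from __future__ import annotations

import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample watchlist: listed name -> known name derivations.
# Invented entries for the example, not real SDN data.
SAMPLE_LIST: dict[str, list[str]] = {
    "Ivan Petrovich Volkov": ["Ivan Volkov", "I. P. Volkov"],
    "Global Trading House Ltd": ["GTH Ltd"],
}

# Assumed sensitivity per risk tier.  Higher-risk products get a looser
# threshold so close name derivations surface for analyst review, at the cost
# of more false hits; lower-risk products get a tighter one.
THRESHOLDS: dict[str, float] = {"low": 0.95, "medium": 0.88, "high": 0.80}

# Corporate suffixes that carry no identifying value (simplified list).
_NOISE_TOKENS = {"ltd", "limited", "inc", "llc", "co", "company", "corp"}


def normalize(name: str) -> str:
    """Lower-case, strip accents and punctuation, drop noise tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9 ]", " ", ascii_only.lower())
    return " ".join(t for t in cleaned.split() if t not in _NOISE_TOKENS)


def similarity(a: str, b: str) -> float:
    """Order-insensitive similarity in [0, 1]: tokens are sorted first so
    'Volkov, Ivan' and 'Ivan Volkov' compare as equal."""
    ta = " ".join(sorted(normalize(a).split()))
    tb = " ".join(sorted(normalize(b).split()))
    return SequenceMatcher(None, ta, tb).ratio()


def screen(name: str, risk: str,
           watchlist: dict[str, list[str]] = SAMPLE_LIST) -> list[tuple[str, str, float]]:
    """Compare one name against every listed name and its derivations.

    Returns (listed_name, best_matching_variant, score) for each list entry
    whose best variant scores at or above the tier's threshold.  An empty list
    means no hit; a non-empty list is a potential hit that an analyst still has
    to resolve as a valid match or a false hit."""
    threshold = THRESHOLDS[risk]
    hits = []
    for listed, aliases in watchlist.items():
        variant, score = max(
            ((v, similarity(name, v)) for v in [listed, *aliases]),
            key=lambda pair: pair[1],
        )
        if score >= threshold:
            hits.append((listed, variant, round(score, 3)))
    return hits


def add_derivation(listed: str, variant: str,
                   watchlist: dict[str, list[str]] = SAMPLE_LIST) -> None:
    """Once an analyst confirms that a near-miss is the listed party, record the
    new derivation so the filter catches it exactly from then on."""
    if variant not in watchlist[listed]:
        watchlist[listed].append(variant)


if __name__ == "__main__":
    # A misspelt surname is a hit for a high-risk product but not a low-risk one.
    print(screen("Ivan Volkow", "high"))   # hit via alias 'Ivan Volkov', score 0.909
    print(screen("Ivan Volkow", "low"))    # no hit at the tighter threshold
    add_derivation("Ivan Petrovich Volkov", "Ivan Volkow")
    print(screen("Ivan Volkow", "low"))    # exact hit on the added derivation
```

The point of the three `THRESHOLDS` tiers is the manual's own: the same misspelling ("Volkow" for "Volkov") is surfaced for review under the high-risk setting and silently passed under the low-risk one, so the threshold is a risk decision, not a tuning detail, and the false-hit rate it produces should be monitored as the manual suggests.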
Transactions such as funds transfers, letters of credit, and noncustomer transactions should be checked against OFAC lists prior to being executed. When developing OFAC policies, procedures, and processes, the bank should keep in mind that OFAC considers the continued operation of an account or the processing of transactions post-designation, along with the adequacy of the bank's OFAC compliance program, to be a factor in determining the appropriate enforcement response to an apparent violation of OFAC regulations. The bank should maintain documentation of its OFAC checks on new accounts, the existing customer base and specific transactions. If a bank uses a third party, such as an agent or service provider, to perform OFAC checks on its behalf, as with any other responsibility performed by a third party, the bank is ultimately responsible for that third party's compliance with the OFAC requirements. As a result, banks should have a written agreement in place and establish adequate controls and review procedures for such relationships.

Updating OFAC lists. A bank's OFAC compliance program should include policies, procedures, and processes for timely updating of the lists of sanctioned countries and blocked entities and individuals, and for disseminating such information throughout the bank's domestic operations and its offshore offices, branches and, in the case of Iran and Cuba, foreign subsidiaries. This would include ensuring that any manual updates of interdiction software are completed in a timely manner.

Screening Automated Clearing House (ACH) transactions. ACH transactions may involve persons or parties subject to the sanctions programs administered by OFAC. Refer to the expanded overview section, "Automated Clearing House Transactions," page 216, for additional guidance. OFAC has clarified its interpretation of the application of OFAC's rules for domestic and cross-border ACH transactions and provided more detailed guidance on international ACH transactions. [162]

With respect to domestic ACH transactions, the Originating Depository Financial Institution (ODFI) is responsible for verifying that the Originator is not a blocked party and making a good faith effort to ascertain that the Originator is not transmitting blocked funds. The Receiving Depository Financial Institution (RDFI) similarly is responsible for verifying that the Receiver is not a blocked party. In this way, the ODFI and the RDFI are relying on each other for compliance with OFAC regulations. If an ODFI receives domestic ACH transactions that its customer has already batched, the ODFI is not responsible for unbatching those transactions to ensure that no transactions violate OFAC's regulations. If an ODFI unbatches a file originally received from the Originator in order to process "on-us" transactions, that ODFI is responsible for the OFAC compliance for the on-us transactions because it is acting as both the ODFI and the RDFI for those transactions. ODFIs acting in this capacity should already know their customers for the purposes of OFAC and other regulatory requirements. For the residual unbatched transactions in the file that are not "on-us," as well as those situations where banks deal with unbatched ACH records for reasons other than to strip out the on-us transactions, banks should determine the level of their OFAC risk and develop appropriate policies, procedures, and processes to address the associated risks. Such policies might involve screening each unbatched ACH record. Similarly, banks that have relationships with third-party service providers should assess those relationships and their related ACH transactions to ascertain the bank's level of OFAC risk and to develop appropriate policies, procedures, and processes to mitigate that risk.

With respect to cross-border screening, similar but somewhat more stringent OFAC obligations hold for International ACH transactions (IAT). In the case of inbound IATs, and regardless of whether the OFAC flag in the IAT is set, an RDFI is responsible for compliance with OFAC sanctions programs. For outbound IATs, however, the ODFI cannot rely on OFAC screening by an RDFI outside of the United States. In these situations, the ODFI must exercise increased diligence to ensure that illegal transactions are not processed. Due diligence for an inbound or outbound IAT may include screening the parties to a transaction, as well as reviewing the details of the payment field information for an indication of a sanctions violation, investigating the resulting hits, if any, and ultimately blocking or rejecting the transaction, as appropriate. Refer to the expanded overview section, "Automated Clearing House Transactions," page 216, for additional guidance. Additional information on the types of retail payment systems (ACH payment systems) is available in the FFIEC Information Technology Examination Handbook. [163]

In guidance issued on March 10, 2009, OFAC authorized institutions in the United States, when they are acting as an ODFI/Gateway Operator (GO) for inbound IAT debits, to reject transactions that appear to involve blockable property or property interests. [164] The guidance further states that to the extent that an ODFI/GO screens inbound IAT debits for possible OFAC violations prior to execution and in the course of such screening discovers a potential OFAC violation, the suspect transaction is to be removed from the batch for further investigation. If the ODFI/GO determines that the transaction does appear to violate OFAC regulations, the ODFI/GO should refuse to process the transfer. The procedure applies to transactions that would normally be blocked as well as to transactions that would normally be rejected for OFAC purposes based on the information in the payment.

Reporting. An OFAC compliance program should also include policies, procedures, and processes for handling validly blocked or rejected items under the various sanctions programs. When there is a question about the validity of an interdiction, banks can contact OFAC by phone or e-hotline for guidance. Most other items should be reported through usual channels within ten days of the occurrence. The policies, procedures, and processes should also address the management of blocked accounts. Banks are responsible for tracking the amount of blocked funds, the ownership of those funds, and interest paid on those funds. Total amounts blocked, including interest, must be reported to OFAC by September 30 of each year (information as of June 30). When a bank acquires or merges with another bank, both banks should take into consideration the need to review and maintain such records and information.

Banks no longer need to file SARs based solely on blocked narcotics- or terrorism-related transactions, as long as the bank files the required blocking report with OFAC. However, because blocking reports require only limited information, if the bank is in possession of additional information not included on the OFAC blocking report, a separate SAR should be filed with FinCEN that would include such information. In addition, the bank should file a SAR if the transaction itself would be considered suspicious in the absence of a valid OFAC match. [165]

Maintaining license information. OFAC recommends that banks consider maintaining copies of customers' OFAC licenses on file.
This will allow the bank to verify whether a customer is initiating a legal transaction. Banks should also be aware of the expiration date on the OFAC license. If it is unclear whether a particular transaction would be authorized under the terms of the license, the bank should contact OFAC. Maintaining copies of OFAC licenses will also be useful if another bank in the payment chain requests verification of a license's validity. Copies of OFAC licenses should be maintained for five years following the most recent transaction conducted in accordance with the license.

Independent Testing

Every bank should conduct an independent test of its OFAC compliance program that is performed by the internal audit department, outside auditors, consultants, or other qualified independent parties. For large banks, the frequency and area of the independent test should be based on the known or perceived risk of specific business areas. For smaller banks, the audit should be consistent with the bank's OFAC risk profile or be based on a perceived risk. The person(s) responsible for testing should conduct an objective, comprehensive evaluation of OFAC policies, procedures, and processes. The audit scope should be comprehensive enough to assess OFAC compliance risks and evaluate the adequacy of the OFAC compliance program.

Responsible Individual

It is recommended that every bank designate a qualified individual(s) to be responsible for the day-to-day compliance of the OFAC compliance program, including changes or updates to the various sanctions programs, the reporting of blocked or rejected transactions to OFAC, and the oversight of blocked funds. This individual should have an appropriate level of knowledge about OFAC regulations commensurate with the bank's OFAC risk profile.

Training

The bank should provide adequate training for all appropriate employees on its OFAC compliance program, procedures and processes. The scope and frequency of the training should be consistent with the bank's OFAC risk profile and appropriate to employee responsibilities.

The entire manual is available online at https://bsaaml.ffiec.gov/manual. A link to the individual chapter on compliance with U.S. sanctions laws is included in the reference materials.

The following article from SanctionsAlert, ACSS' newsletter, explains how a review by bank examiners may result in an OFAC enforcement action.

Reviews by bank examiners may result in action by OFAC
Date: August 17, 2016

US financial institutions regularly undergo examinations by federal and state banking agencies, such as the FDIC, OCC and Federal Reserve, as well as their state financial regulator. These "examiners" are tasked with reviewing records, policies, accounts, and documents to evaluate whether an institution's internal procedures are in line with applicable laws and regulations, including those of OFAC. The lack of written safeguards and policies against blacklisted persons and entities can be a risky move for banks and other financial institutions.

BSA/AML examinations by bank regulators

Though OFAC regulations do not fall under the scope of AML laws, evaluation of OFAC compliance is frequently included in AML examinations. The Bank Secrecy Act (BSA) is a federal law that requires banks and other financial institutions to bring large cash transactions and other dubious activity to the attention of regulators. The BSA also requires financial institutions to have complex controls in place to detect any criminal activity, including an "anti-money laundering program". In order to assess compliance with the BSA and AML laws, an assessment called the BSA/AML Examination is conducted. Federal bank regulators conduct formal assessments for adherence to AML laws and the BSA.
In order to make sure that the examiners use uniform standards, the Federal Financial Institutions Examination Council (FFIEC), an interagency body, has issued the FFIEC BSA/AML Examination Manual (the Manual). The Manual, first issued in 2005 and last updated in 2014, provides vital information on what to expect from the examiner with respect to their review of an institution's OFAC/sanctions compliance program. Even though OFAC is not part of the FFIEC, it assists in the development of the sections of the Manual that relate to OFAC reviews.

OFAC assessment takes a front seat

Despite their name, BSA/AML examinations test for more than just AML compliance. The examiner's review of the compliance program for adherence to OFAC rules takes a primary role during the examination. In fact, the Manual mentions the word "OFAC" 316 times, including in the first sentence, which reads: "This Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination Manual provides guidance to examiners for carrying out BSA/AML and Office of Foreign Assets Control examinations."

The Manual's section "Core Examination Overview and Procedures for Regulatory Requirements and Related Topics" consists of 14 sections, one of which is entirely devoted to OFAC compliance, called "OFAC Overview and Examination Procedures". This section takes up 10% of the Core Procedures and consists of 11 pages. Based on the number of pages, it is the second largest section, surpassed only by the section on Suspicious Activity Reports.

At the start of the examination, as part of the scoping and planning procedures, the examiner must look at the institution's OFAC risk assessment procedures and independent testing. To facilitate the examiner's understanding of the bank's risk profile and to adequately establish the scope of the OFAC examination, the examiner completes several steps, including:

- A review of the bank's OFAC risk assessment. The risk assessment, which may be incorporated into the bank's overall BSA/AML risk assessment, should consider the various types of products, services, customers, entities, transactions, and geographic locations in which the bank is engaged, including those that are processed by, through, or to the bank, to identify potential OFAC exposure. Though not specifically stated in the Manual, best practice dictates that a larger financial institution creates a stand-alone OFAC Risk Assessment Policy with an in-depth review of sanctions risks.

- A review of the bank's independent testing of its OFAC compliance program. This refers to supporting documents of the independent testing (audit) of the institution's OFAC compliance program. The federal banking agencies' reference to "audit" does not confer an expectation that the required independent testing be done by a specifically designated external or internal auditor; however, the person performing the independent testing must not be involved in any part of the bank's OFAC compliance program. This includes both persons developing policies and procedures and persons conducting training.

- A review of the civil penalties area on the OFAC website. This is to determine whether the bank has had any warning letters, fines, or penalties imposed by OFAC since the most recent examination.

- A review of correspondence between the bank and OFAC. The examiner will be looking for relevant communications, including periodic reporting of prohibited transactions to OFAC and, if applicable, annual OFAC reports on blocked property.
www.sanctionsassociation.org Certified Sanctions Specialist (CSS) 142 OFAC training requirements The federal bank examiner will ask financial institutions to show evidence of OFAC of training as part of the BSA/AML Examination. According to the Manual, the examiner will: request an “OFAC training schedule with dates, attendees, and topics”, request “a list of persons in positions for which the bank typically requires OFAC training but who did not participate in the training.”; and “review the adequacy of the bank’s OFAC training program based on the bank’s OFAC risk assessment.” Potential actions by bank regulators The federal banking agencies can issue enforcement actions for non-compliance, including requirements to reform the bank’s OFAC program and impose civil money penalties. In a case involving Deutsche Bank AG, the Federal Reserve imposed a $58 million penalty and consent cease and desist order against the German banking giant, related to violations of US sanctions. The 2015 order required Deutsche Bank to implement and enhanced program to ensure global compliance with US sanctions administered by OFAC. Informing OFAC of irregularities Federal banking agencies also often have a duty to inform OFAC when they spot problematic behavior, for example involving transactions to or from sanctioned countries or a lack of written controls to comply with sanctions laws. This duty is usually derived from an agreement made with OFAC called a “Memorandum of Understanding” (MOU). These MOU agreements set forth procedures for the exchange of certain information between the parties, including a full report of the findings during an examination as they relate to sanctions enforcement. Such agreements exist with institutions like the Federal Reserve and the FDIC as well as almost every state financial regulator. For a list of state and federal agencies with which OFAC currently has an MOU, please click here. 
The MOU between OFAC and the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC) and the now defunct Office of Thrift Supervision (OTS) was signed ten years ago, in 2006. To see it, please click here. Information that can be shared includes unreported violations of sanctions, and other examination findings, such as “significant deficiencies in a banking organization’s policies, procedures, and processes for ensuring compliance with OFAC regulations.”

OFAC compliance program as a mitigating factor

In identifying a potential sanctions violation, OFAC uses its “Enforcement Guidelines,” the framework for the enforcement of all economic sanctions programs it administers. This document says that OFAC will consider some general factors in determining an enforcement action for an apparent breach of sanctions. One of the factors is General Factor E, Compliance Program: the existence, nature and adequacy of a risk-based OFAC compliance program at the time of the apparent violation, where relevant. OFAC will follow the procedures set forth in the MOU and consult the regulator on the quality and effectiveness of the compliance program in place. Even in the absence of an MOU, OFAC may take into consideration the views of federal, state, or foreign regulators, where relevant. In case of a breach of sanctions laws, having a sound OFAC compliance program can mitigate an OFAC enforcement action.

Salvatore Scotto explains that “OFAC, with its MOUs with various federal, state and other regulators, relies on their examinations for insight into a financial institution’s ability to effectively comply with the regulations. We are at a state where sanctions programs are more complicated and technology has become more sophisticated; an institution can no longer just buy an off-the-shelf interdiction tool and issue a compliance policy statement. Sanctions compliance programs require comprehensive governance to meet regulatory expectations. While a regulatory examination can be a bit stressful, the regulators may see something you do not see; embrace their findings as an opportunity to strengthen your sanctions program, and hopefully the strength of your sanctions program may one day mitigate an OFAC Enforcement Action.”

Another important source is the Superintendent’s Banking Regulations of the New York Department of Financial Services (NYDFS) concerning transaction screening. A link is included in the reference materials. Because branches of many major banks, both domestic and international, are located in New York, NYDFS has played a major role in defining the obligations of banks with respect to compliance systems. Although both the AML/BSA Examination Manual and the NYDFS Regulations are focused on banks, many of these points are relevant to compliance systems in other industries as well.

The U.S. Department of Justice investigates and prosecutes especially significant possible violations of U.S. sanctions laws. One thing the Department will consider in deciding whether to apply penalties is the strength of the compliance program of the company being investigated. The Department’s Evaluation of Corporate Compliance Programs provides guidance regarding what the Department has concluded a robust sanctions compliance program requires. A link to this document is included in the reference materials.

A comprehensive sanctions compliance program will combine the components from all of these sources, as well as guidance provided by industry groups.
Penalty notices and settlement agreements by government authorities identify specific violations, providing still more examples of the sort of issues a robust sanctions compliance system must address.

Management Commitment

Both the EU and the OFAC guidance emphasize the importance of a commitment by senior management to compliance with economic sanctions. The term “senior management” may differ among various organizations, but typically the term should include senior leadership, executives, and/or the board of directors. The OFAC Framework sets out the responsibilities of senior management:

Senior Management’s commitment to, and support of, an organization’s risk-based SCP is one of the most important factors in determining its success. This support is essential in ensuring the SCP receives adequate resources and is fully integrated into the organization’s daily operations, and also helps legitimize the program, empower its personnel, and foster a culture of compliance throughout the organization.

OFAC has identified several steps that are necessary to demonstrate this commitment.

1. Senior management has reviewed and approved the organization’s sanctions compliance program.
2. Senior management ensures that compliance units receive sufficient authority and autonomy to act in a manner that effectively controls the organization’s OFAC risk.
3. Senior management ensures the existence of direct reporting lines between the SCP function and senior management, including routine and periodic meetings.
4. Senior management takes steps to ensure that the sanctions compliance function receives adequate resources, including human capital, expertise, and information technology. OFAC identifies three criteria for satisfying this requirement.
   5. The organization has a designated OFAC compliance officer. This officer can fulfill other functions as well, but overseeing OFAC compliance must be one of their duties.
   6. Personnel in sanctions compliance have the necessary knowledge and expertise.
   7. Sufficient control functions exist that support the organization’s sanctions compliance program, including but not limited to information technology software and systems.
8. Senior management promotes a “culture of compliance” throughout the organization. To establish this culture, the sanctions compliance program should include the following features.
   9. There is a mechanism for the organization’s personnel to report sanctions-related misconduct to senior management, so that they can do so without fear of reprisal.
   10. Senior management takes actions that discourage misconduct and prohibited activities, and highlights the potential repercussions of non-compliance with OFAC sanctions.
   11. The sanctions compliance function has the authority to oversee the actions of the entire organization, including senior management, for purposes of sanctions compliance.
   12. Senior management demonstrates that it recognizes the seriousness of apparent violations of the sanctions laws, acts against violations, and implements the measures necessary to prevent future violations.

The EU guidance identifies some additional specific steps, including:

1. Develop a corporate commitment statement stating that the company complies with all EU and Member State dual-use trade control laws and regulations.
2. Define the management’s specific compliance expectations and convey the importance and value placed on effective compliance procedures.
3. Clearly and regularly communicate the corporate commitment statement to all employees (also employees with no role in dual-use trade control) in order to promote a culture of compliance with the EU and Member State dual-use export control laws and regulations.
New York DFS Stresses “Tone at the Top”

On June 30, 2016, the New York Department of Financial Services (DFS) issued a final rule on BSA/AML transaction monitoring and OFAC filtering and screening. The regulation includes an annual mandated submission by the Board of Directors or a Senior Officer certifying compliance with the regulations and the measures taken to achieve it. The rule, effective as of January 1, 2017, applies to all banks, trust companies, savings banks, and savings and loan associations chartered pursuant to the NY Banking Law…and all branches and agencies of foreign banking corporations licensed…to conduct banking operations in New York. The first compliance finding was due April 15, 2018.

An additional step that both demonstrates and enhances management’s commitment to sanctions compliance is the provision of sanctions training for top management. Even if all employees receive basic sanctions training, training aimed specifically at top management can explain how sanctions can affect the company and what their responsibilities are. Directed training is an excellent way to show the commitment of management to sanctions compliance.

Another useful measure is the inclusion of sanctions data in key performance indicators (KPIs). Top management should routinely receive information showing the effectiveness of the company’s sanctions compliance system, including transactions and customers rejected and, of course, any violations. A discussion of these KPIs, and of sanctions compliance in general, should be a regular item on board agendas.

Sanctions Risk Assessment

Both the EU and OFAC guidance emphasize the importance of risk assessment in designing and operating a sanctions compliance system.
As the EU guidance explains, a sanctions compliance program “needs to be tailored to the size, the structure and scope of the business, and especially, to the company’s specific business activity.” A risk assessment allows a company to determine its sanctions risk profile, and enables the company to see how each of its units fits into the sanctions compliance program. According to OFAC, the risk assessment should address key risk areas, including:

1. Customers, supply chain, intermediaries, and counter-parties;
2. The products and services the organization offers, including how and where such items fit into other financial or commercial products, services, networks, or systems; and
3. The geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counter-parties.

[Figure: sanctions risk assessment overview. A holistic view of the organization from top to bottom, assessing its touch-points to the outside world, allows the organization to identify potential areas in which it may engage with OFAC-prohibited entities, parties, countries or regions; no one size fits all. Key risk areas: (1) customers, supply chain, intermediaries and counter-parties; (2) products and services; (3) geographic locations. Risk drivers: international exposure (customers, operations or transactions outside the US?); size and stability of customer base (more customers, especially outside the US, means greater risk); volume and value of transactions (bigger numbers crossing borders mean greater risk). Source: ACSS OFAC Essentials Online Certificate Course.]

The ultimate aim of the assessment is to identify vulnerabilities and risks so that the company can build ways to mitigate them into the sanctions compliance program. The risk assessment should be designed to detect “the particular types of misconduct most likely to occur in a particular corporation’s line of business” and regulatory environment.
OFAC has provided a good deal of detail on what the risk assessment should cover and how it should be conducted:

1. The organization conducts, or will conduct, an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for the potential risks. Such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization. As appropriate, the risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business.
2. In assessing its OFAC risk, organizations should leverage existing information to inform the process. In turn, the risk assessment will generally inform the extent of the due diligence efforts at various points in a relationship or in a transaction. This may include:
   a. On-boarding: The organization develops a sanctions risk rating for customers, customer groups, or account relationships, as appropriate, by leveraging information provided by the customer (for example, through a Know Your Customer or Customer Due Diligence process) and independent research conducted by the organization at the initiation of the customer relationship. This information will guide the timing and scope of future due diligence efforts.
   b. Mergers and Acquisitions (M&A): As noted above, proper risk assessments should include and encompass a variety of factors and data points for each organization. One of the multitude of areas organizations should include in their risk assessments—which, in recent years, appears to have presented numerous challenges with respect to OFAC sanctions—are mergers and acquisitions. Compliance functions should also be integrated into the merger, acquisition, and integration process.
   Whether in an advisory capacity or as a participant, the organization engages in appropriate due diligence to ensure that sanctions-related issues are identified, escalated to the relevant senior levels, addressed prior to the conclusion of any transaction, and incorporated into the organization’s risk assessment process. After an M&A transaction is completed, the organization’s Audit and Testing function will be critical to identifying any additional sanctions-related issues.
3. The organization has developed a methodology to identify, analyze, and address the particular risks it identifies. As appropriate, the risk assessment will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business, for example, through a testing or audit function.

While the nature and scope of the risk assessment will vary, any risk assessment should take the following factors into account:

- Locations of the institution’s businesses
- The institution’s size
- Staffing (both compliance and otherwise)
- Governance: how the institution is managed
- The institution’s businesses, including the services and products it offers
- The details of the institution’s operations
- Its customers
- Counterparties
- Other business relations and their locations

The purposes of a risk assessment are to identify the sanctions risks an organization faces and to enable it to determine how best to mitigate those risks. It is unlikely that an organization will be able to eliminate risk completely. Rather, it may decide to classify risks. It can apply its risk assessment methodology to a customer, for example, and then decide whether the customer is low, medium, or high risk. The procedures and requirements applying to the customer may vary according to the risk classification.
Onboarding a low-risk customer may not need any approval at all, for example, while accepting a medium-risk customer requires a review by Compliance, and a high-risk customer a decision by higher management.

Risk assessment is not a one-time thing. An organization certainly needs an initial risk assessment when it first sets about designing a sanctions compliance system. The organization should regularly update the risk assessment, either on a periodic basis or in response to developments in the organization’s business or in sanctions laws.

Organizational Structure and Internal Controls

Effectively complying with sanctions laws requires an organization to create and allocate the human, technical, and organizational resources needed. The EU guidance states that an organization should have a structure that “allows for conducting internal compliance controls.”

Organizational Structure

Every organization needs some sort of structure for complying with its sanctions obligations. The structure can vary greatly across organizations, depending upon their size, business, location, and level of sophistication. Compliance does not necessarily require individuals or units within the organization specifically dedicated solely to sanctions compliance. It does require, though, that the organization:

1. Identify its sanctions risks,
2. Determine how best to mitigate those risks, and
3. Design and implement a structure that assigns personnel and resources to sanctions compliance.

The EU guidance gives a number of steps that will help ensure that the organization’s internal structure can be effective in ensuring sanctions compliance. These steps are:

1. Determine the number of sanctions compliance staff (legal and technical).
2. Entrust at least one person in the company with the company’s sanctions compliance, and ensure that an equally qualified substitute can assume the task in case of absence (sickness, holidays, etcetera). Depending on the average volume of orders, this person may only have to handle tasks relating to sanctions compliance on a part-time basis.
3. Clearly identify, define and assign all compliance-related functions, duties and responsibilities. An organizational chart may be useful in doing this. Clearly identify back-up functions whenever possible.
4. Make sure that the internal organizational structure for sanctions compliance is known throughout the organization. Make the contact details of the person responsible for sanctions questions known within the company. If sanctions compliance duties are being outsourced, the interface to and the communication with the company need to be organized.
5. Define the knowledge and skills needed by legal and technical dual-use trade control staff. Job descriptions are recommended.
6. Make sure that sanctions compliance staff are protected from conflicts of interest.
7. Locate the responsibility for compliance in a suitable department or division. This may involve personnel in one department – Legal, for example – authorizing transactions by another department. Enable this staff to function as expert advisors to guide company decisions resulting in compliant transactions.
8. Draw up a compliance manual to describe the operational and organizational processes that must be followed by the dual-use export control staff and other affected employees.

The structure an organization creates to ensure compliance with sanctions depends upon the unique characteristics of the organization.
Some organizations, such as large international banks, have a department specifically dedicated to sanctions compliance, with other personnel responsible for compliance spread throughout the organization. In smaller organizations, sanctions compliance may be one of a number of duties a team member has. In any case, the organization should designate one person as being specifically responsible for the overall operation of the sanctions compliance system, even if many others are involved, and even if that team member has other duties as well.

While there is no “one size fits all” solution for sanctions compliance, larger organizations usually adopt a “three lines of defense” model, where responsibility for sanctions compliance is distributed throughout the organization. The three lines of defense are:

1. First Line: The business, which is responsible initially for reviewing customers and transactions for possible sanctions issues, and for making the initial decision about whether to proceed with a customer or transaction.
2. Second Line: Compliance, which fills a number of vital functions, including:
   - Reviewing decisions by the business
   - Answering questions and responding to requests for guidance
   - Periodically reviewing compliance decisions by the business
   - Creating, maintaining and updating the organization’s sanctions policies and procedures
3. Third Line: Audit (either internal or external), which regularly reviews the operation of the entire sanctions compliance system.

Policies and Procedures

As well as a compliance structure, an organization needs policies and procedures detailing how it mitigates sanctions risks and addresses specific situations. The OFAC guidance provides the following guidelines for these policies and procedures:

1. The organization has designed and implemented written policies and procedures outlining the SCP.
   These policies and procedures are relevant to the organization, capture the organization’s day-to-day operations and procedures, are easy to follow, and are designed to prevent employees from engaging in misconduct.
2. The organization has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable the organization to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC. To the extent information technology solutions factor into the organization’s internal controls, the organization has selected and calibrated the solutions in a manner that is appropriate to address the organization’s risk profile and compliance needs, and the organization routinely tests the solutions to ensure effectiveness.
3. The organization enforces the policies and procedures it implements as part of its OFAC compliance internal controls through internal and/or external audits.
4. The organization ensures that its OFAC-related recordkeeping policies and procedures adequately account for its requirements pursuant to the sanctions programs administered by OFAC.
5. The organization ensures that, upon learning of a weakness in its internal controls pertaining to OFAC compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
6. The organization has clearly communicated the SCP’s policies and procedures to all relevant staff, including personnel within the SCP program, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing SCP responsibilities on behalf of the organization.
7. The organization has appointed personnel for integrating the SCP’s policies and procedures into the daily operations of the company or corporation. This process includes consultations with relevant business units, and confirms the organization’s employees understand the policies and procedures.

While the OFAC guidance refers to internal controls, policies, and procedures, it provides relatively little direction regarding what those policies and procedures should be. In general, policies are broad statements regarding how the organization addresses various compliance issues. Procedures refer to specific methods for dealing with various situations.

Compliance Policy

The first component of internal controls is a general sanctions policy. A policy is a statement of corporate intent or a series of commitments of the company. Such policies in connection with sanctions compliance are usually adopted by the Board of Directors or Senior Management of the organization, who are then deemed responsible and accountable for that policy. The purpose of creating a sanctions policy is to communicate to the organization and the general public the organization’s stance towards sanctions compliance. The contents of a sanctions compliance policy can vary, but generally include:

- A purpose statement, outlining why the organization is issuing the policy, and what its desired effect or outcome of the policy should be.
- An applicability and scope statement, describing who the policy affects and which actions are impacted by the policy. The applicability and scope may expressly exclude certain people, organizations, or actions from the policy requirements. Applicability and scope is used to focus the policy on only the desired targets, and avoid unintended consequences where possible.
- An effective date, which indicates when the policy comes into force.
- A responsibilities section, indicating which parties and organizations are responsible for carrying out individual policy statements. Many policies may require the establishment of some ongoing function or action. For example, a third party supplier policy might specify that a purchasing office be created to process purchase requests, and that this office would be responsible for ongoing actions. Responsibilities often include identification of any relevant oversight and/or governance structures.

The compliance policy may address general matters, such as whether the organization will do business with certain countries or involving certain types of products, such as arms or nuclear materials. The sanctions compliance policy may include provisions regarding:

- The organization’s commitment to compliance with the letter and spirit of applicable laws
- The organization’s decision to comply with other measures, such as the sanctions laws of other countries and industry best practices
- The organization’s willingness to provide sufficient resources for compliance with sanctions laws and regulations
- Cooperation with the agencies that administer the sanctions or export controls program, law enforcement and investigating authorities where necessary
- Respect for client confidentiality, which should be breached only where necessary
- Clearly defined responsibilities and accountabilities for sanctions compliance within the business
- The parameters within which the company is willing to operate, which define what business the company will and, more importantly, will not, accept
- The acceptance of new business subject to compliance with appropriate Customer Due Diligence (CDD) and risk assessment procedures
- The continuation of existing business only where such business complies with appropriate CDD, sanctions regimes, risk assessment and monitoring procedures
- The approach to the education, training and awareness maintenance of all staff and management
- Recognition of the importance that staff promptly report their suspicions of any sanctions violation internally
- The organization’s attitude towards persistent non-compliance with sanctions procedures, and
- A positive indication of the cultural and moral attitude that the organization wishes to create towards compliance with sanctions regimes and contributions towards national security.

To implement the compliance policy, the organization should:

- Circulate a summary of the financial institution or company’s approach to assessing and managing its OFAC/sanctions risk
- Allocate responsibilities to specific persons, departments and functions
- Circulate a summary of the firm’s procedures for carrying out appropriate identification and monitoring checks in line with their risk-based approach
- Circulate a summary of the appropriate monitoring arrangements in place to ensure that the firm’s OFAC/sanctions policies and procedures are being carried out, and
- Circulate a summary of license, blocking, reporting and rejecting duties.

Procedures

Procedures are documents detailing how issues are handled and responsibilities performed. Neither the EU nor the OFAC guidance requires specific procedures. An effective sanctions compliance program will, however, require at least the following procedures. This list is by no means exhaustive; rather, it represents the basic procedures a compliance program should include:

1. The allocation of compliance responsibilities. This procedure identifies who or where in the organization is responsible for various aspects of sanctions compliance.
2. Monitoring of changes to the applicable laws and other relevant developments. Sanctions laws change frequently. In addition, external developments, such as political changes in a country, can also have sanctions implications.
   There must be a way for the organization to monitor changes in sanctions laws and relevant developments on an ongoing basis; to revise policies and procedures as necessary; and to communicate those changes to the rest of the organization.
3. Risk assessment methodology, timing, etc.
4. Review of existing policies and procedures in light of the results of risk assessments. It is important that policies and procedures reflect the findings of risk assessments. This requires a procedure for reviewing existing policies and procedures after a risk assessment has been completed. Ideally, this will happen at least once a year.
5. Customer due diligence. To mitigate sanctions risks, it may be necessary to conduct some sort of due diligence regarding customers and potential customers, to ensure that they are not subject to sanctions. This issue is covered in detail in Chapter 6 below on screening.
6. Review and approval of individual transactions. Depending upon the nature of an organization’s business, it may be advisable to review at least some types of transactions that present a potential sanctions risk, and to require some sort of non-routine approval of medium- and high-risk transactions.
7. Assignment of risk classification. Classifying customers, business relations, and transactions as low, medium, or high risk allows an organization to focus its sanctions compliance resources on the riskiest. This requires a procedure explaining when and how the organization applies a risk classification.
8. Applying for a license. If the organization ever decides to do business with sanctioned countries, entities, or individuals, it may need a license to do so. This in turn requires a procedure that defines who makes the decision to apply for a license, and who is responsible for the application.
9. Maintaining information on what sanctions licenses and exemptions apply to the organization’s business. Conversely, if licenses or exemptions apply to an organization’s business, there must be readily available information within the organization regarding the scope of the license or exemption, as well as what procedures are required with respect to customers or transactions involving the license or exemption.
10. Handling transactions where a license authorizes an otherwise-prohibited activity. Transactions subject to a license may require special measures, such as reporting to the authorities. This procedure should specify those measures.
11. Rejecting customers or transactions, including what the customer or counterparty should be told. Inherent in the review of customers and transactions is the possibility that customers will be declined or transactions rejected. A procedure should identify who makes these decisions and what the customer or other parties are told about the decision. In general, it is considered wise to say as little as possible, so as not to give potential sanctions evaders any information about how an organization makes decisions regarding sanctions compliance.
12. Resolving disputes within the organization. Different parts of an organization may disagree over matters of sanctions compliance, such as whether a customer or transaction should be rejected. A procedure can specify how such disputes are resolved.
13. Blocking (freezing) transactions and administering frozen property. Persons in the EU, the United States, and other countries may be required by national law to freeze the funds or other assets of sanctioned parties. A procedure should identify when an asset must be frozen; exactly what the process is for freezing it (by placing it in a special account, for example); and how the property is handled while it is frozen.
14. Records retention. U.S. law, for example, requires that records regarding transactions potentially subject to sanctions be kept for five years. In addition, many organizations have their own records retention policies. The records retention procedure should identify:
   a. What records must be retained
   b. How they will be retained (electronically, hard copy)
   c. How long they must be retained
   d. What should be done with them after the retention period has ended
15. Training. The procedure should specify who is responsible for preparing and providing training; what types of training will be provided; who is to receive training and on what schedule; and what records of training should be maintained.
16. Periodic review (audit). The performance of periodic reviews of the operation of the sanctions compliance system requires its own detailed set of procedures. While Audit may be primarily responsible, the involvement of the compliance and legal functions is also necessary to ensure that the audit procedures reflect the legal requirements applying to the organization.
17. “Whistleblower” procedures. There must be a procedure that enables personnel to report possible sanctions violations or practices against organization policy anonymously and without fear of retribution.
18. Internal investigations. The first step when a potential violation of sanctions laws or the organization’s policies and procedures is uncovered is to conduct an internal investigation. The procedure should specify when such an investigation should occur; who has the power to initiate it; who conducts the investigation; what the procedures for the investigation are; the form of the final report; who the report goes to; and who has the power to act upon the report.
19. Reporting (both regular and of potential or actual violations). As discussed above, regular reporting to management about the operation of the sanctions compliance system is highly advisable.
This may include such Key Performance Indicators as the number of transactions reviewed, the number rejected, the number of apparent violations observed, etc. In addition, a separate procedure should describe reports of potential violations. www.sanctionsassociation.org Certified Sanctions Specialist (CSS) 156 20. Reporting to regulators. Depending upon national law, organizations may be required to report to regulators instances where they have frozen assets or rejected transactions. A procedure should provide the details for this. 21. Voluntary disclosures. There may be times when an organization decides to voluntarily disclose to the appropriate authorities potential sanctions violations. The voluntary disclosure procedure should provide the details for this, including who has the authority to make a disclosure and what the disclosure should contain. 22. Correcting weaknesses in the sanctions compliance system. Audits and internal investigations may identify deficiencies in the sanctions compliance system. A procedure should ensure that, after the completion of an audit or an internal investigation, any deficiencies identified in the sanctions compliance system are corrected. 23. Communications with clients. Communication with clients on sanctions matters is a delicate issue. An organization may want customers to understand its overall policies, such as a refusal to do business with specific countries. However, it should not divulge too much information regarding either the overall operation of its sanctions compliance system or how it handles individual transactions, as such information can help sanctions evaders. The communications procedure should detail what information will be provided to clients and business partners, especially with respect to individual transactions. 24. Coordination of sanctions policies within a corporate group. Members of a corporate group may well be located in different countries and subject to different sanctions regimes. 
It is important that a policy or procedure describe how they shall coordinate policies, and in particular whether and to what extent subsidiaries must comply with the sanctions laws of the corporate parent. OFAC has repeatedly penalized U.S. companies for violations of U.S. sanctions by their foreign affiliates.

Testing and Audit

Periodic testing of the performance of the sanctions compliance system is essential. As the EU guidance explains,

Performance reviews and audits verify whether the ICP is implemented to operational satisfaction and is consistent with the applicable national and EU export control requirements. A well-functioning ICP has clear reporting procedures about the notification and escalation actions of employees when a suspected or known incident of non-compliance has occurred. As part of a sound compliance culture, employees must feel confident and reassured when they raise questions or report concerns about compliance in good faith. Performance reviews, audits and reporting procedures are designed to detect inconsistencies to clarify and revise routines if they (risk to) result in non-compliance.

Testing and audit can either be performed internally or by an outside body. Similarly, the testing may be specific to the sanctions compliance function, or conducted as part of an enterprise-wide review. According to OFAC, an in-depth audit of each department in the bank should probably be conducted at least once a year. What is essential is that the testing cover sanctions compliance, and that it fulfill certain basic criteria, as identified by OFAC:
1. The organization commits to ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, resources, and authority within the organization.
2. The organization commits to ensuring that it employs testing or audit procedures appropriate to the level and sophistication of its SCP and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of the organization’s OFAC-related risk assessment and internal controls.
3. The organization ensures that, upon learning of a confirmed negative testing result or audit finding pertaining to its SCP, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

No matter who conducts the audit, the individuals performing audits should have a well-developed understanding of the applicable sanctions laws, the company's risk profile, and the company's relevant policies and procedures. The contents of testing will naturally vary by the organization and the structure of its compliance system. Among other forms of testing, auditors can analyze customer and transaction records and sales data to confirm that the company has not engaged in prohibited transactions or accepted customers outside of its risk profile. If a company uses screening software, the auditor should verify that the restricted party screening is operating effectively and that the company has developed an effective way to establish whether potential hits are actual matches or false positives.

Training

Training is the final essential component of an effective sanctions compliance system. The EU guidance includes the following recommendations with respect to training:
1. Provide compulsory, periodic training for all sanctions compliance staff to ensure they possess the knowledge to be compliant with the regulations and the company’s ICP.
2. Ensure via training that all concerned employees are aware of all relevant dual-use trade control laws, regulations, policies, control lists and all amendments to them as soon as they are made public by the competent authorities. If possible, consider customized trainings.
3. Develop general awareness raising for all employees and dedicated training activities for e.g. purchasing, engineering, project management, shipping, customer care and invoicing.
4. Consider, whenever appropriate, to make use of national or EU training initiatives.
5. Incorporate lessons learnt from performance reviews, audits, reporting and corrective actions, whenever possible, in your training or export awareness programs.

The OFAC guidance elaborates on these points in terms of commitments by the organization to training. While OFAC speaks in terms of an OFAC-related compliance program, these principles apply to all sanctions compliance programs, regardless of the applicable sanctions:
1. The organization commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support the organization’s OFAC compliance efforts. Such training should be further tailored to high-risk employees within the organization.
2. The organization commits to provide OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
3. The organization commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile.
4. The organization commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its SCP, it will take immediate and effective action to provide training to or other corrective action with respect to relevant personnel.
5. The organization’s training program includes easily accessible resources and materials that are available to all applicable personnel.

This guidance leaves organizations a great deal of flexibility in deciding whom to train and how. Training may be on-line or in person. At a minimum, though, an organization should consider these categories of training:
1. General sanctions training for all employees. This training familiarizes employees with the general requirements of sanctions law, as well as the organization’s policies and procedures.
2. Specialized training for employees with responsibilities that may require them to make sanctions decisions. These may include sales and marketing personnel, order processing, exports, and legal. If testing of the system is being performed internally, audit should receive specialized training as well. The nature and content of the training called for will vary by function.
3. Detailed training for compliance staff. No matter how the sanctions function is staffed, its personnel require a high degree of knowledge. They should receive detailed training on the applicable laws and on the requirements for the various aspects of the organization’s operations.
4. Sanctions training for top management. Violating sanctions can have very negative consequences for an organization. Training directed at upper management, including corporate boards, will sensitize them to the importance of sanctions compliance and demonstrate the importance of compliance to the rest of the organization.
It is important to keep complete records of sanctions training, so that the organization can demonstrate to audit and to any government regulators that adequate and relevant training is being provided. At the least, training documentation should show
1. The names and titles of persons receiving training
2. What type of training was received (general, specialized, senior management, etc.)
3. The date of the training
4. How the training was provided (live or on-line)

Customer Due Diligence

Customer due diligence is also an important pillar of a sound sanctions compliance program, especially in the light of the OFAC 50% Rule.

OFAC 50% Guidance
Because OFAC’s lists are not exhaustive.
Issued February 2008, revised August 2014: https://www.treasury.gov/resource-center/sanctions/Documents/licensing_guidance.pdf
An entity that is owned 50% or greater by a sanctions target is treated as a sanctions target.
This underscores the need for thorough due diligence.

The OFAC guidance, revised in 2014, states that the property and interests in property of entities directly or indirectly owned 50 percent or more in the aggregate by one or more blocked persons are considered blocked regardless of whether such entities appear on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) or the annex to an Executive order. The revised guidance expands upon the earlier guidance by addressing entities owned 50 percent or more in the aggregate by more than one blocked person.

Note that OFAC’s 50% rule speaks only to ownership and not control. An entity that is controlled (but not owned 50 percent or more) by one or more blocked persons is not considered automatically blocked pursuant to OFAC's 50 Percent Rule. (Note, however, that U.S. persons should be careful when conducting business with non-blocked entities in which blocked individuals are involved; U.S. persons may not, for example, enter into contracts that are signed by a blocked individual. See OFAC FAQ 398.)

OFAC has issued Frequently Asked Questions (FAQs) to respond to inquiries relating to the status of entities owned by individuals or entities whose property and interests in property are blocked under Executive orders and regulations administered by OFAC (blocked persons). These FAQs provide additional clarity regarding the revised guidance that OFAC issued on August 13, 2014, amending earlier guidance that had been issued on February 14, 2008 (OFAC’s 50 Percent Rule).

OFAC also applies a 50 percent rule to entities on the Sectoral Sanctions Identifications List (SSI List) created in July 2014 in the Ukraine-/Russia-related sanctions context. The property and interests in property of persons on the SSI List (and entities owned 50 percent or more in the aggregate by one or more persons subject to the SSI List restrictions) are not required to be blocked; instead a more limited set of transaction restrictions applies to them. In the context of the SSI List restrictions, therefore, these FAQs can be used to identify which subordinate entities are subject to the SSI List restrictions only and are not meant to suggest that any additional actions (such as blocking) apply to those entities.

Examples: two figures (source: ACSS OFAC Essentials Online Certificate Course).

Considerations for Specific Industries

The creation of a compliance program of course depends upon the organization’s risk assessment. While risks vary even between companies within the same industry, certain risks are prevalent throughout certain industries. OFAC has provided guidance for the financial and securities industries in particular in the form of a risk matrix.
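Returning to the OFAC 50 Percent Rule discussed above, the following added example (not part of the ACSS text or of any OFAC publication) works the aggregate and indirect ownership cases through a constructed ownership structure; all entity names, list entries and percentages are invented. The way indirect ownership propagates here (an intermediate company's holdings count only once that company is itself 50 percent or more owned by listed persons) follows OFAC's published FAQs on the rule, but is stated as an assumption of this example rather than as text from the page.

```python
"""Added example: aggregate-ownership check for the OFAC 50 Percent Rule.
Ownership graph, names and percentages are constructed; the indirect-ownership
propagation rule is an assumption based on OFAC's FAQs, not page text."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Entity:
    name: str
    # owner name -> percentage of this entity's equity held by that owner
    owners: dict[str, float] = field(default_factory=dict)


def covered_entities(entities: dict[str, Entity], targets: set[str]) -> set[str]:
    """Return the entities (not already in `targets`) owned 50 percent or more,
    in the aggregate, directly or indirectly, by persons in `targets`.

    With SDN-listed targets the result is the set of blocked entities; with
    SSI-listed targets it is the set subject to the same limited restrictions,
    since the page notes the SSI variant does not require blocking. The loop
    repeats until nothing new crosses the threshold, because covering one
    holding company can push the entities beneath it over 50 percent.
    """
    covered = set(targets)
    changed = True
    while changed:
        changed = False
        for ent in entities.values():
            if ent.name in covered:
                continue
            share = sum(p for owner, p in ent.owners.items() if owner in covered)
            if share >= 50.0:
                covered.add(ent.name)
                changed = True
    return covered - targets


def build_sample() -> dict[str, Entity]:
    """Constructed ownership structure; every name is fictitious."""
    ents = [
        # One SDN holds exactly half of two holding companies ...
        Entity("Alpha Holding", {"Blocked Person X": 50.0, "Investor A": 50.0}),
        Entity("Beta Holding", {"Blocked Person X": 50.0, "Investor B": 50.0}),
        # ... which together hold 50 percent of a trader (indirect + aggregate).
        Entity("Gamma Trading", {"Alpha Holding": 25.0, "Beta Holding": 25.0,
                                 "Investor C": 50.0}),
        # A 40 percent stake stays below the line, so Delta is not blocked ...
        Entity("Delta Ltd", {"Blocked Person Y": 40.0, "Investor D": 60.0}),
        # ... and Delta's wholly owned subsidiary is therefore not blocked either.
        Entity("Epsilon GmbH", {"Delta Ltd": 100.0}),
        # Two different SDNs aggregate to exactly 50 percent.
        Entity("Zeta Ventures", {"Blocked Person X": 30.0, "Blocked Person Y": 20.0,
                                 "Investor E": 50.0}),
        # Control without ownership: an SDN on the board but holding no equity
        # is outside the rule, which speaks only to ownership.
        Entity("Eta Services", {"Investor F": 100.0}),
        # An SSI-listed bank majority-owns a subsidiary.
        Entity("SSI Subsidiary", {"SSI-Listed Bank": 51.0, "Investor G": 49.0}),
    ]
    return {e.name: e for e in ents}


SDN_LIST = {"Blocked Person X", "Blocked Person Y"}  # constructed SDN entries
SSI_LIST = {"SSI-Listed Bank"}                       # constructed SSI entry


def sdn_blocked() -> set[str]:
    return covered_entities(build_sample(), SDN_LIST)


def ssi_restricted() -> set[str]:
    return covered_entities(build_sample(), SSI_LIST)


if __name__ == "__main__":
    print("Blocked under the 50 Percent Rule:", sorted(sdn_blocked()))
    print("Subject to SSI restrictions only:", sorted(ssi_restricted()))
```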
The risk matrix identifies certain types of common risks, and shows the circumstances under which the risk should be considered low, medium, or high.

Finance

Because of its central role in the global economy, the financial sector also plays a pivotal role in sanctions compliance. The following are some of the activities carried out by banks and other financial institutions that may pose an additional risk of potential sanctions violations:
International funds transfers
Nonresident alien accounts
Foreign customer accounts
Cross-border ACH transactions
Commercial letters of credit and other trade finance products
Transactional electronic banking
Foreign correspondent bank accounts
Payable through accounts
Concentration accounts
International private banking
Overseas branches or subsidiaries

OFAC has released the following matrix showing the risks associated with particular types of customers and transactions that financial institutions can use to evaluate their sanctions compliance systems. While this risk matrix was developed specifically for financial institutions, the same principles and conclusions may apply to other industries as well.

Low Risk: Stable, well-known customer base in a localized environment.
Moderate Risk: Customer base changing due to branching, merger, or acquisition in the domestic market.
High Risk: A large, fluctuating client base in an international environment.

Low Risk: Few high-risk customers; these may include nonresident aliens, foreign customers (including accounts with U.S. powers of attorney), and foreign commercial customers.
Moderate Risk: A moderate number of high-risk customers.
High Risk: A large number of high-risk customers.

Low Risk: No overseas branches and no correspondent accounts with foreign banks.
Moderate Risk: Overseas branches or correspondent accounts with foreign banks.
High Risk: Overseas branches or multiple correspondent accounts with foreign banks.

Low Risk: No electronic services (e.g., e-banking) offered, or products available are purely informational or non-transactional.
Moderate Risk: The institution offers limited electronic (e.g., e-banking) products and services.
High Risk: The institution offers a wide array of electronic (e.g., e-banking) products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet).

Low Risk: Limited number of funds transfers for customers and non-customers, limited third-party transactions, and no international funds transfers.
Moderate Risk: A moderate number of funds transfers, mostly for customers. Possibly, a few international funds transfers from personal or business accounts.
High Risk: A high number of customer and non-customer funds transfers, including international funds transfers.

Low Risk: No other types of international transactions, such as trade finance, cross-border ACH, and management of sovereign debt.
Moderate Risk: Limited other types of international transactions.
High Risk: A high number of other types of international transactions.

Low Risk: No history of OFAC actions. No evidence of apparent violation or circumstances that might lead to a violation.
Moderate Risk: A small number of recent actions (i.e., actions within the last five years) by OFAC, including notice letters, or civil money penalties, with evidence that the institution addressed the issues and is not at risk of similar violations in the future.
High Risk: Multiple recent actions by OFAC, where the institution has not addressed the issues, thus leading to an increased risk of the institution undertaking similar violations in the future.

Low Risk: Management has fully assessed the institution's level of risk based on its customer base and product lines. This understanding of risk and strong commitment to OFAC compliance is satisfactorily communicated throughout the organization.
Moderate Risk: Management exhibits a reasonable understanding of the key aspects of OFAC compliance and its commitment is generally clear and satisfactorily communicated throughout the organization, but it may lack a program appropriately tailored to risk.
High Risk: Management does not understand, or has chosen to ignore, key aspects of OFAC compliance risk. The importance of compliance is not emphasized or communicated throughout the organization.

Low Risk: The board of directors, or board committee, has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate, and consistent with the institution's OFAC risk profile.
Moderate Risk: The board has approved an OFAC compliance program that includes most of the appropriate policies, procedures, controls, and information systems necessary to ensure compliance, but some weaknesses are noted.
High Risk: The board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient.

Low Risk: Staffing levels appear adequate to properly execute the OFAC compliance program.
Moderate Risk: Staffing levels appear generally adequate, but some deficiencies are noted.
High Risk: Management has failed to provide appropriate staffing levels to handle workload.

Low Risk: Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer.
Moderate Risk: Authority and accountability are defined, but some refinements are needed. A qualified OFAC officer has been designated.
High Risk: Authority and accountability for compliance have not been clearly established. No OFAC compliance officer, or an unqualified one, has been appointed. The role of the OFAC officer is unclear.

Low Risk: Training is appropriate and effective based on the institution's risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance.
Moderate Risk: Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program.
High Risk: Training is sporadic and does not cover important regulatory and risk areas or is nonexistent.

Low Risk: The institution employs strong quality control methods.
Moderate Risk: The institution employs limited quality control methods.
High Risk: The institution does not employ quality control methods.

Financial institutions should of course have all of the procedures identified above. In addition, certain further procedures are advisable for the finance industry in particular, and can address at least some of the risks identified above:
1. Screening transactions. Banks may handle transactions through a variety of different systems, depending upon whether the transaction is purely domestic, regional (as with SEPA in Europe), or international (through the SWIFT system). The bank’s procedures should specify which types of payments and other messages are screened. The procedures should also identify what types of transactions are screened, and how.
2. A policy prohibiting stripping. OFAC has repeatedly imposed very large penalties on foreign banks for stripping. Every financial institution needs a policy strictly prohibiting stripping, with procedures describing how to determine if stripping has occurred.
3. Detection of resubmitted payments. As discussed above, one way individuals or entities may seek to evade sanctions is to resubmit a transaction, such as a payment, with altered names.
The financial institution should have a procedure in place for identifying payments that appear to have been resubmitted with changed information, stopping those payments, and taking action against the parties involved.
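As an added example for item 3 (not part of the ACSS text and not any institution's actual procedure), the following screen compares new payment instructions against recently rejected ones and flags those that repeat the same amount, currency and accounts inside a 30-day window while a party name has changed. The matching rule, the field names and every payment record are constructed for this example; a real procedure would tune the compared fields and the window to the institution's own message formats.

```python
"""Added example: detect payments resubmitted with altered party names after an
earlier rejection. Matching rule and all records are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    ref: str
    value_date: date
    amount: Decimal
    currency: str
    originator_account: str
    originator_name: str
    beneficiary_account: str
    beneficiary_name: str


def normalize_name(name: str) -> str:
    """Lower-case and strip punctuation/spaces so 'S.L.T. LLC' == 'SLT LLC'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def resubmission_matches(candidate: Payment, rejected: list[Payment],
                         window_days: int = 30) -> list[tuple[str, list[str]]]:
    """Return (rejected ref, changed name fields) for every earlier rejected
    payment that `candidate` appears to repeat.

    A candidate is suspected when amount, currency, originator account and
    beneficiary account all equal a rejection inside the window. The field
    list shows which names were altered; an empty list means an exact retry,
    which is reported too so the earlier rejection is not lost.
    """
    matches = []
    for r in rejected:
        if (r.currency != candidate.currency or r.amount != candidate.amount
                or r.originator_account != candidate.originator_account
                or r.beneficiary_account != candidate.beneficiary_account):
            continue
        if abs((candidate.value_date - r.value_date).days) > window_days:
            continue
        changed = [f for f in ("originator_name", "beneficiary_name")
                   if normalize_name(getattr(r, f)) != normalize_name(getattr(candidate, f))]
        matches.append((r.ref, changed))
    return matches


def mk(ref: str, d: date, amount: str, bene_name: str) -> Payment:
    """Constructed record; all sample payments share the same two accounts."""
    return Payment(ref, d, Decimal(amount), "USD", "ORIG-ACCT-001",
                   "Nordwind Export GmbH", "BENE-ACCT-777", bene_name)


# Constructed data: one payment rejected on a screening hit, three new ones.
REJECTED = [mk("R-1001", date(2024, 3, 1), "25000.00", "Sample Listed Trading LLC")]
CANDIDATES = [
    # Same accounts and amount three days later, beneficiary name abbreviated.
    mk("P-2001", date(2024, 3, 4), "25000.00", "S.L.T. LLC"),
    # Amount differs, so this rule does not treat it as a resubmission.
    mk("P-2002", date(2024, 3, 4), "24999.00", "S.L.T. LLC"),
    # Identical to the rejected payment but outside the 30-day window.
    mk("P-2003", date(2024, 8, 1), "25000.00", "Sample Listed Trading LLC"),
]


def run_sample() -> dict[str, list[tuple[str, list[str]]]]:
    """Screen each new payment; only suspected resubmissions appear in the result."""
    flagged = {}
    for c in CANDIDATES:
        hits = resubmission_matches(c, REJECTED)
        if hits:
            flagged[c.ref] = hits
    return flagged


if __name__ == "__main__":
    for ref, hits in run_sample().items():
        print(f"HOLD {ref}: looks like a resubmission of {hits}")
```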