导航

美高梅手机娱乐观点

中国企业如何防范和应对美国政府制裁风险?——美国财政部《OFAC合规承诺框架》解读 编辑:刘相文 Graham•Adria 王涛 王妙婷 2019-07-02

2019年5月2日,美国财政部海外资产控制办公室(下称“OFAC”)发布了《OFAC合规承诺框架》(下称“OFAC框架”)。OFAC框架为企业如何建立有效的制裁合规体系提供了指引,对与美国政府/私人开展业务、使用美国原产货物/服务或者借助美国金融系统开展活动而受美国管辖的中国国有和民营企业非常关键。近年来,少数中国企业被美国政府指控违反其制裁规定,引发了市场关注。尤其值得一提的是,目前三家金融机构作为证人,收到了美国当局要求提交其前客户违反OFAC对朝鲜制裁的相关银行记录的传票。这三家金融机构并未遭到指控,甚至可能对其前客户违反OFAC制裁的行为毫不知情,但还是作为证人被动卷入了美国的法院诉讼程序。

 

On May 2, 2019, the U.S. Treasury Department’s Office of Foreign Asset Control (“OFAC”) released “A Framework for OFAC Compliance Commitments” (the “OFAC Framework”).[1] The OFAC Framework provides guidance on how companies can implement a successful sanction compliance program (“SCP”). This guidance is critical for Chinese companies, private or state-owned, that are doing business with the United States or U.S. persons, use U.S. origin goods or services, or otherwise find themselves under U.S. jurisdiction through activities such as using the U.S. financial system. There have been a few incidents of Chinese companies getting caught up in U.S. sanction investigations in the last few years. Notably, three financial institutions are currently embroiled in a U.S. court case over subpoenas they received to provide evidence relating to OFAC sanction violations by their former client for a North Korean entity. The three financial institutions have not committed any crimes nor are they under investigation. Indeed, it is very likely that they were unaware of the OFAC violations committed by their former customer that is the subject of the investigation.

 

OFAC是实行美国经济和贸易制裁的机构,负责维护特别指定国民名单(下称“SDN名单”)、部门制裁识别名单(下称“SSI名单”)和其他制裁名单。OFAC有权对违反制裁者进行民事处罚或者行政执法;而且,在适当的情形下,OFAC可以将潜在违反制裁的行为移交美国司法部等执法机关进行刑事调查或者指控。近年来,中国企业因违反美国经济和贸易制裁规定屡遭执法,损失了超过十亿美金。

 

OFAC is the U.S. civil enforcement agency tasked with implementing and enforcing American economic and trade sanctions and is responsible for maintaining the List of Specially Designated Nationals and Blocked Persons (the “SDN List”), the Sectoral Sanctions Identification List (the “SSI List”), and other sanctions-related lists. OFAC can impose civil penalties or other administrative actions for sanction violations and, when it deems appropriate, refer potential sanction violations to appropriate law enforcement agencies, such as the U.S. Department of Justice, for criminal investigation and/or prosecution. Violation of U.S. economic and trade sanctions by Chinese companies have contributed to enforcement actions that have cost the companies more than a billion dollars in recent years.

 

OFAC框架对受美国管辖的中国企业具有以下三点重要意义:一是按照OFAC框架建立的强大的制裁合规体系能够帮助中国企业避免卷入美国司法系统。故意违反美国制裁规定的中国企业往往备受关注,但有些中国企业也可能在毫不知情的情况下参与违反美国的制裁规定,而有效的制裁合规体系能够帮助中国企业防微杜渐,从源头上减少违反美国制裁规定的风险。二是OFAC衡量对违反制裁者的处罚时,会将强有力的制裁合规体系视为减轻处罚的因素。三是因违反制裁规定而与OFAC达成和解协议的企业经常被要求按照OFAC合规框架的标准来建立或者改进其制裁合规体系。

 

The OFAC Framework is a critical tool for Chinese companies operating under U.S. jurisdiction. First, a strong SCP developed in accordance with the OFAC Framework can help Chinese companies avoid getting tangled up in the U.S. legal system. Often, there is a focus on Chinese companies that are caught violating U.S. sanctions on purpose, but it is prudent to remember that Chinese companies can be caught up as unknowing participants. An effective SCP can help prevent sanction violations from the beginning. Second, a robust SCP can act as a mitigating factor when OFAC considers the appropriate response for a sanction violation. Third, companies that enter into settlement agreements with OFAC for sanction violations are often required to implement or improve their SCPs to meet the standards as set out in the OFAC Framework.

 

OFAC最近的决定通知愈来愈多描述了受罚企业补救措施的得失,对此有所了解的跨境合规律师对OFAC框架的内容应该并不陌生。OFAC框架集中并扩展了前述补救措施中的得失,因而成为一个实用的参考文件。在就OFAC框架发布的资讯稿中,OFAC的主任Andrea M. Gacki称,“这凸显了大家致力于与私营部门合作,以进一步推动对制裁要求的理解和遵守。”除了引导OFAC评估制裁合规体系外,OFAC框架还包含了一份常见违规行为成因清单。结合美国司法部于2019年4月30日最新发布的《企业合规程序评估》,中国企业比以往任何时候都更能采取有效措施以减少美国政府的指控。(关于司法部合规指南的更新,详见大家之前发表的文章:《美国司法部发布新版企业合规指南——<企业合规程序评估>》)。

 

The content of the OFAC Framework will be familiar to experienced cross-border compliance lawyers who have read recent OFAC decision notices which have increasingly described the positive and negative features of penalized companies’ remediation efforts. The OFAC Framework centralizes this guidance and expands on it, making it a helpful reference document. In the OFAC Framework’s press release, Director of the Office of Foreign Assets Control Andrea M. Gacki stated that “[t]his underlines our commitment to engage with the private sector to further promote understanding of, and compliance with, sanctions requirements.”[2] In addition to its guidance on how OFAC will evaluate SCPs, the OFAC Framework also includes a list of frequent sources of sanction violations. Combined with the release of the updated DOJ guidelines on compliance (you can see our article here) on April 30, 2019,[3] Chinese companies are better positioned than ever to take effective steps to reduce their exposure to American prosecutors.

 

 

OFAC框架

The OFAC Framework

 

OFAC框架“强烈鼓励”企业开展风险导向的制裁合规,在此过程中考虑企业的规模和复杂程度、产品和服务、客户和交易对方以及地理位置。


 

The OFAC Framework “strongly encourages” companies to take a risk-based approach to sanctions compliance that takes into consideration a company’s size and sophistication, products and services, customers and counterparties, and geographic locations.

 

无论企业如何,OFAC框架建议所有制裁合规体系应包括五个“基本”组成部分:1)管理层承诺;2)风险评估;3)内部控制;4)测试和审计;5)培训。

 

Regardless of the company, the OFAC Framework suggests that all SCPs should include five “essential” components: 1) management commitment; 2) risk assessment; 3) internal controls; 4) testing and auditing; and 5) training.

 

1) 高级管理层承诺

Senior Management Commitment

 

高级管理层的支撑力度是决定企业制裁合规体系是否成功的“最重要因素”。高级管理层包括高级领导层、经理层和/或董事会。OFAC框架列出了有效高层承诺的五个基本方面: 

 

One of the “most important factors” in determining the success of a company’s SCP is the level of support from senior management. Senior management includes senior leadership, executives, and/or the board of directors. The OFAC Framework lists five general aspects of effective senior management commitment:

 

I.审查

Review

 

高级管理层应审查和批准企业的制裁合规体系。

 

Senior management should review and approves the company’s SCP.

 

II.授权与自主权

Authority and Autonomy

 

高级管理层应确保企业的合规部门有足够的权力和自主性来实行制裁合规体系,并有效控制OFAC风险,其中应当包括合规工作人员和高级管理层之间的直接报告渠道,例如两者之间的定期会议。

 

Senior management should ensure that the company’s compliance units are delegated sufficient authority and autonomy to implement the SCP and effectively control OFAC risk. This should include direct reporting lines between the SCP personnel and senior management, including regular meetings between the two.

 

III.足够的资源

Adequate Resources

 

高级管理层应采取措施确保企业的合规部门根据需要分配到足够的资源,包括人员、专业常识和IT支撑。这是一项持续性的投资,并应与企业的“业务范围、目标市场与二级市场以及影响其整体风险状况的其他因素”相匹配。

 

Senior management should take steps to ensure that the company’s compliance units are allocated adequate resources as needed, including personnel, expertise, and IT support. This should be an ongoing investment that is appropriate for the company’s “breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.”

 

OFAC框架列出了衡量一家企业是否配备足够资源的三项标准。

 

The OFAC Framework lists three criteria for measuring whether a company has provided adequate resources.

 

A.企业应任命一名专门的OFAC制裁合规官,根据企业的规模和复杂程度,可以由出口管制官等高级合规官员担任。

   The company should appoint a dedicated OFAC sanctions compliance officer. Depending on the size and complexity of a company, this may be a person serving in other senior compliance positions, such as an Export Control Officer.

 

B.合规工作人员具有适当的常识、经验、专业能力和职位,能够理解和识别OFAC相关的问题、风险和禁止的活动。

   The personnel dedicated to the SCP have the appropriate knowledge, experience, expertise, and position to understand and identify OFAC-related issues, risks, and prohibited activities.

 

C.企业应有足够的控制功能来支撑企业的制裁合规体系,包括ITApp和系统,以充分处理企业的OFAC风险评估和风险级别。

   There are sufficient control functions to support a company’s SCP, including IT software and systems, that adequately address the company’s OFAC-risk assessment and levels. 

 

IV.合规学问

Culture of Compliance

 

与所有合规活动一样,高级管理层应在企业推广“合规学问”。OFAC框架列出了衡量一家企业是否正在推广合规学问的三项标准。

 

As is the case with all compliance activities, senior management should promote a “culture of compliance” at the company. The OFAC Framework lists three criteria for measuring whether a company is promoting a culture of compliance.

 

A.员工可以举报企业或员工的OFAC相关违规行为,而不必担心报复。

   Personnel can report OFAC related misconduct by the company or personnel without fear of reprisal.

 

B.高级管理层宣贯并采取行动以预防OFAC相关违规行为,并强调不合规行为的潜在影响。

   Senior management communicates and takes actions that discourage OFAC related misconduct and highlight potential repercussions for non-compliance.

 

C.制裁合规体系为遵守OFAC规定而监督包括高级管理层在内的整个企业的行为。

   The SCP has oversight over the actions of the entire company, including senior management, for the purposes of OFAC compliance.

 

V.违规的认识

Recognition of Violations 

 

高级管理层应认识到企业及企业员工违反或未能遵守必要的合规政策和程序的严重性。他们应该采取必要的措施,以减少过往违规行为再次发生,并提出系统的解决方案。

 

Senior management should recognize the seriousness of OFAC violations or failures by the company and its personnel from failing to comply with necessary SCP policies and procedures. They should implement necessary measures to reduce the occurrence of past violations and represent systemic solutions.

 

2) 风险评估

Risk Assessment

 

OFAC框架鼓励企业在设计或更新其制裁合规体系时采用“风险导向的方法”。在此语境下,风险是指“如果忽视或处理不当,可能导致违反OFAC规定的潜在威胁或漏洞”。OFAC推荐的最佳方法是进行持续的“风险评估”,以宣贯合规政策、程序、内部控制,并通过培训降低风险。

 

The OFAC Framework recommends that companies take a “risk-based approach” when designing or updating their SCP. Risks in this context are “potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations”. OFAC recommends that the best way to do this is to conduct ongoing “risk assessments” to inform SCP policies, procedures, internal controls, and training to mitigate risks.

 

虽然OFAC框架承认不存在通用的风险评估方法,但企业通常应对自身进行全面审查,并评估其外部风险所在,以识别与OFAC所禁止人员、缔约方或国家/地区的潜在互动领域,包括客户、产品、服务和地理位置。企业还应在兼并收购期间尤其是并购对象位于风险多发区域时,进行风险评估和OFAC相关尽职调查。

  

Although the OFAC Framework acknowledges that there is no “one-size-fits all” for risk assessment, companies should generally conduct a holistic review of the entire company and assess where it has external exposure. This allows for the identification of potential areas of interaction with OFAC-prohibited persons, parties, or countries/regions, including clients, products, services, and geographic locations. Companies should also conduct risk assessments and OFAC-related due diligence during mergers and acquisitions, especially if the other company is in geographically at-risk areas.

 

OFAC框架列出了有效评估OFAC风险的两个一般方面:

 

The OFAC Framework lists two general aspects of conducting an effective OFAC risk assessment:

 

I.评估OFAC风险

Assessing OFAC Risk 

 

OFAC风险评估的方式和频率应与潜在风险相匹配。这些风险可能来自“客户、产品、服务、供应链、中介机构、交易对手、交易本身和地理位置,具体取决于组织性质。”通过不断更新以确保风险评估的充分性,从而暴露被识别的任何明显违规或系统缺陷的“根源”。

 

OFAC risk assessment should be conducted in a manner and with a frequency that adequately accounts for potential risk. These risks could be posed by its “clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization.” An adequate risk assessment will be updated for the “root causes” of any apparent violations or systemic deficiencies identified.

 

在评估OFAC风险时,各企业应利用现有信息确定在客户关系或交易中所需的尽职调查程度。企业可以利用客户在“了解您的客户”或“客户尽职调查”以及建立客户关系伊始时企业进行的独立研究等程序中提供的信息,评估客户、客户群体或客户关系的风险概述。这些信息可用于引导未来的OFAC风险尽职调查工作。此外,前述合规尽职调查应成为企业兼并、收购和整合工作的必要组成部分。《美国联邦法规》第31卷第501部分附录A—“经济制裁实行指南”中的OFAC风险矩阵,列明了风险评级时需要考虑的重要因素,具体如下:

 

When assessing OFAC risk, companies should leverage existing information to determine the extent of due diligence required in a customer relationship or transaction. Companies can develop a sanctions risk profile for customers, customer groups, or account relationships by leveraging information provided by the customer through procedures such as “Know Your Customer” or “Customer Due Diligence” as well as independent research conducted by the organization at the initiation of the customer relationship. This information can be used to guide future OFAC risk due diligence efforts. Additionally, this compliance due diligence should be integrated into merger, acquisition, and integration processes. The important elements to consider when determining the sanctions risk rating can be found in the OFAC’s risk matrix provided by 31 CFR Appendix A to part 501 - Economic Sanctions Enforcement Guidelines. We have included a translated version below.

 

风险矩阵

OFAC Risk Matrix OFAC

Low

Moderate

High

在地区范围内稳定、知名的客户群

Stable, well-known customer base in a localized environment

由于在国内市场分立、兼并或收购而发生变化的客户群

Customer base changing due to branching, merger, or acquisition in the domestic market

在国际环境中巨大、波动的客户群

A large, fluctuating client base in an international environment

少有非居民外国人、外国客户(包括拥有美国委托书的账户)和外国商业客户等高风险客户

Few high-risk customers; these may include nonresident aliens, foreign customers (including accounts with U.S. powers of attorney), and foreign commercial customers

中等数量的高风险客户

A moderate number of high-risk customers

大量的高风险客户

A large number of high-risk customers

无境外分支机构,无外国银行代理账户

No overseas branches and no correspondent accounts with foreign banks

有境外分支机构或外国银行代理账户

Overseas branches or correspondent accounts with foreign banks

有境外分支机构或多个外国银行代理账户

Overseas branches or multiple correspondent accounts with foreign banks

没有提供电子服务(如电子银行),或提供的产品是纯粹信息性或非交易性的

No electronic services (e.g., e-banking) offered, or products available are purely informational or non-transactional

提供有限的电子产品(如电子银行)和服务

The institution offers limited electronic (e.g., e-banking) products and services

该机构提供各种电子产品(如电子银行)和服务(如转账、电子账单支付或通过互联网开立的账户)

The institution offers a wide array of electronic (e.g., e-banking) products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet)

客户和非客户的转账金额有限,第三方交易有限,无跨境转账

Limited number of funds transfers for customers and non-customers, limited third-party transactions, and no international funds transfers

存在主要为服务客户而进行的适量转账,可能有一些从个人或商业账户的跨境转账

A moderate number of funds transfers, mostly for customers; possibly, a few international funds transfers from personal or business accounts

大量的客户和非客户资金转移,包括国际资金转移

A high number of customer and non-customer funds transfers, including international funds transfers

没有其他类型的国际交易,如贸易融资、跨境自动清算中心和主权债务管理

No other types of international transactions, such as trade finance, cross-border ACH, and management of sovereign debt

有限的其他类型国际交易

Limited other types of international transactions

大量其他类型的国际交易

A high number of other types of international transactions

没有OFAC执法记录;没有明显违规或存在可能导致违规情况的相关证据

No history of OFAC actions; no evidence of apparent violation or circumstances that might lead to a violation.

OFAC最近采取了少量执法行动(近五年),包括通知函或民事罚款,且有证据表明该机构处理了相关问题,未来不会有类似违规风险

A small number of recent actions (i.e., actions within the last five years) by OFAC, including notice letters, or civil money penalties, with evidence that the institution addressed the issues and is not at risk of similar violations in the future

OFAC最近采取了多次执法行动,但该机构并未解决相关问题,因此导致该机构今后实施类似违规行为的风险增加

Multiple recent actions by OFAC, where the institution has not addressed the issues, thus leading to an increased risk of the institution undertaking similar violations in the future

管理层已根据该机构的客户群和生产线全面评估其风险水平。这种对风险的理解和对OFAC合规的坚定承诺在整个组织中得到令人满意的宣贯。

Management has fully assessed the institution’s level of risk based on its customer base and product lines. This understanding of risk and strong commitment to OFAC compliance is satisfactorily communicated throughout the organization.

管理层展现出对OFAC合规要点的合理理解,其承诺基本明确并且在整个组织中得到令人满意的宣贯,但可能缺乏与风险适当匹配的合规体系。

Management exhibits a reasonable understanding of the key aspects of OFAC compliance and its commitment is generally clear and satisfactorily communicated throughout the organization, but it may lack a program appropriately tailored to risk.

管理层不理解或选择忽视OFAC合规风险的关键方面。合规的重要性没有在整个组织中得到强调或传达。

Management does not understand, or has chosen to ignore, key aspects of OFAC compliance risk. The importance of compliance is not emphasized or communicated throughout the organization.

董事会或董事会专业委员会已经批准了包括充分且与该机构OFAC风险状况相一致的政策、程序、控制和信息系统在内的OFAC合规体系。

The board of directors, or board committee, has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate, and consistent with the institution’s OFAC risk profile.

董事会已批准了OFAC合规体系,其中包括确保合规所需的大部分适当政策、程序、控制和信息系统,但出现一些不足。

The board has approved an OFAC compliance program that includes most of the appropriate policies, procedures, controls, and information systems necessary to ensure compliance, but some weaknesses are noted.

董事会尚未批准OFAC合规体系,或者相关政策、程序、控制和信息系统严重不足。

The board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient.

人员配备足以合理实行OFAC合规体系。

Staffing levels appear adequate to properly execute the OFAC compliance program.

人员配备总体充分,但出现一些不足。

Staffing levels appear generally adequate, but some deficiencies are noted.

管理层未能配备足够的人员以开展工作。

Management has failed to provide appropriate staffing levels to handle workload.

明确界定和实行OFAC合规的权限和责任,包括指定合格的OFAC合规官。

Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer.

界定了权限和责任,但需要一些改进。已指定合格的OFAC合规官。

Authority and accountability are defined, but some refinements are needed. A qualified OFAC officer has been designated.

尚未明确规定合规权限和责任。未任命任何OFAC合规官或者任命的合规官不合格。OFAC合规官的角色尚不清楚。

Authority and accountability for compliance have not been clearly established. No OFAC compliance officer, or an unqualified one, has been appointed. The role of the OFAC compliance officer is unclear.

根据机构的风险状况进行适当、有效的培训,涵盖相关人员,并提供必要的最新信息和资源以确保合规。

Training is appropriate and effective based on the institution’s risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance.

存在培训,并且管理层提供了与组织风险状况相匹配的充足资源;但是,培训项目没有涵盖部分领域。

Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program.

培训分散且遗漏重要的监管和风险领域,或者没有培训。

Training is sporadic and does not cover important regulatory and risk areas or is nonexistent.

机构运用了强有力的质量控制方法

The institution employs strong quality control methods.

机构运用了有限的质量控制方法

The institution employs limited quality control methods.

机构未运用质量控制方法

The institution does not employ quality control methods.

 

II.风险评估

Risk Assessment 

 

Companies should develop methods to identify, analyze, and address risks. This risk assessment should be updated regularly though testing or auditing.

 

企业应制定识别、分析和处理风险的方法。风险评估应通过测试或审计进行定期更新。

 

3) 内部控制

Internal Controls

 

企业应就可能被OFAC规定禁止的活动进行内部控制,包括“识别、阻断、升级、报告和记录”该等活动的政策和程序。内部控制的作用是“提出明确的预期,规定OFAC合规相关的程序和流程”,并将风险最小化。应定期进行内外部审计和评估,以确保内部控制合理运作。

 

Companies should include internal controls related to activity that may be prohibited by OFAC regulations. This includes policies and procedures to “identify, interdict, escalate, report, and record” such activity. The role of internal controls is to “outline clear expectations, define procedures and processes pertaining to OFAC compliance,” and minimize risks. Internal and/or external audits and assessments should be conducted regularly to ensure that the internal controls are working properly.

 

成功的制裁合规体系应该能够根据OFAC更新的信息迅速作出调整,包括制裁名单、SDN名单和SSI名单的更新;出于任何原因启动的新制裁计划;以及颁发通用许可证。OFAC框架列出了有效内部控制的七个一般方面:

 

A successful SCP program should be capable of adjusting rapidly to changes published by OFAC, including updates to sanction lists, the SDN list and the SSI List; new sanctions programs initiated for any reasons; and the issuance of general licenses.[4] The OFAC Framework lists seven general aspects of effective internal controls:

 

I.书面政策和程序

Written Policies and Procedures

 

企业应制定和实施概述制裁合规体系的书面政策和程序。这些书面政策和程序应该具有相关性,具体到日常操作和程序,易于遵循,并有助于预防违规行为。

 

Written policies and procedures should be created and implemented that outline the SCP. They should be relevant, capture day-to-day operations and procedures, are easy to follow, and designed to prevent misconduct.

 

II.充分的内部控制

Adequate Internal Controls

 

企业应实施能充分处理其OFAC风险评估结果和状况的内部控制。内部控制应有效为相关人员“识别、阻断、升级和报告”OFAC禁止的活动。IT解决方案的选择应符合企业的风险状况和合规需求。与制裁合规体系的其他方面一样,应定期对内部控制进行测试,以确保其有效性。

 

Internal controls should be implemented that adequately address the results of its OFAC risk assessment and profile. The internal controls should effectively “identify, interdict, escalate, and report” to appropriate personnel OFAC prohibited activity. IT solutions should be selected in a manner that is appropriate to the company’s risk profile and compliance needs. As with all aspects of a compliance program, it should be regularly tested to ensure effectiveness.

 

III.审计

Audits

 

作为OFAC合规内部控制的一部分而被实施的政策和程序应通过内外部审计来实行。

 

The policies and procedures implemented as part of an OFAC compliance internal controls should be enforced through internal and/or external audits.

 

IV.记录保存

Recordkeeping 

 

与OFAC相关的记录保存政策和程序应充分体现OFAC规定中的要求。

 

OFAC-related recordkeeping policies and procedures should adequately account for its requirements under OFAC regulations.

 

V.应对

Response

 

一旦发现内部控制漏洞,企业应采取“迅速有效”的措施,以确定和实施补充控制。

 

Companies should take “immediate and effective” action to identify and implement compensating controls upon learning of a weakness in its internal controls.

 

VI.沟通

Communication

 

制裁合规体系的政策和程序应明确传达给所有相关员工、在高风险领域运营的业务单位以及代表企业履行合规职责的外部主体,前述高风险领域包括客户开发、支付和销售等。

 

SCP’s policies and procedures should be clearly communicated to all relevant staff as well as business units operating in high-risk areas and to external parties performing SCP responsibilities on behalf of the company. High-risk areas include, among others, customer acquisition, payments, and sales.

 

VII.整合

Integration 

 

企业应指定人员将制裁合规体系的政策和程序融入企业日常运营,包括与相关业务部门进行协商,并确认员工了解政策和程序。

 

Personnel should be appointed for integrating the SCP’s policies and procedures into the daily operations of the company. This process should include consultations with relevant business units and confirms that employees understand the policies and procedures.

 

4) 测试与审计

Testing and Auditing

 

全面、独立和客观的测试或审计功能,对于确保企业了解其制裁合规体系是否按预期实施至关重要。测试或审计能够让企业决定何时更新、增强或进一步调整其制裁合规体系,以应对不断变化的风险评估或制裁。OFAC框架列出了测试和审计有效性的三个一般方面:

 

Comprehensive, independent, and objective testing or audit function for an SCP is vital for ensuring that companies understand whether their compliance program is working as intended. Testing or auditing allows companies to determine when they should update, enhance, or recalibrate their SCP in response to changing risk assessments or sanctions. The OFAC Framework lists three general aspects of an effective testing and auditing program:

 

I.独立负责

Independent and Accountable

 

测试和审计应向高级管理层负责;应独立于被审计行为;应由具备足够权限、技能、专业能力和资源的人员进行。

 

Testing and auditing should be accountable to senior management; independent of the audited activities; and should done by personnel with sufficient authority, skills, expertise, and resources.

 

II.复杂性

Sophistication

 

测试和审计程序应与制裁合规体系的复杂性相匹配,并对OFAC相关风险评估和内部控制进行“全面而客观”的评估。

 

Testing and auditing procedures should be appropriate for the sophistication of its SCP and reflect a “comprehensive and objective” evaluation of the organization’s OFAC-related risk assessment and internal controls.

 

III.应对

Response 

 

在获悉关于制裁合规体系的确定负面测试结果或审计后,企业应采取“迅速有效的行动”来确定和实施补偿控制,直到合规漏洞的根源得到确定和纠正。

 

Upon learning of a confirmed negative testing result or audit related to its SCP, companies should take “immediate and effective action” to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

 

5) 培训

Training

 

成功制裁合规体系的最后一个方面是有效的培训项目。企业应根据自身风险状况定期为所有相关员工和人员提供培训。培训项目应根据岗位需要提供相关常识,宣贯合规责任,并通过评估强化员工合规培训。OFAC框架列出了有效培训项目的五个一般方面:

 

The final aspect of a successful SCP is an effective training program. A training program should be provided to all appropriate employees and personnel on a periodic basis and should be tailored to the company’s risk profile. A training program should aim to provide job-specific knowledge as needed; communicate sanctions compliance responsibilities; and hold employees accountable for sanctions compliance training through assessments. The OFAC Framework lists five general aspects of an effective training program:

 

I.员工及利益相关者培训

Training for Employees and Stakeholders

 

OFAC合规培训项目应视情况向员工和利益相关者提供充分的信息和引导。利益相关者包括客户、供应商、业务合作伙伴和交易对手。企业尤其要为高风险员工提供专门的培训。

 

OFAC-related training programs should provide adequate information and instruction to employees and, as appropriate, stakeholders. Stakeholders include, among others, clients, suppliers, business partners, and counterparties. Specific, tailored training should be provided to high-risk employees.

 

II.适当的范围

Appropriate Scope

 

OFAC合规培训应与企业实际情况相匹配,包括提供产品和服务的范围,顾客、客户及其维持的伙伴关系,以及运营区域。

 

OFAC-related training should be appropriate for the scope for the products and services a company offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.

 

III.培训频率

Training Frequency

 

企业组织培训的频率应与OFAC风险评估和风险状况相匹配,但是每年需至少组织一次培训。

 

Training frequency should be appropriate based on its OFAC risk assessment and risk profile. At a minimum, training should occur annually.

 

IV.纠正措施

Corrective Actions 

 

企业在获悉经确认的负面测试、审计结果,或者其他制裁合规体系缺陷后,应马上采取有效措施,向相关人员提供培训或采取其他纠正措施。

 

Upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its SCP, a company should take immediate and effective action to provide training to or other corrective action to relevant personnel.

 

V.可利用的资源

Accessible Resources

 

培训项目应包括容易为所有相关人员获取的资源和材料。

 

A training program should include easily accessible resources and materials that are available to all applicable personnel.

 

 

OFAC违规的常见原因

Common Causes of OFAC Violations

 

OFAC框架非穷尽列举了制裁合规体系失败或缺陷的十个常见“根源”。

 

The OFAC Framework contains a non-exhaustive list of ten common “root causes” of compliance program breakdowns or deficits.

 

I.缺乏正式的OFAC制裁合规体系

Lack of a Formal OFAC SCP

 

最常见的问题之一是缺乏正式的制裁合规体系。这不仅会导致制裁违规的发生,而且OFAC还将其视为行政执法中的加重情节。

 

One of the most common problems is simply the lack of a formal SCP. Not only does this result in sanction violations occurring, OFAC treats it as an aggravating factor in administrative actions.

 

II.误读或不理解OFAC规定的适用

Misinterpreting, or Failing to Understand the Applicability of, OFAC’s Regulations

 

对OFAC规定的误读是另一个常见问题,该问题时常发生在案涉主体认为案涉交易或活动或者未被禁止,或者不适用于其组织机构或操作过程时。“行为不考虑后果,许多警示信号表明案涉行为可能被禁止,企业管理层对案涉行为有所预知,案涉企业规模较大且复杂度较高”等因素也被视为加重情节。

 

Misinterpretation of OFAC’s regulations is another common problem. This often occurs when the subject person determined the transaction, dealing, or activity at issue was either not prohibited or did not apply to their organization or operations. This too can be treated as an aggravating factoring when there is “reckless conduct, the presence of numerous warning signs that the activity at issue was likely prohibited, awareness by the organization’s management of the conduct at issue, and the size and sophistication of the subject person.”

 

III.促进非美国主体(包括通过或者由海外子企业或附属企业)进行交易

Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates) 

 

企业有时会被发现从事违反OFAC规定的交易或其他活动,这些行为包括向OFAC制裁对象先容、批准或者签署业务,或者通过其他方式促成组织的非美国分支与OFAC制裁人员、当事方或国家/地区之间的交易。

 

Companies are sometimes caught engaging in transactions or activities that violated OFAC’s regulations by referring business opportunities to, approving, or signing off on transactions conducted by, or otherwise facilitating dealings between their organization’s non-U.S. locations and OFAC-sanctioned persons, parties, or countries/ regions.

 

IV.向OFAC制裁对象出口或者再出口美国原产货物、技术或服务

Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries

 

非美国主体的一个常见问题是,以向OFAC制裁人员、当事方或国家/地区再出口、转让或出售为目的,购买原产于美国的货物。前述情况甚至在已有警示表明禁止这种活动时,例如禁止再出口的合同条款,仍有发生。

 

A common problem for non-U.S. persons is the purchase of U.S.-origin goods with the specific intent of re-exporting, transferring, or selling the items to persons, parties, or countries/regions subject to OFAC sanctions. This has occurred at times when there were warning signs that this activity was prohibited, such as clauses in contracts prohibiting re-exporting.

 

V.为与OFAC制裁对象相关的商业交易利用美国金融系统、向或者通过美国金融机构进行支付

Utilizing the U.S. Financial System, or Processing Payments to or through U.S. Financial Institutions, for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries

 

许多非美国主体在与受OFAC制裁人员、当事方或者国家/地区相关的商业活动中,开展通过美国金融机构或者与美国金融机构进行的金融交易,同样违反OFAC的规定。

 

Many non-U.S. persons have also violated OFAC’s regulations by processing financial transactions to or through U.S. financial institutions that pertain to commercial activity involving an OFAC-sanctioned persons, parties, or countries/regions.

 

VI.制裁筛查App或者过滤器错误

Sanctions Screening Software or Filter Faults

 

企业有时未能更新其制裁筛查App以纳入更新的SDN名单或SSI名单;未能包括相关的识别符,例如被指定、封锁或制裁金融机构的SWIFT商业识别码;或未能考虑到制裁对象名称的替代拼写。

 

Companies have failed at times to update their sanctions screening software to incorporate updates to the SDN List or SSI List, failed to include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions, or did not account for alternative spellings of prohibited countries or parties.

 

VII.客户尽职调查(如所有权、业务来往等)不当

Improper Due Diligence on Customers/Clients (e.g., Ownership, Business Dealings, etc.) 

 

OFAC采取的多种行政执法措施都源于企业对客户的尽职调查不当或不完整,例如客户的所有权、地理位置、交易对手和交易本身以及客户对OFAC制裁的了解和意识。

 

Various administrative actions taken by OFAC involved improper or incomplete due diligence by a company or corporation on its customers, such as their ownership, geographic location(s), counterparties, and transactions, as well as their knowledge and awareness of OFAC sanctions.

 

VIII.分散的合规职能与制裁合规体系的矛盾适用

De-Centralized Compliance Functions and Inconsistent Application of an SCP 

 

合规人员和决策者分散在不同办公室和业务部门的分散式合规体系可能存在问题,从多方面导致违规行为的发生:对OFAC规定的不当说明和适用、缺乏正式的升级流程审查高风险客户/交易、低效或无力的监督和审计职能、对组织制裁相关政策和程序的错误传达等。

 

De-centralized SCPs with personnel and decision makers scatter across various offices and business units can be problematic. Violations have resulted from this arrangement due to an improper interpretation and application of OFAC’s regulations, the lack of a formal escalation process to review high-risk customers or transactions, an inefficient or incapable oversight and audit function, or miscommunications regarding the organization’s sanctions-related policies and procedures.

 

IX.利用非标准支付或商业惯例

Utilizing Non-Standard Payment or Commercial Practices

 

在许多情况下,试图规避OFAC制裁或隐瞒违规活动的组织将实施“非传统商业手段”以完成交易。企业的经营方式应符合行业规范和惯例。

 

In many instances, organizations attempting to evade or circumvent OFAC sanctions or conceal their activity will implement “non-traditional business methods” in order to complete their transactions. Companies should operate in a manner that is consistent with industry norms and practices.

 

X.个人责任

Individual Liability

 

在某些情况下,企业员工特别是监督层、管理层或经理层试图向其他合规人员、监管机构或执法机关“混淆或隐藏”其违规活动。此时,OFAC将考虑对违规企业和个人一并采取执法行动。

 

In some of these cases, employees—particularly in supervisory, managerial, or executive-level positions—have attempted to “obfuscate and conceal” their activities from others within their compliance personnel, as well as from regulators or law enforcement. In such circumstances, OFAC will consider bringing enforcement actions against both the violating company and the individuals.

 

 

给中国企业的建议

Advice for Chinese Companies

 

OFAC合规框架为中国企业审查和改进其制裁合规体系提供了明确引导,无论企业是与美国主体进行交易、使用美国金融系统还是出口或再出口美国原产货物或服务,都可以参照适用前述合规框架。鉴于美国当局对中国企业的严格审查,大家强烈建议各企业评估其制裁合规体系是否与其业务领域及相关风险敞口相匹配。假如美国当局可以选择调查一家中国企业或非中国企业,其可能会选择调查中国企业。

 

The OFAC Compliance Framework provides clear guidance on reviewing and improving SCPs for Chinese companies that do business with U.S. persons, use the U.S. financial system, or export or re-export U.S. origin goods or services. In light of the heightened scrutiny of Chinese companies by U.S. authorities, we strongly advise that companies evaluate whether their SCPs are appropriate for their business area and their associated risk exposure. If U.S. authorities had a choice to investigate a Chinese company or a non-Chinese company, it is likely the authorities would choose to investigate the Chinese company.

 

根据大家处理美国制裁相关调查的实务经验和通过公开渠道检索到的执法行动,诚信经营的中国企业被OFAC调查通常有三个原因:

 

Based on our professional experience in dealing with U.S. sanction-related investigations and publicly available enforcement actions, Chinese companies that are operating in good faith often find themselves tangled up with OFAC for three reasons:

 

第一,许多中国企业并不知晓其行为受美国法管辖。常见情形之一是,中国企业利用美国金融系统进行结算,但结算的交易本身并不涉及任何美国企业或商品。例如,尽管现在伊朗已不再受联合国制裁,中国企业意欲在伊朗开展业务时仍需谨慎,应避免通过美国金融系统进行结算。

 

First, many Chinese companies are simply unaware that they are partaking in activities that places them under U.S. jurisdiction. This is often the case with Chinese companies utilizing the U.S. financial system for transactions that otherwise do not involve U.S. related companies or goods. For example, Chinese companies looking to do business in Iran now that the country is no longer under United Nations sanctions should be careful to ensure that their transactions do not go through the U.S. financial system.  

 

第二,业务遍布国内外的大型中国企业需要确保其不同地区的业务部门都维持强有力的制裁合规体系。大家经常发现,北京或上海总部制裁合规体系强大而集中的企业,受其偏远地区或国外营业机构违规行为之牵连而遭受调查。中国企业应保持警惕,确保其制裁合规体系覆盖所有业务地区,尤其是风险高发地区。

 

Second, large Chinese companies with sprawling operations in China and abroad need to ensure that their compliance systems are robust in all their operating locations. Too often we see companies with strong, centralized compliance systems in their Beijing or Shanghai headquarters finding themselves under investigation for violations that occurred in a remote or foreign office. Chinese companies should be vigilant in ensuring that their SCP covers all of their operations with special attention for at-risk locations.

 

第三,中国企业有时对持续更新的制裁名单不够关注。2018年是OFAC制裁对象数量增加最多的一年,全年全球共有700家实体被加入OFAC的SDN名单。目前名单上共有来自全球的1500多家实体,因此,中国企业使用合适的互联网工具,以确保快速准确筛选被制裁对象非常关键。

 

Third, Chinese companies have struggled at times to keep up with the constantly updating sanctions list. 700 entities all over the world were added to OFAC’s SDN list in 2018 – the most added in single year. With over 1500 entities now on the list, it’s critical that Chinese companies invest in the proper IT tools to ensure they accurately and efficiently screen out sanctioned entities.

 

对中国企业来说,OFAC合规框架的出台恰逢其时。美国政府出于政治原因针对中国企业已尽人皆知,数家知名中国企业因违反制裁规定而成为中美贸易战的牺牲品。目前三家金融机构因受到其前客户违反制裁的牵连,而作为证人陷入关于传票的复杂诉讼中,这表明即使企业善意经营,如果不够勤勉谨慎,还是可能遭受风险。虽然OFAC没有强制要求企业建立制裁合规体系,但大家强烈建议受美国法管辖的中国企业,尤其是国有企业,聘请专业的合规团队及时建立或更新其制裁合规体系,以达到最佳行业标准。

 

The OFAC Framework comes at a vital time for Chinese companies. It is no secret that the current U.S. administration is targeting Chinese companies for political reasons. Several high-profile Chinese companies have found themselves as pawns in the ongoing China-U.S. trade war due to sanction violations. The three financial institutions caught up their complex legal battle over subpoenas relating to sanction violations by their former customer shows that even companies operating in good faith can run into problems if they are not diligent. While SCPs are not legally required under OFAC regulations, we cannot recommend enough that Chinese companies, especially state-owned enterprises, that find themselves under U.S. jurisdiction engage quality compliance professions to swiftly implement or update their SCP so they meet best in industry standards.

 

【注] 

[1] https://www.treasury.gov/resource-center/sanctions/.../framework_ofac_cc.pdf

[2] https://home.treasury.gov/news/press-releases/sm680

[3] Insert

[4] A license is an authorization from OFAC to engage in a transaction that would be prohibited. A general license authorizes a particular type of transaction for a class of persons without the need to apply for a license.

 

特别声明:

以上所刊登的文章仅代表编辑本人观点,不代表北京市美高梅手机娱乐律师事务所或其律师出具的任何形式之法律意见或建议。

如需转载或引用该等文章的任何内容,请私信沟通授权事宜,并于转载时在文章开头处注明来源于公众号“美高梅手机娱乐视界”及编辑姓名。未经本所书面授权,不得转载或使用该等文章中的任何内容,含图片、影像等视听资料。如您有意就相关议题进一步交流或探讨,欢迎与本所联系。

XML 地图 | Sitemap 地图