On May 2, 2019, the U.S. Treasury Department’s Office of Foreign Asset Control (“OFAC”) released “A Framework for OFAC Compliance Commitments” (the “OFAC Framework”). The OFAC Framework provides guidance on how companies can implement a successful sanction compliance program (“SCP”). This guidance is critical for Chinese companies, private or state-owned, that are doing business with the United States or U.S. persons, use U.S. origin goods or services, or otherwise find themselves under U.S. jurisdiction through activities such as using the U.S. financial system. There have been a few incidents of Chinese companies getting caught up in U.S. sanction investigations in the last few years. Notably, three financial institutions are currently embroiled in a U.S. court case over subpoenas they received to provide evidence relating to OFAC sanction violations by their former client for a North Korean entity. The three financial institutions have not committed any crimes nor are they under investigation. Indeed, it is very likely that they were unaware of the OFAC violations committed by their former customer that is the subject of the investigation.
OFAC is the U.S. civil enforcement agency tasked with implementing and enforcing American economic and trade sanctions and is responsible for maintaining the List of Specially Designated Nationals and Blocked Persons (the “SDN List”), the Sectoral Sanctions Identification List (the “SSI List”), and other sanctions-related lists. OFAC can impose civil penalties or other administrative actions for sanction violations and, when it deems appropriate, refer potential sanction violations to appropriate law enforcement agencies, such as the U.S. Department of Justice, for criminal investigation and/or prosecution. Violations of U.S. economic and trade sanctions by Chinese companies have contributed to enforcement actions that have cost the companies more than a billion dollars in recent years.
The OFAC Framework is a critical tool for Chinese companies operating under U.S. jurisdiction. First, a strong SCP developed in accordance with the OFAC Framework can help Chinese companies avoid getting tangled up in the U.S. legal system. Often, there is a focus on Chinese companies that are caught violating U.S. sanctions on purpose, but it is prudent to remember that Chinese companies can be caught up as unknowing participants. An effective SCP can help prevent sanction violations from the beginning. Second, a robust SCP can act as a mitigating factor when OFAC considers the appropriate response for a sanction violation. Third, companies that enter into settlement agreements with OFAC for sanction violations are often required to implement or improve their SCPs to meet the standards as set out in the OFAC Framework.
The content of the OFAC Framework will be familiar to experienced cross-border compliance lawyers who have read recent OFAC decision notices which have increasingly described the positive and negative features of penalized companies’ remediation efforts. The OFAC Framework centralizes this guidance and expands on it, making it a helpful reference document. In the OFAC Framework’s press release, Director of the Office of Foreign Assets Control Andrea M. Gacki stated that “[t]his underlines our commitment to engage with the private sector to further promote understanding of, and compliance with, sanctions requirements.” In addition to its guidance on how OFAC will evaluate SCPs, the OFAC Framework also includes a list of frequent sources of sanction violations. Combined with the release of the updated DOJ guidelines on compliance (you can see our article here) on April 30, 2019, Chinese companies are better positioned than ever to take effective steps to reduce their exposure to American prosecutors.
The OFAC Framework
The OFAC Framework “strongly encourages” companies to take a risk-based approach to sanctions compliance that takes into consideration a company’s size and sophistication, products and services, customers and counterparties, and geographic locations.
Regardless of the company, the OFAC Framework suggests that all SCPs should include five “essential” components: 1) management commitment; 2) risk assessment; 3) internal controls; 4) testing and auditing; and 5) training.
Senior Management Commitment
One of the “most important factors” in determining the success of a company’s SCP is the level of support from senior management. Senior management includes senior leadership, executives, and/or the board of directors. The OFAC Framework lists five general aspects of effective senior management commitment:
Senior management should review and approve the company’s SCP.
Authority and Autonomy
Senior management should ensure that the company’s compliance units are delegated sufficient authority and autonomy to implement the SCP and effectively control OFAC risk. This should include direct reporting lines between the SCP personnel and senior management, including regular meetings between the two.
Senior management should take steps to ensure that the company’s compliance units are allocated adequate resources as needed, including personnel, expertise, and IT support. This should be an ongoing investment that is appropriate for the company’s “breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.”
The OFAC Framework lists three criteria for measuring whether a company has provided adequate resources.
The company should appoint a dedicated OFAC sanctions compliance officer. Depending on the size and complexity of a company, this may be a person serving in other senior compliance positions, such as an Export Control Officer.
The personnel dedicated to the SCP have the appropriate knowledge, experience, expertise, and position to understand and identify OFAC-related issues, risks, and prohibited activities.
There are sufficient control functions to support a company’s SCP, including IT software and systems, that adequately address the company’s OFAC-risk assessment and levels.
Culture of Compliance
As is the case with all compliance activities, senior management should promote a “culture of compliance” at the company. The OFAC Framework lists three criteria for measuring whether a company is promoting a culture of compliance.
Personnel can report OFAC-related misconduct by the company or personnel without fear of reprisal.
Senior management communicates and takes actions that discourage OFAC-related misconduct and highlight potential repercussions for non-compliance.
The SCP has oversight over the actions of the entire company, including senior management, for the purposes of OFAC compliance.
Recognition of Violations
Senior management should recognize the seriousness of OFAC violations or failures by the company and its personnel to comply with the SCP’s policies and procedures. They should implement the measures necessary to reduce the recurrence of past violations, and those measures should be systemic solutions rather than one-off fixes.
The OFAC Framework recommends that companies take a “risk-based approach” when designing or updating their SCP. Risks in this context are “potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations”. OFAC recommends that the best way to do this is to conduct ongoing “risk assessments” to inform SCP policies, procedures, internal controls, and training to mitigate risks.
Although the OFAC Framework acknowledges that there is no “one-size-fits-all” approach to risk assessment, companies should generally conduct a holistic review of the entire company and assess where it has external exposure. This allows for the identification of potential areas of interaction with OFAC-prohibited persons, parties, or countries/regions, including clients, products, services, and geographic locations. Companies should also conduct risk assessments and OFAC-related due diligence during mergers and acquisitions, especially if the other company operates in geographically at-risk areas.
The OFAC Framework lists two general aspects of conducting an effective OFAC risk assessment:
Assessing OFAC Risk
OFAC risk assessment should be conducted in a manner and with a frequency that adequately accounts for potential risk. These risks could be posed by the company’s “clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization.” An adequate risk assessment will be updated to reflect the “root causes” of any apparent violations or systemic deficiencies identified.
When assessing OFAC risk, companies should leverage existing information to determine the extent of due diligence required in a customer relationship or transaction. Companies can develop a sanctions risk profile for customers, customer groups, or account relationships by leveraging information provided by the customer through procedures such as “Know Your Customer” or “Customer Due Diligence,” as well as independent research conducted by the organization at the initiation of the customer relationship. This information can be used to guide future OFAC risk due diligence efforts. Additionally, this compliance due diligence should be integrated into merger, acquisition, and integration processes. The important elements to consider when determining a sanctions risk rating can be found in OFAC’s risk matrix provided in 31 CFR Appendix A to Part 501, Economic Sanctions Enforcement Guidelines. We have included a translated version below.
OFAC Risk Matrix

| Low risk | Moderate risk | High risk |
|---|---|---|
| Stable, well-known customer base in a localized environment | Customer base changing due to branching, merger, or acquisition in the domestic market | A large, fluctuating client base in an international environment |
| Few high-risk customers; these may include nonresident aliens, foreign customers (including accounts with U.S. powers of attorney), and foreign commercial customers | A moderate number of high-risk customers | A large number of high-risk customers |
| No overseas branches and no correspondent accounts with foreign banks | Overseas branches or correspondent accounts with foreign banks | Overseas branches or multiple correspondent accounts with foreign banks |
| No electronic services (e.g., e-banking) offered, or products available are purely informational or non-transactional | The institution offers limited electronic (e.g., e-banking) products and services | The institution offers a wide array of electronic (e.g., e-banking) products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet) |
| Limited number of funds transfers for customers and non-customers, limited third-party transactions, and no international funds transfers | A moderate number of funds transfers, mostly for customers; possibly, a few international funds transfers from personal or business accounts | A high number of customer and non-customer funds transfers, including international funds transfers |
| No other types of international transactions, such as trade finance, cross-border ACH, and management of sovereign debt | Limited other types of international transactions | A high number of other types of international transactions |
| No history of OFAC actions; no evidence of apparent violation or circumstances that might lead to a violation | A small number of recent actions (i.e., actions within the last five years) by OFAC, including notice letters or civil money penalties, with evidence that the institution addressed the issues and is not at risk of similar violations in the future | Multiple recent actions by OFAC, where the institution has not addressed the issues, thus leading to an increased risk of the institution undertaking similar violations in the future |
| Management has fully assessed the institution’s level of risk based on its customer base and product lines. This understanding of risk and strong commitment to OFAC compliance is satisfactorily communicated throughout the organization. | Management exhibits a reasonable understanding of the key aspects of OFAC compliance and its commitment is generally clear and satisfactorily communicated throughout the organization, but it may lack a program appropriately tailored to risk. | Management does not understand, or has chosen to ignore, key aspects of OFAC compliance risk. The importance of compliance is not emphasized or communicated throughout the organization. |
| The board of directors, or board committee, has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate and consistent with the institution’s OFAC risk profile. | The board has approved an OFAC compliance program that includes most of the appropriate policies, procedures, controls, and information systems necessary to ensure compliance, but some weaknesses are noted. | The board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient. |
| Staffing levels appear adequate to properly execute the OFAC compliance program. | Staffing levels appear generally adequate, but some deficiencies are noted. | Management has failed to provide appropriate staffing levels to handle the workload. |
| Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer. | Authority and accountability are defined, but some refinements are needed. A qualified OFAC officer has been designated. | Authority and accountability for compliance have not been clearly established. No OFAC compliance officer, or an unqualified one, has been appointed. The role of the OFAC compliance officer is unclear. |
| Training is appropriate and effective based on the institution’s risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance. | Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program. | Training is sporadic and does not cover important regulatory and risk areas, or is nonexistent. |
| The institution employs strong quality control methods. | The institution employs limited quality control methods. | The institution does not employ quality control methods. |
Companies should develop methods to identify, analyze, and address risks. This risk assessment should be updated regularly through testing or auditing.
Companies should include internal controls related to activity that may be prohibited by OFAC regulations. This includes policies and procedures to “identify, interdict, escalate, report, and record” such activity. The role of internal controls is to “outline clear expectations, define procedures and processes pertaining to OFAC compliance,” and minimize risks. Internal and/or external audits and assessments should be conducted regularly to ensure that the internal controls are working properly.
A successful SCP should be capable of adjusting rapidly to changes published by OFAC, including updates to sanctions lists such as the SDN List and the SSI List; new sanctions programs initiated for any reason; and the issuance of general licenses. The OFAC Framework lists seven general aspects of effective internal controls:
Written Policies and Procedures
Written policies and procedures that outline the SCP should be created and implemented. They should be relevant, capture day-to-day operations and procedures, be easy to follow, and be designed to prevent misconduct.
Adequate Internal Controls
Internal controls should be implemented that adequately address the results of the company’s OFAC risk assessment and profile. The internal controls should effectively “identify, interdict, escalate, and report” OFAC-prohibited activity to appropriate personnel. IT solutions should be selected in a manner that is appropriate to the company’s risk profile and compliance needs. As with all aspects of a compliance program, they should be regularly tested to ensure effectiveness.
The policies and procedures implemented as part of the OFAC compliance internal controls should be enforced through internal and/or external audits.
OFAC-related recordkeeping policies and procedures should adequately account for the company’s requirements under OFAC regulations.
Companies should take “immediate and effective” action to identify and implement compensating controls upon learning of a weakness in their internal controls.
The SCP’s policies and procedures should be clearly communicated to all relevant staff, to business units operating in high-risk areas, and to external parties performing SCP responsibilities on behalf of the company. High-risk areas include, among others, customer acquisition, payments, and sales.
Personnel should be appointed to integrate the SCP’s policies and procedures into the daily operations of the company. This process should include consultations with relevant business units and should confirm that employees understand the policies and procedures.
Testing and Auditing
A comprehensive, independent, and objective testing or audit function for an SCP is vital for ensuring that companies understand whether their compliance program is working as intended. Testing or auditing allows companies to determine when they should update, enhance, or recalibrate their SCP in response to changing risk assessments or sanctions. The OFAC Framework lists three general aspects of an effective testing and auditing program:
Independent and Accountable
Testing and auditing should be accountable to senior management, independent of the audited activities, and done by personnel with sufficient authority, skills, expertise, and resources.
Testing and auditing procedures should be appropriate for the sophistication of the company’s SCP and reflect a “comprehensive and objective” evaluation of the organization’s OFAC-related risk assessment and internal controls.
Upon learning of a confirmed negative testing result or audit related to its SCP, companies should take “immediate and effective action” to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
The final aspect of a successful SCP is an effective training program. A training program should be provided to all appropriate employees and personnel on a periodic basis and should be tailored to the company’s risk profile. A training program should aim to provide job-specific knowledge as needed; communicate sanctions compliance responsibilities; and hold employees accountable for sanctions compliance training through assessments. The OFAC Framework lists five general aspects of an effective training program:
Training for Employees and Stakeholders
OFAC-related training programs should provide adequate information and instruction to employees and, as appropriate, stakeholders. Stakeholders include, among others, clients, suppliers, business partners, and counterparties. Specific, tailored training should be provided to high-risk employees.
OFAC-related training should be appropriate in scope for the products and services a company offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
Training frequency should be appropriate based on the company’s OFAC risk assessment and risk profile. At a minimum, training should occur annually.
Upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its SCP, a company should take immediate and effective action to provide training or other corrective action to relevant personnel.
A training program should include easily accessible resources and materials that are available to all applicable personnel.
Common Causes of OFAC Violations
The OFAC Framework contains a non-exhaustive list of ten common “root causes” of compliance program breakdowns or deficits.
Lack of a Formal OFAC SCP
One of the most common problems is simply the lack of a formal SCP. Not only does this result in sanction violations occurring, but OFAC also treats it as an aggravating factor in administrative actions.
Misinterpreting, or Failing to Understand the Applicability of, OFAC’s Regulations
Misinterpretation of OFAC’s regulations is another common problem. This often occurs when the subject person determined that the transaction, dealing, or activity at issue was either not prohibited or did not apply to their organization or operations. This too can be treated as an aggravating factor when there is “reckless conduct, the presence of numerous warning signs that the activity at issue was likely prohibited, awareness by the organization’s management of the conduct at issue, and the size and sophistication of the subject person.”
Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates)
Companies are sometimes caught engaging in transactions or activities that violate OFAC’s regulations by referring business opportunities to, approving or signing off on transactions conducted by, or otherwise facilitating dealings between their organization’s non-U.S. locations and OFAC-sanctioned persons, parties, or countries/regions.
Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries
A common problem for non-U.S. persons is the purchase of U.S.-origin goods with the specific intent of re-exporting, transferring, or selling the items to persons, parties, or countries/regions subject to OFAC sanctions. This has occurred at times when there were warning signs that this activity was prohibited, such as clauses in contracts prohibiting re-exporting.
Utilizing the U.S. Financial System, or Processing Payments to or through U.S. Financial Institutions, for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries
Many non-U.S. persons have also violated OFAC’s regulations by processing financial transactions to or through U.S. financial institutions that pertain to commercial activity involving OFAC-sanctioned persons, parties, or countries/regions.
Sanctions Screening Software or Filter Faults
Companies have failed at times to update their sanctions screening software to incorporate updates to the SDN List or SSI List, failed to include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions, or did not account for alternative spellings of prohibited countries or parties.
Improper Due Diligence on Customers/Clients (e.g., Ownership, Business Dealings, etc.)
Various administrative actions taken by OFAC involved improper or incomplete due diligence by a company or corporation on its customers, such as their ownership, geographic location(s), counterparties, and transactions, as well as their knowledge and awareness of OFAC sanctions.
De-Centralized Compliance Functions and Inconsistent Application of an SCP
De-centralized SCPs with personnel and decision makers scattered across various offices and business units can be problematic. Violations have resulted from this arrangement due to an improper interpretation and application of OFAC’s regulations, the lack of a formal escalation process to review high-risk customers or transactions, an inefficient or incapable oversight and audit function, or miscommunications regarding the organization’s sanctions-related policies and procedures.
Utilizing Non-Standard Payment or Commercial Practices
In many instances, organizations attempting to evade or circumvent OFAC sanctions or conceal their activity will implement “non-traditional business methods” in order to complete their transactions. Companies should operate in a manner that is consistent with industry norms and practices.
In some of these cases, employees, particularly those in supervisory, managerial, or executive-level positions, have attempted to “obfuscate and conceal” their activities from their own compliance personnel, as well as from regulators or law enforcement. In such circumstances, OFAC will consider bringing enforcement actions against both the violating company and the individuals.
Advice for Chinese Companies
The OFAC Compliance Framework provides clear guidance on reviewing and improving SCPs for Chinese companies that do business with U.S. persons, use the U.S. financial system, or export or re-export U.S. origin goods or services. In light of the heightened scrutiny of Chinese companies by U.S. authorities, we strongly advise that companies evaluate whether their SCPs are appropriate for their business area and their associated risk exposure. If U.S. authorities had a choice to investigate a Chinese company or a non-Chinese company, it is likely the authorities would choose to investigate the Chinese company.
Based on our professional experience in dealing with U.S. sanction-related investigations and publicly available enforcement actions, Chinese companies that are operating in good faith often find themselves tangled up with OFAC for three reasons:
First, many Chinese companies are simply unaware that they are partaking in activities that place them under U.S. jurisdiction. This is often the case with Chinese companies utilizing the U.S. financial system for transactions that otherwise do not involve U.S.-related companies or goods. For example, Chinese companies looking to do business in Iran now that the country is no longer under United Nations sanctions should be careful to ensure that their transactions do not go through the U.S. financial system.
Second, large Chinese companies with sprawling operations in China and abroad need to ensure that their compliance systems are robust in all their operating locations. Too often we see companies with strong, centralized compliance systems in their Beijing or Shanghai headquarters finding themselves under investigation for violations that occurred in a remote or foreign office. Chinese companies should be vigilant in ensuring that their SCP covers all of their operations with special attention for at-risk locations.
Third, Chinese companies have struggled at times to keep up with the constantly updating sanctions lists. 700 entities all over the world were added to OFAC’s SDN List in 2018, the most added in a single year. With over 1500 entities now on the list, it is critical that Chinese companies invest in the proper IT tools to ensure they accurately and efficiently screen out sanctioned entities.
The OFAC Framework comes at a vital time for Chinese companies. It is no secret that the current U.S. administration is targeting Chinese companies for political reasons. Several high-profile Chinese companies have found themselves as pawns in the ongoing China-U.S. trade war due to sanction violations. The three financial institutions caught up in a complex legal battle over subpoenas relating to sanction violations by their former customer show that even companies operating in good faith can run into problems if they are not diligent. While SCPs are not legally required under OFAC regulations, we cannot recommend enough that Chinese companies, especially state-owned enterprises, that find themselves under U.S. jurisdiction engage quality compliance professionals to swiftly implement or update their SCP so that it meets best-in-industry standards.
Note: A license is an authorization from OFAC to engage in a transaction that would otherwise be prohibited. A general license authorizes a particular type of transaction for a class of persons without the need to apply for a license.