OFAC, Its 5 Essential Components, and Exemptions
OFAC, What is it?
OFAC (The Office of Foreign Assets Control) is a department in the U.S. Treasury. It is a supervisory authority that administers and enforces economic trade sanctions against states, organizations, and individuals. It was created in 1950 when China entered the Korean War. Furthermore, it has replaced the earlier existing Office of Foreign Funds Control, which was established in 1940 as a response to Norway’s invasion by the Nazis. It has the authority to enforce economic and trade sanctions imposed by the U.S. against other countries and groups of people.
The enforcement of such sanctions is based on the foreign policy and national security objectives of the country. It also imposes those sanctions which have been mandated by the United Nations. Such sanctions are enforced to create pressure on the country which is violating the international norms so that they conform to the acceptable behavior as per international standards.
5 Essential Components of OFAC
The Sanctions Compliance Program while calculating the risk associated with the actions of the country takes into account some factors such as the size and sophistication of the company, product and services rendered by the company, customers and counterparties, and geographical location. 5 such essential OFAC components act as a guide while predicting risk made by the Sanctions Compliance Program.
Senior Management Commitment
The compliance unit shall have sufficient authority and autonomy while enforcing sanctions. Thus, senior management such as compliance officers is appointed to review and authorize the sanctions imposed. For example, senior compliance officers like Bank Secrecy Act officers act as senior management to authorize the sanction. They have the expertise as well as technical knowledge about the sanctions and regulation of OFAC and help OFAC with them. They also ensure that the compliance unit receives adequate resources such as human capital, expertise, information technology, target and secondary market, etc. which ensures that culture of compliance within the organization.
A holistic review of the organization is taken, and potential risk is assessed which includes the customers, supply chains, intermediaries, and counterparties, the product and services offered by the organization, and how and where such items fit into other financial or commercial products, services, networks or systems, and the geographic locations of the organization. It is a part of due diligence which is performed to ensure the sanctions-related issues are identified, escalated to senior management, and incorporated into the process of risk assessment. This includes onboarding and Mergers and Acquisitions of an organization.
It includes reporting and escalation chains and minimizes the risks identified by the SCP. The policies and procedures of SCP shall be integrated into the daily operations of the company. The root cause of any breach shall be identified and remediated. The purpose is to outline the expectations and define the procedure and process of the OFAC compliance. They have to change the changes occurring, such as updating the list of Specially Designated Nationals and Blocked Persons, etc.
Testing and Auditing
SCP does the objective testing and audit function in the company and finds out the weakness and deficiencies of the company. It takes into account the day-to-day operations of a company. After finding the weakness, it attempts to enhance its program including all program-related software, systems, other technology, etc. they make updates and improvements accordingly. Senior management is responsible for the testing or audit function, so it has appropriate authority, expertise, and technical knowledge. It also ensures that immediate actions are taken if there is a confirmed negative result of the tests. The ultimate objective is to find out the root cause of the weakness identified and remediate them.
All the employees and stakeholders like clients and suppliers are provided with a training program that provides job-specific knowledge based on the needs. It communicates the sanctions’ compliance program responsibilities of each employee. It puts the accountability for sanctions compliance on the employee post-training. The training programs include easily accessible resources and materials that are available to all applicable personnel.
Sanctions List of OFAC and Their Examples
- Sanctions against the Russian Central Bank
- Exclusion of several Russian banks from the Swift international financial communication system
- Exports ban certain goods and technologies for oil refining
- Export restrictions on aerospace-related goods, technologies, and services
- Russian aircraft are not allowed to fly in European, Canadian, or American airspace
- Russian ships threatened with a ban on entering EU ports
- Restricted access to key technologies
- The USA bans export of high-tech products to Russia
- EU bans Russian state media RT and Sputnik
People and Institutions
- Sanctions against privileged access to the European Union
- EU and US plan to freeze the existing assets of Russian oligarchs, businessmen, and politicians
What are OFAC Exemptions?
Making new investments in a blocked country or in property that a blocked government or Specially Designated National owns, controls, or has an interest in are among the prohibited transactions listed under OFAC. But there are certain circumstances when exceptions are made under OFAC. The applicant must either apply for a special license from OFAC or use a generic license that has already been published and authorizes him or her to do business or engage in transactions that would otherwise be illegal.
OFAC Compliance Checklist
Certain elements of compliance have to be followed, such as:
The organization has to create a culture of compliance, which will be starting at the top. The senior officials must allocate sufficient resources to the compliance department of the organization.
The companies shall have a sanction control program, and OFAC recommends the companies use a risk-based approach in the same. They should conduct a risk assessment and then tailor the program to tackle those issues.
There is a need for policies and procedures to identify deficiencies and the company should keep a record of sanctions imposed by OFAC if any.
Testing and Auditing
There shall be independent testing and auditing to evaluate the effectiveness of the compliance program of a company. The company should update and enhance its program continuously and shall also update all compliance-related software, systems, and technology.
The appropriate employees of the company must be given appropriate training related to the OFAC sanctions and compliance once a year. There shall be an assessment for the training so that those employees can be held responsible for any kind of sanctions imposed due to lack of compliance.
What is an OFAC Violation?
OFAC has listed 10 violations in its guidance on compliance requirements published in 2019. The information given in the report serves as a checklist for sanction compliance programs for all companies subject to US jurisdiction. Those violations are as follows:
- Lack of a formal OFAC sanctions compliance program.
- Misinterpretation of OFAC regulations or a lack of understanding of their relevance
- Assisting non-US citizens in their dealings, especially by overseas subsidiaries or affiliates
- Exporting or re-exporting US-origin goods, technology, or services to OFAC sanctioned people or countries
- Processing payments through US financial institutions for commercial transactions involving OFAC sanctioned people or countries
- Failure to update sanctions screening software and filters
- Improper due diligence on customers/clients (eg. Ownership, business dealings, etc.)
- Decentralised compliance functions and inconsistent application of a sanction compliance program throughout an organization
- Using non-standard payment or commercial practices.
- Individual liability of managers, supervisors, and senior management. OFAC states that both entities in violation and the people responsible for the violation can be held liable.
There is a checklist for OFAC Ransomware Due Diligence Checklist. These are specifically made for the victims of ransomware. This checklist will provide a guideline to prevent such OFAC-related violations.
- Build a ransomware response team- A legal team comprised of OFAC lawyers, experienced insurance lawyers, etc.
- Review the OFAC list- Companies should hire an expert who receives OFAC alerts, is knowledgeable with how to search and comprehend the specially designated nationals list, and is familiar with how to use the dynamic search capabilities of the specially designated nationals list.
- Do not rely on an OFAC license application- OFAC will assess license applications involving ransomware payments demanded as a result of malicious cyber-enabled actions on a case-by-case basis, with a presumption of denial.
- Notify and cooperate with law enforcement- The OFAC advisory encourages victims of ransomware attacks to contact law enforcement immediately, noting that a “self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”
- Research the method of operation—it will provide useful intelligence for US government investigators and policymakers. Attributing cyberattackers and determining their objectives is considerably more an art than a science.
- Bogus flag cyberattackers can deceive, interfere, and trick even the most seasoned cyber experts, from merely releasing false claims of responsibility to replicating the tools, techniques, and even languages commonly employed by the group or country.
- Consult with OFAC if possible- OFAC encourages ransomware victims and companies involved in helping victims to “contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus.
- Create and maintain risk-based compliance processes for OFAC- Companies that deal with ransomware victims should implement a risk-based compliance program to avoid sanctions-related violations, according to the OFAC advisory, to “account for the risk that a ransomware payment may involve a specially designated national or blocked person or a comprehensively embargoed jurisdiction.”
- Utilize the knowledge of an insurance company- Many organizations that have been hit by ransomware have limited experience with OFAC and the extensive compliance procedures that are required for a successful sanctions program. However, insurance companies, like financial institutions, are already extensively regulated and frequently have seasoned OFAC-related experience as well as veteran anti-money laundering expertise.
- Engage the board of directors
- File a suspicious activity report if appropriate
- Make a paper trail
Thus, if you want to get the specific license to get an exception to the prohibition listed by OFAC, you will have to apply for the official web page “License Application Page” for the same. There is a description of each embargo or sanctions program found on the OFAC website. It can be found in the “Sanctions Programs and Country Information” area of the page.
US persons including citizens and permanent residents regardless of where they are located, all persons and entities within the United States, all US incorporated entities, and their foreign branches must comply with the OFAC regulations. In case of any violations of these regulations, civil and criminal penalties can be imposed, which may exceed several million dollars in some cases.
Here is another article related to sanctions: