As OFAC sanctions multiply, risk management is crucial

Any person or business with a U.S. presence is subject to OFAC sanctions. As part of its enforcement efforts, OFAC provides the Specially Designated Nationals (SDN) and Blocked Persons List of individuals and companies whose assets should be blocked and with whom U.S. persons are prohibited from doing business. Non-SDN sanctions, published as part of OFAC’s Consolidated Sanctions List, define restrictions other than full blocking sanctions, such as prohibitions on the provision of certain goods or services.

Another category of OFAC sanctions – sectoral sanctions – can increase the compliance and operational risk for financial services companies associated with managing these programs. Sectoral sanctions don’t name individuals or companies but rather a sector of an economy that U.S. entities are prohibited from engaging with. Some of the first sectoral sanctions were implemented when Russia annexed Crimea, restricting access to financial markets for the banking, energy, and defense sectors. Additional sectoral sanctions have been issued against parts of the Russian economy related to the more recent Ukraine invasion.

Establishing an effective OFAC compliance framework

With the complexity of navigating sanctions activity increasing, companies need to have qualified risk management specialists on their team who understand sanctions, who understand customers that might be involved in transactions with sanctioned entities, and who understand the legislation governing those transactions. Financial services organizations that manage high volumes of trade and investment transactions bear a particularly heavy burden when it comes to navigating sanctions, as they must monitor their own customers and the entities with which their customers do business.

For example, take a U.S.-based manufacturer that needs to purchase parts from a foreign country subject to sectoral sanctions. The manufacturer needs to have a control in place to ensure the purchase is permitted under relevant existing licenses. The manufacturer’s bank, having issued a letter of credit to finance the purchase, also needs to understand the OFAC implications of the manufacturer’s purchasing activity. Controls at the bank level are necessary as well to review any documentation associated with the letter of credit, verifying that all entities identified in the letter of credit are appropriately screened.

Many companies, particularly outside of financial services, have not performed a complete assessment of their sanctions risk. To help companies establish sound processes for managing these risks, OFAC has issued a "A Framework for OFAC Compliance Commitments" that clarifies the essential components of a sanctions compliance program, which should include:

• Management commitment to establish a culture of OFAC compliance
• Risk assessment to identify points of engagement with OFAC-prohibited entities
• Internal controls to set expectations and define procedures and policies for OFAC compliance
• Testing and auditing to assess effectiveness of processes
• Training to keep all appropriate personnel informed about OFAC compliance responsibilities

Controls for OFAC sanctions risk: Tech and teams

Technology-based solutions can help simplify the complex process of vetting vendor and partner relationships. If a manufacturer is trying to determine whether it can do business with a distributor overseas or a medical testing company is deciding whether to outsource testing to customers around the world, technology can support that due diligence. For example, Treasury offers a free sanctions list search tool that uses fuzzy logic to screen for matches on the SDN and non-SDN lists, and many technology providers also offer systems to help manage sanctions risk.

While technology is an important tool, employees play a crucial role in reviewing the output of matching algorithms and determining next steps. The level of OFAC sanctions risk at an organization or bank should dictate whether one person or a team of several people need to serve in this role. Staffing should align to the volume of risk, complexity of the environment, and amount of independent testing needed.

Matching algorithms aren’t perfect, and they can result in lots of false positives, so a tiered approach to handling alerts can be useful. A tier-one team or individual can review alerts to see if they truly represent a match, and that person can escalate anything that appears to be a true match to a tier-two individual who better understands sanctions risks and implications.

Managing OFAC sanctions risk proactively

Companies that aren’t yet set up to appropriately manage sanctions risk can start with a risk assessment to look at all potential exposures and then build and independently test a program. Once the program has been implemented, companies need to conduct tuning and calibration, including of any technology in place. Finally, a validation process can test the program to make sure it’s working as intended. A third party can help companies new to sanctions risk management walk through this process.

Failure to identify a sanctioned entity can lead to significant enforcement actions and pose reputational risk. Even if OFAC sanctions are violated by accident, the company responsible can be fined or subjected to criminal and civil penalties or enforcement actions. Underscoring the need to be proactive in managing sanctions risk, the financial impact of a penalty can be significant: OFAC issues tens of millions of dollars in fines per year.

By taking proactive steps, financial services organizations can protect themselves and their customers from unintentional transactions with sanctioned entities and strengthen their financial crime programs at the same time.