Explain the importance of compliance and the sanctions for non-compliance

The United States has historically been a champion of imposing sanctions restrictions and regimes. As a result, this activity affects the functioning of financial institutions around the world, which adapt their policies to match the expectations of the American regulators, giving rise to the phenomenon of the “Americanization of compliance.” Banks spend $270 billion per year on compliance. Some 10% or more of most bank operating costs can be attributed to compliance, and some estimates have regulatory costs doubling by 2022. Therefore, it is reasonable to start studying models of sanction compliance in this country.

The general approach to corporate compliance is expressed in a document of the Criminal Division of the U.S. Department of Justice called the “Evaluation of Corporate Compliance Program,” which was published on April 30, 2019. This is the second edition of this document originally issued in 2017. This document is intended for prosecutors who evaluate the effectiveness of corporate compliance policies by answering three questions: 1) whether the compliance program is well designed, 2) whether the program is effectively implemented, and 3) whether the program works in practice.

Although the document deals generally with corporate compliance, and the principles of performance evaluation can be applied to different types of compliance, the subject of this document is the evaluation of anti-corruption programs. This conclusion can be made since the creator and addressee of the document are employees of the prosecutor’s office, which has criminal and civil jurisdiction over companies found to have violated the FCPA.

Two days after the evaluation was published, on May 2, 2019, the main US regulator in the field of sanctions, the Office of Foreign Assets Control (“OFAC”), published its “A framework for OFAC compliance commitments” (hereinafter – “The Framework”). From this point on, we can talk about treating sanctions compliance as a separate subject, which requires a special methodology.

Long before the publication of this document, experts noted problems in the communications of the agency, especially on issues of extraterritorial application. Paul Lee notes:

“The U.S. authorities failed to articulate and communicate at an early stage their expectations for extraterritorial compliance with OFAC sanctions. This failure in the 1980s and 1990s may have stemmed from policy differences among departments in the U.S. Government as to the appropriate extent of extraterritorial application, particularly as to a foreign bank’s clearing of U.S. dollars for transactions between non-U.S. citizens and sanctioned countries. The U.S. Treasury Department began in 2005 to articulate a view on the appropriateness of clearing in US dollars for such transactions, it would have been appropriate for the Treasury Department–at least for retrospective enforcement purposes–to recognize the air of benign neglect that surrounded these issues for many years.”

One of the essential reasons for the publication of this framework was the Exxon Mobil case (See: Exxon Mobil Corp vs. Steven Mnuchin, U.S. District Court of Northern District of Texas/CIVIL ACTION № 3:17-CV-1930-B. December 31, 2019), in which the court concluded that OFAC did not provide a clear explanation of the regulation (“fair notice of its interpretation”). The decision on December 31, 2019, provides an analysis of OFAC’s explanations of sanctions restrictions. The FAQs section administered by OFAC is “a part of OFAC’s commitment to regulatory transparency.” As of June 2022, over 1000 questions were answered. But these FAQs, like the clarifications provided under general and special licenses, did not give an overall picture of the regulator’s expectations.

  1. Voluntary-compulsory compliance

The main expectation of the U.S. regulator of sanction compliance is voluntary-compulsory compliance, which implements the carrot-and-stick mechanism as applied to legal entities at the level of state regulation.

The first element of expectations is voluntariness. In the context of compliance, the English concept of “commitment” differs from “requirement” in that it is a voluntary commitment by a company to follow the rules, as opposed to an external requirement imposed by the state. ISO 19600:2014 Compliance management systems — Guidelines, P. 3.15, stipulates that “compliance commitments” are “requirements that an organization chooses to comply with,” whereas P. 3.14 stipulates that “compliance requirements” are “a requirement that an organization has to comply with.” The framework explains:

“OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP).”

On the one hand, it is assumed that this is just a recommendation; on the other hand, a rather long list of subjects who are strongly advised to implement sanctions compliance is provided:

  • All American companies (U.S. persons).

  • Foreign legal entities that conduct business in the United States or have American counterparties/partners.

  • All persons who use goods of American origin or use the services of American companies or American individuals. (For instance, 31 CFR § 560.205).

Moreover, transactions made in U.S. dollars may be subject to OFAC review, since the use of the U.S. financial system to circumvent sanctions is prohibited. This is explained in paragraph V of the root causes section:

“Many non-U.S. persons have engaged in violations of OFAC’s regulations by processing financial transactions (almost all of which have been denominated in U.S. Dollars) to or through U.S. financial institutions that pertain to commercial activity involving an OFAC-sanctioned country, region, or person. Although no organizations subject to U.S. jurisdiction may be involved in the underlying transaction, such as the shipment of goods, from a third country to an OFAC-sanctioned country—the inclusion of a U.S. financial institution in any payments associated with these transactions often results in a prohibited activity (e.g., the exportation or re-exportation of services from the United States to a comprehensively sanctioned country, or dealing in blocked property in the United States). OFAC has generally focused its enforcement investigations on persons who have engaged in willful or reckless conduct, attempted to conceal their activity (e.g., by stripping or manipulating payment messages, or making false representations to their non-U.S. or U.S. financial institution), engaged in a pattern or practice of conduct for several months or years, ignored or failed to consider numerous warning signs that the conduct was prohibited, involved actual knowledge or involvement by the organization’s management, caused significant harm to U.S. sanctions program objectives, and were large or sophisticated organizations.”

In this regard, one expert notes: “The compliance framework, therefore, explained that the use of U.S. dollars may “often” result in a prohibited activity, such as the export of services, to a sanctioned country, but the framework did not reach the issue of whether a blanket prohibition is in place against the use of U.S. dollars in transactions with sanctioned entities, both for the U.S. and foreign parties.”

In a 2010 Deferred Prosecution Agreement between OFAC and the British Barclays Bank PLC (United States v. Barclays Bank PLC, No. 10-CR-00218-EGS), it is stated that the bank’s criminal actions are more than a deception of U.S. financial institutions: they threaten the security of the American state.

Such language shifts the burden of decision-making on compliance with sanctions restrictions onto commercial entities, including non-U.S. entities.

Now let us move on to the second element: enforcement of compliance. The framework stipulates that the sanctions compliance program should consist of five mandatory elements:

  1. Management commitment;

  2. Risk assessment;

  3. Internal controls;

  4. Testing and auditing; and

  5. Training.

The five mandatory elements of the OFAC Program are identical to the five COSO elements:

  1. Control environment.

  2. Risk assessment.

  3. Control activities.

  4. Information and communication; and

  5. Monitoring.

The first mandatory element of the program, management commitment, contains the obligations of the company’s management in relation to the following:

  • Allocation of adequate resources.

  • Implementation of sanctions compliance processes in current operational activities.

  • Support and formalization of the sanctions compliance program.

  • Creating reporting channels; and

  • The ability of the sanctions policy to have oversight over the actions of the entire organization, including those of senior management.

The second mandatory element is risk assessment. Unlike other similar documents, OFAC has taken an innovative approach to the problem of risk assessment. First, it described the fact that risks can come from customers or buyers, products or services, logistics, intermediaries, counterparties, transactions, and/or geographical locations, so each company should have its own risk assessment (saying “no one size fits all approach”).

Second, the company must conduct its own periodic assessment of potential risks, and OFAC determines two events where risk assessment is mandatory: when initiating a transaction (on-boarding), and during mergers and acquisitions (M&A). Third, OFAC provides an OFAC risk matrix for financial institutions based on the risk matrix of the guidelines for the implementation of the Anti-Money Laundering Act of 2005.

However, the risk matrix includes not only indicators of sanctions risks for financial institutions (Sanction A), but also indicators for evaluating the effectiveness of the compliance program (Sanction B). Thus, OFAC defines low-risk criteria as:

  1. Management has fully assessed the bank’s level of risk based on its customer base and product lines. This understanding of risk and a strong commitment to OFAC compliance is satisfactorily communicated throughout the organization.

  2. The board of directors, or a board committee, has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate and consistent with the bank’s OFAC risk profile.

  3. Staffing levels appear adequate to properly execute the OFAC compliance program.

  4. Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer.

  5. Training is appropriate and effective based on the bank’s risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance.

  6. The institution employs strong quality control methods.

  7. Compliance considerations are incorporated into all products and areas of the organization.

  8. Effective policies for screening transactions and new accounts for specially designated nationals and blocked persons (SDNs) and sanctioned countries are in place. These policies consider the level of risk of the type of transaction being screened.

  9. Compliance systems and controls effectively identify and appropriately report potential OFAC violations. Compliance systems are commensurate with risk. Records are retained that document such reporting.

  10. On a periodic basis, determined by the bank’s level of risk, all existing accounts are checked to ensure that problem accounts are properly blocked or restricted, depending on the requirements of the relevant sanctions program.

  11. Compliance systems and controls quickly adapt to changes in the OFAC SDN list and country programs, regardless of how frequently or infrequently those changes occur.

  12. Independent testing of a compliance program’s effectiveness is in place. An independent audit function tests OFAC compliance regarding systems and training.

  13. Problems and potential problems are quickly identified, and management promptly implements meaningful corrective action.

  14. Overall, appropriate compliance controls and systems have been implemented to identify compliance problems and assess performance.

In other words, the effectiveness criteria of the sanctions compliance system are defined by the regulator in the program and are part of it.

Enforcement of these five elements is carried out through the “compliance” sections of the regulatory documents. Two sections began to be added at the end of settlements with violating companies. The first reference section, called “Compliance considerations,” briefly analyzes which compliance measures (mechanisms) the company should have used to avoid a violation, or which errors in the compliance system led to the violation. The second reference section is “OFAC Regulatory and Compliance Sources,” which provides a link to this program.

For example, in an agreement with Amazon (Amazon.com Inc. Settlement. July 8, 2020) in the section “Compliance considerations”, the following explanation is given as to why the company did not properly check the spelling of geographical locations that are under sanctions (the examples of Crimea and Cuba):

“This case demonstrates the importance of implementing and maintaining effective risk-based sanctions compliance controls, including sanctions screening tools appropriate for e-commerce and other internet-based businesses that operate on a global scale. Such large and sophisticated businesses should implement and employ compliance tools and programs that are commensurate with the speed and scale of their business operations. Global companies that rely heavily on automated sanctions screening processes should take reasonable, risk-based steps to ensure that their processes are appropriately configured to screen relevant customer information and to capture data quality issues, such as common misspellings. Routine testing of these processes to ensure effectiveness and identify deficiencies may also be appropriate. Moreover, companies that learn of a weakness in their internal compliance controls may benefit by taking immediate and effective action, to the extent possible, to identify and implement compensating controls, until the root cause of the weakness can be determined and remediated.”

In appropriate circumstances, OFAC may refer the matter to appropriate law enforcement agencies for criminal investigation and/or prosecution. Apparent sanctions violations that OFAC has referred for criminal investigation and/or prosecution also may be subject to OFAC civil penalty or other administrative action. Criminal procedures under the Department of Justice and criminal liability are also mentioned in the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. 1705(c).

The agreements that OFAC has the right to sign with companies are one of the types of “transactions with an administrative authority” (as opposed to an agreement with criminal charges, a deferred prosecution agreement). An OFAC agreement is made under certain conditions: the payment of a civil fine and the implementation of a compliance system. At the same time, it is specifically stipulated in the Economic Sanctions Enforcement Guidelines (Appendix A to 31 C.F.R. Part 501) that the fine can be reduced by 20–40% if the company did not voluntarily disclose a violation but cooperated during the investigation.

The mandatory implementation of the five elements of sanctions compliance is reflected not only in the abovementioned references to the agreements but also in the section on corrective measures for the legal entity. For instance, in the agreement with the Italian bank UniCredit, the regulator prescribes the introduction of five mandatory elements of sanctions compliance.

Appendix A to Chapter 501 (Reporting, Procedure, and Penalty Regulation) of the Code of Federal Regulations states the fines for violations. While the OFAC Framework states that best practices are those that involve senior management in the adoption of a sanctions compliance program and allocate the necessary resources for this, the instructions state that one of the aggravating circumstances when punishing violations of sanctions restrictions is the involvement of the company’s management in the sanctions violation. This is how the carrot-and-stick approach has been implemented.

The second expectation of the regulator is the voluntary nature of reporting. The American model of compliance is based on encouraging voluntary reporting of violations, and this is a continuation of the practice developed based on the example of anti-corruption compliance, for instance, 9-47.120 - FCPA Corporate Enforcement Policy.

Thus, 31 C.F.R. Part 501, App. A § I(I) says the following:

“Voluntary self-disclosure means a self-initiated notification to OFAC of an apparent violation by a subject person that has committed, or otherwise participated in, an apparent violation of a statute, executive order, or regulation administered or enforced by OFAC, prior to or at the same time that OFAC, or any other federal, state, or local government agency or official, discovers the apparent violation or another substantially similar apparent violation.”

In the agreement with Airbnb Payments, Inc. dated January 3, 2022, OFAC justifies the reduction of the civil monetary penalty by stating that Airbnb Payments voluntarily self-disclosed the apparent violations, and the apparent violations constitute a non-egregious case.

OFAC may refuse to file claims against a company that voluntarily reports a violation, which is similar to the Declinations Agreement that the Department of Justice implements under the FCPA [See: Corporate Enforcement Policy, Justice Manual 9-47.120 and Principles of Federal Prosecution of Business Organizations, JM 9-28.300]; or, when it still pursues the matter, voluntary reporting is considered when calculating the fine.

The regulator’s expectation of voluntary reporting reflects the state’s desire, on the one hand, to economize limited departmental efforts (“procedural savings”) and, on the other hand, as a continuation of procedural savings, to reduce budget spending.

  1. c. International cooperation and participation of lawyers in sanctions risk assessment

With respect to existing compliance programs, for infringing companies that are incorporated in foreign jurisdictions, paragraph III (E) of the Annex establishes the principle of interaction between regulators in different countries regarding the evaluation of the effectiveness of a compliance program.

OFAC considers “the existence, nature, and adequacy of a subject person’s risk-based OFAC compliance program at the time of the apparent violation, where relevant. In the case of an institution subject to regulation where OFAC has entered a Memorandum of Understanding (MOU) with the subject person’s regulator, OFAC will follow the procedures set forth in such MOU regarding consultation with the regulator regarding the quality and effectiveness of the subject person’s compliance program. Even in the absence of an MOU, OFAC may take into consideration the views of federal, state, or foreign regulators, where relevant. Further information about risk-based compliance programs for financial institutions is set forth in the annex hereto.”

Regarding the compliance function and the provision of consulting services in the field of sanctions restrictions, OFAC prepared, back in 2017, a short guidance on the provision of certain services relating to the requirements of US sanctions laws, according to which a US person can:

  1. Provide advice to third-party unauthorized countries and be in any role, including compliance specialist.

  2. Express an opinion on the legality of individual transactions in accordance with U.S. restrictions. Also, they can request information from sanctioned individuals and conduct research on the legality of transactions.

Unlike the British document, the American document says nothing about client-attorney privilege (“attorney-client privilege”), but most likely this principle does not require additional references.

Thus, the following principles (expectations) of the state approach to sanctions compliance in the United States can be distinguished. The first principle is the voluntary enforcement nature of the company’s compliance obligations, and the second principle is the encouragement of voluntary reporting. The third principle is the active application of civil and administrative penalties. The fourth principle is the proportionality of sanctions restrictions to business opportunities.

This principle is reflected in the U.S. Treasury Department’s Sanctions Report for 2021. Among the goals of improving sanctions regulation, it lists: “Proportionality of sanctions to reduce unforeseen economic, political and humanitarian costs.” Specifically, it says the following:

“Treasury should seek to tailor sanctions in order to mitigate unintended economic and political impacts on domestic workers and businesses, allies, and non-targeted populations abroad. This will protect key constituencies and help preserve support for the U.S. sanctions policy. For example, U.S. small businesses may lack the resources to bear the costs of sanctions compliance while competing with large companies at home and abroad; uncalibrated sanctions could unnecessarily lead them to turn down business opportunities in order to avoid these costs. Better tailored sanctions can help avoid these costs and maintain the competitiveness of U.S. businesses.”

The program did not mention the functioning of an independent monitor, which evaluates the company for the effectiveness of compliance measures for a certain period. For example, in 2012 the New York State Department of Financial Services, pending the decision to revoke the license of Standard Chartered Bank in New York for transferring transactions to the sanctioned bank of Iran, appointed an independent monitor for 2 years as an interim measure [See more: Consent Order Under New York Banking Law §§ 39]. The New York State Financial Services Act § 206(c) provides for the right to monitor bank accounts.

What is the importance of sanctions for non-compliance?

Sanctions play an important role in the global fight against financial crime, terrorism or other activities, which can pose threats to international peace. Governments or international bodies such as the UN may impose sanctions on other states, legal entities, terrorist organisations or individuals.

What is the importance of non-compliance?

The indirect consequences of non-compliance could be more severe, including reduced production due to workforce and other stakeholder concerns, and a loss of business due to loss of market goodwill. Naturally, companies should seek to achieve a state of total compliance with regulations.

Why is it important to be in compliance?

Compliance reduces the likelihood of fines, penalties, work stoppages, lawsuits, or the closure of your business, which is the most evident benefit. For example, if you were not following safety guidelines and someone got injured, you might be subjected to a hefty fine by the authorities.

What are the sanctions for non-compliance with this act?

The possible “sanctions” for noncompliance are (1) a declaration that a meeting was held in violation of the Open Meetings Law; (2) an injunction prohibiting further violations; (3) an order declaring null and void any action taken by a public body in violation of the Open Meetings Law; and (4) a possible award of ...