In a recent post, we introduced the U.S. Treasury’s Office of Foreign Assets Control (OFAC) Framework for OFAC Compliance Commitments, a roadmap for a compliant sanctions compliance program (SCP). Pursuant to this guidance, industry actors (for example, global and multinational telematics companies like Geotab and their global Resellers and Partners) need to design and deploy a tailored, risk-based SCP to promote compliance and hedge against the possibility of a disruptive and costly violation of U.S. sanctions controls.
There are five elements to an SCP:
1. Management Commitment
2. Risk Assessment
3. Internal Controls
4. Testing and Auditing
5. Training
This second article in the series on government compliance will discuss the first element, Management Commitment. It’s critical that technology providers take the time to carefully assess and manage their risk of incurring an OFAC enforcement action.
Demonstrating senior management’s commitment to sanctions compliance
OFAC recognizes that “Senior management’s commitment to, and support of, an organization’s risk-based SCP is one of the most important factors in determining its success.” Management’s commitment is critical. It ensures that the SCP receives adequate resources and is fully integrated into an organization’s daily operations. And it helps legitimize the program, empower its personnel, and foster a culture of compliance throughout the organization.
In particular, the Management Commitment element of the SCP displays the following characteristics:
I. Senior management has reviewed and approved the SCP
II. Senior management ensures that its compliance units are delegated sufficient authority and autonomy to effectively deploy its policies and procedures
III. Senior management has taken, and will continue to take, steps to ensure that the organization’s sanctions compliance function receives adequate resources
IV. Senior management promotes a culture of compliance throughout the organization
V. Senior management demonstrates recognition of the seriousness of apparent violations of the laws and regulations administered by OFAC
Senior management sets the organization’s course. By resolving to design and deploy a risk-based SCP, senior management demonstrates its commitment to cultivating a culture of compliance and reduces the risk of a costly and disruptive OFAC enforcement action.
Appointing your compliance officer
So, where to start? Like any important trip, you need to plan your route! First, OFAC recommends “the appointment of a compliance officer specifically responsible for implementing and providing guidance and interpretation on matters related to U.S. sanctions law.” This person can be an employee or an outside consultant, and he or she should display technical knowledge of, and expertise in, OFAC’s regulations, processes and actions.
Organizations should ensure that their compliance officer is fully resourced and imbued with sufficient authority to be successful in their role. To do this, establish direct reporting lines between the OFAC SCP function and members of senior management, including routine and periodic meetings between these two elements of the organization.
Once the SCP is completed, senior management should carefully review and approve it. Senior management’s deliberate adoption of the SCP sends a clear signal to the organization: it says, “we take our sanctions compliance obligations very seriously, and we will credit compliance and prevent prohibited activities.”
Much is written about a culture of compliance. Other than by appointing a compliance officer, resourcing this role, and directing the design of the SCP, how does an organization’s senior management successfully cultivate this critical mindset?
Developing a culture of compliance
The guidance identifies three possible criteria for successfully demonstrating a culture of compliance:
1. Senior management should ensure that its personnel feel free to report sanctions concerns without fear of reprisal.
2. Next, senior management should take actions that discourage misconduct and highlight the consequences of non-compliance.
3. Lastly, OFAC stresses the “ability of the SCP to have oversight over the actions of the entire organization, including but not limited to senior management, for the purpose of compliance with OFAC sanctions.”
Senior management must do more than pay lip service to their sanctions compliance activities; senior management needs to telegraph, through its actions, that it cares about this critical function and intends to resource and implement it. An effective culture of compliance will only result from a genuine, top-down commitment to an organization’s SCP.
As discussed in our previous post, a recent U.S. sanctions enforcement action raises the stakes for organizations in the telematics industry. It now appears that OFAC will require organizations that maintain customer location data to use that data in support of their sanctions program. Industry participants, including Geotab and their global Resellers and Partners, should act now to address and mitigate their risk.
Resolve today that you intend to design and implement a risk-based SCP that clearly demonstrates senior management’s commitment to developing a culture of compliance.