In its guidance, OFAC strongly encourages organizations to ensure that their SCP is developed, implemented, and routinely updated by employing a risk-based approach to sanctions compliance. While OFAC recognizes that the content of each SCP will differ based on the specific company’s circumstances (e.g., size and sophistication, nature of business, counterparties and geographic locations), it makes clear that there are five essential components: 

• Management commitment: senior executives and/or the board of directors should review and approve the organization’s SCP periodically. The senior leadership should also ensure that compliance units receive adequate resources aligned with the organization’s operations, which may include appointing dedicated officers and deploying adequate information technology services. 
• Risk assessment: an ongoing assessment of potential threats or vulnerabilities is vital to effective sanctions compliance. Organizations should adopt a defined method of identifying, analyzing and addressing risks by assessing all their external interactions, including careful scrutiny of the risks carried by M&A transactions. In particular, organizations should focus their risk assessment on clients, customers, products or services, any intermediaries, counterparties and transactions, as well as tracking their supply chains. 
• Internal controls: organizations should be aware of all recent developments affecting sanctions compliance and adjust their SCP accordingly. The appointment of dedicated personnel is strongly encouraged to ensure an effective system of internal communication and information sharing. 
• Testing and auditing: organizations should routinely conduct comprehensive, independent and objective evaluations of their SCP, for which senior leadership should be accountable. Testing should take place at both specific levels and the enterprise-wide level, and should be aimed at remedying any shortcomings of the sanctions program-related software and dedicated personnel. The company’s audit function or an outside resource may be best suited for this task. 
• Training: as part of an effective SCP, staff should be trained on a periodic basis, at least annually. Organizations should tailor their training programs to the type of business carried out and ensure that “high-risk employees” receive more specific guidance. Having easily accessible and employee-friendly training material is paramount to the running of an effective SCP. 

The guidance reminds companies that OFAC may consider the aforementioned components as mitigating or aggravating factors in the context of apparent sanctions violations and potential settlements.

Given the importance placed by OFAC on companies implementing, reviewing and updating an appropriate SCP, the dynamic sanctions landscape commonly faced, and the vigor with which OFAC is pursuing companies in breach of U.S. sanctions, we recommend that companies revisit their SCP against this guidance to ensure OFAC’s recommendations are adopted. If assistance is required in this regard, then our sanctions team is well placed and happy to assist. 

To view the full text of the guidance document and related annex, visit www.treasury.gov.

Client Alert 2019-117