Introduction
The increasing integration of the world economy, combined with the increasing focus on security in the post-September 11th environment, provides U.S. businesses with a multitude of new business opportunities as well as higher risk of exposure. Companies pursuing business leads to the far reaches of the globe may return home to find themselves facing stiff fines and potential criminal prosecution for running afoul of U.S. economic sanctions laws and regulations. In addition, the dynamic political nature of U.S. sanctions law can mean that today's valued customer can become tomorrow's international outlaw. The need for an effective internal compliance program ("ICP") to avoid sanctions law violations has increased exponentially, driven by the increasing contact even small U.S. businesses have with foreign clients and the increasing focus on stemming the flow of financial resources to terrorist organizations in the post-September 11th environment. This article sets forth the general principles that should be observed when constructing an ICP, outlines the specific measures a company can adopt in its ICP, and describes special situations and transactions which should be encompassed by a sanctions ICP.
What is an ICP and Why Should I Have One?
An ICP is a set of formalized policies and procedures developed to detect and prevent company violations of economic sanctions or export laws. The United States maintains a number of different regulatory schemes that restrict international trade in furtherance of various national security and foreign policy goals. The Departments of State, Commerce, and Energy manage export control programs designed to prevent the shipment of sensitive U.S. technology to certain foreign countries or end-users. The Department of Treasury's Office of Foreign Assets Control ("OFAC") administers U.S. economic sanctions programs, which prohibit dealing, in whole or in part, with nations currently disfavored by the U.S. Government. OFAC currently administers comprehensive U.S. sanctions programs Cuba, Iran, Iraq, Libya, and Sudan as well as more limited sanctions against Angola, Burma, Liberia, and Sierra Leone. The long-standing sanctions against North Korea were substantially eased in June 200l. In addition, OFAC administers controls against persons and entities designated as "fronts" for these countries, as well persons "specially designated" on the basis of their affiliation with international terrorism (such as the Taliban and al-Qaeda); destabilization of the Balkans or the Middle East; weapons proliferation; narcotics trafficking.
While export controls focus largely on the characteristics of the product itself and its country of origin, sanctions controls generally apply to the activities of "U.S. persons" wherever located, including company branch offices abroad. As a result, sanctions controls cover a far broader range of activity than export control regulations, including the provision of services, travel, and financing, in addition to general prohibitions on the export of goods to the targeted countries. Many businesses that are not subject to export controls must deal with sanctions controls on a daily basis, most prominently in the banking and financial services industries. Therefore, the more comprehensive reach of sanctions controls requires U.S. businesses to look beyond their product line and analyze virtually all commercial contact with targeted countries, regardless of the country of origin of the goods, technology, or services.
OFAC's regulations do not require a business to establish an ICP to prevent sanctions violations. However, failure to develop an ICP can lead to severe consequences. Depending on the sanctions regime, monetary penalties of up to $10,000,000 for each individual OFAC violation can be imposed, and company officials found guilty of violating OFAC regulations can face prison terms of up to 30 years. Moreover, even well-meaning companies can face substantial fines, since OFAC penalties can be imposed for inadvertent violations. ICPs can prevent OFAC violations, and can mitigate the consequences in those instances where an OFAC violation occurs despite the use of an ICP. The Federal Sentencing Guidelines provide for a downward adjustment in sentencing for criminal violations where a company maintains an effective ICP. See United States Sentencing Commission, Guidelines Manual, 8A1.2, Application Note 3(k) (2001). In addition, OFAC considers the presence of an ICP when imposing civil penalties. See OFAC Economic Sanctions Enforcement Guidelines, 68 Fed. Reg. 4422-4429. An effective ICP therefore provides two significant benefits to a company: it prevents OFAC violations from occurring and mitigates penalties in those instances where an OFAC violation goes undetected.
General ICP Principles
Unlike the Department of Commerce's Bureau of Industry and Security (BIS), OFAC does not suggest various policies and procedures that should be included in an ICP. Businesses are therefore left with little guidance, but tremendous freedom, in developing an OFAC ICP. This freedom allows a company to design an OFAC ICP streamlined to meet the needs and address the risks of a particular company. Building an effective, individualized ICP requires identification of the company's risk profile and incorporation of a few general core principles into the program.
A. Identification of ICP Issues-The Risk Profile
The first step in developing an OFAC ICP is identifying relevant business activities that can result in OFAC violations. OFAC violations can occur in the following circumstances:
• Sales and Transactions for Goods or Services: OFAC regulations generally prohibit the export or import of any goods or services from sanctioned countries. In addition, U.S. persons cannot enter into transactions with persons that OFAC has identified as being associated with a certain targeted country governments or terrorist or drug activities. These individuals and business "fronts" are known as "Specially Designated Nationals" ("SDNs"), and OFAC provides a public listing of SDNs that is updated frequently.
• Finance/Transactions: OFAC regulations prohibit facilitation of financing of any transaction with a targeted country or SDN. In addition, U.S. financial institutions are required to freeze bank deposits and other assets in which targeted foreign governments or persons have an interest, and these blocked accounts may not be paid out, withdrawn, set off, transferred or dealt with in any manner without an OFAC license.
• Travel: OFAC prohibits transactions related to travel to some, but not all, targeted countries.
• Vessels: OFAC maintains a list of vessels that U.S. persons may not lease due to their connection to sanctioned countries or individuals.
Hiring: U.S. companies or their branches may incur OFAC liability by hiring nationals of targeted countries or SDNs as employees or agents for their overseas operations.
In addition to identifying those business practices that are at-risk for OFAC violations, a company should also examine potential risk areas in its client base. Existing customers may pose OFAC violation risks due to their international dealings because OFAC regulations often prohibit even indirect facilitation of transactions with sanctioned countries or entities. New and little-known customers or clients may be SDNs or have dealings with SDNs or sanctioned countries. A thorough assessment of the company's customer base can also identify whether the company's business attracts high-risk customers.
A company should also identify products or services that it offers that may attract sanctioned countries. For instance, a company that sells oil field equipment should be especially diligent in developing an ICP for that division, since sanctioned countries such as Iran, Iraq, and Libya are among a limited number of countries that possess substantial oil reserves.
In addition, a company should examine its marketing practices for potential OFAC violation risks. Companies that market internationally or market to unknown customers can quickly find themselves engaged in solicitation or negotiations that are prohibited by various sanctions regimes. U.S. companies should also note that their overseas branches (but generally not subsidiaries) are considered "U.S. persons" subject to all OFAC prohibitions.
Finally, an assessment should be done of the risk-sensitivity of the company. A business should make an honest self-appraisal of how aggressive or conservative it is willing to be in pursuing business opportunities in sensitive markets. This assessment is driven by a number of factors, including the company's culture, the inherent nature of its business, and its principal marketing areas.
B. Foundation for a Successful OFAC Compliance Program
Once the areas of potential OFAC liability have been established, a firm can begin to produce its OFAC ICP. When developing and implementing an ICP, a company should be mindful of four guiding principles.
Principle 1: Custom-Fit the ICP to Your Company
The elements of an ICP must be designed to operate within the structure, culture, and resources of the company in order to be effective. A small business' customer base may be limited enough to allow it to check the SDN manually and therefore make use of SDN detection software, commonly called "interdiction" software, unnecessary. A major multinational bank, on the other hand, as a practical matter should use interdiction software due to the volume of automated transactions it conducts each day. Risk-averse companies may wish to employ layers of transactional review and incorporate a company policy that encourages OFAC clarification requests wherever the law is unclear, while more aggressive companies or companies with low risk profiles may wish to set up systems that provide quick legal interpretations and customer background checks. Failure to appreciate the unique character of the company when developing an ICP will lead to wasteful procedures that provide little added security and ignore risk areas where a company must pay particular attention to avoid non-compliance.
Companies may also wish to customize their ICP among their various divisions or sections. While an ICP should be comprehensive, resources should be allocated efficiently among areas with varying violation risk factors. For example, a company that produces both oil pipeline equipment and natural gas home heating systems may wish to vary its ICP among those two divisions. The significant number of potential customers for oil pipeline equipment located in Iran, Iraq or Libya suggests that more stringent ICP measures are needed than in the natural gas home heating systems division, which would likely make few sales in the warm climes of many sanctioned countries. Companies may also choose to structure their ICP to give priority to SDN checks for divisions that deal in time-sensitive or high-value accounts. By evaluating the risks and needs of each division separately, a company can minimize the burdens of the ICP without sacrificing its effectiveness.
Principle 2: Maintain a Flexible, Evolving ICP
A company must maintain a dynamic approach to its ICP and remain alert to OFAC changes in order for a program to retain its effectiveness. From the internal firm standpoint, a dynamic approach requires feedback, whether in the form of an audit or employee consultations, regarding where ICP procedures work, where they do not, and where alternate strategies may enhance efficacy and efficiency. Continuing assessment of the program also allows the company to alter the program where company changes in structure, product line, or customer base reveal a need to redesign the ICP.
A company must also construct its ICP to remain alert to changes from OFAC. Sanctions regulations can change quickly, since they are driven primarily by political factors. A company can find itself in an increased realm of liability where new programs are implemented or existing programs are strengthened. These changes will sometimes be obvious because the driving political forces are at the forefront of news reports, as in the case of the strengthening of sanctions against the Federal Republic of Yugoslavia, Serbia, and Montenegro in April 1999 as reports of ethnic atrocities against Kosovo citizens became front-page news. However, often the political events motivating a new sanctions program will go unnoticed by the majority of the American public, and therefore provide little warning to most businesses of a new sanctions regime, as was the case with the imposition and subsequent tightening of sanctions against UNITA-controlled areas of Angola in 1993, 1997, and 1998.
The listing of new SDNs is another area where OFAC changes can go largely unnoticed unless an ICP actively monitors OFAC information releases. The OFAC SDN list changes constantly as OFAC becomes aware of new front organizations and individuals. Therefore, in order for SDN checks to be effective, an ICP must ensure that checks are being conducted on the most recent SDN listings. In addition, OFAC releases new SDN lists as conditions warrant, rather than updating SDN lists on a regular basis. As a result, firms cannot assume that an SDN list is current because it was released in the last six months, but instead must make frequent reference back to the OFAC website to determine if a more recent list exists.
A dynamic and alert ICP also provides a decided competitive advantage in addition to preventing OFAC violations. Political winds blow in all directions, and recent years have seen sanctions policy lead to the loosening as well as tightening of sanctions regimes. For instance, alert businesses have been able exploit new opportunities to conclude sales of medical and agricultural products to Libya, Iran, Iraq, and Sudan and of agricultural products to Cuba under more liberal OFAC licensing regulations. OFAC has also recently announced or implemented liberalization of aspects of the Cuban and North Korean sanctions regimes. SDN changes can also lead to new business opportunities, as OFAC has the power to de-list SDNs. Therefore, failure to construct a flexible ICP can lead to missed business opportunities.
Principle 3: Keep the ICP Manageable
In order for an ICP to be effective, a firm must also ensure that it is manageable. In most contexts, this requires a centralized system of detailed review of transactions screened or "red flagged" by lower-level employees. Since prohibitions differ across sanctions regimes and frequently change, it is often impractical to attempt to educate lower-level employees to the extent necessary to reach an informed conclusion regarding the OFAC-consistency of any particular transaction. It is therefore often more efficient to develop simple "red-flag" guidelines at the operational levels of a business that allow employees to forward questionable transactions to a central legal or management department for detailed review. In order for an ICP to be manageable for lower-level employees, many of whom focus on the core task assigned to them, their ICP duties must be kept simple. For example, bank tellers should not be required to undertake detailed analysis of account requests for OFAC sufficiency, but should instead be instructed to forward for review any accounts that contain "suspicious" information, such as addresses or references to blocked countries or cities within those countries. Therefore, a manageable ICP often requires simplified procedures for many employees that forward questionable transactions to a centralized office for further review.
Principle 4: Ensure Upper Management Support for the ICP
The most customized, dynamic and manageable ICP will not succeed if the corporate hierarchy is not committed to ensuring OFAC compliance. There is often initial resistance from management to an ICP due to lingering beliefs that an ICP is irrelevant to their business or department or that inadvertent OFAC violations are rarely discovered or dealt with harshly. These attitudes often manifest themselves as an unwillingness to impose punitive measures for employee violations of the ICP or the portrayal of ICP requirements as secondary in importance to the actual conduct of business. This atmosphere filters down to employees, who will then be less diligent in following ICP procedures and more willing to abandon these procedures when under time or deal-making pressure. An ICP is not truly "effective" where management is not committed to its execution, a factor OFAC will note when examining an ICP as a mitigating factor for an "inadvertent" violation.
III. Elements of an Effective ICP
Though each business must undergo the same analysis to identify its risk areas and incorporate the same underlying principles in developing and implementing its ICP, the actual elements of the final ICP will vary greatly from company to company. As a general rule, ICPs should contain a variant of each of the elements listed below. However, each business should make an individual determination regarding which procedures for each element will produce the most effective and efficient ICP for its company.
A. Policy Statement
An ICP should require the development of a policy statement regarding its approach to OFAC compliance in order to communicate management commitment to the ICP and outline its basic guiding principles. The ICP should indicate what the company hopes to achieve in issuing the policy statement, as well as the officer or office responsible for administering the program. The ICP may also designate the method of distribution of the statement (e.g., via e-mail, company bulletin board, or individual distribution) and specify a time period for reexamination and redistribution. In short, the ICP should set up the procedures to ensure that the policy statement reaches employees and communicates the current substantive position of the company regarding its ICP.
Several elements are suggested for the substance of the statement itself. The statement should be issued by an officer or director of the company on company letterhead and should highlight the existence of a formal ICP. Management should use the policy statement to emphasize the role international trade or transactions play in the company's business, and note that these transactions expose the company and its employees and officers to risks when they involve sanctioned countries or individuals. The statement should also identify the person(s) or office(s) to which employees should direct questions or potential OFAC violations. Finally, the statement should include a list of the consequences for OFAC violations, including fines that may be levied against the company and the possibility of criminal prosecution as well as internal sanctions for failing to follow the ICP or committing an OFAC violation.
B. ICP Infrastructure and Delegation of Authority
As noted above, the presence of a centralized administrator of an ICP is a crucial element in making an ICP manageable. Businesses must therefore develop in the ICP the responsibilities to be delegated to a central compliance officer or office. When deciding what degree of authority should be vested in the central OFAC officer or office, the following benefits of centralized compliance decision-making should be kept in mind:
• Identifiable Resource: The more authority vested in a central OFAC compliance officer or division, the more readily recognizable the compliance officer is to the general workforce. As a result, employees and officers will immediately know whom to contact when an OFAC question arises.
• Coordination and Consistency: A centralized OFAC compliance center increases the consistency of OFAC compliance decisions and efforts. This is especially important where a company contains several divisions that may apply the same ICP policies differently.
• Efficient OFAC Monitoring: Vesting a central compliance office with responsibility for monitoring and disseminating OFAC regulations and SDN list changes eliminates the unnecessary duplication of the task.
• Institutional Knowledge: As a centralized office begins to see repetitive issues, it becomes more efficient in analyzing such issues. Central compliance officers also begin to develop a working knowledge of OFAC compliance personnel and OFAC procedures for receiving guidance on compliance issues.
As a general rule, OFAC compliance responsibility should be specifically assigned to at least one high-ranking officer or director. Such an assignment enhances compliance efforts in two ways: (1) it communicates the company's commitment to OFAC compliance and the serious nature of the issue; and (2) the career and legal liability placed on the official for OFAC violations increases the likelihood of strict enforcement of ICP procedures. The ICP can then name a specific officer, lawyer, or department that is charged with making day-to-day decisions regarding OFAC compliance. Though the ICP may wish to vest responsibility in an office rather than officer, it should, at a minimum, clearly state one person who holds overall responsibility for the program and serves as the external contact person for OFAC.
C. Education and Training
Among the most important provisions of an ICP are the procedures providing for the education and training of employees regarding OFAC compliance. Employees often possess the most information relevant to identifying potential OFAC violations and employees incapable of recognizing and addressing those concerns often mean OFAC violations go unidentified until an OFAC penalty notice is received. In order to ensure effective employee participation in an ICP, an ICP should, at a minimum, address three areas: (1) scope of the education and training program; (2) frequency of training; and (3) training methods.
Scope of Education and Training
A company should provide OFAC training for employees in all areas identified by the company as "at-risk" for OFAC violations when making its initial ICP assessment. This includes all areas where employees process transactions, make contact with present or potential clients, have authority to bind the company, or process the shipment of goods. Again, a company may wish to vary the depth of training based on the relative risks associated with particular departments. An ICP should also appoint an officer(s) or office(s) responsible for developing and updating training programs.
Frequency of Education and Training
All relevant employees should be provided education and training regarding OFAC issues at an orientation or other similar introductory training. The ICP should also provide for a periodic "refresher" or continuing education on a semi-annual, annual, or biannual basis, dependent on the degree of OFAC risk in the business or department. The ICP should also allow management to conduct ad hoc compliance programs following major revisions to OFAC regulations.
Methods of Education and Training
Most ICPs provide for the development of a written OFAC compliance manual. These manuals ensure that the compliance information transmitted to the employee is consistent and allows the employee to make quick reference to basic OFAC procedures, eliminating unnecessary calls to the OFAC compliance officer. Compliance manuals need not be issued to every employee, but can be held by the OFAC training officer for reuse, with additional copies placed strategically throughout the business for quick reference. For instance, a single OFAC manual can be kept at the bank teller workstation or in the marketing department. However, where employees travel often and/or operate in areas at high risk for OFAC violations, a condensed manual or "red-flag" sheet can be produced to provide constant reminders and guidance regarding OFAC issues.
The contents of an OFAC employee manual may differ widely based on the OFAC responsibilities entrusted to employees and the likely OFAC issues they will face. However, certain information should probably be contained in every manual. Each manual should clearly set out the range of penalties for OFAC violations and detail all persons who can be personally liable for both intentional and inadvertent infractions. The manual should provide a sample SDN list, a description of its contents, and instructions for its use. Manuals also should generally contain an employee certification that they have read, understand, and promise to abide by the ICP and other OFAC procedures. Finally, a manual may include a list of sample transactions or situations that raise OFAC issues and a quiz or answer sheet providing suggestions for dealing with these situations.
In addition to employee training manuals, most training and education provisions of ICPs allow for employee training sessions. Initial sessions typically review the employee manual, and both initial and subsequent sessions may focus on specific OFAC situations or experiences. The ICP may also design training sessions where employees "act out" OFAC scenarios, are quizzed regarding basic OFAC compliance policy, or are encouraged to ask questions regarding OFAC issues. It is suggested that an ICP also provide a mechanism for employee feedback regarding the ICP itself, either through written evaluations or feedback sessions where employees are encouraged to share their OFAC experiences. These feedback sessions are critical for providing information to the compliance officer or office from employees that are charged with detecting OFAC issues regarding what procedures work, what procedures are failing, and new methods to deal with OFAC compliance. This information allows the company's ICP to be dynamic and allows for further tailoring of the ICP to the company's specific situation.
Though employee manuals and training sessions are the traditional method of disseminating OFAC compliance information, modern media tools allow for additional methods to educate and train employees. Training videos provide uniform instruction and lessen the burden on the officer(s) or office(s) responsible for training employees. Internal "intranet" web sites may be used to post basic ICP documents, OFAC laws and regulations, and updated information, rather than using written manuals. These sites can also be designed to test employees from their workstations. E-mail provides the OFAC compliance officer with a quick and efficient method to disseminate updated information regarding OFAC regulations, SDN list changes, and ICP policy changes. Software has also been developed to train and test employees.
D. Screening of Customers and Transactions
The central goal of sanctions regulations is to prevent commercial contact with targeted countries, individuals, and entities. Therefore, the most important tool in avoiding OFAC violations is the proper screening of customers and transactions. Screening of customers can be accomplished by two methods: the use of "interdiction" software and manual screening against a printed list.
As a practical matter, interdiction software is probably an ICP requirement for sophisticated banks and large, sophisticated businesses that process contracts, customers, or other information electronically. OFAC would likely view an ICP for these businesses that does not use this software as deficient, especially where a database of customer information exists. Even small businesses and banks should evaluate the marginal preventative effect of interdiction software versus manual screening.
Interdiction software may be developed by in-house computer programmers or purchased from a variety of commercial vendors. In general, the software allows the computer to scan customer, transaction, or contract databases for names and locations that could point to a possible contact with a sanctioned country, transaction, or SDN. More sophisticated programs also check for misspelled names that may be SDNs or sanctioned country locations and can filter out search terms that consistently provide false "red flags." As an additional benefit, OFAC SDN changes can now be electronically integrated into an interdiction system via "delimited" and "fixed file" formats, rather than being entered manually into these programs.
Manual interdiction or screening can also be effectively used for some businesses. An ICP that uses a manual interdiction process should generally allow for multiple checks on a transaction to lessen the possibility of human error. The ICP should direct key employees to flag transactions with suspicious information, especially those transactions that make mention of any of the sanctioned countries and major cities within those countries. Employees can be reminded of targeted countries by posting or providing quick access to a list of the sanctioned countries and prominent cities within those countries. However, since many SDNs go by seemingly benign names and reside in countries friendly to the United States, a number of OFAC-prohibited transactions will go undetected under this method. Therefore, it is imperative that at least once prior to execution of a transaction the relevant parties are checked against the full SDN list, which is currently between 60 and 70 pages long. For ease of use, the list is arranged alphabetically, and various aliases of SDNs are cross-referenced to avoid oversight.
Once an ICP sets out the method of screening clients, it must identify which client information will be screened. Customers themselves must first be screened, and then any known connections between customers and other individuals or entities should be screened. Companies should not ignore potential OFAC problems due to the length of the customer relationship, especially since customers themselves may be unaware of the nature of their connections and may appreciate notice regarding OFAC violations. The ICP should also provide for checks of existing customers against subsequent changes to the SDN list.
Finally, an ICP must set out when to conduct customer and contract screening. Generally, the ICP should require customer screening at the first available point after contact. Initial screening can prevent the relationship from progressing to the point that would be prohibited by OFAC regulations if the customer is from a sanctioned country or an SDN. For instance, OFAC provisions regarding brokering, facilitating, negotiating and travel may occur before a contract is entered into. Initial screening also prevents waste of company resources by identifying customers with whom no business activity is possible before expensive marketing or sales efforts are made. In some instances, initial screening may be required because a transaction may occur at the point of initial contact, such as certain banking transactions. In these instances, it may be necessary to utilize interdiction software. The ICP can also call for follow-up customer screens during the application or bid process or at the conclusion of negotiations or a contract.
E. Order Processing and Export Clearance
Though an ICP may set out the methods and timing of screening procedures, a company may wish to include further details and procedures governing order processing in its ICP. A company should determine whether it wishes to incorporate further processing procedures after evaluating the various risk levels for OFAC violations among its departments. High-risk areas may warrant additional safeguards. For instance, the ICP can authorize an employee at any level to suspend a transaction based on a discovery of potential OFAC problems. Where a transaction is nearing completion faster than the normal processing time of the OFAC compliance officer, a risk-averse company may wish to provide such a safeguard. ICPs may also require that all or select customers provide destination control statements, client certifications regarding product use and reexport, and other assurances against diversion.
F. Internal Audits
Internal audits serve as important tools for maintaining a dynamic ICP, and each ICP should provide for periodic auditing of the ICP and the company's adherence to its conditions. The frequency and depth of internal audits depends in large part on the volume and/or value of business at-risk for OFAC violations. Companies should use internal audits to both identify problem officers or employees for sanction or retraining and to determine fundamental structural flaws in the ICP itself. Rooting out ICP flaws is critical, since such structural deficiencies tend to allow OFAC violations to occur on a consistent basis, thereby increasing the potential for an OFAC penalty notice. The ICP may also require audits more frequently during the early stages of a new program in order to uncover structural problems.
G. Recordkeeping
OFAC programs generally require the retention of all records relating to a transaction covered by OFAC regulations for five years. At a minimum, an ICP should require the OFAC compliance officer or office to archive business records relating to transactions concluded under a specific or general OFAC license. In addition, to the extent possible businesses should also archive business records relating to "red-flagged" transactions that the internal OFAC compliance officer later determined to be permitted under OFAC regulations, as OFAC may subsequently take a different view of the transaction. OFAC recordkeeping provisions are also broad and vague as to exactly which records must be maintained. Therefore, the ICP should at least require the preservation of core documents, and should probably reflect a preference for inclusion of other business documents.
Businesses should take care not to treat recordkeeping provisions lightly. Violations of recordkeeping provisions constitute a separate OFAC regulations violation, even if the underlying transaction was OFAC-consistent, such as transactions undertaken under an OFAC general license. Therefore, businesses with lax record control procedures may find themselves facing OFAC penalties despite never engaging in a transaction that violated OFAC regulations.
OFAC recordkeeping regulations also contain other specific directives that should be included in an ICP. OFAC regimes require that a specific company contact be designated by the company to be responsible for the gathering and turning over of documents at OFAC request. Also, holders of blocked property must register under many OFAC schemes and file annual statements. Therefore, an ICP should also provide procedures for the immediate freezing of the assets of customers that are subsequently listed as SDNs and notification of OFAC through its record procedures.
H. Notification and Reporting
Though a well-designed ICP should minimize the occurrence of OFAC violations, ICPs must still provide procedures to deal with violations once they are unearthed. First, the ICP should provide clear guidelines for reporting violations internally. The ICP should set out the officer or office to which the violation should be reported, should allow for confidential reporting, and should provide for reduced employer penalties where violations are self-reported.
An ICP should also provide procedures for the internal OFAC compliance officer or office regarding reporting of violations to OFAC. First, the ICP should set out procedures for determining whether an OFAC violation has occurred. This process may involve the preparation of a report on the transaction and direct the filing of a request for ruling with OFAC where a specified officer makes a determination that good cause exists to believe a violation has occurred. Though the ICP need not require that all questionable transactions be submitted for OFAC examination, it should take into account that self-disclosure is a mitigating factor when OFAC chooses among the broad array of possible penalties, especially where the violation was inadvertent and an effective ICP is in place. An ICP should also encourage self-disclosure since failure to report an ongoing transaction that violates OFAC strictures makes the violation "willful," and therefore subject to stiffer penalties and prison terms. Therefore, an ICP should provide specific guidance as to when and how a violation is reported to OFAC. A designated officer should be directed to gather relevant documents and prepare a disclosure notice. The ICP may also require the OFAC compliance officer to prepare a cost-benefit report to be forwarded to the president or board of directors for further action. Finally, the ICP should provide procedures for gathering mitigating and defense evidence for the potential OFAC investigation.
IV. Special Issues
Certain OFAC compliance issues require particular attention in an ICP. Some of these issues are industry-specific; others are generic. Moreover, OFAC regulations contain some exceptions which may afford business opportunities.
A. Financial Institutions
An ICP is a fundamental requirement for any financial institution. Given the broad scope of many OFAC programs, financial institutions serve as a priority target for OFAC enforcement efforts. Even small, regional banks may find themselves at great risk for OFAC violations, as their customers often lack a sophisticated understanding of OFAC regulations, increasing the possibility that they will submit prohibited transactions for financing.
Financial institutions must freeze any assets or deposits in which an SDN or sanctioned country government or national holds an interest. These accounts may not be dealt with in any manner absent an OFAC license. An ICP must not only provide procedures for ensuring that these accounts are not transacted on, but must also provide procedures for meeting OFAC reporting requirements for these accounts. In addition, an ICP should assign responsibility and proscribe procedures for an officer or office to check existing accounts that are subsequently blocked due to a new sanctions regime or SDN designation by OFAC.
OFAC regulations generally prohibit financial institutions from facilitating financing of any transaction with a sanctioned country or SDN. Therefore, financial institution ICPs must provide comprehensive procedures to detect potential OFAC violations in transactions before they are processed and executed. The ICP should provide for broad and continuing education of tellers and account managers, and these employees should have access to a list of sanctioned countries and SDNs. If possible, interdiction software should be installed throughout the bank's computer system to supplement employee compliance efforts. The ICP should also empower these employees to place immediate holds on deposits, withdrawals, and checks until further review where there is evidence of a possible OFAC issue. Immediate training or notice should be provided as soon as economic sanctions are imposed against a new target country, and SDN changes should be circulated immediately upon release.
Letter of Credit ("LOC") and wire transactions pose significant OFAC risks for financial institutions, since these transactions are often used for international transactions and involve multiple parties, each of whom may be an SDN or connected with a sanctioned country. An ICP should require an examination of every LOC or wire transfer for SDNs or sanctioned country connections. In the case of LOCs, the issuing, confirming, or advising banks should be checked against the SDN list and for sanctioned country connections. The underlying LOC transaction and the LOC documents should also be examined for evidence of potential OFAC issues, and the shipper listed on the bill of lading must be checked against OFAC's list of prohibited vessels. For wire transfers, the ICP should direct the wire transfer department to check the intermediary bank and the bank of the beneficiary against the SDN list and report any evidence that the underlying transaction may be prohibited by OFAC. Again, the use of interdiction software is preferred.
B. Insurance
U.S. insurance carriers and underwriters should be especially vigilant when constructing ICP screening programs. As in other business ICPs, insurance sector ICPs should contain provisions for checking their customers against the SDN list and avoiding policy sales directly to nationals and governments of sanctioned countries. Moreover, OFAC's prohibitions on facilitation of transactions with sanctioned countries, individuals, or entities require insurers to examine closely the insured company's business activities and other parties in an underlying transaction. Insurance policies that insure activities, goods or assets that have virtually any contact with SDNs or sanctioned country governments or nationals pose OFAC risks. For example, each of the following transactions constitutes an OFAC violation:
• A global liability policy underwritten by a U.S. insurer for property interests of a Dutch conglomerate that includes a hotel in Havana, Cuba.
• An insurance policy issued by a U.S. insurer for a construction project in Beirut, Lebanon, in which a bank controlled by the Government of Iran is named as an additional beneficiary in its capacity as the holder of a mortgage on the project.
• Freight insurance issued by a U.S. insurer that covers air shipments of Cuban cigars from Mexico to France.
• An aviation liability policy issued by a U.S. insurer that covers scheduled stops in Tehran by a foreign air carrier.
A reinsurance policy by a U.S. insurer extending coverage for risks of a ceding insurer that would include obligations arising from insurance transactions that violate U.S. sanctions regulations.
As these examples make clear, ICPs for insurance carriers and underwriters require procedures that screen not only the customer itself but also the other parties to the transaction. Insurer ICPs can attack this problem with multiple strategies. At a minimum, the ICP must ensure that all beneficiaries and assets insured by the policy are screened for possible connections to sanctioned activities. In addition, insurers may wish to develop standard contract language for policies that specifically states that scope of coverage does not extend to any assets or activities where insuring those assets or activities would violate U.S. sanctions laws and regulations.
C. Intangible Exports and Deemed Exports
When interpreting export control and sanctions regulations, administrative agencies generally deem technology "exported" when it is released to a foreign national or a foreign national is given access to such technology. At a minimum, the ICP should provide that employee training and education, particularly training for hiring personnel, make reference to the OFAC violation risk when hiring foreign nationals. An ICP can further prevent potential OFAC violations by restricting access to company technology, files, and servers to employees only. In addition, hiring departments should be especially vigilant in ensuring that prospective employees are not SDNs or affiliated with SDNs or sanctioned countries. ICP procedures for hiring departments can require the applicant to provide two forms of identification, ask questions regarding country of citizenship, and/or require references. The ICP should require that any "red flags" raised by these questions be forwarded to the internal OFAC compliance official.
D. Electronic Commerce
The growing use of electronic commerce presents new challenges in customer screening, and it is unclear how OFAC expects companies to deal with these challenges. Electronic commerce may attract sanctioned individuals or entities, since the customer is never seen in e-commerce transactions, transactions are often concluded at the will of the purchaser, and purchases can be made from anywhere around the globe. ICPs may utilize a number of methods to minimize the risk of making shipment to an SDN or sanctioned country. First, interdiction software may be adapted to scan web purchases prior to authorization. An ICP can also require web purchasers to provide additional data that could reveal OFAC problems, such as both home and business addresses and company or organization name. Also, businesses that have substantial electronic commerce business may heighten ICP provisions and procedures for shipping departments to provide a further line of defense in recognizing sales destined for prohibited destinations.
E. Cross-Border Mergers and Acquisitions
The potential for inheriting OFAC violations in new business alliances should not be overlooked by an ICP. Though most foreign companies may legally transact business with sanctioned countries and SDNs under their domestic law, various OFAC sanctions regimes may prohibit or limit U.S. company involvement in a foreign business that has connections with sanctioned countries or SDNs. Companies concluding joint ventures should therefore have ICP processes designed to elicit the partner's connections and dealings with sanctioned countries or SDNs. When acquiring foreign companies, ICP procedures should ensure that issues regarding the target's business activities or holdings with sanctioned countries or SDNs are detected and forwarded to the internal compliance officer for review.
F. Travel
Restrictions on travel-related transactions vary across sanctions programs, and therefore ICP procedures should require that travel to any sanctioned country be cleared with the OFAC compliance officer prior to departure. OFAC regulations often place restrictions on the use of U.S. currency or credit cards to pay for goods in sanctioned countries. An ICP should therefore also provide a list of procedures for procuring OFAC licenses for travel funds for employees when travel to sanctioned countries is possible.
G. Chartered Vessels
Within its SDN list, OFAC provides a listing of vessels with which U.S. companies may not transact business or ship products. An ICP should therefore provide that all shipping contracts and nominations are screened against the SDN list and updates to this list are timely reported to relevant departments.
H. OFAC Exceptions
An ICP, in addition to its preventative provisions, should identify for employees areas where commercial and other contact is permitted with sanctioned countries and SDNs. For instance:
• Informational Materials Exception: Each sanctions program allows for the export and import of publicly-available informational materials. An ICP should contain procedures to ensure, however, that exported materials do not contain material that could be seen as solicitation of business from these countries. For example, the ICP could require all informational materials sent to sanctioned countries or SDNs to be cleared by the OFAC compliance officer.
• Agricultural and Medical Products: Many sanctions regimes now contain general licenses allowing U.S. persons to negotiate and conclude executory contracts for the sale of agricultural and medical products. Performance under the contract requires a specific license from OFAC. Moreover, OFAC recently implemented legislation that eases U.S. prohibitions on the export of U.S. medical and food products to Libya, Iran and Sudan. Similar reforms have been implemented by BIS with respect to agricultural exports to Cuba. ICP training should make these rules and opportunities clear to marketing and sales persons in these areas, and should provide procedures to closely monitor each step of the negotiating process to ensure compliance with OFAC rules.
• Inventory Exception: Some OFAC programs generally do not consider reexports from a foreign company's inventory to be covered by OFAC regulations unless the inventory was developed specifically for sale to a sanctioned country, entity, or person. ICP training should highlight this issue, and internal OFAC compliance officers should note this rule when examining "red-flagged" transactions.
Intellectual Property Registration and Protection: OFAC regulations also generally permit transactions in sanctioned countries related to registration or protection of intellectual property rights, including patents, trademarks, and other intellectual property. ICP training should note this fact and provide procedures to monitor activities of employees or outside counsel when utilizing this exception.
V. Conclusion
An ICP is an important tool for any business in an era of increasing globalization and heightened sensitivity to terrorism-related economic sanctions issues. A well-designed ICP can prevent OFAC violations from occurring, mitigate the consequences of those violations that do occur, and even alert a company to new business opportunities where sanctions regimes change. While there is no standard blueprint for an ICP, certain principles and elements can be adapted to a firm's size, structure, culture, and business type to produce an ICP that is both efficient and effective. Armed with an individualized OFAC ICP, a company can enter the turbulent new world economy with at least one risk addressed.
Published April 1, 2007.
