Now Is the Time for Companies to Assess Their Compliance Programs

Michelle Williams of Clifford Chance’s litigation, regulatory and white collar practice group, discusses recent enforcement actions taken by the Office of Foreign Assets Control (OFAC) – and what companies can do to proactively improve their compliance programs.

CCBJ: Tell us about some of the significant enforcement activities that have come out of the OFAC in the last year or so.

Michelle Williams: There was a good deal of OFAC activity toward the end of 2018, following a quiet first half of the year. Overall, there were just seven cases – two bank cases and five on the corporate side – and it's interesting that they involved enforcement of not just Iran-related violations. In prior years, OFAC's focus was on Iran, but last year there were cases involving violations of sanctions relating to Belarus, Ukraine and Cuba, as well as Iran. In fact, OFAC's settlement with Société Générale, the French multinational investment bank, was a major Cuba-related enforcement action.

In the last few cases of 2018, I would note the OFAC provided much more guidance in their settlement documents about their expectations for compliance and what companies should being learning from these settlements. Obviously, companies know that they shouldn’t violate the sanctions regulations, but OFAC is starting to convey a sense of what they are looking at beyond that – expectations about best practices for staffing compliance functions, conducting audits and making sure there is a strong commitment to compliance throughout the company. They really want to see that companies have policies and procedures in place to prevent these types of activities from recurring as much as they want to punish wrongdoers with financial penalties.

What are the OFAC’s current priorities, and how are they resolving matters?

We are expecting continued actions with respect to Iran, but also anticipate that there will likely be more Russia-related enforcement. OFAC will continue to find examples of particularly egregious conduct and highlight those to bring about changes. However, what we saw in 2018 – and will likely continue to see in 2019 – is that OFAC focuses on some less objectively egregious violations of sanctions in an attempt to change the discussion around OFAC compliance. That said, penalties were significantly lower last year. OFAC collected around $71 million in 2018, as opposed to around $120 million in 2017. It seems more likely that there will be an increase in the penalties collected by OFAC in 2019, especially as highlighted by the Société Générale settlement where OFAC, contrary to prior precedent, collected its penalty from the bank and did not consider the fine amount imposed by OFAC satisfied by Société Générale's payments of fines to other Federal agencies.

What should we expect to see from the OFAC in 2019?

We’re going to continue to see public settlements, but based on what OFAC has said and what we can read from the settlements last year, we anticipate very targeted guidance about OFAC's expectations. Everyone has a general sense of what makes for a strong compliance program, but getting specific guidance from OFAC will be helpful for compliance officers at companies that are trying to develop a robust sanctions program. As practitioners, we will appreciate having that additional clarity, because it means that my clients and I can go to the OFAC, show them a new compliance program and say, “Look, we’ve met or exceeded all of your requirements.”

What’s your advice for clients who want to proactively examine their compliance programs and identify areas for improvement?

Now is the time. This is an opportunity for companies to step back and assess their compliance programs. That's especially true given the initial guidance we now have, based on the 2018 settlements. For example, your compliance function must be sufficiently staffed, so you might take a look at your head count. Do you have enough people? Do you have people in the right roles, at the right levels of seniority and in the right geographical areas to match the scope and risk profile of your company?

Beyond that, look at your training. Has it been a while since you refreshed the online training you filmed five years ago? Have you thought about new ways to convey the training to your workforce – online training and other modules that they can use? It's also a good time to make sure your audit function is looking at your compliance measures. Have they checked your policies? Are the policies working in practice? Have you had any weak OFAC-related or sanctions-related audit findings?

This should all be part of what you’re generally doing as a company focused on compliance, but when new OFAC guidance comes out, it's a strong signal that it's time to do a refresh. The guidance gleaned from the 2018 settlements suggests that companies must have a culture of compliance and should be risk-based in their approach to compliance. So, ask yourself: Does the CEO have a clear statement on the company’s website regarding its commitment to compliance? If OFAC does come calling, it’s good to be able to point to simple things like that and say, “Look, we do take this seriously. Our senior management is on board, and our employees understand and recognize that compliance is important to the company's success.”

Published .