and extension of a tolling agreement. And OFAC highlighted
the bank’s “robust remedial response, including by changing its
policies and procedures as well as its compliance structure …”
OFAC’s separate action for violations committed by the bank’s
subsidiaries highlights the long arm of sanctions enforcement,
as both subsidiaries operate primarily in Europe. According to
OFAC, in an annual Anti-Money Laundering Risk Assessment, the
Canadian bank discovered that the subsidiaries lacked adequate
compliance programs. Presumably in part for that reason, the
subsidiaries processed nearly 3,500 transactions with persons
residing or located in Iran or Cuba. These transactions totaled
$92,868,862 between 2008 and 2013.
Yet no penalty was imposed against the subsidiaries. OFAC
explained that the violations were not the result of intentional
misconduct but rather inadequate compliance and a lack of
understanding about the scope of U.S. sanctions jurisdiction.
OFAC also emphasized remedial measures were taken, including
In any event, the penalties imposed (and not imposed)
by OFAC demonstrate that OFAC generally expects greater
accountability from larger businesses, and that large global
entities are expected to understand the complexities of U.S.
sanctions laws and to have in place the compliance infrastructure to prevent, detect, and—when deemed appropriate—self-report violations.
To be clear, OFAC is not giving small organizations a free pass—
far from it. But OFAC also seems to recognize that the compliance
infrastructure in a smaller organization should be commensurate
with the organization’s size and risk profile. In other words, OFAC
seems to appreciate that compliance programs should be risk-based. And this is a lesson from which every company can benefit.
So how does a company, either before it is under investigation or
once already in the government’s sights, try to control the damage?
As demonstrated in the Canadian bank case, cooperation with
the government is typically a good strategy. But it is important
to note that there is rarely an affirmative obligation to disclose a
violation of U.S. sanctions; in many cases a company can reasonably
decide not to self-disclose.
Even in such a case, however, there are certain steps that are
essential to remediate violations that have occurred. Based on
past OFAC enforcement actions, and our own experiences, we
think the following steps are critical:
Careful investigation. If a violation or potential violation is
identified, the company must conduct an appropriate investigation. The scope of the investigation should be based on the nature
of the actual/potential violation, but an investigation must take
place. Otherwise problematic conduct may continue, and if it
does, and the government subsequently learns of it, the penalties are likely to be much more severe. The government really
does not like it when companies duck their head in the sand and
hope a problem goes away—the government’s expectation is that
problematic conduct will be investigated, root causes identified,
and specific remedial measures will be taken to protect against
similar problems in the future.
Enhancements can take many forms—
improved policies and procedures, enhanced training,
more robust auditing, and other steps may all be warranted
depending on the circumstances. Regardless of which measures are
taken, those that are implemented should be specifically directed
to address violations/compliance shortcomings that have been
identified. For example, if a company’s screening processes are
not extended to its non-U.S. operations, and violations occurred
because non-U.S. operations were conducting business with prohibited parties, those operations should be instructed to adopt
specific screening mechanisms. If a U.S. company’s personnel
are processing transactions with Iran under the false impression
that the U.S. embargo on Iran has been lifted, those personnel
(and probably all relevant personnel of the company) should be
trained on the scope of U.S. sanctions on Iran.
Compliance enhancements also serve the purpose of demonstrating that the company has a tone from the top that emphasizes the importance of compliance. In our experience, nothing
is more important than a culture of compliance. The only way
such a culture can be meaningfully introduced and maintained
is through committed leadership.
Monitoring. Even the best compliance program will be unable
to prevent all violations. It is thus necessary to have a monitoring mechanism so that weaknesses—even if they don’t turn into
violations—can be identified and remedied. Compliance reviews
should be conducted on a regular basis and with reference to
what makes most sense commercially. Spending an exorbitant
amount of money to audit a low-risk jurisdiction may not be
needed; likewise, spending a paltry sum to review the operations
in a high-risk jurisdiction may be asking for trouble.
Recordkeeping. In each area of compliance, keeping good records is vital: it is those records that will often be the most useful evidence that your enterprise did its best to comply with the
law—even if there was a misstep. Results of monitoring, including
who has responsibility for managing corrective actions recommended due to the monitoring, should be kept in compliance
files. Copies of training materials should be maintained, and of
course policies and procedures should be memorialized so they
are readily accessible to personnel.
There is no indication that OFAC is slowing down its enforcement
activities—now as always, financial institutions will often make
a compelling target for the agency. All risk cannot be eliminated,
but it can definitely be mitigated through the steps listed above.
ABOUT THE AUTHOR
THAD MCBRIDE leads the International Trade Practice Group at
Bass, Berry & Sims PLC. He focuses his practice on counseling clients
on compliance with economic sanctions and embargoes, U.S. export
regulations (ITAR and EAR), and the Foreign Corrupt Practices Act
(FCPA). Thad can be reached at firstname.lastname@example.org.