On 2 May 2019 the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) issued "A Framework for OFAC Compliance Commitments" (the framework), which outlines five components OFAC considers to be essential for an effective risk-based sanctions compliance program (SCP). In addition to the five key components, OFAC highlights "root causes" of sanctions violations in the framework. This is the first time OFAC has offered detailed insight into the agency's expectations with respect to an organization's SCP. To date, organizations have generally referred to the OFAC Risk Matrix in assessing the effectiveness of their compliance measures. See 31 Code of Federal Regulations Part 501, Appendix A. The framework is not meant to replace the matrix but instead weaves components of the OFAC Risk Matrix into the various elements of the framework.

The framework was released just days after the U.S. Department of Justice (DOJ) published an updated version of its guidance titled "Evaluation of Corporate Compliance Programs." Please see this Hogan Lovells alert for more information on the guidance. OFAC had already begun to implement the new framework, including compliance program elements in enforcement actions and settlement agreements beginning in 2018. Taken together, these publications signal the U.S. government's intention to focus on increasing regulatory enforcement and scrutiny of compliance programs.

Characteristics of an effective sanctions compliance program

The five "essential components" of an effective SCP outlined in the framework are: management commitment, risk assessment, internal controls, testing and auditing, and training.

Management commitment

Senior management's commitment is the cornerstone of a successful SCP. In fact, OFAC considers it to be "one of the most important factors" in determining an SCP's success, and it is essential for ensuring that an organization's SCP is fully integrated into the organization's daily operations. OFAC emphasizes the importance of having a designated compliance officer charged with enforcing the organization's sanctions compliance policies and procedures. In addition, OFAC sets out senior management responsibilities including:

  • Review and approve the organization's SCP.
  • Ensure that compliance personnel have sufficient authority and autonomy to effectively implement policies designed to minimize risk.
  • Ensure the organization has the necessary resources to adequately enforce its SCP (e.g., human capital, expertise, information technology).
  • Promote a culture of compliance (e.g., compliance violation reporting without fear of reprisal, misconduct openly discouraged, SCP oversight throughout the organization).
  • Recognize the seriousness of sanctions violations and SCP failures (e.g., address root causes of violations, deploy systemic solutions).

Senior management attention to these obligations contributes to the creation of a robust SCP and fosters a culture of compliance throughout an organization.

Risk assessment

Conducting a comprehensive risk assessment will help an organization to identify any potential threats or vulnerabilities that can lead to violations of OFAC regulations. The risks should be reflected in the frequency and manner of the risk assessment. Specifically, OFAC notes that an effective assessment will capture potential risks associated with "clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization." In particular, OFAC recommends that organizations incorporate comprehensive risk assessments into customer onboarding and that the compliance function be incorporated into the mergers, acquisitions, and integration processes.

Internal controls

In the framework, OFAC describes acceptable internal controls, including procedures designed to identify, appropriately respond to, and document any activities that may run afoul of OFAC regulations. An effective SCP will have procedures that are easy to implement, are reflected in the organization's day-to-day operations, and are updated to implement the results of risk assessments and testing/auditing. It is important that organizations stay informed of OFAC actions and announcements, as they can impact an organization's implementation of internal controls.

Testing and auditing

Organizations should have an objective testing or audit function to evaluate the effectiveness of their SCP, and to identify and correct deficiencies. Testing can be done internally or by a third party, and enterprisewide or on a specific portion of the SCP.


Training

All appropriate employees, particularly those in high-risk positions, should be provided training periodically, or at a minimum, annually. Training should be customized, role-specific, and include assessments to hold employees accountable for sanctions compliance. Training materials should be made easily accessible and available to employees on an ongoing basis. Finally, in the event of negative testing or audit results or detection of a deficiency in the SCP, training or other corrective action should be provided to the personnel involved.
