Global menu

Our global pages


OFAC publish guidance on effective Sanctions Compliance Programs

  • United Kingdom
  • Fraud and financial crime
  • Sanctions


On 2 May 2019, the Treasury’s Office of Foreign Assets Control (OFAC) published A Framework for OFAC Compliance Commitments (the Framework) providing guidance on the essential components of an effective risk-based sanctions compliance program (SCP).

The Framework is aimed at organisations under U.S. jurisdiction, together with those foreign entities that conduct business in or with the U.S., U.S. persons, or using U.S.-origin goods or services.

In OFAC’s Framework, organisations are advised to adopt a risk-based approach to sanctions compliance which should be based on five key components:

  1. management commitment;
  2. risk assessment;
  3. internal controls;
  4. testing and auditing; and
  5. training

The Framework sets out how organisations may demonstrate that they have adopted each of the key components by reference to specific criteria. In addition, the Framework summarises the root causes of OFAC SCP breakdowns or deficiencies that have been identified from the public enforcement actions against organisations which have been taken to date.

This non-exhaustive list includes:

  1. lack of a formal OFAC SCP;
  2. misinterpreting or failing to understand the applicability of OFAC regulations;
  3. facilitating transactions by non-US persons (including through or by overseas subsidiaries or affiliates);
  4. exporting or re-exporting US origin goods, technology, or services to OFAC sanctioned persons or countries;
  5. utilising the US financial system or processing payments to or through US Financial Institutions, for commercial transactions involving OFAC sanctioned persons or countries;
  6. sanctions screening software or filter faults;
  7. improper due diligence on customer/clients (e.g. ownership, business dealings etc);
  8. de-centralised compliance functions and inconsistent application of an SCP;
  9. utilising non-standard payment or commercial practices;
  10. individual liability

What this means for you?

An organisation must be able to demonstrate that its SCP has the five key components set out in the OFAC Framework in order to appropriately mitigate the risk of extensive enforcement action from OFAC in light of an apparent violation. OFAC explains that the SCP will be evaluated in line with the Economic Sanctions Enforcement Guidelines (the Guidelines) and moreover, OFAC will consider favourably ‘subject persons that had effective SCP’s at the time of the violation’. An effective SCP may be a mitigating factor when considering the value of a civil monetary penalty.

As advised by OFAC, organisations should review this guidance, together with the public enforcement actions published by OFAC which address the deficiencies and weaknesses within the subject person’s SCP in order to reassess and enhance its own where required.

Organisations considering this guidance should also be aware of the updated Department of Justice (DOJ) guidance for prosecutors on evaluating corporate compliance programs. This DOJ guidance updates the previous version published in February 2017 and provides invaluable insight for organisations operating in multiple jurisdictions. The DOJ guidance prompts organisations to consider the design, effectiveness and practical application of its compliance framework. Although the guidance is not intended to be a checklist, it is easily applicable and transferable to an SCP and organisations would be well advised to consider the two in conjunction.