美国财政部《OFAC合规承诺框架》解读

 

作者：刘相文 Graham•Adria 王涛 王妙婷

 

2019年5月2日，美国财政部海外资产控制办公室（下称“OFAC”）发布了《OFAC合规承诺框架》（下称“OFAC框架”）。OFAC框架为公司如何建立有效的制裁合规体系提供了指引，对与美国政府/私人开展业务、使用美国原产货物/服务或者借助美国金融系统开展活动而受美国管辖的中国国有和民营企业非常关键。近年来，少数中国企业被美国政府指控违反其制裁规定，引发了市场关注。尤其值得一提的是，目前三家金融机构作为证人，收到了美国当局要求提交其前客户违反OFAC对朝鲜制裁的相关银行记录的传票。这三家金融机构并未遭到指控，甚至可能对其前客户违反OFAC制裁的行为毫不知情，但还是作为证人被动卷入了美国的法院诉讼程序。

 

On May 2, 2019, the U.S. Treasury Department’s Office of Foreign Asset Control (“OFAC”) released “A Framework for OFAC Compliance Commitments” (the “OFAC Framework”).[1] The OFAC Framework provides guidance on how companies can implement a successful sanction compliance program (“SCP”). This guidance is critical for Chinese companies, private or state-owned, that are doing business with the United States or U.S. persons, use U.S. origin goods or services, or otherwise find themselves under U.S. jurisdiction through activities such as using the U.S. financial system. There have been a few incidents of Chinese companies getting caught up in U.S. sanction investigations in the last few years. Notably, three financial institutions are currently embroiled in a U.S. court case over subpoenas they received to provide evidence relating to OFAC sanction violations by their former client for a North Korean entity. The three financial institutions have not committed any crimes nor are they under investigation. Indeed, it is very likely that they were unaware of the OFAC violations committed by their former customer that is the subject of the investigation.

 

OFAC是执行美国经济和贸易制裁的机构，负责维护特别指定国民名单（下称“SDN名单”）、部门制裁识别名单（下称“SSI名单”）和其他制裁名单。OFAC有权对违反制裁者进行民事处罚或者行政执法；而且，在适当的情形下，OFAC可以将潜在违反制裁的行为移交美国司法部等执法机关进行刑事调查或者指控。近年来，中国企业因违反美国经济和贸易制裁规定屡遭执法，损失了超过十亿美元。

 

OFAC is the U.S. civil enforcement agency tasked with implementing and enforcing American economic and trade sanctions and is responsible for maintaining the List of Specially Designated Nationals and Blocked Persons (the “SDN List”), the Sectoral Sanctions Identification List (the “SSI List”), and other sanctions-related lists. OFAC can impose civil penalties or other administrative actions for sanction violations and, when it deems appropriate, refer potential sanction violations to appropriate law enforcement agencies, such as the U.S. Department of Justice, for criminal investigation and/or prosecution. Violation of U.S. economic and trade sanctions by Chinese companies have contributed to enforcement actions that have cost the companies more than a billion dollars in recent years.

 

OFAC框架对受美国管辖的中国公司具有以下三点重要意义：一是按照OFAC框架建立的强大的制裁合规体系能够帮助中国公司避免卷入美国司法系统。故意违反美国制裁规定的中国公司往往备受关注，但有些中国公司也可能在毫不知情的情况下参与违反美国的制裁规定，而有效的制裁合规体系能够帮助中国公司防微杜渐，从源头上减少违反美国制裁规定的风险。二是OFAC衡量对违反制裁者的处罚时，会将强有力的制裁合规体系视为减轻处罚的因素。三是因违反制裁规定而与OFAC达成和解协议的公司经常被要求按照OFAC合规框架的标准来建立或者改进其制裁合规体系。

 

The OFAC Framework is a critical tool for Chinese companies operating under U.S. jurisdiction. First, a strong SCP developed in accordance with the OFAC Framework can help Chinese companies avoid getting tangled up in the U.S. legal system. Often, there is a focus on Chinese companies that are caught violating U.S. sanctions on purpose, but it is prudent to remember that Chinese companies can be caught up as unknowing participants. An effective SCP can help prevent sanction violations from the beginning. Second, a robust SCP can act as a mitigating factor when OFAC considers the appropriate response for a sanction violation. Third, companies that enter into settlement agreements with OFAC for sanction violations are often required to implement or improve their SCPs to meet the standards as set out in the OFAC Framework.

 

OFAC最近的决定通知愈来愈多描述了受罚企业补救措施的得失，对此有所了解的跨境合规律师对OFAC框架的内容应该并不陌生。OFAC框架集中并扩展了前述补救措施中的得失，因而成为一个实用的参考文件。在就OFAC框架发布的新闻稿中，OFAC的主任Andrea M. Gacki称，“这凸显了我们致力于与私营部门合作，以进一步推动对制裁要求的理解和遵守。”除了指导OFAC评估制裁合规体系外，OFAC框架还包含了一份常见违规行为成因清单。结合美国司法部于2019年4月30日最新发布的《企业合规程序评估》，中国企业比以往任何时候都更能采取有效措施以减少美国政府的指控。

 

The content of the OFAC Framework will be familiar to experienced cross-border compliance lawyers who have read recent OFAC decision notices which have increasingly described the positive and negative features of penalized companies’ remediation efforts. The OFAC Framework centralizes this guidance and expands on it, making it a helpful reference document. In the OFAC Framework’s press release, Director of the Office of Foreign Assets Control Andrea M. Gacki stated that “[t]his underlines our commitment to engage with the private sector to further promote understanding of, and compliance with, sanctions requirements.”[2] In addition to its guidance on how OFAC will evaluate SCPs, the OFAC Framework also includes a list of frequent sources of sanction violations. Combined with the release of the updated DOJ guidelines on compliance (you can see our article here) on April 30, 2019,[3] Chinese companies are better positioned than ever to take effective steps to reduce their exposure to American prosecutors.

 

 

OFAC框架

The OFAC Framework

 

OFAC框架“强烈鼓励”公司开展风险导向的制裁合规，在此过程中考虑公司的规模和复杂程度、产品和服务、客户和交易对方以及地理位置。

 

The OFAC Framework “strongly encourages” companies to take a risk-based approach to sanctions compliance that takes into consideration a company’s size and sophistication, products and services, customers and counterparties, and geographic locations.

 

无论公司如何，OFAC框架建议所有制裁合规体系应包括五个“基本”组成部分：1）管理层承诺；2）风险评估；3）内部控制；4）测试和审计；5）培训。

 

Regardless of the company, the OFAC Framework suggests that all SCPs should include five “essential” components: 1) management commitment; 2) risk assessment; 3) internal controls; 4) testing and auditing; and 5) training.

 

1) 高级管理层承诺

Senior Management Commitment

 

高级管理层的支持力度是决定公司制裁合规体系是否成功的“最重要因素”。高级管理层包括高级领导层、经理层和/或董事会。OFAC框架列出了有效高层承诺的五个基本方面： 

 

One of the “most important factors” in determining the success of a company’s SCP is the level of support from senior management. Senior management includes senior leadership, executives, and/or the board of directors. The OFAC Framework lists five general aspects of effective senior management commitment:

 

I.审查

Review

 

高级管理层应审查和批准公司的制裁合规体系。

 

Senior management should review and approves the company’s SCP.

 

II.授权与自主权

Authority and Autonomy

 

高级管理层应确保公司的合规部门有足够的权力和自主性来执行制裁合规体系，并有效控制OFAC风险，其中应当包括合规工作人员和高级管理层之间的直接报告渠道，例如两者之间的定期会议。

 

Senior management should ensure that the company’s compliance units are delegated sufficient authority and autonomy to implement the SCP and effectively control OFAC risk. This should include direct reporting lines between the SCP personnel and senior management, including regular meetings between the two.

 

III.足够的资源

Adequate Resources

 

高级管理层应采取措施确保公司的合规部门根据需要分配到足够的资源，包括人员、专业知识和IT支持。这是一项持续性的投资，并应与公司的“业务范围、目标市场与二级市场以及影响其整体风险状况的其他因素”相匹配。

 

Senior management should take steps to ensure that the company’s compliance units are allocated adequate resources as needed, including personnel, expertise, and IT support. This should be an ongoing investment that is appropriate for the company’s “breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.”

 

OFAC框架列出了衡量一家公司是否配备足够资源的三项标准。

 

The OFAC Framework lists three criteria for measuring whether a company has provided adequate resources.

 

A.公司应任命一名专门的OFAC制裁合规官，根据公司的规模和复杂程度，可以由出口管制官等高级合规官员担任。

   The company should appoint a dedicated OFAC sanctions compliance officer. Depending on the size and complexity of a company, this may be a person serving in other senior compliance positions, such as an Export Control Officer.

 

B.合规工作人员具有适当的知识、经验、专业能力和职位，能够理解和识别OFAC相关的问题、风险和禁止的活动。

   The personnel dedicated to the SCP have the appropriate knowledge, experience, expertise, and position to understand and identify OFAC-related issues, risks, and prohibited activities.

 

C.企业应有足够的控制功能来支持公司的制裁合规体系，包括IT软件和系统，以充分处理公司的OFAC风险评估和风险级别。

   There are sufficient control functions to support a company’s SCP, including IT software and systems, that adequately address the company’s OFAC-risk assessment and levels. 

 

IV.合规文化

Culture of Compliance

 

与所有合规活动一样，高级管理层应在公司推广“合规文化”。OFAC框架列出了衡量一家公司是否正在推广合规文化的三项标准。

 

As is the case with all compliance activities, senior management should promote a “culture of compliance” at the company. The OFAC Framework lists three criteria for measuring whether a company is promoting a culture of compliance.

 

A.员工可以举报公司或员工的OFAC相关违规行为，而不必担心报复。

   Personnel can report OFAC related misconduct by the company or personnel without fear of reprisal.

 

B.高级管理层宣贯并采取行动以预防OFAC相关违规行为，并强调不合规行为的潜在影响。

   Senior management communicates and takes actions that discourage OFAC related misconduct and highlight potential repercussions for non-compliance.

 

C.制裁合规体系为遵守OFAC规定而监督包括高级管理层在内的整个公司的行为。

   The SCP has oversight over the actions of the entire company, including senior management, for the purposes of OFAC compliance.

 

V.违规的认识

Recognition of Violations 

 

高级管理层应认识到公司及公司员工违反或未能遵守必要的合规政策和程序的严重性。他们应该采取必要的措施，以减少过往违规行为再次发生，并提出系统的解决方案。

 

Senior management should recognize the seriousness of OFAC violations or failures by the company and its personnel from failing to comply with necessary SCP policies and procedures. They should implement necessary measures to reduce the occurrence of past violations and represent systemic solutions.

 

2) 风险评估

Risk Assessment

 

OFAC框架鼓励公司在设计或更新其制裁合规体系时采用“风险导向的方法”。在此语境下，风险是指“如果忽视或处理不当，可能导致违反OFAC规定的潜在威胁或漏洞”。OFAC推荐的最佳方法是进行持续的“风险评估”，以宣贯合规政策、程序、内部控制，并通过培训降低风险。

 

The OFAC Framework recommends that companies take a “risk-based approach” when designing or updating their SCP. Risks in this context are “potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations”. OFAC recommends that the best way to do this is to conduct ongoing “risk assessments” to inform SCP policies, procedures, internal controls, and training to mitigate risks.

 

虽然OFAC框架承认不存在通用的风险评估方法，但公司通常应对自身进行全面审查，并评估其外部风险所在，以识别与OFAC所禁止人员、缔约方或国家/地区的潜在互动领域，包括客户、产品、服务和地理位置。公司还应在兼并收购期间尤其是并购对象位于风险多发区域时，进行风险评估和OFAC相关尽职调查。

  

Although the OFAC Framework acknowledges that there is no “one-size-fits all” for risk assessment, companies should generally conduct a holistic review of the entire company and assess where it has external exposure. This allows for the identification of potential areas of interaction with OFAC-prohibited persons, parties, or countries/regions, including clients, products, services, and geographic locations. Companies should also conduct risk assessments and OFAC-related due diligence during mergers and acquisitions, especially if the other company is in geographically at-risk areas.

 

OFAC框架列出了有效评估OFAC风险的两个一般方面：

 

The OFAC Framework lists two general aspects of conducting an effective OFAC risk assessment:

 

I.评估OFAC风险

Assessing OFAC Risk 

 

OFAC风险评估的方式和频率应与潜在风险相匹配。这些风险可能来自“客户、产品、服务、供应链、中介机构、交易对手、交易本身和地理位置，具体取决于组织性质。”通过不断更新以确保风险评估的充分性，从而暴露被识别的任何明显违规或系统缺陷的“根源”。

 

OFAC risk assessment should be conducted in a manner and with a frequency that adequately accounts for potential risk. These risks could be posed by its “clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization.” An adequate risk assessment will be updated for the “root causes” of any apparent violations or systemic deficiencies identified.

 

在评估OFAC风险时，各公司应利用现有信息确定在客户关系或交易中所需的尽职调查程度。公司可以利用客户在“了解您的客户”或“客户尽职调查”以及建立客户关系伊始时公司进行的独立研究等程序中提供的信息，评估客户、客户群体或客户关系的风险概况。这些信息可用于指导未来的OFAC风险尽职调查工作。此外，前述合规尽职调查应成为公司兼并、收购和整合工作的必要组成部分。《美国联邦法规》第31卷第501部分附录A—“经济制裁执行指南”中的OFAC风险矩阵，列明了风险评级时需要考虑的重要因素，具体如下：

 

When assessing OFAC risk, companies should leverage existing information to determine the extent of due diligence required in a customer relationship or transaction. Companies can develop a sanctions risk profile for customers, customer groups, or account relationships by leveraging information provided by the customer through procedures such as “Know Your Customer” or “Customer Due Diligence” as well as independent research conducted by the organization at the initiation of the customer relationship. This information can be used to guide future OFAC risk due diligence efforts. Additionally, this compliance due diligence should be integrated into merger, acquisition, and integration processes. The important elements to consider when determining the sanctions risk rating can be found in the OFAC’s risk matrix provided by 31 CFR Appendix A to part 501 - Economic Sanctions Enforcement Guidelines. We have included a translated version below.

 

风险矩阵 OFAC Risk Matrix OFAC
低 Low	中 Moderate	高 High
在地区范围内稳定、知名的客户群 Stable, well-known customer base in a localized environment	由于在国内市场分立、兼并或收购而发生变化的客户群 Customer base changing due to branching, merger, or acquisition in the domestic market	在国际环境中巨大、波动的客户群 A large, fluctuating client base in an international environment
少有非居民外国人、外国客户（包括拥有美国委托书的账户）和外国商业客户等高风险客户 Few high-risk customers; these may include nonresident aliens, foreign customers (including accounts with U.S. powers of attorney), and foreign commercial customers	中等数量的高风险客户 A moderate number of high-risk customers	大量的高风险客户 A large number of high-risk customers
无境外分支机构，无外国银行代理账户 No overseas branches and no correspondent accounts with foreign banks	有境外分支机构或外国银行代理账户 Overseas branches or correspondent accounts with foreign banks	有境外分支机构或多个外国银行代理账户 Overseas branches or multiple correspondent accounts with foreign banks
没有提供电子服务（如电子银行），或提供的产品是纯粹信息性或非交易性的 No electronic services (e.g., e-banking) offered, or products available are purely informational or non-transactional	提供有限的电子产品（如电子银行）和服务 The institution offers limited electronic (e.g., e-banking) products and services	该机构提供各种电子产品（如电子银行）和服务（如转账、电子账单支付或通过互联网开立的账户） The institution offers a wide array of electronic (e.g., e-banking) products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet)
客户和非客户的转账金额有限，第三方交易有限，无跨境转账 Limited number of funds transfers for customers and non-customers, limited third-party transactions, and no international funds transfers	存在主要为服务客户而进行的适量转账，可能有一些从个人或商业账户的跨境转账 A moderate number of funds transfers, mostly for customers; possibly, a few international funds transfers from personal or business accounts	大量的客户和非客户资金转移，包括国际资金转移 A high number of customer and non-customer funds transfers, including international funds transfers
没有其他类型的国际交易，如贸易融资、跨境自动清算中心和主权债务管理 No other types of international transactions, such as trade finance, cross-border ACH, and management of sovereign debt	有限的其他类型国际交易 Limited other types of international transactions	大量其他类型的国际交易 A high number of other types of international transactions&am