Authors: 刘相文, Graham•Adria, 王涛, 王妙婷
On May 2, 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) released “A Framework for OFAC Compliance Commitments” (the “OFAC Framework”). The OFAC Framework provides guidance on how companies can implement a successful sanction compliance program (“SCP”). This guidance is critical for Chinese companies, private or state-owned, that are doing business with the United States or U.S. persons, use U.S. origin goods or services, or otherwise find themselves under U.S. jurisdiction through activities such as using the U.S. financial system. There have been a few incidents of Chinese companies getting caught up in U.S. sanction investigations in the last few years. Notably, three financial institutions are currently embroiled in a U.S. court case over subpoenas they received to provide evidence relating to OFAC sanction violations by their former client for a North Korean entity. The three financial institutions have not committed any crimes nor are they under investigation. Indeed, it is very likely that they were unaware of the OFAC violations committed by their former customer that is the subject of the investigation.
OFAC is the U.S. civil enforcement agency tasked with implementing and enforcing American economic and trade sanctions and is responsible for maintaining the List of Specially Designated Nationals and Blocked Persons (the “SDN List”), the Sectoral Sanctions Identification List (the “SSI List”), and other sanctions-related lists. OFAC can impose civil penalties or other administrative actions for sanction violations and, when it deems appropriate, refer potential sanction violations to appropriate law enforcement agencies, such as the U.S. Department of Justice, for criminal investigation and/or prosecution. Violations of U.S. economic and trade sanctions by Chinese companies have contributed to enforcement actions that have cost the companies more than a billion dollars in recent years.
The OFAC Framework is a critical tool for Chinese companies operating under U.S. jurisdiction. First, a strong SCP developed in accordance with the OFAC Framework can help Chinese companies avoid getting tangled up in the U.S. legal system. Often, there is a focus on Chinese companies that are caught violating U.S. sanctions on purpose, but it is prudent to remember that Chinese companies can be caught up as unknowing participants. An effective SCP can help prevent sanction violations from the beginning. Second, a robust SCP can act as a mitigating factor when OFAC considers the appropriate response for a sanction violation. Third, companies that enter into settlement agreements with OFAC for sanction violations are often required to implement or improve their SCPs to meet the standards as set out in the OFAC Framework.
The content of the OFAC Framework will be familiar to experienced cross-border compliance lawyers who have read recent OFAC decision notices, which have increasingly described the positive and negative features of penalized companies’ remediation efforts. The OFAC Framework centralizes this guidance and expands on it, making it a helpful reference document. In the OFAC Framework’s press release, Director of the Office of Foreign Assets Control Andrea M. Gacki stated that “[t]his underlines our commitment to engage with the private sector to further promote understanding of, and compliance with, sanctions requirements.” In addition to its guidance on how OFAC will evaluate SCPs, the OFAC Framework also includes a list of frequent sources of sanction violations. Combined with the release of the updated DOJ guidelines on compliance on April 30, 2019, Chinese companies are better positioned than ever to take effective steps to reduce their exposure to American prosecutors.
The OFAC Framework
The OFAC Framework “strongly encourages” companies to take a risk-based approach to sanctions compliance that takes into consideration a company’s size and sophistication, products and services, customers and counterparties, and geographic locations.
Regardless of the company, the OFAC Framework suggests that all SCPs should include five “essential” components: 1) management commitment; 2) risk assessment; 3) internal controls; 4) testing and auditing; and 5) training.
Senior Management Commitment
One of the “most important factors” in determining the success of a company’s SCP is the level of support from senior management. Senior management includes senior leadership, executives, and/or the board of directors. The OFAC Framework lists five general aspects of effective senior management commitment:
Senior management should review and approve the company’s SCP.
Authority and Autonomy
Senior management should ensure that the company’s compliance units are delegated sufficient authority and autonomy to implement the SCP and effectively control OFAC risk. This should include direct reporting lines between the SCP personnel and senior management, including regular meetings between the two.
Senior management should take steps to ensure that the company’s compliance units are allocated adequate resources as needed, including personnel, expertise, and IT support. This should be an ongoing investment that is appropriate for the company’s “breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.”
The OFAC Framework lists three criteria for measuring whether a company has provided adequate resources.
The company should appoint a dedicated OFAC sanctions compliance officer. Depending on the size and complexity of a company, this may be a person serving in other senior compliance positions, such as an Export Control Officer.
The personnel dedicated to the SCP have the appropriate knowledge, experience, expertise, and position to understand and identify OFAC-related issues, risks, and prohibited activities.
There are sufficient control functions to support a company’s SCP, including IT software and systems, that adequately address the company’s OFAC-risk assessment and levels.
Culture of Compliance
As is the case with all compliance activities, senior management should promote a “culture of compliance” at the company. The OFAC Framework lists three criteria for measuring whether a company is promoting a culture of compliance.
Personnel can report OFAC related misconduct by the company or personnel without fear of reprisal.
Senior management communicates and takes actions that discourage OFAC related misconduct and highlight potential repercussions for non-compliance.
The SCP has oversight over the actions of the entire company, including senior management, for the purposes of OFAC compliance.
Recognition of Violations
Senior management should recognize the seriousness of OFAC violations, and of failures by the company and its personnel to comply with necessary SCP policies and procedures. They should implement necessary measures that reduce the recurrence of past violations and that represent systemic solutions.
The OFAC Framework recommends that companies take a “risk-based approach” when designing or updating their SCP. Risks in this context are “potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations”. OFAC recommends that the best way to do this is to conduct ongoing “risk assessments” to inform SCP policies, procedures, internal controls, and training to mitigate risks.
Although the OFAC Framework acknowledges that there is no “one-size-fits all” for risk assessment, companies should generally conduct a holistic review of the entire company and assess where it has external exposure. This allows for the identification of potential areas of interaction with OFAC-prohibited persons, parties, or countries/regions, including clients, products, services, and geographic locations. Companies should also conduct risk assessments and OFAC-related due diligence during mergers and acquisitions, especially if the other company is in geographically at-risk areas.
The OFAC Framework lists two general aspects of conducting an effective OFAC risk assessment:
Assessing OFAC Risk
OFAC risk assessment should be conducted in a manner and with a frequency that adequately accounts for potential risk. These risks could be posed by its “clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization.” An adequate risk assessment will be updated for the “root causes” of any apparent violations or systemic deficiencies identified.
When assessing OFAC risk, companies should leverage existing information to determine the extent of due diligence required in a customer relationship or transaction. Companies can develop a sanctions risk profile for customers, customer groups, or account relationships by leveraging information provided by the customer through procedures such as “Know Your Customer” or “Customer Due Diligence” as well as independent research conducted by the organization at the initiation of the customer relationship. This information can be used to guide future OFAC risk due diligence efforts. Additionally, this compliance due diligence should be integrated into merger, acquisition, and integration processes. The important elements to consider when determining the sanctions risk rating can be found in OFAC’s risk matrix, provided in 31 CFR Appendix A to Part 501 - Economic Sanctions Enforcement Guidelines. We have included a translated version below.
OFAC Risk Matrix

| Low | Moderate | High |
| --- | --- | --- |
| Stable, well-known customer base in a localized environment | Customer base changing due to branching, merger, or acquisition in the domestic market | A large, fluctuating client base in an international environment |
| Few high-risk customers; these may include nonresident aliens, foreign customers (including accounts with U.S. powers of attorney), and foreign commercial customers | A moderate number of high-risk customers | A large number of high-risk customers |
| No overseas branches and no correspondent accounts with foreign banks | Overseas branches or correspondent accounts with foreign banks | Overseas branches or multiple correspondent accounts with foreign banks |
| No electronic services (e.g., e-banking) offered, or products available are purely informational or non-transactional | The institution offers limited electronic (e.g., e-banking) products and services | The institution offers a wide array of electronic (e.g., e-banking) products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet) |
| Limited number of funds transfers for customers and non-customers, limited third-party transactions, and no international funds transfers | A moderate number of funds transfers, mostly for customers; possibly, a few international funds transfers from personal or business accounts | A high number of customer and non-customer funds transfers, including international funds transfers |
| No other types of international transactions, such as trade finance, cross-border ACH, and management of sovereign debt | Limited other types of international transactions | A high number of other types of international transactions |