Blog
Managing OFAC Compliance as a Non-US Company
Dealing with OFAC compliance can be tricky for non-US companies. OFAC, or the Office of Foreign Assets Control, administers and enforces economic and trade sanctions against targeted foreign countries, regimes, terrorists, international narcotics traffickers, and more. While OFAC regulations apply mainly to US companies and citizens, they can also impact non-US companies in certain situations. This article will break down key things you need to know about OFAC as a non-US company, so you can effectively manage compliance.
Contents
Who Needs to Comply with OFAC?
OFAC regulations apply to US persons and entities, including:
- US citizens and permanent residents, no matter where they are located
- Entities organized under US law, including companies and their foreign branches
- Entities and individuals physically located in the US
Some OFAC programs also require foreign subsidiaries of US companies to comply.
As a non-US company, you may still need to comply if:
- You conduct transactions in US dollars which clear through the US financial system
- You have a US parent or subsidiary company
- You do business with US companies or persons
- You use US-origin goods and technology
Bottom line – if you have ties to the US or use the US financial system, OFAC regulations could apply to you. It’s important to evaluate your specific business activities and relationships to assess your risk exposure.
Consequences of OFAC Violations
If found in violation of OFAC sanctions, penalties can be severe:
- Civil monetary fines up to $307,922 per violation or twice the value of the transaction
- Criminal fines up to $1 million and imprisonment up to 20 years for willful violations
- Reputational damage and loss of banking relationships
In 2019, Standard Chartered Bank paid $639 million to settle potential civil liability for apparent violations of OFAC regulations. This shows that OFAC is serious about enforcing its rules, even on non-US entities.
Creating an OFAC Compliance Program
To manage OFAC risk, non-US companies should implement a customized sanctions compliance program. Here are key elements to include:
- Risk assessment – Analyze your products, services, customers and geographic footprint to identify potential OFAC exposure.
- Written policies and procedures – Document processes for screening customers, transactions, and third parties against OFAC lists.
- Sanctions list screening – Use advanced software to screen customers and transactions against OFAC’s Specially Designated Nationals (SDN) list and other sanctions lists.
- Training – Educate staff on OFAC regulations and your compliance program. Training should be ongoing to address updates.
- Record keeping – Maintain records of due diligence efforts and documented compliance for at least 5 years.
- Auditing – Regularly audit your OFAC compliance program to assess effectiveness and identify gaps.
Tailor your compliance program to your risk profile. Higher risk entities may require more robust controls. Document your program and update as needed to show OFAC you are making good faith efforts.
Screening Transactions and Customers
A key part of any OFAC compliance program is robust screening to detect prohibited dealings early. This involves checking:
- Customer and supplier names against OFAC’s SDN list and other denied parties lists
- Transaction details like origin, destination, currency, and goods/services against OFAC restrictions
- Ownership information to identify hidden SDN interests of 50% or more
Screening should happen at onboarding and repeated regularly after. Use denied party screening software that checks multiple lists and provides automated alerts. Configure your system to block or flag potential name matches for review.
Investigate any hits to determine if they are false positives or valid SDN matches. Gather ownership documentation and research connections. False positives can be cleared, but valid SDN matches may require blocking or rejecting the transaction and filing a report with OFAC.
Handling Potential OFAC Violations
If you discover a potential OFAC violation, act quickly to contain the situation:
- Immediately stop the transaction or activity in question.
- Gather all relevant facts and documentation.
- Conduct root cause analysis to identify how the potential violation occurred.
- Report it to your legal department and senior management.
- Voluntarily disclose it to OFAC within 180 days to mitigate penalties.
OFAC looks favorably on voluntary self-disclosures and extensive remediation when determining resolution agreements and penalties. However, delays in reporting can lead to harsher enforcement actions.
Useful OFAC Resources
Stay up-to-date on OFAC regulations and guidance for non-US companies:
- OFAC Sanctions Compliance Guidelines – Provides guidance on designing sanctions compliance programs.
- OFAC Brochures – Overview brochures on different sanctions programs.
- OFAC FAQs – Answers to frequently asked questions on OFAC regulations.
- OFAC Licensing – Information on applying for specific licenses from OFAC.
- Export Administration Regulations (EAR) – Rules on exporting US goods and technology.
It’s important for non-US companies to stay updated on OFAC’s Specially Designated Nationals (SDN) and other denied parties lists, which frequently change. Subscribe to OFAC’s email updates and check the sanctions lists regularly.
Consult with an experienced OFAC attorney if you need help designing and implementing a sanctions compliance program tailored to your risk profile. Legal review is also key when evaluating potential OFAC issues.