The Complete Guide to OFAC Compliance
If you do business with foreign partners or customers, OFAC compliance is a big deal. The Office of Foreign Assets Control (OFAC), enforces sanctions against countries and groups of people.
OFAC sanctions and programs are in place to prevent businesses from doing business with terrorist and criminal organizations, and countries under U.S. embargos.
Obviously, people aren’t going to tell you that they’re terrorists or are from an embargoed country. So, OFAC maintains a list of countries, individuals, and other entities that U.S. individuals are prohibited from doing business with.
Now, nobody wants to be associated with illegal organizations or countries that have sanctions against them. But, you can’t avoid this if you don’t know which organizations and countries are off limits.
OFAC provides a list of organizations and countries that have sanctions against them. But, you have to check the list yourself. So, OFAC compliance is a matter of vigilance and education.
We’ll start with education. Then, we’ll cover the best practices and some tools that will help you maintain OFAC compliance.
What is OFAC Compliance?
First, who must comply with OFAC regulations? OFAC regulations apply to all “U.S. persons.” As it is defined by OFAC and the U.S. Patriot Act, “U.S. persons” includes individuals and all types of corporations.
In short, everyone must comply with OFAC regulations. If you’re buying or selling things from overseas, you can only buy and sell from people, organizations, and countries without OFAC sanctions against them.
OFAC can place regulations against individuals, organizations, and countries. There are two types of regulations: asset blocking and trade restrictions. You should avoid buying or selling from any organization or country with OFAC regulations against them, regardless of which type of regulation is in place.
OFAC regulations can be broad or narrow in scope. So, even if a country has sanctions against it, you can sometimes still buy and sell from companies and people in that country. It just depends on the type of sanctions that are in place.
You can find out which countries, organizations, and people OFAC has sanctions against by checking the OFAC sanctions lists:
Sanctions Programs and Country Information
Specially Designated Nationals and Blocked Persons List
These lists are human readable. But, combing through them can be an arduous, time-consuming task. We’ll talk about OFAC searches and checks soon.
Before we get to that, here’s what your OFAC compliance program should look like.
OFAC Screening Best Practices
Recently, OFAC released a document that outlined OFAC compliance best practices and pitfalls to avoid.
This is the OFAC recommended framework for creating a compliance program that follows recommended best practices:
- Management commitment
- Risk assessment
- Internal controls
- Testing and auditing
- Training
Let’s break each of these steps down.
Management Commitment
Clearly, in order for your OFAC compliance program to work, upper management needs to take it seriously. OFAC enforces regulations primarily through fines. So, you should take compliance seriously. But, this is enough of an issue that OFAC includes it in their framework.
Here are a few things your management team can do to maintain OFAC compliance:
- Put someone in charge of OFAC compliance. Ensure that your dedicated OFAC officers has the technical knowledge, and the commercial and financial understanding to manage your OFAC compliance program.
- Give senior management and employees the authority and autonomy to report potential OFAC violations. Upper management should always take employee reports seriously to create a culture of compliance, where employees feel their contributions are valued.
- Review and approve upper management’s involvement and actions in your OFAC compliance program.
Risk Assessment
Risk assessment boils down to evaluating all your overseas contacts and business partners, and identifying potential risks for OFAC violations.
These are the best practices for performing OFAC violation risk assessments:
- Understand that an OFAC violation could occur in any part of your business. You need to assess:
- Clients and customers.
- Product and service fulfillment.
- Supply chain.
- Intermediaries.
- Counter-parties.
- Transactions.
- Geographic locations.
Your business activities in any of these areas could lead to an OFAC violation, if you do not assess the risks and take appropriate measures.
- Implement an OFAC risk assessment at two critical phases:
- On-boarding. You should assess the risk whenever you develop a new working relationship with any client, customer, or business partner.
-
- Mergers and acquisitions. Assess the risk for OFAC violations before you complete the process of acquiring any new assets.
Assessing these risks will help you identify deficiencies in your OFAC compliance program and allocate your resources to best prevent violations.
Internal Controls
Implement policies and procedures for each stage of OFAC compliance and violation prevention:
- Violation identification.
- Interdiction.
- Escalation.
- Reporting.
- Record keeping.
The policies and procedures you put in place will create an efficient and replicable system for detecting and correcting OFAC violations, which will help you minimize infractions and avoid fines.
Testing and Auditing
Even if you have a good process in place, it’s vital that you consistently check to make sure there are no holes in your OFAC compliance program.
However, OFAC recommends taking an additional precaution in your testing and auditing process: ensure that there are no holes in the testing and auditing process itself.
- Verify that your testing and auditing program is reporting correctly and is accountable to your organization’s upper management.
- Ensure that your testing and auditing procedures are sophisticated enough to accurately assess your OFAC compliance program.
- Check responses to negative results in any test or audit to ensure that compliance issues are being resolved.
In short, you need to ensure that your testing and auditing process is more than a formality. It needs to actually identify and correct compliance issues.
Training
The obvious path here is to ensure that your employees are trained and informed about OFAC compliance and violations. That way your team members can identify and report problems when they see them.
But, OFAC recommends expanding the scope of your training beyond just your employees.
- Provide education to organizational stakeholders. This includes clients, suppliers, business partners, and anyone else who might be in a position to spot compliance issues.
- Tailor your training to your business. Provide training that addresses some of the specific compliance risks involved with your products or services, clients, and geographic regions where your organization operates.
- Make OFAC resources easily accessible. Give your employees the power to self-educate.
These are the core aspects of the OFAC recommended best practices. If you want more detailed information, you can read the entire report here.
OFAC compliance is important. But, it can also be tricky. That’s why you need reliable tools for your OFAC compliance program.
How to Do an OFAC Search
First, what is an OFAC check?
An OFAC check is simply a search of the OFAC sanctions and programs lists that reveals whether or not a client or customer is subject to any regulations. You should do an OFAC check as part of your on-boarding or acquisition process. This helps you avoid OFAC violations as you form new business relationships.
It’s also wise to run OFAC checks on the connections your business partners work with. This ensures that every stage of your business operation is free of potential OFAC violations.
The easiest way to do an OFAC check is to use an OFAC search tool. An OFAC search will show you if a person is on any of the OFAC restricted lists, and which list the person is on. And, the search will tell you why the person is on that list.
Additionally, the OFAC search checks other restricted lists, as well. OFAC searches check FBI, European, Asian, Australian, financial watch lists, and several other databases to ensure that you’re following both U.S. laws and foreign laws.
OFAC searches usually cost about $2.00 apiece. Considering the cost of OFAC violation fines, the cost of an OFAC search is more than worth it.
To run an OFAC search, simply search for a person using their first and last name. You can include other information such as birth date and state. But, you’ll get the best results if you search by name only.
That’s it. The search will give you information about the person, which lists they are on, and why they are on those lists.
If you’re really concerned about someone, consider hiring an investigator to do a background and criminal records check. It’s more expensive. But, it’s much more thorough and will turn up hard-to-find information that may be important.
What to Do Now
If you don’t have an OFAC compliance program in place, now is the time to create one. Working without an OFAC compliance program could cost you a lot of money in the long run. In fact, it will likely cost much more than the cost of adding OFAC searches to your on-boarding and acquisition processes.
If you need OFAC searches or background and criminal checks, hop over to the new Searchbug site and learn about our OFAC compliance tools.