A recent OFAC enforcement action against MidFirst Bank highlights the five essential components of an effective sanctions compliance program that will serve to mitigate exposure in the event of a violation:
- Senior management commitment to developing a culture of compliance
- Thorough and routine risk assessment
- Defined internal controls and recordkeeping
- Comprehensive testing and auditing of transactions
- Periodic training for company personnel
On July 21, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued a Finding of Violation (“FOV”) to MidFirst Bank for violations of the Weapons of Mass Destruction Proliferators Sanctions Regulations. OFAC’s decision to issue an FOV to MidFirst, in place of steep civil penalties that are typical of OFAC enforcement, was based on a variety of mitigating factors that OFAC has vowed to consider in imposing penalties for U.S. sanctions violations. Among these factors, a risk-based sanctions compliance program consisting of both preventative as well as remedial measures in the event of a violation is imperative for companies engaged in international business to avoid large fines.
The FOV issued to MidFirst was the result of 34 transfers facilitated by the Oklahoma-based bank on behalf of two individuals newly sanctioned pursuant to Executive Order 13382.1 Like most sanctions programs, the executive order, which initially blocked the assets of eight specified entities, authorizes OFAC to designate other proliferators and supporters to the SDN list at any time. Pursuant to this authority, OFAC designated two existing account holders at the bank. Despite MidFirst’s two-pronged sanctions compliance program, which consisted of both outsourced and internal screenings of transactions, the bank failed to detect the change until 14 days after the designation. In that time, the bank facilitated five transactions totaling over $610,000 on behalf of the newly designated SDNs, in violation of U.S. sanctions.
The violations resulted from MidFirst’s misunderstanding of the frequency of existing-customer screenings under its sanctions compliance program. Instead of screening existing customers daily, the program screened existing customers only once every 30 days, which proved insufficient given OFAC’s now daily updates to over 30 country-specific sanctions programs. Despite the violation, OFAC cited the bank’s immediate efforts to remediate the insufficiencies, which included increasing the frequency and quality of screenings as well as cooperating with OFAC, to justify its decision not to impose a civil penalty.
In its response to MidFirst, OFAC requests that companies review its Framework for OFAC Compliance Commitments, which lists the primary features of an effective sanctions compliance program as well as certain red flags that often lead to compliance breakdowns. A formal sanctions compliance program, though not required, is highly recommended and will serve to mitigate potential liability in the event of a violation.
When it comes to compliance programs, one size does not fit all. Instead, the adequacy of a program will turn on a variety of factors, including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations. Despite these variations, OFAC has identified five essential components of any compliance program: management commitment, risk assessment, internal controls, testing and auditing, and training.
OFAC notes that a top-down commitment to compliance is vital to allocate the necessary resources to implement a robust sanctions compliance program. Risk assessments and testing should occur at regular intervals, include a thorough review of clients, products, services, and geographic locations, and allow for opportunities to adjust and tailor a company’s approach. Finally, internal controls should provide trained staff with streamlined policies and procedures that inform responses to potential prohibited activity.
OFAC’s response to MidFirst Bank’s violation is an instructive development in its assessment of compliance measures, and an encouraging result for companies similarly working to comply with OFAC’s guidelines. In addition, the Framework affords companies clear guidelines and an opportunity to customize sanctions compliance programs that fit the needs of their organizations. Such a strategy best positions companies to face a mitigated response should an OFAC violation occur despite best efforts to comply.
1. Executive Order 13382 blocks the property of persons engaged in proliferation activities and their support networks. The program initially applied to eight organizations in North Korea, Iran, and Syria. Exec. Order No. 13382, 70 Fed. Reg. 38567 (Jun. 28, 2005).