OFAC's New Economic Sanctions Enforcement Guidelines

CLICK ON EACH FILE IN THE LEFT HAND COLUMN TO SEE INDIVIDUAL PRESENTATIONS.

If no column is present: click Bookmarks or Pages on the left side of the window.

If no icons are present: Click View, select Navigational Panels, and chose either Bookmarks or Pages.

If you need assistance or to register for the audio portion, please call Strafford customer service at 800-926-7926 ext. 10

OFAC's New Economic Sanctions Enforcement Guidelines

Compliance Strategies to Withstand Tougher Foreign Asset Control Oversight

presents

Today's panel features:

Ronald I. Meltzer, Partner, WilmerHale, Washington, D.C.

Greta Lichtenbaum, Partner, O'Melveny & Myers, Washington, D.C.

Edward L. Rubinoff, Partner, Akin Gump Strauss Hauer & Feld, Washington, D.C.

Thursday, June 11, 2009

The conference begins at:1 pm Eastern12 pm Central

11 am Mountain10 am Pacific

The audio portion of this conference will be accessible by telephone only. Please refer to the dial in instructions emailed to registrants to access the audio portion of the conference.

A Live 90-Minute Audio Conference with Interactive Q&A

OFAC Sanctions and New Enforcement Guidelines

Ronald I. Meltzer June 11, 2009

WilmerHale 1

Background

OFAC: US Treasury Department office responsible for administering/enforcing US economic sanctions against certain designated countries, entities and persons Broad statutory authority based on national security/foreign

policy

Unilateral and multilateral sanctions

Significant administrative/interpretative discretion

Wide variation in sanctions programs/regulations

Focused agency mandate and lack of transparency in major

respects

WilmerHale 2

Types of Sanctions Country-based programs

– comprehensive embargoes (e.g., Cuba, Iran and Sudan)

– limited sets of sanctions (e.g., Burma, North Korea and Syria)

List-based programs– terrorism, narcotics trafficking, WMD proliferation,

regional destabilization, discredited regimes SDNs: specially-designated nationals & blocked

persons (http://www.treas.gov/ofac/t11sdn.pdf) Increased use of list-based programs to target

sanctions and avoid collateral effects

WilmerHale 3

OFAC JurisdictionOFAC sanctions regulations apply to US persons: All US citizens and permanent residents anywhere in

the world Companies organized in the United States Foreign branches of US companies. Any person, entity or property located in the United

States Cuba and North Korea: any entity owned or controlled

by US persons (i.e., foreign subsidiaries of US companies)

Iran and Sudan: non-US persons in reexport transactions involving certain items controlled under the EAR

WilmerHale 4

Scope of Prohibitions Prohibited transactions can extend to all types of

commercial/financial dealings (direct and indirect) with designated countries, entities and persons

– exports, imports, services, financing, investments, payments, dealings in property and travel (Cuba)

– facilitation and approval

Certain exempted, generally-authorized and specifically-licensed transactions

Blocking requirements for SDNs and certain country-based programs

WilmerHale 5

Penalties

October 2007 IEEPA Enhancement Act: steep increase in possible civil and criminal penalties

– civil penalties of up to $250K per violation, or twice the value of transaction at issue

– criminal penalties of up to $1MM per violation and/or 20 years imprisonment

Increased penalty levels impact compliance strategies and management of OFAC issues

WilmerHale 6

Economic Sanctions Enforcement Guidelines

New guidelines effective as of September 8, 2008

Supersede 2003 and 2006 enforcement guidance, including OFAC’s Interim Final Rule for Banks

Excludes pending enforcement cases (between October 2007 and September 8,2008) and certain violations under the CACR

Prompted by implementation of new penalty levels

WilmerHale 7

Enforcement Guidelines: Overview

Three main components:

Enforcement responses available to OFAC

General Factors for determining appropriate enforcement response

New framework for determining civil penalty amounts

WilmerHale 8

OFAC Enforcement Responses

Types of Outcomes

No Action

Request for Additional Information (e.g., 602 Letter)

Cautionary Letter (new OFAC option)

Finding of Violation (new OFAC option)

Civil Monetary Penalty

Criminal Referral

Other Administration Actions (e.g., cease and desist orders, license denial, suspension)

WilmerHale 9

New OFAC Enforcement Responses

Cautionary Letter Finding of a violation is not warranted or

substantiated by sufficient information, but underlying conduct could lead to violation in other circumstances

Not a final agency action; puts recipient on notice

Finding of Violation OFAC determines that violation occurred, but

monetary penalty not appropriate

Final enforcement response; recipient can respond

WilmerHale 10

General Factors

Eleven general factors in determining appropriate enforcement response

Replaces former mitigating and aggravating factors

No reference to OFAC risk assessments or risk-based approach to compliance (key focus of 2006 Interim Final Rule for Banks)

OFAC: final version of new guidelines will endorse risk-based approach

WilmerHale 11

General Factors (cont.)

1. Willful or reckless violation of law (willful misconduct or deliberate intent to violate, and any concealment, pattern of misconduct, prior notice of violation, and management involvement)

2. Awareness of conduct at issue (actual knowledge or “reason to know” about violation and management involvement)

WilmerHale 12


3. Harm to sanctions program objectives, e.g., benefit of violation to target country, entity or individual, implication for US policy, eligibility for a license, support for humanitarian action

4. Characteristics of subject person: commercial sophistication, size and financial condition, volume of transactions, and history of violations

WilmerHale 13


5. Existence and nature of subject person’s compliance program

6. Remedial responses to apparent violation

7. Nature and extent of cooperation with OFAC

8. Timing of the apparent violation in relation to the imposition of sanctions

9. Other enforcement action taken by federal, state or local agencies for same/similar violation

WilmerHale 14


10. Deterrence effect of response against the subject person and others in same industry

11. Other relevant factors determined on a case-by-case basis

WilmerHale 15

Civil Penalties Prior to imposing penalty, OFAC will issue a

pre-penalty notice

- Describes alleged violation, relevant General Factors, proposed penalty and maximum penalty

- Subject person will have opportunity to respond prior to issuance of final notice

Settlements still available, but negotiated in accordance with new guidelines

Penalties based on:

1. Transaction Value

2. Egregious or non-egregious nature of violation

3. Whether violation was voluntarily self-disclosed

WilmerHale 16

Civil Penalties (cont.)

Egregious cases

Most serious violations, based on General Factors, with focus on willfulness or recklessness, awareness of conduct, harm to sanctions program objectives, and individual characteristics of violator

Non-egregious cases

Most cases will involve non-egregious violations

WilmerHale 17


Voluntary Self Disclosure

Subject person self-initiates disclosure of apparent violation before discovery by OFAC or other government (federal, state or local) agency/official

Earns 50 percent reduction in otherwise applicable base penalty amount

WilmerHale 18


Statutory Cap $250K/violation

Applicable schedule amount (seven categories from $1K to $250K based on transaction value)

No VSD

½ of Statutory Cap$125K/violation

½ of transaction value(capped at $125K/violation)

VSD

EgregiousNon-Egregious

Base Penalty Amounts

WilmerHale 19


Base penalty amount may be adjusted based on evaluation of General Factors

Substantial cooperation with OFAC results in 25-40 percent reduction of base penalty

First violation generally results in reduction of up to 25 percent of base penalty

WilmerHale 20


Additional penalties

Failure to furnish requested information:

– Up to $20K for transactions ≤ $500K

– Up to $50K for transactions > $500K

Penalties for late filings of up to $2,500

Failure to maintain required records

– Up to $5K for first failure to maintain required records

– Up to $10K for each additional violation

WilmerHale 21

Key Questions/Issues

Will OFAC change it approach to risk-based compliance?

Are VSDs effectively ruled out for many regulated industries, including financial services?

Does reliance on transaction value distort outcomes and disadvantage certain industries?

Do new guidelines ignore key compliance issues?– Repeat errors– “Grace period” following M&A transactions

New OFAC Enforcement Guidelines:Penalty Process and Industry Reaction

Greta L.H. Lichtenbaum

2

Civil Penalties Process Prior to imposing penalty, OFAC will issue a pre-penalty notice

- Describes alleged violation, relevant General Factors, proposed penalty and maximum penalty

- Subject person will have opportunity to respond prior to issuance of final notice

Settlements still available, but negotiated in accordance with new guidelines

Penalties based on:

1. Transaction Value

2. Egregious or non-egregious nature of violation

3. Whether violation was voluntarily self-disclosed

3

Civil Penalties – 2 Categories

• Egregious cases

– Most serious violations, based on General Factors, with focus on willfulness or recklessness, awareness of conduct, harm to sanctions program objectives, and individual characteristics of violator

• Non-egregious cases

– Most cases will involve non-egregious violations

4

Civil Penalties – Voluntary Self Disclosure

• Voluntary Self Disclosure Narrowly Defined

– Only VSD if:

• subject person self-initiates disclosure of apparent violation before discovery by OFAC or other gov’t agency and

• No other party is REQUIRED to disclose same or similar violation

– Earns 50 percent reduction in otherwise applicable base penalty amount

5

Calculation of Civil Penalties

Statutory Cap $250K/violation

Applicable schedule amount (seven categories from $1K to $250K based on transaction value)

No VSD

½ of Statutory Cap$125K/violation

½ of transaction value(capped at $125K/violation)

VSD

EgregiousNon-Egregious

Base Penalty Amounts

6


• Base penalty amount may be adjusted based on evaluation of General Factors

• Substantial cooperation with OFAC results in 25-40 percent reduction of base penalty

• First violation typically results in reduction of up to 25 percent of base penalty

7


• Additional penalties

– Failure to furnish requested information:

• Up to $20K for transactions ≤ $500K

• Up to $50K for transactions > $500K

– Penalties for late filings of up to $2,500

– Failure to maintain required records

• Up to $5K for first failure to maintain required records

• Up to $10K for each additional violation

8

Industry Reaction – 11/07/08 Comments

• Primarily financial institutions commented• They urge OFAC to retain prior practice of

having an industry approach for financial institutions

• Comments reflect confusion about whether OFAC still maintains a “risk-based” approach

9

Industry Reaction -- VSD Definition

• Wide-spread concern re: narrow VSD definition• focus on language: no VSD if “a third party is

required to notify OFAC of the apparent violation or substantially similar apparent violation because a transaction was blocked or rejected by that third party (regardless of whether or when OFAC actually receives such notice from the third party and regardless of whether the Subject Person was aware of the third party’s disclosure.)”

• Also concern that voluntary disclosure credit is inadequate in egregious cases – starting from such a high penalty amount, such that 50% mitigation doesn’t do enough

10

Industry Reaction

• Wide-spread concern about tying the General Factor of “cooperation with OFAC” to an agreement to waive the statute of limitations

• ABA concern about whether guidelines undermine of attorney client privilege when companies required to submit “all relevant information”

11

Industry Reaction

• Many proposals for amendments or supplements to General Factors– OFAC should recognize the “rogue employee”

scenario– Make clear that careful, good faith – yet erroneous

-- legal analysis will never be viewed as reckless or willful conduct

– When assessing whether there is a “history of violations,” OFAC should take into account if those violations were caused by clerical errors

12

Some Questions/Issues

– What will OFAC do in response to concerns about VSDs, since narrow definition may rule out VSDsin many cases, particularly if a U.S. financial institution involved?

– Not raised in Comments, but -- does reliance on transaction value distort outcomes and disadvantage certain industries and situations?

– Are new guidelines equitable for those with particular compliance challenges?

• Repeat errors• “Grace period” following M&A transactions

OFAC’s New Economic Sanctions Enforcement Guidelines: Impact on Internal Compliance Programs

Edward L. RubinoffAkin Gump Strauss Hauer & Feld, LLP

June 11, 2009

2

What Is An Internal Compliance Program (“ICP”)

An ICP is a set of formalized policies and procedures developed to detect and prevent company violations of economic sanctions or export laws.

An effective ICP is like an insurance policy An ICP is NOT an affirmative defense under the U.S. economic

sanctions laws, however an effective ICP should: Prevent inadvertent violations that could lead to enforcement

actions by the OFAC; Obtain mitigation of penalties in the event of an enforcement

action; and Demonstrate corporate responsibility to potential and existing

business partners.

3

Is An Internal Compliance Program Required?

No Legal Requirement But Significant Legal Benefits ICPs are not generally required by any of the primary statutes or

regulations governing U.S. sanctions laws. However, failure to develop an ICP can lead to severe

consequences under the new OFAC Economic Sanctions Enforcement Guidelines (the “New Guidelines”).

OFAC’s Economic Sanctions Enforcement Guidelines The existence and effectiveness of a compliance program is one

of the General Factors that OFAC will consider in determining anappropriate response to a violation, and if a civil penalty is warranted, in establishing the amount of that penalty. 73 Fed. Reg. 51933 (September 8, 2008).

4

General Principles In Creating And Implementing An ICP

OFAC does not suggest policies or procedures that should be included in an ICP. Therefore, companies have freedom to developICPs tailored to meet their needs and address their risks.

General ICP Principles ICP Should Reflect the Company’s OFAC Risk Exposure OFAC’s 2006 Economic Sanctions Enforcement Procedures for

Banking Institutions (the “2006 Enforcement Procedures”) 71 Fed.Reg. 1971 (January 12, 2006) encouraged banks to rate their products, services, customers and geographic reach as low, medium or high risk and then to develop compliance polices and procedures based on their risk profile. OFAC stated that in determining whether or not to impose a civil

monetary penalty for a violation, it “will consider information … concerning the [banking] institution’s compliance program and the adequacy of that program based on its OFAC risk profile.” OFAC indicated that this risk-based compliance approach would

be extended to other business sectors, and it subsequently issued similar guidance for charities and the securities industry.

5

General Principles In Creating And Implementing An ICP

Custom-Fit the ICP to Your Company The elements on an ICP must be designed to operate within the

structure, culture and resources of the company in order to be effective.

Maintain a Flexible, Evolving ICP A company must maintain a dynamic approach to its ICP and

remain alert to OFAC changes in order for a program to retain its effectiveness.

Keep the ICP Manageable In most contexts, this requires a centralized system of detailed

review of transactions screened or “red flagged” by lower-level employees.

Ensure Upper Management Support For the ICP The most customized, dynamic and manageable ICP will not

succeed if the corporate hierarchy is not committed to ensuring OFAC compliance.

6

Key Elements Of An Effective ICP

While various businesses have different risk areas, as a general rule, ICPs should contain a variant of each of the elements listed below: Corporate Policy/Management Commitment

An ICP should include a corporate policy statement regarding thecompany’s approach and commitment to compliance with sanctions laws. The ICP should be adopted and issued by management. ICP Infrastructure and Delegation Authority

The presence of a centralized administrator of an ICP is a crucial element in making an ICP manageable. The benefits of a centralized compliance decision making include: Identifiable Resource Coordination and Consistency Efficient OFAC Monitoring Institutional Knowledge

7


Education and TrainingIn order to ensure effective personnel participation in an ICP, an ICP should, at a minimum, address: The scope of the education and training program; Frequency of training; and Training methods.

Due Diligence in Forming Counterparty Relationships (Screening of Counterparties and Transactions, Background Checks as Appropriate)The most important tool in avoiding OFAC violations is the proper screening of customers, business partners and other counterparties and transactions. The ICP must also set out whento conduct counterparty and contract screening.

8


Internal AuditsInternal audits serve as important tools for maintaining a dynamic ICP, and each ICP should provide for periodic auditing of the ICP and the company’s adherence to its conditions.

Recordkeeping OFAC programs generally require the retention of all records relating to a transaction covered by OFAC regulations for five years. At a minimum, an ICP should require the OFAC compliance officer or office to archive business records relating to transactions concluded under a specific or general OFAC license, as well as transactions relating to “red-flagged” transactions.

Notification and ReportingThe ICP should provide procedures to deal with violations once they are discovered. The ICP should provide guidelines for confidential reporting of violations internally. The ICP should also provide guidelines regarding reporting of violations to OFAC and gathering mitigating evidence for the potential OFAC investigation.

9

Risk-Based Compliance ICPs and the New Guidelines

The New Guidelines explicitly superseded the 2006 Enforcement Procedures and made no reference to risk assessment and corresponding risk-based compliance programs. Therefore, commenters expressed concern over what they perceived as OFAC’s move away from previously established policy and uncertainty regarding what OFAC now deems to be the correct approach to compliance.

In determining what sort of enforcement action to take under the New Guidelines, OFAC continues to look at a company’s individual characteristics, including its commercial sophistication, size and financial condition, volume of transactions, history of violation and compliance program.

OFAC has not removed the risk matrices posted on its website in sections providing industry-specific compliance guidance for charities and financial institutions.

10

Risk-Based Compliance ICPs and the New Guidelines

On November 6, 2008, OFAC published on-line guidance (arguably not enforcement procedures) for the securities industry in which the agency encouraged companies to develop proactive, risk-based compliance programs. The agency also stated that “the cornerstone of an effective OFAC

compliance program is an assessment of the risks presented by a firm’s customer base, specific products/services, and the geographic locations in which it conducts business.”

These indicators imply that OFAC retains a risk-based, industry specific approach to compliance under the New Guidelines. Indeed, in public forums it has stated that it has not abandoned risk-based compliance principles.

Nevertheless, the New Guidelines have created confusion, uncertainty and concern, so OFAC should formally issue a clarification.

11

Evaluating ICPs Against the New Guidelines

According to the New Guidelines, when OFAC deems the imposition of a civil penalty to be appropriate, the agency will calculate the proposed penalty based on two factors: voluntary self-disclosure and classification of the violation as egregious or non-egregious.

Effective risk-based compliance programs are the best way to encourage voluntary self disclosure and avoid conduct that could be classified as egregious.

Classification of a violation as egregious or non-egregious depends on analysis of the first four General Factors: Willful or Reckless Violation; Awareness of Conduct; Harm to Sanctions Program Objectives; and The Individual Characteristics of the Subject Person

However, OFAC’s analysis will place greater weight on whether the violation was willful or reckless and whether the Subject Person was aware or should have been aware of the conduct at issue in making this decision.

12


Address elements of the first two General Factors (Willfulness and Awareness/Reason to Know) in the ICP by ensuring: Effective and consistent oversight by management Increased auditing and testing of compliance controls Additional training Encouraging a culture of compliance

Voluntary Self-Disclosures The ICP should take into account that voluntary self-disclosure is

a significant mitigating factor (generally at least 50% deduction). Note that failure to report an ongoing transaction that violatesOFAC restrictions may lead to the conclusion that the violation was “willful”. The ICP should provide specific guidance regarding the necessity

for immediate remedial action in response to a violation and when and how a violation is reported to OFAC.

13


In cases of egregious violations, the base amount of the civil penalty potentially can be astronomical. Even in non-egregious cases, the use of transaction value as the base penalty can produce large fines. Accordingly, ICPs should ensure that adequate compliance

procedures are applied to high-value and high-volume transactions that might involve sanctions targets.

14


In summary, for companies that already have an effective ICP, the New Guidelines do not necessarily suggest a change in approach. One of the primary objectives of an ICP is to prevent inadvertent violations that could lead to enforcement actions by the OFAC, and that continues to be the case. However, the New Guidelines have implications for encouraging ICPs and they highlight factors that companies ought to pay particular attention to when establishing or reviewing compliance programs in order to minimize OFAC’s response to apparent violations.

15

Edward L. RubinoffAkin Gump Strauss Hauer & Feld, LLP1333 New Hampshire Ave. N.W. Washington, DC 20036Tel: (202) 887-4026Fax: (202) [email protected]

Documents

OFAC's New Economic Sanctions Enforcement Guidelines