How To Assess OFAC Compliance Obligations
Thursday, October 26, 2023

For entities and individuals that are subject to the Office of Foreign Assets Control’s (OFAC) oversight, compliance with OFAC’s sanctions programs needs to be a priority in 2023. OFAC enforcement actions for apparent violations can lead to substantial civil monetary penalties (CMP); and, when sanctions program violations threaten national security or compromise federal foreign policy objectives, they can carry additional civil penalties—and potentially criminal penalties as well.

So, what does it take to effectively manage OFAC sanctions program compliance in 2023? There are several steps involved, starting with gaining a clear understanding of an entity’s or individual’s compliance obligations. This isn’t necessarily a straightforward process. While OFAC’s enforcement authority is extremely broad, different prohibitions and restrictions apply in different circumstances, and different entities and individuals may need to take different steps to adequately address OFAC sanctions program compliance.

Although OFAC expects all entities and individuals to dutifully address their compliance obligations, it does not provide significant guidance for developing an effective sanctions compliance program (SCP). While resources such as A Framework for OFAC Compliance Commitments and OFAC’s Risk Matrix provide some insights, the Office of Foreign Assets Control makes clear that it is up to entities and individuals to independently assess their specific SCP needs. 

5 Key Questions for Assessing OFAC Sanctions Program Compliance Obligations in 2023 

With this in mind, here are five key questions for assessing entities’ and individuals’ OFAC sanctions program compliance obligations in 2023: 

1. Is the Entity or Individual Subject to OFAC’s Oversight Authority? 

The first question is whether an entity or individual is subject to OFAC’s oversight authority. In most cases, the answer is a clear “Yes.” As OFAC explains in its online FAQs:

“U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent resident aliens regardless of where they are located, all persons and entities within the United States, all U.S. incorporated entities and their foreign branches. In the cases of certain programs, foreign subsidiaries owned or controlled by U.S. companies also must comply. Certain programs also require foreign persons in possession of U.S.-origin goods to comply.”

In short, if an entity or individual engages in cross-border transactions either from within or outside of the United States, then the entity or individual will generally need to address OFAC compliance. While not all cross-border transactions have OFAC compliance implications, the risk of running up against a statutory or regulatory prohibition is enough to merit caution. This is due to the breadth of OFAC’s sanctions programs, which we discuss in greater detail below. 

To get an idea of the scope of OFAC’s authority, we can take a look at the definition of a “financial institution” under the Bank Secrecy Act (BSA). OFAC enforces the BSA (along with several other federal agencies); and, while the BSA and OFAC’s sanctions programs don’t necessarily overlap, “financial institutions” that are subject to the BSA will generally need to address other aspects of OFAC compliance as well. Under the BSA, “financial institutions” include (but are not limited to): 

  • Automobile, airplane, and boat dealers
  • Casinos and other gambling establishments 
  • Commercial banks (including, but not limited to, FDIC-insured banks)
  • Credit card system operators
  • Credit unions and trust companies 
  • Currency exchanges 
  • Insurance companies 
  • Investment bankers and investment companies
  • Issuers, redeemers, and cashers of traveler’s checks, money orders, and “similar instruments” 
  • Licensed money transmission businesses
  • Loan and financing companies
  • Pawnbrokers 
  • Precious metals, stones, and jewels dealers 
  • Private bankers 
  • Securities and commodities brokers and dealers 
  • Telegraph companies 
  • Thrift institutions
  • Travel agencies 
  • U.S. agencies and branches of foreign banks
  • Other businesses and agencies designated by the U.S. Treasury Department

Again, these are just examples of the types of entities and individuals that are subject to OFAC’s oversight. OFAC’s enforcement authority extends far beyond this list, and numerous other types of entities and individuals may need to implement an OFAC sanctions compliance program. 

2. Does a List-Based Sanction or Secondary Sanction Apply? 

Once it is determined that an entity or individual is subject to OFAC’s oversight generally, then the next question is: Do any of OFAC’s sanctions programs apply? 

Keep in mind, this is not the exclusive consideration for assessing an entity’s or individual’s OFAC compliance obligations. As noted above, OFAC enforces the BSA (and various other federal statutes) irrespective of the applicability of any of the agency’s sanctions programs. Thus, “financial institutions” and other entities may need to address OFAC compliance more broadly; but, for purposes of this article, we are focusing specifically on the need to develop and implement an SCP. 

OFAC’s sanctions programs fall into four broad categories. The first of these categories is OFAC’s list-based sanctions. OFAC maintains several lists of entities and individuals that have been identified as risks to U.S. national security or foreign policy for various reasons. The most well-known of these lists is the Specially Designated Nationals (SDN) List; and, as OFAC notes, “[SDNs’] assets are blocked and U.S. persons are generally prohibited from dealing with them.” 

The second category of OFAC sanctions is secondary sanctions. These are sanctions that apply to entities and individuals that are affiliated—either directly or indirectly—with SDNs. As OFAC’s secondary sanctions program is relatively new, relatively few secondary sanctions have been imposed. Nonetheless, the risk of inadvertently doing business with an entity or individual that is subject to secondary sanctions still requires careful consideration when developing an SCP. 

3. Does a Country-Based Sanction Apply? 

The third category of OFAC sanctions is country-based sanctions. These sanctions prohibit or restrict transactions involving entities in sanctioned countries—regardless of whether the counterparties in these countries have been designated as SDNs. Currently, OFAC’s country-based sanctions apply to: 

  • Afghanistan
  • Belarus 
  • Burma
  • China
  • Cuba
  • Ethiopia 
  • Hong Kong
  • Iran
  • Nicaragua 
  • North Korea 
  • Russia 
  • Somalia
  • Sudan, Darfur, and South Sudan 
  • Syria 
  • Ukraine 
  • Venezuela  

Similar to OFAC’s list-based sanctions and secondary sanctions, its country-based sanctions change over time. As a result, developing an SCP is not a one-time event, but rather an ongoing process that requires periodic re-evaluation of entities’ and individuals’ compliance program needs. 

4. Does a Sectoral Sanction Apply? 

The fourth category of OFAC sanctions is sectoral sanctions. These are sanctions that apply to specific industry sectors in specific foreign nations. While the Office of Foreign Assets Control (OFAC) maintains a list of sectoral sanctions, this list is dense and can be difficult to interpret, so it is important that entities and individuals work with experienced OFAC compliance counsel to determine whether any sectoral sanctions apply to their transactions. 

5. Does the Entity or Individual Have an Effective OFAC Compliance Program? 

Of course, the ultimate key to OFAC compliance is implementing an effective Sanctions Compliance Program. An effective Sanctions Compliance Program will allow for systematic identification of transactions that implicate one or more of OFAC’s sanctions programs. Upon determining that a transaction implicates a sanctions program, the Sanctions Compliance Program should then provide guidance regarding appropriate next steps—whether this involves blocking or rejecting the transaction, utilizing a general license, or submitting a specific license application to OFAC. 

Other key elements of effective compliance programs include (but are not limited to): 

Custom-Tailored OFAC Compliance Policies and Procedures 

When it comes to OFAC compliance, a custom-tailored approach is one of the essential components. Different entities and individuals will have different compliance obligations for OFAC regulations, and they will need to address their compliance obligations differently. OFAC expects all entities and individuals to implement policies and procedures that are suited to their specific risks and needs—and being able to demonstrate a custom-tailored approach to compliance can be critical when facing an OFAC investigation. 

Training, Software, and Other Means of Implementation 

Sanctions compliance program implementation is critical as well. An SCP is useless if it isn’t used to effectively address OFAC compliance risks in all aspects of an entity’s or individual’s operations. Training and sanctions screening software are two common means of implementation, although these will often be insufficient on their own. 

Testing and Auditing Procedures

Periodic testing and auditing are critical to effective OFAC compliance management as well. Entities and individuals need to know whether their SCPs are working as intended; and, if they aren’t, they must be able to address any issues before they trigger OFAC scrutiny. 

Enforcement Protocols 

OFAC expects entities to internally enforce SCP compliance. Depending on the circumstances, enforcement measures may range from reprimands and re-training to termination of employment. Here, too, a custom-tailored approach is key, and entities must make informed decisions based on the circumstances of each individual incident. 

Incident Response Protocols 

Internal compliance failures may trigger the need for an external response as well. For example, in many cases, voluntary self-disclosure to OFAC will be required. If an entity or individual does not voluntarily self-disclose a violation to OFAC when it is required to do so, this can enhance the penalties that are on the table.
