This is part 3 of a five-part series with Tom Fox and the FCPA Compliance Report on navigating an increasingly complex sanctions landscape. The series will consider the current sanctions landscape, discuss how to build a sanctions compliance program, walk listeners through what happens when a sanctions breach or potential breach is discovered, consider new sanctions exposure, and conclude with a look in that veiled land of the future by considering issues on the horizon.
These situations often begin with a difficult proposition: an entity finds out about a sanctions violation or even a potential violation. What steps should they take to uncover what happened, and how should they report it to a regulator, if at all?
The first core lesson is the most crucial: don’t ignore it. Organizations must make a determination as to whether or not they assess there has been a breach, and then take appropriate steps to address it. In some cases, individuals may find they have violated sanctions and try to potentially cover it up, or perhaps management has not paid sufficient attention to a potential violation. This type of response almost always leads to additional interest and potential enforcement activity by enforcement agencies or regulators, including the Office of Foreign Assets Control (OFAC).
After an initial assessment of the issue, compliance professionals should prepare to escalate their assessment and any preliminary conclusions up the internal organizational chain, and also potentially to notify regulators. Internal and external counsel may need to be alerted in order to make a proper assessment of whether a breach or violation has occurred, as some sanctions laws can be confusing, broad, or unclear on what is or is not permissible.
The next step is to figure out exactly what happened. It is critical to conduct a robust internal investigation that is multi-fold. As an entity begins uncovering exactly what has and has not happened, it is critical to gather the facts to establish whether a legitimate violation has occurred. It will also be important to obtain an eventual determination by OFAC or other sanctions enforcement agencies as to whether a violation has occurred. Additionally, this will help decipher if this issue is a systemic violation as opposed to a one-off occurrence.
Once an entity has conducted an internal investigation, they must determine whether they will file a self-disclosure, known as a Voluntary Self-Disclosure (VSD). It is important to note that the OFAC process for VSDs creates an incentive structure for companies to self-report. The largest incentive is that entities receive a percentage off the base penalty for self-disclosure. Additionally, if a company self-reports, OFAC has flexibility in its final decision—including whether to make an enforcement action public.
Two additional considerations by OFAC concern remediation and cooperation. Remediation means an organization has corrected the problem after an investigation and root cause analysis (RCA).
These are the types of proactive steps OFAC and regulatory authorities are keen on seeing from entities, as it signals they are taking sanctions compliance seriously, and want to cooperate with regulatory authorities. OFAC will take these factors into consideration when establishing a civil monetary penalty and whether to engage in enforcement activity, up to and including the potential requirement for a monitor.
To listen to the next podcast in the series, please click here.
