On March 27, 2019, the Office of Foreign Assets Control (OFAC) announced a settlement agreement with US-based Stanley Black & Decker, Inc. (Stanley Black & Decker) and its foreign subsidiary, Jiangsu Guoqiang Tools Co., Ltd. (GQ), in which Stanley Black & Decker agreed to pay $1,869,144 on behalf of GQ for the subsidiary’s unauthorized export of various tools and related parts to Iran. OFAC published a public version of the settlement agreement.
The enforcement action and ensuing settlement agreement are particularly notable for two reasons. First, in the settlement agreement, OFAC has provided significant guidance on what it appears to consider to be best practices in maintaining a risk-based sanctions compliance program.1 Although it was unusual for OFAC to communicate that guidance in a settlement agreement, we expect that OFAC’s compliance and enforcement guidance will increasingly take that form. Second, the action hints at the trends that OFAC enforcement actions may follow in 2019.
New Guidance on Compliance
The settlement agreement describes in relative detail OFAC’s expectations for an effective compliance program. While these expectations are cast as specific undertakings by GQ—in the form of GQ’s “compliance commitments”—they effectively set out the elements of compliance that OFAC would expect of companies subject to its jurisdiction. These elements have been identified by OFAC before, through publications and other public outreach, but this settlement agreement effectively crystallizes OFAC’s expectations for sanctions compliance in an integrated, organized fashion. Notably, the latest guidance flows from and is an important complement to OFAC’s enforcement guidelines issued nearly a decade ago,2 and, like the latter, aims to create a more transparent and predictable standard for compliance for a regulated community that consistently seeks greater certainty from the agency about its expectations for compliance.
OFAC identified five overarching elements that are the pillars of an effective compliance program, though companies will likely vary in how they implement these expectations under the risk-based approach to sanctions compliance:3
i. Management Commitment – The company’s senior management should demonstrate and communicate its commitment to compliance. Ways to demonstrate such commitment include ensuring that compliance units are delegated sufficient authority, autonomy and resources, and promoting a “culture of compliance” throughout the organization.
ii. Risk Assessment – The compliance program should be tailored to the level of sanctions-specific risk posed, based on the company’s activities, products and services, and customers, among other factors. The risk assessment should be conducted “in a manner, and with a frequency, that adequately accounts for potential risks,”4 and it should be based on a methodology for identifying, analyzing and addressing such risks.
iii. Internal Controls – Internal controls should be implemented to detect, escalate, report and record activities that are prohibited under US sanctions. OFAC has identified a range of specific elements or actions for ensuring that adequate controls are in place. These include implementing written sanctions compliance-related policies and procedures; maintaining clear and effective internal controls pertaining to the company’s ability to identify, interdict, escalate and report relevant transactions; enforcing the compliance policies and procedures; appointing personnel to integrate such policies and procedures; and conducting adequate recordkeeping.
iv. Testing and Audit – Periodic testing and audits should be conducted on specific elements of the compliance program and across the organization to identify and address any potential gaps. Specifically, the testing or audit function should, inter alia, be accountable to the board, be independent of the audited activities or functions, and have sufficient resources and authority within the organization. In addition, the risk assessment and sanctions program in general should be updated on a “periodic basis” to correct any potential weaknesses or deficiencies.
v. Training – Personnel and stakeholders should be provided sufficient and tailored sanctions-related training. This includes OFAC-related training with a scope and frequency that accounts for the company’s risk profile and activities; at a minimum, all relevant employees should receive training at least once a year.
The settlement agreement follows recent indications by Department of the Treasury officials that future settlement agreements will be similarly specific in setting out the compliance commitments that OFAC will seek from each apparent violator. In a December 2018 speech at the American Bar Association, Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker stated that “[t]o aid the compliance community in strengthening defenses against sanctions violations, OFAC will be outlining the hallmarks of an effective sanctions compliance program” in settlement agreements going forward.5
Companies should consider comparing their existing sanctions compliance program to the expectations set out in OFAC’s settlement agreement with Stanley Black & Decker/GQ, as OFAC will likely consider these the standard for “best practices” going forward. A company implementing these best practices would also benefit in any future enforcement action because OFAC considers the adequacy of a compliance program as a factor in determining whether to impose penalties and, if so, the amount of penalty to impose. Finally, companies should continue watching the OFAC enforcement space for further guidance from the agency.
OFAC’s enforcement action against Stanley Black & Decker/GQ is the third (of five) announced thus far in 2019 that penalizes a US parent company for the post-acquisition conduct of its foreign subsidiary involving Iran or Cuba.6 The action is also consistent with the general increase in the ratio of OFAC enforcement actions against non-financial institutions.7 We expect that these trends will continue in 2019, particularly in the context of the United States’ escalation of pressure on Iran and parties that transact with Iran.
US companies should therefore ensure that they periodically and adequately audit or verify the activities of their foreign subsidiaries, even where these subsidiaries commit to refraining from conduct prohibited under US sanctions.