OFAC Likely to Narrow Scope of Criticized Reporting Requirements, Former OFAC Officer Says
The Office of Foreign Assets Control likely did not understand the industry burdens imposed by the update to its reporting, procedures and penalties regulations (see 1906200036) and will probably narrow their scope, said Jason Rhoades, a KPMG sanctions lawyer and former OFAC compliance officer. The regulations, which were updated last year, expanded the scope of transactions that must be reported to OFAC, including for non-financial institutions. The update was met with widespread criticism from industry, which called them confusing, unclear and overly burdensome (see 1907290015 and 1907230054). OFAC issued a set of frequently asked questions in February to try to clarify the new requirements (see 2002200057).
Even with the FAQs, companies have struggled to determine which transactions they must report under the regulations, Rhoades said during a June 25 KPMG webinar. Part of the issue is a lack of clarity surrounding the definition for “rejected transactions,” and Rhoades said some companies may be unsure whether an activity qualifies as a transaction they must report. He added that industry won’t receive more clarity until OFAC issues more guidance, although he said OFAC has issued “some informal guidance” to companies who have asked.
“My personal understanding is that perhaps OFAC might not have understood fully the breadth of what they were proposing and the issues that it might offer,” Rhoades said. “I believe that internal discussions are ongoing within OFAC as to how broadly to interpret this requirement.” OFAC declined to comment.
OFAC will likely clarify the scope of the regulations to only cover transactions that involve “some sort of official solicitation or attempt to execute a trade transaction,” Rhoades said. Examples include an “official order” being placed, or being “sent a check from someone who was in Iran that you need to turn away,” he said. “I think that's probably where they're going to come down.”
But Rhoades also called the reporting requirements “a fluid situation” and cautioned companies about applying their own interpretations of the regulations. “You can never say anything for certain until OFAC comes out and gives its guidance,” he said. “Until they provide that guidance, you technically take a risk in putting your own definition to it.”
Rhoades also discussed common mistakes in compliance programs, saying one of the most important aspects of avoiding violations is ensuring compliance training is enforced. “I've definitely seen that to be an issue,” he said. “If [a company's] training is not mandatory, or they’re not following up and making sure that people are taking mandatory training, then it loses a lot of its effectiveness.”
He also said OFAC specifically looks for how strongly a company’s senior management embraces compliance. Management should delegate compliance authority to employees “who are charged with implementing controls” but also keep themselves aware of compliance issues and require that they be notified when there are problems.
“When I was a compliance officer in OFAC, in most of the problems that we saw come up, it started off with a lack of understanding or lack of care in the management function of the company,” Rhoades said. “You want to have senior management … really give the resources that are needed and to guide those underneath them to make sure that compliance is carried out.”
Another common issue that leads to violations is a lack of a formal compliance program, Donald Hok, a KPMG trade lawyer and former CBP lawyer, said during the webinar. Some businesses think that formal programs are only needed for large, multinational companies and that compliance can be addressed as issues arise rather than proactively, Hok said. “This is an issue that we often see,” Hok said. “It's generally attributed to a lack of awareness in the company that a compliance program is even needed.”