A risk-based approach to managing employee fraud and malpractice
Regulatory & Investigations
This article looks at the results of our in-depth analysis of Office of Foreign Assets Control (OFAC) penalties for sanction violations and suggests some factors that companies should take account of when considering sanction-related risks. Our analysis examined over 80 OFAC sanction violation settlements made between 2009 and January 2021 to identify some of the key learning points for any company that is exposed to sanctions risk.
Financial penalties for sanctions breaches can be eye-wateringly high. In 2012, HSBC settled with US regulators a financial penalty of $1.9 billion. In 2014, BNP was fined $8.9 billion over sanctions breaches to which it pleaded guilty in US courts. Of that figure, approximately $1 billion related to the OFAC penalty.
The approach that OFAC takes to determining penalties for sanction violations is well documented. Organisations that are under investigation will know that there are incentives, through potential discounts on penalties that encourage cooperation with OFAC, for example, by voluntarily self-disclosure of a potential breach of sanctions.
Additionally, when OFAC makes a public announcement of civil penalties and enforcement action, any aggravating and mitigating factors that it took into account when setting the quantum of the penalty are set out in the notice. This information is a goldmine of insight into the factors which OFAC takes into consideration in determining the level of any financial penalty. As penalties in the hundreds of millions (USD) are not unusual, discounts through mitigating factors can be significant.
The total value of all the penalty notices that we examined was in excess of 5.6Bn USD since 2009. Our analysis showed that:
However, with regards to mitigating factors, we found that, in almost every case (94%), the introduction of stronger and more robust compliance measures was viewed favourably and credit was given to those organisations that already had a strong compliance program in place prior to the OFAC investigation.
In 81% of cases, the organisation got credit for being cooperative with OFAC. For example, for prompt and comprehensive responses to questions or requests for information, voluntary self-disclosure of a potential violation and the signing of tolling agreements to extend the period of an investigation where the statute of limitations would otherwise prevent the investigation concluding.
Over 90% of all cases involved organisations that had not received a similar penalty in the previous 5 years which was viewed by OFAC as a significant mitigating factor.
Many organisations also volunteered to undertake and commit to a future programme of compliance improvements.
Many of the mitigating factors that OFAC notifications described are precisely the types of activities that well managed organisations should have in place in any event. The 3 key areas that were consistently highlighted by OFAC as being mitigating factors were:
A significant focus on enhanced and strengthened compliance functions was one of the most common factors. It is clear that a sanctions compliance program is crucial. Activities that were mentioned specifically included:
The way that an organisation responded upon identification of a violation was also a mitigating factor that was consistently recognised by OFAC. Organisations that were proactive, transparent and acted quickly and decisively placed themselves in a more advantageous position when it came to the consideration of any penalties.
The following response activities were consistently highlighted as mitigating factors by OFAC:
Transparency and a genuine will to cooperate with OFAC during enforcement proceedings are consistently highlighted as a crucial mitigating factor considered during the process of determining the appropriate penalty for a sanctions violation.
Genuine cooperation was demonstrated in a number of different ways and included:
Being the subject of OFAC enforcement proceedings is serious, costly and highly disruptive for any business. It impacts on the reputation of an organisation and in some cases can impinge on the credibility of local regulators, who may be seen as ineffective.
It is clear from our analysis of historic OFAC penalties that:
Ultimately, it is better is to avoid a violation in the first place. However, sanction risk is a complex area which often requires specialist advice and training to assess and manage effectively. Equally, the way that an organisation responds in the wake of a sanctions violation is also a complex process and requires considerable coordination and expertise to navigate effectively.
For more detailed information on our analysis of OFAC financial penalties and on how we can help you manage sanctions risk or respond more effectively to suspected sanction violations, please contact any of the authors listed below.