Article Law360

What OFAC Means by a Risk-Based Approach to Compliance

Even though the Office of Foreign Assets Control has acknowledged COVID-19 challenges, the agency still expects companies to take a risk-based approach to sanctions compliance by routinely updating programs that reflect their individual business models, customer bases and geographic operations, say Kirkland partner Mario Mancuso and of counsel Abigail Cotterill in this article for Law360.

In the year since the U.S. Department of the Treasury's Office of Foreign Assets Control published "A Framework for OFAC Compliance Commitments," COVID-19 has drastically shifted the business landscape in which the target audience for this guidance operates.

With companies focused on streamlining operations, managing newly remote workforces and meeting changing client demands, the need for efficient, cost-effective, risk-based compliance programs has never been greater.

Recognizing this challenge, on April 20, OFAC issued guidance, which provides that in determining its response to potential violations during the pandemic, it will consider temporary reallocations of compliance resources that were in response to COVID-19, but only if they were "consistent with a [risk-based compliance] approach."[1]

This article explains what OFAC means by a risk-based approach to compliance, and provides an overview of how to implement that guidance in practice.

Defining Risk-Based Compliance

In issuing the framework in May 2019, OFAC underscored its expectation that companies take a "risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program," or SCP.[2]

The concept of risk-based compliance is regularly referenced in prior OFAC guidance, including in the Economic Sanctions Enforcement Guidelines and the related risk matrix of factors for financial institutions evaluating their customer base.[3]

Until the issuance of the 2019 framework, however, the agency had not provided granular recommendations on what a risk-based approach to compliance meant in practice.

By highlighting risk assessment as one of five essential elements of compliance, alongside management commitment, internal controls, testing and auditing, and training, OFAC clarified its expectations that risk-based compliance starts with a defined exercise "to identify inherent risks in order to inform risk-based decisions and controls."[4]

In this regard, risk-based compliance is tailored to a company's current business model, and a risk assessment is an exercise that maps key compliance risks and provides the blueprint from which to build or revise a sanctions compliance program.

While companies may be accustomed to performing due diligence on targets for acquisition, the risk assessment is akin to doing periodic diligence on one's own company from top to bottom, to provide a holistic overview of current operational sanctions risks and blind spots.[5]

Risk Assessment Benefits

Companies seeking to avail themselves of the April 20 guidance, or to otherwise tune their SCPs, may benefit from a risk assessment for two principal reasons.

First, sanctions risks are not static, and fluctuate frequently due to changes in OFAC sanctions program restrictions, as well as changes in businesses as they grow in ways that may inadvertently implicate OFAC restrictions. Without knowledge of its current risks, a company cannot adjust its controls consistent with OFAC expectations.

Unlike an audit, which tests past compliance program performance to ensure that controls were working as designed, a risk assessment looks forward to map new risks which may not have been present before. Such an assessment is critical to the initial design of a SCP, as well as at later stages when the business is changing in ways that could elevate or shift sanctions risks.

Such moments may include expanding distribution territories, acquiring a new foreign subsidiary, changes in OFAC regulations such that previously permissible activities present elevated sanctions risks, or changes in customer profiles or division activities due to external factors such as the COVID-19 pandemic.

Second, regular risk assessments may lead to mitigation credit in the event of future violations. Recent OFAC enforcement actions show that a one-size-fits-all paper program, which fails to account for individualized business models, customer bases, and geographic operations, will not result in mitigation credit should potential violations arise under those programs, and may even be an aggravating factor.[6]

For OFAC to show leniency to companies facing strict liability for potential violations of U.S. sanctions, companies must first demonstrate that they have made a good faith effort to customize their compliance programs to their businesses. Similarly, while the April 20 guidance recognizes that companies may need to reallocate resources in response to the COVID-19 pandemic, it notes that OFAC nonetheless expects them to do so thoughtfully and based on an understanding of their risk profile.

Designing an Effective Risk Assessment

If the goal of the risk assessment is to create a current heat map of sanctions risks specific to a company, successful execution depends on a strong methodology and appropriately tailored scope.

The framework confirms that risk assessments should seek to pinpoint sanctions risks posed by three main risk vectors: (1) risks posed by third parties, such as customers, suppliers and intermediaries; (2) risks posed by products and services; and (3) risks based on geographic locations of operations and third parties.[7]

An effective risk assessment seeks to gather information from across the organization about all three of these categories, using tools described further below.

OFAC further recommends that risk assessments account for root causes of past violations or systemic SCP deficiencies identified in daily business.[8] For example, companies that have had past violations related to improper U.S. dollar transactions may also seek to map their current use of U.S. financial institutions and dollar-denominated accounts throughout their businesses, so they know where their touchpoints to the U.S. financial system currently exist.

It is also advisable for companies to consult recent enforcement actions and OFAC guidance, to consider whether the risk assessment should cover other, industry-specific areas of risk.

OFAC's recent maritime shipping and civil aviation advisories, for instance, suggest that companies operating in these industries may endeavor to design their risk assessments to gather information about high-risk maritime shipping practices or potential nexuses to restricted Iranian airlines, respectively.[9]

Finally, organizations should consider the periodicity of their risk assessments in determining appropriate scope. A company may decide that it will conduct an organization-wide risk assessment every three years, and perform targeted risk assessments focused on only one geography or one vector of risk in the interim years.

The scope of targeted, interim risk assessments may be based on changes in OFAC guidance, audit or testing results, or findings of violation which suggest the need to confirm that the risk heat map for a particular subsidiary or risk vector, such as U.S. financial institution touchpoints, is still current.

Executing the Risk Assessment

Consistent with OFAC expectations for a holistic approach to risk assessment, a risk-assessment work plan should collect high-level business information through mechanisms such as questionnaires, checklists, background interviews and targeted document requests.

While there may be many sources of this information, including company enterprise resource planning systems, customer files and employees themselves, OFAC suggests leveraging existing information-gathering mechanisms to inform the risk assessment process.

Information obtained from the assignment of customer risk ratings at onboarding, as informed by customer location and risk-rating factors found in the OFAC risk matrices, is one OFAC-identified source that risk assessments may leverage to populate a heat map of high-risk customers.[10]

Another source is results of recent mergers and acquisition due diligence exercises, which may flag new businesses that have unmitigated risk exposures. Financial metrics reported from subsidiaries which include data on high-volume customers, revenues and product sales may also provide useful data points.

Interviews of employees in customer or other third-party facing roles, such as supply chain managers, sales leads, or account executives, can provide valuable human intelligence on risk factors such as new banking relationships, new geographic targets for sales expansions, or new shipping routes or distribution channels.

A risk assessment may identify information suggesting potential violations of sanctions or SCP weaknesses. To better ensure that any results or findings from the risk assessment can be protected by the attorney-client privilege, it is prudent to ensure that all phases of the risk assessment — including information gathering — are conducted at the direction of in-house or external counsel, for the purpose of providing legal advice to the company.

Analyzing the Results

Once the information gathering is complete, the assessment team should analyze the results and categorize the sanctions-related risks in the company's operations from lowest to highest. Just as the specific lines of inquiry for a risk assessment should be informed by OFAC guidance, analysis of the information gathered should be performed against current OFAC restrictions and guidance, including advisories, OFAC frequently asked questions, and enforcement information.

If interviews with sales managers suggest that the company has received a potential sales lead in Iran, or would like to expand business into eastern European countries including Ukraine, an understanding of the U.S. embargoes on Iran and the Crimea region would signal that these business units may pose higher sanctions risks.

Similarly, if information requests regarding program implementation show that a foreign subsidiary acquired 15 months ago has yet to fully implement the company's SCP, review of recent enforcement actions would show that OFAC would likely consider this a delay that creates an elevated risk for violation of the Iran and Cuba sanctions programs.[11]

Conversely, if sales records show that a subsidiary has ceased to use distributors in the Middle East, and is instead now focusing its sales efforts exclusively in Western Europe due to COVID-19, knowledge of lower transshipment risks in that geographic region may support a risk-based decision to temporarily reduce compliance resources assigned to this subsidiary.

Documenting the Findings

Once the analysis of the findings is complete, risk-assessment teams should take the time to carefully document their observations. This documentation could take the form of heat maps that identify lower-risk, higher-risk, and highest-risk customers, product or service offerings, and geographic areas of activity.

As a corollary, the risk-assessment team should also document the proposed corresponding SCP adjustments, and how those adjustments are prioritized based on the heat map.

The value of the documentation exercise tracks the benefits of the risk assessment described above. First, it provides proof that any changes to the SCP are based on actual assessments of risk, and not on perceived or untested hypotheses about risk that may be based on outdated business information.

Second, the documentation creates a record of the company's good faith attempts to implement the OFAC framework. Though sanctions violations continue to be strict-liability violations, the documented risk-based approach to compliance can mitigate the severity of any penalties or related administrative responses that OFAC will take should violations occur.

Finally, this documentation provides a reference point for future risk assessments, which will create efficiencies in those future exercises.

In an increasingly complex business and regulatory environment, there is significant value in maintaining company records of past risk-based decision-making, which can serve as guideposts to navigating new risks going forward.

Mario Mancuso is a partner and Abigail Cotterill is counsel at Kirkland & Ellis LLP

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.





[5] Id.

[6] (Finding that an aggravating factor was that e.l.f.'s "OFAC compliance program was either non-existent or inadequate throughout the time period in which the apparent violations occurred, and [that e.l.f.] appears not to have exercised sufficient supply chain due diligence while sourcing products from a region that poses a high risk to the effectiveness of the [North Korea Sanctions Regulations].")


[8] Id.

[9] See, e.g.,;


[11] (Confirming that OFAC viewed a [15] month delay in notifying a newly-acquired foreign subsidiary that it was subject to U.S. sanctions, and related delays in compliance program implementation as a "slow" timeline, and suggesting that similarly-situated companies may face elevated enforcement risks if they do not actively monitor subsidiary integration.)