OFAC's New Economic Sanctions Enforcement Guidelines presents Compliance Strategies to Withstand Tougher Foreign Asset Control Oversight A Live 90-Minute Audio Conference with Interactive Q&A Today's panel features: Ronald I. Meltzer, Partner, WilmerHale, Washington, D.C. Greta Lichtenbaum, Partner, O'Melveny & Myers, Washington, D.C. Edward L. Rubinoff, Partner, Akin Gump Strauss Hauer & Feld, Washington, D.C. Thursday, June 11, 2009 The conference begins at: 1 pm Eastern 12 pm Central 11 am Mountain 10 am Pacific The audio portion of this conference will be accessible by telephone only. Please refer to the dial in instructions emailed to registrants to access the audio portion of the conference. CLICK ON EACH FILE IN THE LEFT HAND COLUMN TO SEE INDIVIDUAL PRESENTATIONS. If no column is present: click Bookmarks or Pages on the left side of the window. If no icons are present: Click View, select Navigational Panels, and chose either Bookmarks or Pages. If you need assistance or to register for the audio portion, please call Strafford customer service at 800-926-7926 ext. 10
OFAC Sanctions and New Enforcement Guidelines Ronald I. Meltzer June 11, 2009
Background OFAC: US Treasury Department office responsible for administering/enforcing US economic sanctions against certain designated countries, entities and persons Broad statutory authority based on national security/foreign policy Unilateral and multilateral sanctions Significant administrative/interpretative discretion Wide variation in sanctions programs/regulations Focused agency mandate and lack of transparency in major respects WilmerHale 1
Types of Sanctions Country-based programs comprehensive embargoes (e.g., Cuba, Iran and Sudan) limited sets of sanctions (e.g., Burma, North Korea and Syria) List-based programs terrorism, narcotics trafficking, WMD proliferation, regional destabilization, discredited regimes SDNs: specially-designated nationals & blocked persons (http://www.treas.gov/ofac/t11sdn.pdf) Increased use of list-based programs to target sanctions and avoid collateral effects WilmerHale 2
OFAC Jurisdiction OFAC sanctions regulations apply to US persons: All US citizens and permanent residents anywhere in the world Companies organized in the United States Foreign branches of US companies. Any person, entity or property located in the United States Cuba and North Korea: any entity owned or controlled by US persons (i.e., foreign subsidiaries of US companies) Iran and Sudan: non-us persons in reexport transactions involving certain items controlled under the EAR WilmerHale 3
Scope of Prohibitions Prohibited transactions can extend to all types of commercial/financial dealings (direct and indirect) with designated countries, entities and persons exports, imports, services, financing, investments, payments, dealings in property and travel (Cuba) facilitation and approval Certain exempted, generally-authorized and specifically-licensed transactions Blocking requirements for SDNs and certain countrybased programs WilmerHale 4
Penalties October 2007 IEEPA Enhancement Act: steep increase in possible civil and criminal penalties civil penalties of up to $250K per violation, or twice the value of transaction at issue criminal penalties of up to $1MM per violation and/or 20 years imprisonment Increased penalty levels impact compliance strategies and management of OFAC issues WilmerHale 5
Economic Sanctions Enforcement Guidelines New guidelines effective as of September 8, 2008 Supersede 2003 and 2006 enforcement guidance, including OFAC s Interim Final Rule for Banks Excludes pending enforcement cases (between October 2007 and September 8,2008) and certain violations under the CACR Prompted by implementation of new penalty levels WilmerHale 6
Enforcement Guidelines: Overview Three main components: Enforcement responses available to OFAC General Factors for determining appropriate enforcement response New framework for determining civil penalty amounts WilmerHale 7
OFAC Enforcement Responses Types of Outcomes No Action Request for Additional Information (e.g., 602 Letter) Cautionary Letter (new OFAC option) Finding of Violation (new OFAC option) Civil Monetary Penalty Criminal Referral Other Administration Actions (e.g., cease and desist orders, license denial, suspension) WilmerHale 8
New OFAC Enforcement Responses Cautionary Letter Finding of a violation is not warranted or substantiated by sufficient information, but underlying conduct could lead to violation in other circumstances Not a final agency action; puts recipient on notice Finding of Violation OFAC determines that violation occurred, but monetary penalty not appropriate Final enforcement response; recipient can respond WilmerHale 9
General Factors Eleven general factors in determining appropriate enforcement response Replaces former mitigating and aggravating factors No reference to OFAC risk assessments or risk-based approach to compliance (key focus of 2006 Interim Final Rule for Banks) OFAC: final version of new guidelines will endorse risk-based approach WilmerHale 10
General Factors (cont.) 1. Willful or reckless violation of law (willful misconduct or deliberate intent to violate, and any concealment, pattern of misconduct, prior notice of violation, and management involvement) 2. Awareness of conduct at issue (actual knowledge or reason to know about violation and management involvement) WilmerHale 11
General Factors (cont.) 3. Harm to sanctions program objectives, e.g., benefit of violation to target country, entity or individual, implication for US policy, eligibility for a license, support for humanitarian action 4. Characteristics of subject person: commercial sophistication, size and financial condition, volume of transactions, and history of violations WilmerHale 12
General Factors (cont.) 5. Existence and nature of subject person s compliance program 6. Remedial responses to apparent violation 7. Nature and extent of cooperation with OFAC 8. Timing of the apparent violation in relation to the imposition of sanctions 9. Other enforcement action taken by federal, state or local agencies for same/similar violation WilmerHale 13
General Factors (cont.) 10. Deterrence effect of response against the subject person and others in same industry 11. Other relevant factors determined on a case-by-case basis WilmerHale 14
Civil Penalties Prior to imposing penalty, OFAC will issue a pre-penalty notice - Describes alleged violation, relevant General Factors, proposed penalty and maximum penalty - Subject person will have opportunity to respond prior to issuance of final notice Settlements still available, but negotiated in accordance with new guidelines Penalties based on: 1. Transaction Value 2. Egregious or non-egregious nature of violation 3. Whether violation was voluntarily self-disclosed WilmerHale 15
Civil Penalties (cont.) Egregious cases Most serious violations, based on General Factors, with focus on willfulness or recklessness, awareness of conduct, harm to sanctions program objectives, and individual characteristics of violator Non-egregious cases Most cases will involve non-egregious violations WilmerHale 16
Civil Penalties (cont.) Voluntary Self Disclosure Subject person self-initiates disclosure of apparent violation before discovery by OFAC or other government (federal, state or local) agency/official Earns 50 percent reduction in otherwise applicable base penalty amount WilmerHale 17
Civil Penalties (cont.) Base Penalty Amounts VSD Non-Egregious ½ of transaction value (capped at $125K/violation) Egregious ½ of Statutory Cap $125K/violation No VSD Applicable schedule amount (seven categories from $1K to $250K based on transaction value) Statutory Cap $250K/violation WilmerHale 18
Civil Penalties (cont.) Base penalty amount may be adjusted based on evaluation of General Factors Substantial cooperation with OFAC results in 25-40 percent reduction of base penalty First violation generally results in reduction of up to 25 percent of base penalty WilmerHale 19
Civil Penalties (cont.) Additional penalties Failure to furnish requested information: Up to $20K for transactions $500K Up to $50K for transactions > $500K Penalties for late filings of up to $2,500 Failure to maintain required records Up to $5K for first failure to maintain required records Up to $10K for each additional violation WilmerHale 20
Key Questions/Issues Will OFAC change it approach to risk-based compliance? Are VSDs effectively ruled out for many regulated industries, including financial services? Does reliance on transaction value distort outcomes and disadvantage certain industries? Do new guidelines ignore key compliance issues? Repeat errors Grace period following M&A transactions WilmerHale 21
New OFAC Enforcement Guidelines: Penalty Process and Industry Reaction Greta L.H. Lichtenbaum
Civil Penalties Process Prior to imposing penalty, OFAC will issue a pre-penalty notice - Describes alleged violation, relevant General Factors, proposed penalty and maximum penalty - Subject person will have opportunity to respond prior to issuance of final notice Settlements still available, but negotiated in accordance with new guidelines Penalties based on: 1. Transaction Value 2. Egregious or non-egregious nature of violation 3. Whether violation was voluntarily self-disclosed 2
Civil Penalties 2 Categories Egregious cases Most serious violations, based on General Factors, with focus on willfulness or recklessness, awareness of conduct, harm to sanctions program objectives, and individual characteristics of violator Non-egregious cases Most cases will involve non-egregious violations 3
Civil Penalties Voluntary Self Disclosure Voluntary Self Disclosure Narrowly Defined Only VSD if: subject person self-initiates disclosure of apparent violation before discovery by OFAC or other gov t agency and No other party is REQUIRED to disclose same or similar violation Earns 50 percent reduction in otherwise applicable base penalty amount 4
Calculation of Civil Penalties Base Penalty Amounts Non-Egregious Egregious VSD ½ of transaction value (capped at $125K/violation) ½ of Statutory Cap $125K/violation No VSD Applicable schedule amount (seven categories from $1K to $250K based on transaction value) Statutory Cap $250K/violation 5
Calculation of Civil Penalties Base penalty amount may be adjusted based on evaluation of General Factors Substantial cooperation with OFAC results in 25-40 percent reduction of base penalty First violation typically results in reduction of up to 25 percent of base penalty 6
Calculation of Civil Penalties Additional penalties Failure to furnish requested information: Up to $20K for transactions $500K Up to $50K for transactions > $500K Penalties for late filings of up to $2,500 Failure to maintain required records Up to $5K for first failure to maintain required records Up to $10K for each additional violation 7
Industry Reaction 11/07/08 Comments Primarily financial institutions commented They urge OFAC to retain prior practice of having an industry approach for financial institutions Comments reflect confusion about whether OFAC still maintains a risk-based approach 8
Industry Reaction -- VSD Definition Wide-spread concern re: narrow VSD definition focus on language: no VSD if a third party is required to notify OFAC of the apparent violation or substantially similar apparent violation because a transaction was blocked or rejected by that third party (regardless of whether or when OFAC actually receives such notice from the third party and regardless of whether the Subject Person was aware of the third party s disclosure.) Also concern that voluntary disclosure credit is inadequate in egregious cases starting from such a high penalty amount, such that 50% mitigation doesn t do enough 9
Industry Reaction Wide-spread concern about tying the General Factor of cooperation with OFAC to an agreement to waive the statute of limitations ABA concern about whether guidelines undermine of attorney client privilege when companies required to submit all relevant information 10
Industry Reaction Many proposals for amendments or supplements to General Factors OFAC should recognize the rogue employee scenario Make clear that careful, good faith yet erroneous -- legal analysis will never be viewed as reckless or willful conduct When assessing whether there is a history of violations, OFAC should take into account if those violations were caused by clerical errors 11
Some Questions/Issues What will OFAC do in response to concerns about VSDs, since narrow definition may rule out VSDs in many cases, particularly if a U.S. financial institution involved? Not raised in Comments, but -- does reliance on transaction value distort outcomes and disadvantage certain industries and situations? Are new guidelines equitable for those with particular compliance challenges? Repeat errors Grace period following M&A transactions 12
OFAC s New Economic Sanctions Enforcement Guidelines: Impact on Internal Compliance Programs Edward L. Rubinoff Akin Gump Strauss Hauer & Feld, LLP June 11, 2009
What Is An Internal Compliance Program ( ICP ) An ICP is a set of formalized policies and procedures developed to detect and prevent company violations of economic sanctions or export laws. An effective ICP is like an insurance policy An ICP is NOT an affirmative defense under the U.S. economic sanctions laws, however an effective ICP should: Prevent inadvertent violations that could lead to enforcement actions by the OFAC; Obtain mitigation of penalties in the event of an enforcement action; and Demonstrate corporate responsibility to potential and existing business partners. 2
Is An Internal Compliance Program Required? No Legal Requirement But Significant Legal Benefits ICPs are not generally required by any of the primary statutes or regulations governing U.S. sanctions laws. However, failure to develop an ICP can lead to severe consequences under the new OFAC Economic Sanctions Enforcement Guidelines (the New Guidelines ). OFAC s Economic Sanctions Enforcement Guidelines The existence and effectiveness of a compliance program is one of the General Factors that OFAC will consider in determining an appropriate response to a violation, and if a civil penalty is warranted, in establishing the amount of that penalty. 73 Fed. Reg. 51933 (September 8, 2008). 3
General Principles In Creating And Implementing An ICP OFAC does not suggest policies or procedures that should be included in an ICP. Therefore, companies have freedom to develop ICPs tailored to meet their needs and address their risks. General ICP Principles ICP Should Reflect the Company s OFAC Risk Exposure OFAC s 2006 Economic Sanctions Enforcement Procedures for Banking Institutions (the 2006 Enforcement Procedures ) 71 Fed. Reg. 1971 (January 12, 2006) encouraged banks to rate their products, services, customers and geographic reach as low, medium or high risk and then to develop compliance polices and procedures based on their risk profile. OFAC stated that in determining whether or not to impose a civil monetary penalty for a violation, it will consider information concerning the [banking] institution s compliance program and the adequacy of that program based on its OFAC risk profile. OFAC indicated that this risk-based compliance approach would be extended to other business sectors, and it subsequently issued similar guidance for charities and the securities industry. 4
General Principles In Creating And Implementing An ICP Custom-Fit the ICP to Your Company The elements on an ICP must be designed to operate within the structure, culture and resources of the company in order to be effective. Maintain a Flexible, Evolving ICP A company must maintain a dynamic approach to its ICP and remain alert to OFAC changes in order for a program to retain its effectiveness. Keep the ICP Manageable In most contexts, this requires a centralized system of detailed review of transactions screened or red flagged by lower-level employees. Ensure Upper Management Support For the ICP The most customized, dynamic and manageable ICP will not succeed if the corporate hierarchy is not committed to ensuring OFAC compliance. 5
Key Elements Of An Effective ICP While various businesses have different risk areas, as a general rule, ICPs should contain a variant of each of the elements listed below: Corporate Policy/Management Commitment An ICP should include a corporate policy statement regarding the company s approach and commitment to compliance with sanctions laws. The ICP should be adopted and issued by management. ICP Infrastructure and Delegation Authority The presence of a centralized administrator of an ICP is a crucial element in making an ICP manageable. The benefits of a centralized compliance decision making include: Identifiable Resource Coordination and Consistency Efficient OFAC Monitoring Institutional Knowledge 6
Key Elements Of An Effective ICP Education and Training In order to ensure effective personnel participation in an ICP, an ICP should, at a minimum, address: The scope of the education and training program; Frequency of training; and Training methods. Due Diligence in Forming Counterparty Relationships (Screening of Counterparties and Transactions, Background Checks as Appropriate) The most important tool in avoiding OFAC violations is the proper screening of customers, business partners and other counterparties and transactions. The ICP must also set out when to conduct counterparty and contract screening. 7
Key Elements Of An Effective ICP Internal Audits Internal audits serve as important tools for maintaining a dynamic ICP, and each ICP should provide for periodic auditing of the ICP and the company s adherence to its conditions. Recordkeeping OFAC programs generally require the retention of all records relating to a transaction covered by OFAC regulations for five years. At a minimum, an ICP should require the OFAC compliance officer or office to archive business records relating to transactions concluded under a specific or general OFAC license, as well as transactions relating to red-flagged transactions. Notification and Reporting The ICP should provide procedures to deal with violations once they are discovered. The ICP should provide guidelines for confidential reporting of violations internally. The ICP should also provide guidelines regarding reporting of violations to OFAC and gathering mitigating evidence for the potential OFAC investigation. 8
Risk-Based Compliance ICPs and the New Guidelines The New Guidelines explicitly superseded the 2006 Enforcement Procedures and made no reference to risk assessment and corresponding risk-based compliance programs. Therefore, commenters expressed concern over what they perceived as OFAC s move away from previously established policy and uncertainty regarding what OFAC now deems to be the correct approach to compliance. In determining what sort of enforcement action to take under the New Guidelines, OFAC continues to look at a company s individual characteristics, including its commercial sophistication, size and financial condition, volume of transactions, history of violation and compliance program. OFAC has not removed the risk matrices posted on its website in sections providing industry-specific compliance guidance for charities and financial institutions. 9
Risk-Based Compliance ICPs and the New Guidelines On November 6, 2008, OFAC published on-line guidance (arguably not enforcement procedures) for the securities industry in which the agency encouraged companies to develop proactive, risk-based compliance programs. The agency also stated that the cornerstone of an effective OFAC compliance program is an assessment of the risks presented by a firm s customer base, specific products/services, and the geographic locations in which it conducts business. These indicators imply that OFAC retains a risk-based, industry specific approach to compliance under the New Guidelines. Indeed, in public forums it has stated that it has not abandoned risk-based compliance principles. Nevertheless, the New Guidelines have created confusion, uncertainty and concern, so OFAC should formally issue a clarification. 10
Evaluating ICPs Against the New Guidelines According to the New Guidelines, when OFAC deems the imposition of a civil penalty to be appropriate, the agency will calculate the proposed penalty based on two factors: voluntary self-disclosure and classification of the violation as egregious or non-egregious. Effective risk-based compliance programs are the best way to encourage voluntary self disclosure and avoid conduct that could be classified as egregious. Classification of a violation as egregious or non-egregious depends on analysis of the first four General Factors: Willful or Reckless Violation; Awareness of Conduct; Harm to Sanctions Program Objectives; and The Individual Characteristics of the Subject Person However, OFAC s analysis will place greater weight on whether the violation was willful or reckless and whether the Subject Person was aware or should have been aware of the conduct at issue in making this decision. 11
Evaluating ICPs Against the New Guidelines Address elements of the first two General Factors (Willfulness and Awareness/Reason to Know) in the ICP by ensuring: Effective and consistent oversight by management Increased auditing and testing of compliance controls Additional training Encouraging a culture of compliance Voluntary Self-Disclosures The ICP should take into account that voluntary self-disclosure is a significant mitigating factor (generally at least 50% deduction). Note that failure to report an ongoing transaction that violates OFAC restrictions may lead to the conclusion that the violation was willful. The ICP should provide specific guidance regarding the necessity for immediate remedial action in response to a violation and when and how a violation is reported to OFAC. 12
Evaluating ICPs Against the New Guidelines In cases of egregious violations, the base amount of the civil penalty potentially can be astronomical. Even in nonegregious cases, the use of transaction value as the base penalty can produce large fines. Accordingly, ICPs should ensure that adequate compliance procedures are applied to high-value and high-volume transactions that might involve sanctions targets. 13
Evaluating ICPs Against the New Guidelines In summary, for companies that already have an effective ICP, the New Guidelines do not necessarily suggest a change in approach. One of the primary objectives of an ICP is to prevent inadvertent violations that could lead to enforcement actions by the OFAC, and that continues to be the case. However, the New Guidelines have implications for encouraging ICPs and they highlight factors that companies ought to pay particular attention to when establishing or reviewing compliance programs in order to minimize OFAC s response to apparent violations. 14
15 Edward L. Rubinoff Akin Gump Strauss Hauer & Feld, LLP 1333 New Hampshire Ave. N.W. Washington, DC 20036 Tel: (202) 887-4026 Fax: (202) 887-4288 erubinoff@akingump.com