completed, the organization’s Audit and Testing function will be critical to
identifying any additional sanctions-related issues.
II. The organization has developed a methodology to identify, analyze, and address the
particular risks it identifies. As appropriate, the risk assessment will be updated to
account for the conduct and root causes of any apparent violations or systemic
deficiencies identified by the organization during the routine course of business, for
example, through a testing or audit function.
INTERNAL CONTROLS
An effective SCP should include internal controls, including policies and procedures, in order to
identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that
may be prohibited by the regulations and laws administered by OFAC. The purpose of internal
controls is to outline clear expectations, define procedures and processes pertaining to OFAC
compliance (including reporting and escalation chains), and minimize the risks identified by the
organization’s risk assessments. Policies and procedures should be enforced, weaknesses should
be identified (including through root cause analysis of any compliance breaches) and remediated,
and internal and/or external audits and assessments of the program should be conducted on a
periodic basis.
Given the dynamic nature of U.S. economic and trade sanctions, a successful and effective SCP
should be capable of adjusting rapidly to changes published by OFAC. These include the
following: (i) updates to OFAC’s List of Specially Designated Nationals and Blocked Persons
(the “SDN List”), the Sectoral Sanctions Identification List (“SSI List”), and other
sanctions-related lists; (ii) new, amended, or updated sanctions programs or prohibitions imposed on
targeted foreign countries, governments, regions, or persons, through the enactment of new
legislation, the issuance of new Executive orders, regulations, or published OFAC guidance or
other OFAC actions; and (iii) the issuance of general licenses.
General Aspects of an SCP: Internal Controls
Effective OFAC compliance programs generally include internal controls, including policies and
procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records
pertaining to activity that is prohibited by the sanctions programs administered by OFAC. The
purpose of internal controls is to outline clear expectations, define procedures and processes
pertaining to OFAC compliance, and minimize the risks identified by an entity’s OFAC risk
assessments. Policies and procedures should be enforced, and weaknesses should be identified
(including through root cause analysis of any compliance breaches) and remediated in order to
prevent activity that might violate the sanctions programs administered by OFAC.
I. The organization has designed and implemented written policies and procedures
outlining the SCP. These policies and procedures are relevant to the organization,
capture the organization’s day-to-day operations and procedures, are easy to follow,
and designed to prevent employees from engaging in misconduct.