A Framework for OFAC Compliance Commitments
《美国海外资产控制办公室(OFAC)合规承诺框架》
The U.S. Department of the Treasury'sOffice of Foreign Assets Control (OFAC) administers and enforces U.S. economicand trade sanctions programs against targeted foreign governments individuals,groups, and entities in accordance with national security and foreign policygoals and objectives.
美国财政部下属的海外资产控制办公室(OFAC)根据国家安全和外交政策负责管理和执行针对外国政府个人、团体和实体的美国经济和贸易制裁方案。
OFAC strongly encouragesorganizations subject to U.S. jurisdiction, as well as foreign entities thatconduct business in or with the United States. U.S. persons, or usingU.S.-origin goods or services, to employ a risk-based approach to sanctionscompliance by developing, implementing, and routinely updating a sanctions complianceprogram (SCP). While each risk-based SCP will vary depending on a variety offactors-including the company's size and sophistication, products and services,customers and counterparties, and geographic locations-each program should bepredicated on and incorporate at least five essential components of compliance:
(1) management commitment:
(2) riskassessment:
(3) internal controls:
(4) testing and auditing;and
(5) training.
OFAC大力鼓励受美国司法管辖的企业以及在美国或与美国人开展业务的外国实体或使用美国原产产品或服务的外国实体,设立、实施并定期更新其制裁合规方案(SCP),采用一个基于风险的方法达到制裁合规。虽然每个基于风险的SCP会根据各种因素(包括公司规模和复杂程度、产品和服务、客户和交易对手以及地理位置)的不同而有所差异,但每个方案都应包含至少以下五个必要合规要素:
(1)管理层承诺;
(2)风险评估;
(3)内部控制;
(4)测试及审计;
(5)培训。
If after conductingan investigation and determining that a civil monetary penalty("CMP")is the appropriate administrative action in response to an apparent violation,the Office of Compliance and Enforcement (OCE) will determine which of thefollowing or other elements should be incorporated into the subject person'sSCP as part of any accompanying settlement agreement, as appropriate. As in allenforcement cases, OFAC will evaluate a subject person's SCP in a mannerconsistent with the Economic Sanctions Enforcement Guidelines(the"Guidelines")
如果经调查后认定针对一个明显违规行为应该采取的适当行政行为是民事金钱处罚,合规及执法办公室(OCE)可以酌情确定将以下哪些要素或其他要素作为随附和解协议的一部分纳入到被处罚人的SCP。与所有执法案件一样,OFAC将根据《经济制裁执行指南》(“指南”)对被处罚人的SCP进行评估。
When applying the Guidelines
to a given factual situation, OFAC will consider favorably subject persons that
had effective SCPs at the time of an apparent violation. For example, under
General Factor E (compliance program), OFAC may consider the existence, nature,
and adequacy of an SCP. and when appropriate, may mitigate a CMP on that basis.在将OFAC在将指南适用于特定事实情况时,会把被处罚人在明显违规行为发生时所拥有的有效SCP作为一个有力因素进行考虑。例如,在通用因素E(合规方案)下,OFAC可以对SCP的存在、性质及充分性进行考虑。适当时,可以基于这个因素减轻民事经济处罚。
Subject persons that have implemented
effective SCPs that are predicated on the five essential components of
compliance may also benefit from further mitigation of a CMP pursuant to
General Factor F (remedial response) when the SCP results in remedial steps being
taken.
对于实施了基于五个基本合规要素的有效SCP的被处罚人,在根据SCP采取补救措施时,也可以利用通用因素F(补救措施)来进一步减少其民事经济处罚。
Finally, OFAC may, in appropriate cases,
consider the existence of an effective SCP at the time of an apparent violation
as a factor in its analysis as to whether a case is deemed
"egregious."
最后,在适当情况下,OFAC可以在发生明显违规行为时考虑将“是否存在一个有效的SCP”作为分析案件是否“恶劣”的一个因素。
This document is intendedto provide organizations with a framework for the five essential components ofa risk-based SCP, and contains an appendix outlining several of the root causesthat have led to apparent violations of the sanctions programs that OFACadministers. OFAC recommends all organizations subject to U.S. jurisdictionreview the settlements published by OFAC to reassess and enhance theirrespective SCPs, when and as appropriate.
本文件旨在为企业提供一个基于风险的SCP中五个基本组成部分的框架。本文件还包含了一个附录,概述了导致明显违反OFAC制裁方案的一些根本原因。OFAC建议所有受美国司法管辖的企业对其公布的和解案例进行审查,以便在适当的时候重新评估并改善各自的SCP。
MANAGEMENT COMMITMENT
管理层承诺
Senior Management'scommitment to, and support of, an organization's risk-based SCP is one of the mostimportant factors in determining its success. This support is essential in ensuringthe SCP receives adequate resources and is fully integrated into the organization'sdaily operations, and also helps legitimize the program, empower its personnel,and foster a culture of compliance throughout the organization.
高级管理层对企业基于风险的SCP的承诺及支持是决定该SCP成功与否的最重要因素之一。这种支持对于确保SCP获得足够的资源并完全融入企业的日常运营中是至关重要的,同时也有助于使合规方案合法化,赋予SCP人员权力,并培养整个企业内的合规文化。
General Aspects of an SCP: Senior
Management Commitment
SCP通用因素:高级管理层承诺
Senior management commitment to supporting
an organization's SCP is a critical factor in determining the success of the
SCP. Effective management support includes the provision of adequate resources
to the compliance unit(s) and support for compliance personnel's authority
within an organization. The term "senior management" may differ among
various organizations, but typically the term should include senior leadership,
executives, and/or the board of directors.
高级管理层对企业SCP的承诺支持是确定SCP成功的一个重要因素。有效的管理层支持包括为合规部门提供足够资源,并支持合规人员在企业内的权限。“高级管理层”一词在不同企业中的指代可能有所不同,但通常该术语应包括高级领导层、高级管理人员和/或董事会。
1.Senior management has reviewed and
approved the organization's SCP.
1. 高级管理层审查并批准了该企业的SCP。
2.Senior management ensures that its compliance
unit(s) is/are delegated sufficient authority and autonomy to deploy its
policies and procedures in a manner that effectively controls the
organization's OFAC risk. As part of this effort, senior management ensures the
existence of direct reporting lines between the SCP function and senior
management, including routine and periodic meetings between these two elements
of the organization.
2.高级管理层确保其合规部门获得了足够的权力和自主权,在部署政策和程序时,可以有效控制企业的OFAC风险。作为这项工作的一部分,高级管理层应确保在SCP职能部门与高级管理层之间存在一个直接报告线,包括这两个部门之间的例行会议与定期会议。
3.Senior management has taken, and will
continue to take, steps to ensure that the organization's compliance unit(s)
receive adequate resources-including in the form of human capital, expertise,
information technology, and other resources, as appropriate-that are relative
to the organization's breadth of operations, target and secondary markets, and
other factors affecting its overall risk profile.
3.高级管理层已采取并将继续采取措施,确保企业的合规部门获得足够资源-包括与企业的运营范围、目标和二级市场相匹配的人力资本、专业知识、信息技术和其他资源,以及影响其整体风险状况的其他因素。
These efforts could generally be measured
by the following criteria:
这些努力通常可以通过以下标准来进行衡量:
A. The organization has appointed a dedicated OFAC sanctions
compliance officer1;
A. 该企业已任命了专门的OFAC制裁合规官;
1 This may bethe same person serving in other senior compliance positions, e.g., the BankSecrecy Act Officer or an Export Control Officer, as many institutions,depending on size and complexity, designate a single person to oversee allareas of financial crimes or export control compliance.
可以是承担其他高级合规职位的同一人员,例如银行保密法官员或出口管制官员,因为许多机构按照规模和复杂程度,指定一个人来监督所有金融犯罪或出口管制领域合规性。
B. The quality and experience of the
personnel dedicated to the SCP, including: (1) the technical knowledge and expertise
of these personnel with respect to OFAC's regulations, processes, and actions:
(ii) the ability of these personnel to understand complex financial and
commercial activities, apply their knowledge of OFAC to these items, and
identify OFAC-related issues, risks, and prohibited activities: and(ii) the
efforts to ensure that personnel dedicated to the SCP have sufficient experience
and an appropriate position
B.专门负责SCP的人员应具备以下品质与经验,包括:(1)这些人员在OFAC法规、程序和行动方面的技术知识和专业知识;(2)这些人员有理解复杂金融及商业活动的能力、将OFAC相关知识应用于这些项目的能力以及确定OFAC相关问题、风险及被禁止活动的能力;以及(3)作出确保SCP人员在企业内有足够经验和适当职位且作为企业成功的组成部分的努力;以及
C. Sufficient controlfunctions exist that support the organization's SCP-including but not limitedto information technology software and systems-that adequately address theorganization's OFAC-risk assessment and levels
C.存在足够可以支持企业SCP、充分解决企业OFAC风险评估及水平的控制功能-包括但不限于信息技术软件和系统。
4. Senior management
promotes a "culture of compliance" throughout the organization.
4. 高级管理层在整个企业内推广“合规文化”。
These efforts couldgenerally be measured by the following criteria:
这些努力通常可以通过以下标准来衡量:
A. The ability of personnel to reportsanctions related misconduct by the organization or its personnel to seniormanagement without fear of reprisal.
A. 员工有能力向高级管理层汇报由企业或员工实施的制裁相关不当行为,而不必担心遭到报复。
B. Seniormanagement messages and takes actions that discourage misconduct and prohibitedactivities, and highlight the potential repercussions of non-compliance with OFACsanctions; and
B.高级管理层传递遏制不当行为及被禁止活动的信息并采取行动,强调不遵守OFAC制裁的潜在影响;
C. The ability of theSCP to have oversight over the actions of the entire organization, includingbut not limited to senior management, for the purposes of compliance with OFACsanctions.
C. SCP拥有为实现OFAC制裁合规性目的而监督整个企业(包括但不限于高级管理层)行动的能力。
5. Seniormanagement demonstrates recognition of the seriousness of apparent violationsof the laws and regulations administered by OFAC, or malfunctions deficiencies,or failures by the organization and its personnel to comply with the SCP'spolicies and procedures, and implements necessary measures to reduce theoccurrence of apparent violations in the future. Such measures should addressthe root causes of past apparent violations and represent systemic solutionswhenever possible.
5.高级管理层表明已经认识到了明显违反OFAC法规的行为或工作疏忽缺陷或企业及员工未能遵守SCP政策和程序的行为,会采取必要措施减少将来明显违规行为的发生。这些措施应解决过去明显违法行为的根本原因,并尽可能作为能够代表系统性的解决方案。
RISK ASSESSMENT
风险评估
Risks in sanctions complianceare potential threats or vulnerabilities that, ignored or not properly handled,can lead to violations of OFAC's regulations and negatively affect anorganization's reputation and business. OFAC recommends that organizations takea risk-based approach when designing or updating an SCP. One of the central tenetsof this approach is for organizations to conduct a routine, and if appropriateongoing ""risk assessment" for the purposes of identifyingpotential OFAC issues they are likely to encounter. As described in detailbelow. the results of a risk assessment are integral in informing the SCP'spolicies, procedures, internal controls, and training in order to mitigate suchrisks
制裁合规风险是指被忽视的或处理不当的潜在威胁或漏洞,可能会导致违反OFAC规定,并对企业的声誉和业务造成负面影响。OFAC建议企业在设计或更新SCP时采取基于风险的方法。这种方法的核心原则之一是企业进行惯常的、(如果合适的话)持续的“风险评估”,用于识别可能遇到的潜在OFAC问题。如下文详述,风险评估结果是了解减轻风险的SCP政策、程序、内部控制和培训的必要条件。
While there is no "one-size-fitsall "risk assessment, the exercise should generally consist of a holisticreview of the organization from top-to-bottom and assess its touchpoints to theoutside world. This process allows the organization to identify potential areasin which it may, directly or indirectly, engage with OFAC-prohibited persons,parties, countries, or regions. For example an organization's SCP may conductan assessment of the following:
虽然没有一个“一刀切”的风险评估方法,但一般应包括从上到下对企业进行全面审查,以及对其与外界接触点进行评估。该程序允许企业识别可能直接或间接与被OFAC禁止的人员、当事人、国家或地区进行互动的潜在区域。例如,企业的SCP可以对以下内容进行评估:
(i) customers, supplychain intermediaries, and counter-parties; (ii) the products and services itoffers, including how and where such items fit into other financial orcommercial products, services, networks, or systems; and (iii) he geographic locationsof the organization, as well as its customers, supply chain, intermediaries, andcounter-parties. Risk assessments and sanctions-related due diligence is alsoimportant during mergers and acquisitions, particularly in scenarios involvingnon-U.S companies or corporations.
(i)客户、供应链、中间人及相对方;(ii)提供的产品和服务,包括此类项目如何以及在何处适用于其他金融或商业产品、服务、网络或系统;(iii)企业及其客户、供应链、中间人及相对方的地理位置。在兼并和收购过程中,特别是在涉及非美国公司的情况下,风险评估及制裁相关尽职调查也是非常重要的。
General Aspects of
an SCP: Conducting a Sanctions Risk Assessment
SCP通用要素:开展制裁风险评估
A fundamental elementof a sound SCP is the assessment of specific clients, products, services andgeographic locations in order to determine potential OFAC sanctions risk. Thepurpose of a risk assessment is to identify inherent risks in order to informrisk-based decisions and controls.
一个健全的SCP的基本要素是对特定客户、产品、服务及地理位置进行评估,以确定出潜在的OFAC制裁风险。风险评估的目的是识别出固有风险,以便为基于风险的决策和控制提供信息。
The Annex to AppendixA to 31 C.F.R. Part 501, OFAC's Economic Sanctions Enforcement Guidelines,provides an OFAC Risk Matrix that may be used by financial institutions or otherentities to evaluate their compliance programs:
本文件附件是《联邦管理条例》第31编第501部分的附录A-《OFAC经济制裁执行指南》,该指南提供了一个OFAC风险矩阵,可供金融机构或其他实体用于合规方案的评估:
I. The organization
conducts or will conduct, an OFAC risk assessment in a manner and with a
frequency, that adequately accounts for the potential risks. Such risks could
be posed by its clients and customers, products, services, supply chain intermediaries,
counter-parties, transactions, and geographic locations, depending, on the
nature of the organization. As appropriate, the risk assessment will be updated
to account for the root causes of any apparent violations or systemic
deficiencies identified by the organization during the routine course of
business.
1.企业按照充分考虑潜在风险的方式和频率进行或将进行OFAC风险评估。这些风险可能由客户、产品、服务、供应链、中间人、交易对手、交易和地理位置导致,具体取决于企业性质。在适当情况下,应更新风险评估,解释企业在日常业务过程中发现的任何明显违规行为或缺陷的根本原因。
A. In assessing itsOFAC risk, organizations should leverage existing information to inform the process.In turn, the risk assessment will generally inform the extent of the duediligence efforts at various points in a relationship or in a transaction. Thismay include:
A.在评估OFAC风险时,企业应利用现有信息了解这个程序。反过来,风险评估通常也会说明在一种关系或一笔交易中的以下各个点进行尽职调查工作的程度:
1. On-boarding: Theorganization develops a sanctions risk rating for customers, customer groups,or account relationships, as appropriate, by leveraging information provided bythe customer (for example, through a Know Your Customer or Customer Due Diligenceprocess) and independent research conducted by the organization at the initiationof the customer relationship.
1.新客户关系建立:企业开始与客户建立关系时,利用客户提供的信息(例如,通过了解您的客户或客户尽职调查流程)以及企业自己的独立研究,对客户、客户群或客户关系制定制裁风险评级。
This information willguide the timing and scope of future due diligence efforts. Important elementsto consider in determining the sanctions risk rating can be found in OFAC'srisk matrices
该信息将指导未来尽职调查工作的时间和范围。可以在OFAC提供的风险矩阵中找到确定制裁风险评级时所需要考虑的重要因素。
2. Mergers and Acquisitions(M&A): As noted above, proper risk assessments should include and encompassa variety of factors and data points for each organization. One of themultitude of areas organizations should include in their risk assessments-which,in recent years, appears to have presented, numerous challenges with respect toOFAC sanctions-are mergers and acquisitions. Compliance functions should alsobe integrated into the merger, acquisition, and integration process. Whether inan advisory capacity or as a anticipant, the organization engages inappropriate due diligence to ensure that sanctions-related issues areidentified, escalated to the relevant senior levels, addressed prior to theconclusion of any transaction, and incorporated into the organization's riskassessment process. After an M&A transaction is completed, theorganization's Audit and Testing function will be critical to identifying anyadditional sanctions-related issues.
2.并购:如上所述,适当的风险评估内容应涵盖每个企业的各种因素和数据点。企业在其风险评估中应纳入的许多领域中的一个是-兼并和收购,这也是近年来似乎已经显现出OFAC制裁众多挑战的领域。合规职能也应纳入合并、收购和整合的过程。无论是作为顾问还是参与者,企业都应该进行适当的尽职调查,确保识别出制裁相关问题,上报到相关高级级别,在任何交易结束之前对这些问题进行解决并纳入企业的风险评估流程。在并购交易完成后,企业的审计和测试职能对于确定任何与制裁相关的其他问题是至关重要的。
II. The organization
has developed a methodology to identify, analyze, and address the particular
risks it identifies. As appropriate, the risk assessment will be updated to
account for the conduct and root causes of any apparent violations or systemic
deficiencies identified by the organization during the routine course of
business, for example, through a testing or audit function.
企业已开发出发现、分析和解决所识别出的特定风险的方法。在适当情况下,例如,通过测试或审计功能对风险评估进行更新,说明企业在日常业务过程中发现的任何明显违规行为或系统缺陷及其产生的根本原因。
INTERNAL CONTROLS
内部控制
An effective SCP shouldinclude internal controls, including policies and procedures, in order toidentify, interdict, escalate, report (as appropriate), and keep records pertainingto activity that may be prohibited by the regulations and laws administered byOFAC. The purpose of internal controls is to outline clear expectations, defineprocedures and processes pertaining to OFAC compliance(including reporting andescalation chains), and minimize the risks identified by the organization'srisk assessments. Policies and procedures should be enforced, weaknesses shouldbe identified (including through root cause analysis of any compliancebreaches) and remediated and internal and/or external audits and assessments ofthe program should be conducted on a periodic basis.
一个有效的SCP应涵盖内部控制内容,包括识别、拦截、上报、报告(视情况而定)及保存与OFAC法规、法律可能被禁止活动有关记录的政策和程序。内部控制的目的是概述明确期望、对OFAC合规相关的程序和流程(包括报告和上报链)进行定义,并最大限度地降低企业风险评估所识别出的风险。应有效执行政策和程序,(包括通过对任何违规行为根本原因进行分析)对弱点进行识别和补救,定期对方案进行内部和/或外部审计和评估。
Given the dynamic natureof U.S. economic and trade sanctions, a successful and effective SCP should becapable of adjusting rapidly to changes published by OFAC. These include thefollowing: (i) updates to OFAC's List of Specially Designated Nationals andBlocked Persons(the "SDN List"), the Sectoral Sanctions IdentificationList ("SSI List"), and other sanctions-related lists:(ii new.amended, or updated sanctions programs or prohibitions imposed on targetedforeign countries, governments, regions, or persons, through the enactment ofnew legislation, the issuance of new Executive orders, regulations, orpublished OFAC guidance or other OFAC actions: and (iii) the issuance ofgeneral licenses.
鉴于美国经济和贸易制裁政策不断变化,一个成功有效的SCP应能够迅速适应OFAC政策的发展,OFAC政策包括:(i)对OFAC特别指定国民和被封锁人员名单(“SDN清单”)、部门制裁识别清单(“SSI清单”)和其他制裁相关清单的更新;(ii)通过颁布新立法、新行政指令、法规或公布OFAC指南或其他OFAC行动对目标外国、政府、地区或个人实施新的、经修订的或更新的制裁方案或禁令;以及(iii)颁发一般许可证。
General Aspects of an SCP: Internal
Controls
SCP通用:内部控制
Effective OFAC complianceprograms generally include internal controls, including policies and procedures,in order to identify, interdict, escalate, report (as appropriate),and keeprecords pertaining to activity that is prohibited by the sanctions programs administeredby OFAC. The purpose of internal controls is to outline clear expectations,define procedures and processes pertaining to OFAC compliance, and minimize therisks identified by an entity's OFAC risk assessments. Policies and proceduresshould be enforced, and weaknesses should be identified(including through rootcause analysis of any compliance breaches) and remediated in order to preventactivity that might violate the sanctions programs administered by OFAC.
有效的OFAC合规方案通常涵盖内部控制,包括识别、拦截、上报、报告(视情况而定)及保存OFAC制裁方案下被禁止活动有关记录的政策和程序。内部控制的目的是概述一个明确的期望,对OFAC合规相关的程序和流程进行定义,并最大限度地降低实体经过OFAC风险评估所识别出的风险。大力执行政策和程序,并(包括通过对任何合规违规行为的根本原因进行分析)识别缺陷并进行补救,防止可能违反OFAC制裁方案的活动发生。
I The organization has designed and
implemented written policies and procedures outlining the SCP. These policies
and procedures are relevant to the organization. Capture the organization's day-to-day operations and
procedures, are easy to follow,and designed to prevent employees from engaging in misconduct.
1.该企业设计并实施了概述SCP的书面政策和程序。这些政策和程序应与企业相适应,融入企业的日常操作和程序中,易遵循,并可以防止员工从事不当行为。
别出的风险。大力执行政策和程序,并(包括通过对任何合规违规行为的根本原因进行分析)识别缺陷并进行补救,防止可能违反OFAC制裁方案的活动发生。
II The organization
has implemented internal controls that adequately address the results of its
OFAC risk assessment and profile. These internal controls should enable the
organization to clearly and effectively identify. interdict, escalate. and
report to appropriate personnel within the organization transactions and
activity that may be prohibited by OFAC. To the extent information technology
solutions factor into the organization's internal controls, the organization
has selected and calibrated the solutions in a manner that is appropriate to
address the organization's risk profile and compliance needs, and the
organization routinely tests the solutions to ensure effectiveness.
企业实施了充分解决OFAC风险评估结果及概况的内部控制。这些内部控制应使企业清楚有效地识别、拦截、上报,并向企业内相关人员报告可能被OFAC禁止的交易和活动。在某种程度上,信息技术解决方案会影响到企业的内部控制,企业应选择适合解决其风险状况和合规性需求的方式、对解决方案进行校准,定期测试解决方案以确保方案的有效性。
III The organization
enforces the policies and procedures it implements as part of its OFAC compliance
internal controls through internal and/or external audits.
企业通过内部和/或外部审计执行其所实施的政策和程序,作为OFAC合规内部控制的一部分。
V. The organization
ensures that its OFAC-related recordkeeping policies and procedures adequately
account for its requirements pursuant to the sanctions programs administered by
OFAC.
企业确保其OFAC相关记录保存政策和程序充分考虑了其在OFAC制裁方案下的要求。
VI. The organization has clearly communicated
the SCP's policies and procedures to all relevant staff, including personnel
within the SCP program, as well as relevant gatekeepers and business units
operating in high-risk areas (e-g., customer acquisition, payments, sales, etc.)
and to external parties performing SCP responsibilities on behalf of the
organization.
企业已明确将SCP政策和程序传达给所有相关人员,包括SCP方案内人员、高风险领域运营的相关把关者和业务部门(例如,客户获取、支付、销售等部门)以及代表企业履行SCP职责的外部各方。
VII. The organization
has appointed personnel for integrating the SCP's policies and procedures into
the daily operations of the company or corporation. This process includes
consultations with relevant business units, and confirms the organization's
employees understand the policies and procedures.
企业指定了将SCP政策和程序融入到公司日常运营中是人员。融入程序包括与相关业务部门进行协商,确保企业员工了解SCP政策和程序。
TESTING AND AUDITING
测试及审计
Audits assess the effectivenessof current processes and check for inconsistencies between these and day-to-dayoperations. A comprehensive and objective testing or audit function within anSCP ensures that an organization identifies program weaknesses anddeficiencies, and it is the organization's responsibility to enhance itsprogram, including all program-related software, systems, and other technology,to remediate any identified compliance gaps. Such enhancements might includeupdating, improving, or recalibrating SCP elements to account fora changingrisk assessment or sanctions environment. Testing and auditing can be conductedon a specific element of an SCP or at the enterprise-wide level.
审计可以对当前程序的有效性进行评估,并检查这些程序与日常运营之间的不一致性。对SCP全面、客观的测试或审计功能可以确保企业识别出物品的缺陷。企业有责任加强其合规方案,包括所有与方案相关的软件、系统和其他技术,修复任何已识别出的合规差距。此类加强功能可能包括更新、改进或重新校准SCP元素,以应对不断变化的风险评估或制裁环境。可以对SCP的特定元素或在整个公司范围内进行测试和审计。
General Aspects of
an SCP: Testing and Auditing.
SCP通用要素:测试和审计。
comprehensive, independent,and objective testing or audit function within an SCP ensures at entities areaware of where and how their programs are performing and should be updated,enhanced, or recalibrated to account for a changing risk assessment or sanctionsenvironment, as appropriate. Testing or audit, whether conducted on a specificelement of a compliance program or at the enterprise-wide level, are importanttools to ensure the program is working as designed and identify weaknesses anddeficiencies within a compliance program.
SCP内的全面、独立及客观的测试或审计功能可确保实体了解其合规方案的执行地点和方式,以酌情对测试或审计功能进行更新、增强或重新校准,应对不断变化的风险评估或制裁环境。无论是针对合规方案的特定要素进行测试或审计,还是在企业范围内进行测试或审计,都是确保方案能够按设计目的进行运作,是识别合规方案中弱点和缺陷的重要工具。
1. The organization
commits to ensuring that the testing or audit function is accountable to senior
management, is independent of the audited activities and functions, and has
sufficient authority, skills, expertise, resources, and authority within the
organization.
企业承诺确保测试或审计职能对高级管理层负责,独立于被审计的活动和职能,并在企业内拥有足够的权力、技能、专业知识、资源和权限。
II. The organization
commits to ensuring that it employs testing or audit procedures appropriate to
the level and sophistication of its SCP and that this function, whether deployed
internally or by an external party, reflects a comprehensive and objective assessment
of the organization's OFAC-related risk assessment and internal controls.
企业承诺确保采用适合其SCP级别和复杂程度的测试或审计程序,且无论是由内部还是由外部部门开展测试或审计活动,都反映了对该企业OFAC相关风险评估及内部控制的全面客观评估。
III. The organization
ensures that, upon learning of a confirmed negative testing result or audit
finding pertaining to its SCP, it will take immediate and effective action, to
the extent possible, to identify and implement compensating controls until the
root cause of the weakness can be determined and remediated.
企业确保在获悉了确认的负面测试结果或与其SCP有关的审核结果后,会尽可能立即采取有效措施,识别并实施补偿控制措施,直至确定出弱点的根本原因并进行补救。
TRAINING
培训
An effective training program is anintegral component of a successful SCP. The training program should be providedto all appropriate employees and personnel on aperiodic basis (and at aminimum, annually) and generally should accomplish the following:
(i) provide job-specific knowledge basedon need; (ii) communicate the sanctions compliance responsibilities for eachemployee; and (iii) hold employees accountable for sanctions compliancetraining through assessments.
有效的培训方案是一个成功的SCP的组成部分。应向所有适当的员工和人员定期(至少每年一次)提供培训,并通常应包含以下工作:(i)根据需要提供工作专业知识;(ii)向每位员工传达制裁合规方面的责任;(iii)通过评估,使员工对制裁合规培训负责。
General Aspects of an SCP: Training
SCP通用要素:培训
An adequatetraining program, tailored to an entity's risk profile and all appropriateemployees and stakeholders. is critical to the success of an SCP.
根据实体风险状况及所有适当员工和利益相关者提供量身定制的适当培训方案对SCP的成功是至关重要的。
1. The organization
commits to ensuring that its OFAC-related training program provides adequate
information and instruction to employees and, as appropriate, stakeholders (for
example, clients, suppliers, business partners, and counterparties)in order to
support the organization's OFAC compliance efforts. Such training should be
further tailored to high-risk employees within the organization.
企业承诺确保,为支持企业的OFAC合规工作,其OFAC相关培训方案应向员工及适当的利益相关者(例如,客户、供应商、业务合作伙伴和交易对手)提供充分的信息和指导。此类培训应进一步针对企业内的高风险员工开展。
II. The organization
commits to provide OFAC-related training with a scope that is appropriate for
the products and services it offers; the customers, clients, and partner
relationships it maintains; and the geographic regions in which it operates.
企业承诺提供与其产品和服务、维护的客户、合作伙伴关系及其经营所在地理区域相当的OFAC相关培训。
III. The organization
commits to providing OFAC-related training with a frequency that is appropriate
based on its OFAC risk assessment and risk profile.
企业承诺根据其OFAC风险评估和风险概况,提供适当的OFAC相关培训。
VI. The organization
commits to ensuring that, upon learning of a confirmed negative testing result
or audit finding, or other deficiency pertaining to its SCP, it will take
immediate and effective action to provide training to or other corrective
action with respect to relevant personnel.
企业承诺在得知确认的负面测试结果或与其SCP有关的审核结果或其他缺陷后,将立即采取有效措施,为相关人员提供培训或采取其他纠正措施。
Root Causes of OFAC
Sanctions Compliance Program Breakdowns or Deficiencies Based on Assessment of
Prior OFAC Administrative Actions
根据对OFAC先前行政行为的评估,确定出的OFAC制裁合规方案故障或缺陷产生的根本原因
Since its publication of the Economic
Sanctions Enforcement Guidelines31 C.F.R. part 501,App. A (the
"Guidelines"), OFAC has finalized numerous public enforcement actions
in which it identified deficiencies or weaknesses within the subject person's
SCP. These items, which are provided in a non-exhaustive list below, are
provided to alert persons subject to U.S. jurisdiction, including entities that
conduct business in or with the United States, U.S. persons, or U.S.-origin
goods or services, about several specific root causes associated with apparent
violations of the regulations it administers in order to assist them in
designing, updating, and amending their respective SCP.
自公布《联邦管理条例》第31编第501部分附件A-《经济制裁执法指南》(“指南”)以来,在OFAC已完成的许多公共执法行动中确定出被处罚人的SCP存在缺陷或弱点,下面列出了一个非详尽的清单,用于提醒受美国管辖的人员,包括在美国、与美国或美国人开展业务、使用美国原产商品或服务,明显违反OFAC法规行为相关若干具体的根本原因,以协助企业设计、更新和修订他们各自的SCP。
I. Lack of a Formal OFAC SCP
未设立正式的OFAC SCP
OFAC regulations donot require a formal SCP: however. OFAC encourages organizations subject toU.S. jurisdiction (including but not limited to those entities that conductbusiness in, with, or through the United States or involving U.S.-origin goods,services. or technology)and particularly those that engage in international tradeor transactions or possess any clients or counter-parties located outside ofthe United States, to adopt a formal SCP. OFAC has finalized numerous civil monetarypenalties since publicizing the Guidelines in which the subject person's lackof an SCP was one of the root causes of the sanctions violations identifiedduring the course of the investigation. In addition, OFAC frequently identifiedthis element as an aggravating factor in its analysis of the General Factorsassociated with such administrative actions.
OFAC法规没有强制要求企业设立正式的SCP,但是OFAC鼓励受美国司法管辖的企业(包括但不限于在美国境内、通过美国或与美国开展业务或涉及美国原产商品、服务或技术的实体),特别是那些从事国际贸易或交易的企业或拥有位于美国境外客户或相对方的企业设立正式的SCP。自公布《指南》以来,在很多OFAC已经完成的对被处罚人进行的民事罚款处罚中,都是由于在调查过程中发现违反制裁规定的根本原因之一是没有设立SCP。此外,OFAC经常将这个要素作为此类行政行为相关一般因素分析的加重因素。
II. Misinterpreting, or Failing to
Understand the Applicability of, OFAC's Regulations
对OFAC规则适用性的误读或不理解
Numerous organizationshave committed sanctions violations by misinterpreting OFAC's regulations,particularly in instances in which the subject person determined thetransaction, dealing, or activity at issue was either not prohibited or did notapply to their organization or operations. For example, several organizations havefailed to appreciate or consider (or, in some instances, actively disregarded)the fact that OFAC sanctions applied to their organization based on theirstatus as a U.S. person, a U.S.-owned or controlled subsidiary (in the Cuba andIran programs), or dealings in or with U.S. persons, the U.S. financial system,or U.S.-origin goods and technology.
许多企业由于误解了OFAC规定从而违反了制裁规定,特别是,被处罚人员认定其交易或争议活动未被禁止或OFAC规定不适用于他们企业或运营。例如,一些企业未能理解、考虑(或在某些情况下,积极忽视)OFAC制裁会由于他们作为美国人、美国拥有或控制的子公司(在古巴和伊朗项目中)、在美国或与美国人开展交易、涉及美国金融系统或美国原产货物和技术的交易这些因素适用于他们企业。
With respect tothis specific root cause, OFAC's administrative actions have typically identified,additional aggravating factors, such as reckless conduct, the presence of numerouswarning signs that the activity at issue was likely prohibited, awareness bythe organization's management of the conduct at issue, and the size andsophistication of the subject person.
关于这个特定的根本原因,在OFAC的行政行为中通常已经确定出了其他加重因素,例如鲁莽行为、存在大量表明有关活动可能被禁止的警告标志、企业管理层有关行为的认识以及被处罚人的规模和复杂程度。
III. Facilitating Transactions by Non-U.S.
Persons (Including Through or By Overseas Subsidiaries or Affiliates).
(包括通过海外子公司或关联公司)促进非美国人的交易
Multiple organizationssubject to U.S. jurisdiction--specifically those with foreign-based.
Operations and subsidiarieslocated outside of the United States-have engaged in transactions or activitythat violated OFAC's regulations by referring business opportunities to,approving or signing off on transactions conducted by, or otherwisefacilitating dealings between their organization's non-U.S. locations and OFAC-sanctionedcountries, regions, or persons. In many instances, the root cause of theseviolations stems from a misinterpretation or misunderstanding of OFAC'sregulations. Companies and corporations with integrated operations, particularlythose involving or requiring participation by their U.S.-based headquarters,locations, or personnel, should ensure any activities they engage in (i.e.,approvals, contracts, procurement, etc.) are compliant with OFAC's regulations.
受美国管辖的多个企业-特别是总部位于外国的企业、位于美国境外的运营和子公司由于对其企业的非美国地点与OFAC制裁国家、地区或个人开展交易引用商业机会、批准或签署或以其他方式为此类交易提供便利,从事违反了OFAC规定的交易或活动。在许多情况下,这些违规行为的根本原因在于对OFAC法规的误解或误读。具有多个运营地点的公司,尤其是涉及或要求总部、其他运营地点或人员参与的公司应确保其参与的任何活动(即批准、合同、采购等)符合OFAC的规定。
IV Exporting or Re-exporting
U.S.-origin Goods, Technology, or Services to OFAC-
Sanctioned Persons
or Countries
向OFAC制裁的人或国家出口或再出口美国原产货物、技术或服务
V Utilizing the U.S.
Financial System, or Processing Payments to or through U,S.
Financial Institutions,
for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries
利用美国金融系统处理或通过美国金融机构处理涉及OFAC制裁人或国家的商业交易
Many non-U.S. personshave engaged in violations of OFAC's regulations by processing financialtransactions (almost all of which have been denominated in U.S. Dollars) to orthrough U.S. financial institutions that pertain to commercial activityinvolving an OFAC-sanctioned country, region, or person. Although no organizationssubject to U.S. jurisdiction may be involved in the underlying transaction--suchas the shipment of goods from a third-country to an OFAC-sanctioned country-theinclusion of a U.S. financial institution in any payments associated with thesetransactions often results in a prohibited activity (e.g., the exportation orre-exportation of
services from the UnitedStates to a comprehensively sanctioned country, or dealing in blocked propertyin the United States). OFAC has generally focused its enforcement investigationson persons who have engaged in willful or reckless conduct, attempted toconceal their activity (e.g., by stripping or manipulating payment messages, ormaking false representations to their non-U.S. or U.S. financial institution),engaged in a pattern or practice of conduct for several months or years,ignored or failed to consider numerous warning signs that the conduct wasprohibited, involved actual knowledge or involvement by the organization's management,caused significant harm to U.S. sanctions program objectives, and were large orsophisticated organizations.
许多非美国人为美国金融机构或通过美国金融机构处理涉及OFAC制裁国家、地区或个人商业活动的金融交易(几乎全部以美元计价)而违反了OFAC规定。虽然受美国管辖的企业可能没有参与相关交易活动-例如将货物从第三国运输到OFAC制裁的国家–但是将美国金融机构引入这些交易相关的任何付款通常会导致被禁止的活动发生(例如,将服务从美国出口或再出口到一个受到全面制裁的国家,或者处理在美国被封锁的财产)。OFAC在其执法调查中一般重点查看以下人员:从事故意或鲁莽行为、试图隐瞒其活动(例如通过剥离或操纵支付信息或对非美国或美国金融机构作出虚假陈述)、从事违规行为达几个月或几年(惯性行为)、忽视或未对许多表明被禁止行为的警告信号进行考虑、涉及企业管理层的实际明知或参与、对美国制裁方案目标造成重大损害、大型或复杂企业。
VI. Sanctions Screening Software or Filter
Faults
制裁筛选软件或过滤器故障
Many organizations conduct screening of
their customers, supply chain, intermediaries, counter-parties, commercial and
financial documents, and transactions in order to identify OFAC-prohibited
locations, parties. or dealings. At times organizations have failed to update
their sanctions screening software to incorporate updates to the SDN List or
SSI List, failed to include pertinent identifiers such as SWIFT Business
Identifier Codes for designated, blocked or sanctioned financial institutions. or
did not account for alternative spellings of prohibited countries or parties-particularly
in instances in which the organization is domiciled or conducts business in
geographies that frequently utilize such alternative spellings (i.e., Habana
instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan, etc.).
许多企业对其客户、供应链、中间人、相对方的商业和财务文件、交易进行筛选,以识别OFAC所禁止的地点、各方当事人或交易。有时,企业未能更新其制裁筛选软件从而未纳入更新后的SDN清单或SSI清单,或未能包括相关标识符,例如被指定、封锁、或被制裁的金融机构的SWIFT业务标识符代码,或(特别是在企业所在地或在经常使用这种替代拼写的地理区域开展业务的情况下),没有说明被禁止国家和当事方的替代拼写,(即Habana替代哈瓦那(Havana),Kuba替代古巴(Cuba),Soudan替代苏丹(Sudan)等)。
VII. Improper Due Diligence on
Customers/Clients (e.g., Ownership, Business Dealings, etc.)
对客户(例如,所有权、业务往来等)的不当尽职调查
One of the fundamental components of an
effective OFAC risk assessment and SCP is conducting due diligence on an
organization's customers, supply chain, intermediaries, and counter-parties.
Various administrative actions taken by OFAC involved improper or incomplete
due diligence by a company or corporation on its customers, such as their
ownership, geographic location(s),counter-parties, and transactions, as well as
their knowledge and awareness of OFAC sanctions.
一个有效OFAC风险评估,即SCP的基本组成部分之一是对企业的客户、供应链、中间人和交易对方进行尽职调查。很多情况下,OFAC采取行政措施的起因是公司对其客户的尽职调查不当或不完整。尽职调查的内容应涉及例如,所有权、地理位置、交易对手、交易以及对OFAC制裁的了解和认识。
VIII. De-Centralized Compliance Functions and Inconsistent
Application of an SCP
非集中的合规职能&SCP适用的不一致性
While each organization should design,
develop, and implement its risk-based SCP based on its own characteristics, several
organizations subject to U.S. jurisdiction have committed apparent violations
due to a de-centralized SCP. often with personnel and decision-makers scattered
in various offices or business units. In particular, violations have resulted
from this arrangement due to an improper interpretation and application of
OFAC's regulations, the lack of a formal escalation process to review high-risk
or potential OFAC customers or transactions, an inefficient or incapable oversight
and audit function, or miscommunications regarding the organization's
sanctions-related policies and procedures.
虽然每个企业都应根据自己的特点设计、开发和实施基于风险的SCP,但受美国管辖的企业通常因分散的SCP(人员和决策者分散在各个办公室或业务部门)导致了明显违规行为的发生。特别是,由于对OFAC法规的解释和适用不当,缺少对高风险或潜在的OFAC客户或交易进行审查的正式上报程序、监督和审计职能低效或不起作用、企业制裁有关政策和程序沟通不畅,导致了违规行为的发生。
IX. Utilizing Non-Standard Payment or
Commercial Practices
非标准的付款或商业惯例
Organizations subject to U.S. jurisdiction
are in the best position to determine whether a particular dealing,
transaction, or activity is proposed or processed in a manner that is consistent
with industry norms and practices. In many instances, organizations attempting
to evade or circumvent OFAC sanctions or conceal their activity will implement
non-traditional business methods in order to complete their transactions.
受美国管辖的企业最容易确定出将进行或处理的特定交易或活动是否符合行业规范和惯例。在许多情况下,试图逃避或规避OFAC制裁或隐瞒其活动的企业为完成其交易往往会采用不同寻常的商业方法。
X. Individual Liability
个人责任
In several instances,individual employees-particularly in supervisory, managerial, or executive-levelpositions-have played integral roles in causing or facilitating violations ofthe regulations administered by OFAC. Specifically OFAC has identifiedscenarios involving U.S.-owned or controlled entities operating outside of theUnited States, in which supervisory, managerial or executive employees of theentities conducted or facilitated dealings or transactions with OFAC-sanctionedpersons, regions, or countries, notwithstanding the fact that the U.S. entityhad a fulsome sanctions compliance program in place. In some of these cases,the employees of the foreign entities also made efforts to obfuscate andconceal their activities from others within the corporate organization,including compliance personnel, as well as from regulators or law enforcement.In such circumstances, OFAC will consider using its enforcement authorities notonly against the violating entities, but against the individuals as well.
在一些案例中,个别员工-特别是监督、管理或行政级职位的员工在导致或促进违反OFAC法规方面发挥了不可或缺的作用。特别是,OFAC已确定出,在涉及美国境外运营的美国拥有或控制实体的情况下,尽管美国实体已实施了充分到位的制裁合规方案,但实体的监督、管理或执行人员与被OFAC制裁的人员、地区或国家开展交易或促成交易。在其中一些案例中,外国实体的员工也故意向公司企业内其他人,包括合规人员以及监管机构或执法部门混淆和隐瞒这些活动。在这种情况下,OFAC将考虑不仅针对违规实体进行执法,还会针对个人进行执法。
网友评论