Supply Chain Due Diligence: Mitigating Sanctions Risk with New OFAC Compliance Framework


A wave of enforcement actions from the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) over the past two years has likely pushed the release of a new sanctions compliance framework—the first ever by the office—and highlights the critical importance of supply chain due diligence to mitigate sanctions risk.

Quite often, OFAC violations occur unwittingly—and in the eyes of regulators ignorance is not a valid excuse. OFAC’s new sanctions compliance framework focuses on how a robust and adhered-to sanctions compliance program (SCP), including clearly defined protocols for risk assessment and proper due diligence, can help companies avoid common causes of sanctions violations. The framework offers guidance to help companies assess and update their SCPs as needed. Acknowledging company SCPs will vary based on unique risk factors—such as company size and complexity, products and services, customers and partners, and geographic locations—the new framework outlines central elements of effective SCPs that apply to all. They include:

  • Senior Management Commitment – Noted as one of the most important factors for a successful risk-based SCP, senior management support looks like adequate resources allocated for compliance—including designating a senior compliance team member to be the organization’s dedicated OFAC compliance officer—and support for a “culture of compliance” across the organization.
  • Risk Assessment – A key tenet of a successful SCP involves routine and, if appropriate, ongoing assessment of risk to identify OFAC issues that the organization is likely to encounter.
  • Internal Controls – An effective SCP has defined policies and procedures for identifying, escalating, reporting (when appropriate) and keeping records of OFAC-prohibited activity.
  • Testing and Auditing – An independent, comprehensive, and objective testing and/or audit function is needed to assist with recalibrating, enhancing, or updating SCPs as risk assessment needs or sanctions environments change.
  • Training – Adequate training reinforces the support of the SCP beyond senior management, ensuring OFAC compliance among employees and stakeholders such as customers, business partners, suppliers, and counterparties. 

Once senior management buys into the importance of an effective SCP, companies often seek expertise in the marketplace, such as that of Vcheck Global’s industry professionals, to either augment or act as their compliance team and assist with OFAC compliance via risk assessments such as background investigations and due diligence. 

The OFAC framework highlights three areas of focus for companies to consider for routine risk assessments: 1) customers, counter-parties, intermediaries, and supply chain; 2) services and products offered, and how and when they fit into other commercial or financial systems, networks, services, and products; and 3) the geographic locations of the business’ operations, customers, counter-parties, intermediaries, and supply chain. 

More than guidelines for creating an effective SCP, the framework provides specific examples of identified weaknesses and deficiencies with SCPs that could put companies at risk. Here are three of the several cited examples to consider:

“Misinterpreting or Failing to Understanding the Applicability of OFAC Regulations”

OFAC regulations target foreign regimes, traffickers, terrorists, weapons dealers, and other threats, enforcing trade and economic sanctions based on U.S. national security goals and foreign policy regulations. The U.S. updates sanctions designations and issues new sanctions through OFAC, and often. In order to adhere to the latest regulations, Vcheck Global monitors these regulations and helps its clients complete the necessary supply chain due diligence to avoid unnecessary risk and prevent financial loss. For example, in May, the Treasury along with the U.S. State Department and U.S. Coast Guard issued a global advisory regarding deceptive shipping procedures designed to evade sanctions, specifically those issued for Iran, North Korea, and Syria. The advisory includes best practices for private industry to consider for mitigating risk exposure to sanctions.

“Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries”

More well-reported U.S. sanctions on countries including Russia, North Korea, Iran, Cuba, Syria, and Venezuela, however there are also lesser-known sanctions against Burma, Somalia, Nicaragua, Sudan, and Darfur. Beyond country-designated sanctions, the U.S. also has cyber-related sanctions to protect critical infrastructure, prevent denial of service attacks, and potential loss of sensitive information at scale including personal finance data and trade secrets. Vcheck Global’s team of investigators are consistently monitoring OFAC regulations for changes and updates, and are adept at poring through sanctions and watch lists to identify subjects and affiliations.

One egregious OFAC case involving a Connecticut-based shipping company was identified to have engaged in business with a Burmese trading business actively listed on OFAC’s list of individuals and companies affiliated with targeted countries. The transactional value of the shipping company’s 36 identified OFAC violations amounted to more than $1.7 million. The potential civil liability was settled by the shipping company for $1.125 million—a settlement that may have been avoided had the shipping company completed and followed findings from a proper supply chain due diligence investigation.

Improper Due Diligence on Customers/Clients (Ownership, Business Dealings, etc.)

As stated at the beginning, non-compliance with OFAC regulations never pays off. Ignoring important due diligence tasks or assigning them to untrained team members who lack the ability or motivation to thoroughly investigate a business relationship or activity can lead to hefty fines and a tarnished business reputation.




Get in Touch

Get in touch with our team.
We can’t wait to hear from you.