OFAC’s new framework guidance for sanctions compliance programs stretched into new territory with its risk assessment requirement. This new approach reflects OFAC’s recent aggressive enforcement programs.


 


The scope of a risk assessment has to mirror the breadth of enforcement risks and has to include review of:



(i) customers, supply chain, intermediaries, and counter-parties;


(ii) the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks or systems;


(iii) the geographic locations of the organization, as well as its customers, supply chain, intermediaries and counter-parties; and


(iv) potential merger and acquisitions, especially those involving non-U.S. companies or corporations.