The document describes how OFAC may include these components into its evaluation of apparent violations and resolution of investigations resulting in settlements.


It also provides organizations with a framework for the five essential components of a risk-based SCP, and outlines several of the root causes that have led to apparent violations of the sanctions programs that OFAC administers.

OFAC recommends all organizations subject to US jurisdiction review the settlements published by OFAC to reassess and enhance their respective SCPs, when and as appropriate.



1. Management Commitment

Senior Management’s commitment to, and support of, an organization’s risk-based SCP is one of the most important factors in achieving its success. This support is key in ensuring the SCP receives enough resources and is fully integrated into the organization’s daily operations, and also helps legitimize the program, empower its personnel, and adopt a culture of compliance throughout the organization.

2. Risk Assessment 

Risks in sanctions compliance are possible threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations and negatively affect an organization’s reputation and business.

OFAC recommends that organizations take a risk-based approach when designing or updating an SCP. One of the central tenets of this approach is for organizations to perform a routine, and if appropriate, ongoing 'risk assessment' for identifying potential OFAC issues they are likely to encounter. The results of a risk assessment are integral in informing the SCP’s policies, procedures, internal controls, and training in order to mitigate such risks.

While there is no 'one-size-fits all' risk assessment, the exercise should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world.

3. Internal Controls

An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report, and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC.

The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and limit the risks identified by the organization’s risk assessments. Policies and procedures should be enforced, weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated, and internal and/or external audits and assessments of the program should be conducted on a periodic basis.

4. Testing and Auditing

Audits assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective testing or audit function within an SCP ensures that an organization identifies program weaknesses and deficiencies, and it is the organization’s responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps. Such enhancements might include updating, improving, or recalibrating SCP elements to account for a changing risk assessment or sanctions environment. Testing and auditing can be conducted on a specific element of an SCP or at the enterprise-wide level.

5. Training

An effective training program is an integral component of a successful SCP. The training program should be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually) and generally should accomplish the following:

  • Provide job-specific knowledge based on need;
  • Communicate the sanctions compliance responsibilities for each employee;
  • Hold employees accountable for sanctions compliance training through assessments.

See more details in the PDF herebelow