Trade and Sanction Compliance Program (SCP): What you need to know

Like many software-as-a-service (SaaS) companies, Thoropass provides our software and services to customers around the world. As a U.S.-based company, we must comply with U.S. laws on export controls, trade embargoes, and anti-money laundering. Your company may be subject to the same regulations and requirements. Thoropass follows the compliance framework published by the Office of Foreign Assets Control (OFAC) and has found that guidance effective in our own environment. This post will help you establish your own Trade and Sanctions Compliance Program by laying out the essential background and our recommendations.

Disclaimer: This post is NOT legal advice; consult your legal counsel about the trade regulations that apply to you.

Let's start with some of the laws governing export and trade.

The Export Administration Regulations

The U.S. government has established export controls regulating the transfer of U.S.-origin commodities (including software and technology) to other countries and regions. The Export Administration Regulations (EAR), administered by the Department of Commerce's Bureau of Industry and Security (BIS), cover the export and reexport of U.S.-origin items as well as the activities of non-U.S. persons involved in technical assistance, transfers, or related activities, whether in the U.S. or abroad. The restrictions that apply to a specific transaction depend on several factors: the item's status under the EAR, its export classification, the export destination, the end user, and the end use. Even when the EAR does not require a license, there may still be restrictions or requirements for exporting a particular item (for example, software containing encryption capabilities).
Furthermore, even if the software or technology can be exported to most countries and end users without a license, specific country-based or list-based restrictions may still apply.

OFAC sanctions

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) administers and enforces U.S. economic and trade sanctions programs. These programs target not only specific countries but also the organizations, vessels, and individuals deemed to be acting on behalf of sanctioned countries (or involved in terrorism, narcotics trafficking, and other sanctioned activities). There are two general types of sanctions: country-based and list-based.

As of this writing, the comprehensively sanctioned (embargoed) countries and regions are: Cuba; Iran; North Korea; Syria; the Crimea region of Ukraine; the "Donetsk People's Republic" region of Ukraine; and the "Luhansk People's Republic" region of Ukraine. U.S. persons (and others subject to U.S. jurisdiction) are prohibited from nearly all dealings with individuals or entities in these countries and regions. There are also more targeted sanctions against Belarus, Myanmar (Burma), Russia, and Venezuela that prohibit, among other things, transactions involving the governments of those countries.

In addition to the country-based sanctions, OFAC maintains list-based sanctions targeting Specially Designated Nationals (SDNs) and Blocked Persons. OFAC, BIS, and other U.S. government agencies contribute to the Consolidated Screening List (CSL), which records SDNs and other restricted persons in one place.

Anti-Money Laundering (AML)

Criminal enterprises need money to continue operating. Money laundering is one way that individuals involved in criminal activity conceal the source of their illicit funds or disguise their nature by making them appear legitimate.
Money laundering generally involves three stages:

Placement: introducing the illicit funds into the financial system, for example by depositing cash or converting it into other financial instruments.
Layering: moving the funds through a series of transactions to separate them from their criminal source and obscure the audit trail.
Integration: returning the funds to the launderer through seemingly legitimate transactions, so that they appear to come from legitimate sources.

Another method is Trade-Based Money Laundering (TBML): funds obtained through criminal activity are disguised by moving their value through trade transactions. Examples include:

Over- or under-invoicing: misrepresenting the price of goods.
Multiple invoicing: invoicing one shipment several times.
Short- or over-shipping: shipping fewer or more goods than invoiced.
Obfuscation: shipping something other than what is invoiced.
Phantom shipping: shipping nothing at all and issuing false invoices.

OFAC framework

As mentioned, we adopted OFAC's guidance to implement a Sanctions Compliance Program (SCP) covering our EAR, OFAC, and AML obligations. The framework consists of five components:

Management commitment
Risk assessment
Internal controls
Testing and auditing
Training

Let's discuss each component in a little more detail.

Management commitment

Your executive management team must commit to a culture of compliance. Adopt an approved Trade and Sanctions Compliance Program Policy and designate a Trade Compliance Officer (TCO) responsible for managing the program. Management should also engage legal counsel (or other experts) as needed to comply with applicable regulations, and must put measures in place to enforce compliance with the program.

Risk assessment

You need to assess the risk of the countries and organizations you do business with. In essence, you must "know your customer" (KYC): have a process to determine which country or region a customer is from, and screen the customer against the CSL.
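The screening step just described (determine the subject's country or region, then check the name against the CSL) is what a compliance engineer usually ends up automating, and the same routine serves for screening employees and contractors. The following is an added example, not Thoropass's code and not an interface to the real CSL: every list entry, alias, and subject name below is constructed sample data, the embargoed-region set is copied from this post, and the 0.85 similarity threshold and one-day freshness window are illustrative choices rather than regulatory values.

```python
"""Sanctions screening example: country check, fuzzy name match against a
screening list, and a freshness check on the list itself.

Added illustration only. Every entry in SAMPLE_LIST is constructed sample
data (hypothetical), not a record from the real Consolidated Screening List.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Corporate suffixes that carry no identifying information for matching.
_SUFFIXES = {"co", "ltd", "llc", "inc", "corp", "corporation", "company", "limited"}


def normalize(name: str) -> str:
    """Case-fold, strip diacritics and punctuation, drop corporate suffixes and
    collapse whitespace, so 'Acme Trading Co., Ltd.' == 'ACME TRADING CO LTD'."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    lowered = re.sub(r"[^a-z0-9 ]", " ", plain.casefold())
    return " ".join(t for t in lowered.split() if t not in _SUFFIXES)


# Comprehensively sanctioned countries and regions as listed in this post.
EMBARGOED_REGIONS = {normalize(r) for r in (
    "Cuba", "Iran", "North Korea", "Syria",
    "Crimea region of Ukraine",
    "Donetsk People's Republic region of Ukraine",
    "Luhansk People's Republic region of Ukraine",
)}


@dataclass
class ListEntry:
    name: str
    entry_type: str                       # "Individual" or "Entity"
    aliases: list = field(default_factory=list)


# Constructed sample list (hypothetical names; NOT real CSL records).
SAMPLE_LIST = [
    ListEntry("Acme Trading Co., Ltd.", "Entity", ["ACME TRADING"]),
    ListEntry("Jonathan Q. Example", "Individual", ["John Example"]),
]


def similarity(a: str, b: str) -> float:
    """Similarity of two normalized names in [0, 1] (difflib ratio)."""
    return SequenceMatcher(None, a, b).ratio()


def screen(subject_name: str, subject_country: str,
           entries=SAMPLE_LIST, threshold: float = 0.85) -> dict:
    """Screen one customer, employee or contractor.

    Country-based check: a subject in an embargoed country/region is blocked
    outright, whether or not the name matches anything.
    List-based check: the normalized name is compared with every entry's name
    and aliases; scores at or above the threshold are hits for manual review.
    """
    result = {"blocked": False, "reason": None, "hits": []}
    if normalize(subject_country) in EMBARGOED_REGIONS:
        result["blocked"] = True
        result["reason"] = f"embargoed country/region: {subject_country}"
    subject = normalize(subject_name)
    for entry in entries:
        best = max(similarity(subject, normalize(c)) for c in [entry.name, *entry.aliases])
        if best >= threshold:
            result["hits"].append({"entry": entry.name, "type": entry.entry_type,
                                   "score": round(best, 3)})
    result["hits"].sort(key=lambda h: h["score"], reverse=True)
    return result


def list_is_fresh(loaded_at: datetime, now: datetime,
                  max_age: timedelta = timedelta(days=1)) -> bool:
    """Refuse to rely on a stale download: the CSL changes continuously, so a
    screening run should fail closed if the local copy is too old."""
    return now - loaded_at <= max_age


if __name__ == "__main__":
    for name, country in [("ACME TRADING CO LTD", "Canada"),
                          ("Jon Example", "Canada"),
                          ("Some Customer", "Iran"),
                          ("Zed Unrelated Person", "Canada")]:
        print(name, country, "->", screen(name, country))
```

Two design points matter more than the matching algorithm itself. First, the country check and the list check are independent: a subject in an embargoed region is blocked even when no name matches, and a name hit is escalated for review even when the country is unremarkable. Second, a hit is a review item, not a verdict; the threshold trades missed matches against false positives, so keep it tunable and log every hit with its score.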
You should screen your employees and contractors as well, so that you do not transact business with restricted persons. The list is updated continuously, so you will need to rerun the checks against these entities, organizations, and individuals frequently.

Your KYC program should include the following three components:

Customer Identification Program (CIP): Ensure your customer is who they say they are. For an individual, obtain proof of identity through an accepted form of identification. For an organization, you may need to review articles of incorporation, business licenses, agreements, or financial references, or use a consumer reporting agency.
Customer Due Diligence: Determine the level of money-laundering risk the customer presents. For low-risk relationships, simplified due diligence, such as running the CSL check only, may be enough. Higher-risk relationships call for enhanced due diligence.
Continuous Monitoring: Continually monitor and review your compliance efforts and identify any suspicious activity.

Internal controls

Establish processes that ensure the required checks and due diligence activities are actually performed. Every employee is responsible for abiding by your SCP. This may include confirming that your EAR classification has not changed, notifying your TCO of any suspicious activity, or recommending compensating or remediating controls to keep the program compliant.

Testing and auditing

To ensure your compliance efforts are carried out effectively, you will need to test or audit your SCP. Internal staff who are knowledgeable about SCP compliance and independent of the activities being audited can perform these audits. Correct any identified deficiencies immediately.

Training

To demonstrate your employees' awareness of your SCP, all employees should receive mandatory training.
As a standard, this training should be documented, and employees should sign off on their acceptance of your SCP Policy and any related processes. Retain these training records to demonstrate your compliance efforts and to show that your employees understand their responsibilities and obligations under your SCP.

Final thoughts

Several regulations restrict trade, and you must understand your responsibilities under them. Failing to comply can expose your organization (and you personally) to criminal and civil penalties, with maximum fines of up to $20 million and prison terms of up to 30 years. As an example, Microsoft recently agreed to pay over $3.3 million in combined civil penalties to BIS and OFAC to resolve alleged and apparent violations of U.S. export controls and sanctions.

If you find the process shared here useful, or if you need assistance with your compliance efforts, get in touch. We have experts at Thoropass who can help!

Jay Trinckes, Data Protection Officer