
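How Can Chinese Companies Prevent and Respond to U.S. Government Sanctions Risk? An Interpretation of the U.S. Treasury Department’s “A Framework for OFAC Compliance Commitments”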

刘相文 et al., 中伦视界, 2022-03-20

Authors: 刘相文, Graham Adria, 王涛, 王妙婷

On May 2, 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) released “A Framework for OFAC Compliance Commitments” (the “OFAC Framework”).[1] The OFAC Framework provides guidance on how companies can implement a successful sanctions compliance program (“SCP”). This guidance is critical for Chinese companies, private or state-owned, that are doing business with the United States or U.S. persons, use U.S.-origin goods or services, or otherwise find themselves under U.S. jurisdiction through activities such as using the U.S. financial system. There have been a few incidents of Chinese companies getting caught up in U.S. sanctions investigations in the last few years. Notably, three financial institutions are currently embroiled in a U.S. court case over subpoenas they received to provide evidence relating to OFAC sanctions violations by their former client for a North Korean entity. The three financial institutions have not committed any crimes, nor are they under investigation. Indeed, it is very likely that they were unaware of the OFAC violations committed by their former customer that is the subject of the investigation.

OFAC is the U.S. civil enforcement agency tasked with implementing and enforcing American economic and trade sanctions and is responsible for maintaining the List of Specially Designated Nationals and Blocked Persons (the “SDN List”), the Sectoral Sanctions Identification List (the “SSI List”), and other sanctions-related lists. OFAC can impose civil penalties or take other administrative actions for sanctions violations and, when it deems appropriate, refer potential sanctions violations to appropriate law enforcement agencies, such as the U.S. Department of Justice, for criminal investigation and/or prosecution. Violations of U.S. economic and trade sanctions by Chinese companies have contributed to enforcement actions that have cost the companies more than a billion dollars in recent years.

The OFAC Framework is a critical tool for Chinese companies operating under U.S. jurisdiction. First, a strong SCP developed in accordance with the OFAC Framework can help Chinese companies avoid getting tangled up in the U.S. legal system. Often, there is a focus on Chinese companies that are caught violating U.S. sanctions on purpose, but it is prudent to remember that Chinese companies can be caught up as unknowing participants. An effective SCP can help prevent sanctions violations from the beginning. Second, a robust SCP can act as a mitigating factor when OFAC considers the appropriate response to a sanctions violation. Third, companies that enter into settlement agreements with OFAC for sanctions violations are often required to implement or improve their SCPs to meet the standards set out in the OFAC Framework.

The content of the OFAC Framework will be familiar to experienced cross-border compliance lawyers who have read recent OFAC decision notices, which have increasingly described the positive and negative features of penalized companies’ remediation efforts. The OFAC Framework centralizes this guidance and expands on it, making it a helpful reference document. In the OFAC Framework’s press release, Director of the Office of Foreign Assets Control Andrea M. Gacki stated that “[t]his underlines our commitment to engage with the private sector to further promote understanding of, and compliance with, sanctions requirements.”[2] In addition to its guidance on how OFAC will evaluate SCPs, the OFAC Framework also includes a list of frequent sources of sanctions violations. Combined with the release of the updated DOJ guidelines on compliance on April 30, 2019[3] (for details on the DOJ update, see our earlier article, “U.S. Department of Justice Issues New Corporate Compliance Guidance: Evaluation of Corporate Compliance Programs”), Chinese companies are better positioned than ever to take effective steps to reduce their exposure to American prosecutors.



The OFAC Framework


The OFAC Framework “strongly encourages” companies to take a risk-based approach to sanctions compliance that takes into consideration a company’s size and sophistication, products and services, customers and counterparties, and geographic locations.

Regardless of the company, the OFAC Framework suggests that all SCPs should include five “essential” components: 1) management commitment; 2) risk assessment; 3) internal controls; 4) testing and auditing; and 5) training.

1) Senior Management Commitment

One of the “most important factors” in determining the success of a company’s SCP is the level of support from senior management. Senior management includes senior leadership, executives, and/or the board of directors. The OFAC Framework lists five general aspects of effective senior management commitment:

I. Review

Senior management should review and approve the company’s SCP.

II. Authority and Autonomy

Senior management should ensure that the company’s compliance units are delegated sufficient authority and autonomy to implement the SCP and effectively control OFAC risk. This should include direct reporting lines between the SCP personnel and senior management, including regular meetings between the two.

III. Adequate Resources

Senior management should take steps to ensure that the company’s compliance units are allocated adequate resources as needed, including personnel, expertise, and IT support. This should be an ongoing investment that is appropriate for the company’s “breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.”

The OFAC Framework lists three criteria for measuring whether a company has provided adequate resources.

A. The company should appoint a dedicated OFAC sanctions compliance officer. Depending on the size and complexity of a company, this may be a person serving in another senior compliance position, such as an Export Control Officer.

B. The personnel dedicated to the SCP have the appropriate knowledge, experience, expertise, and position to understand and identify OFAC-related issues, risks, and prohibited activities.

C. There are sufficient control functions to support the company’s SCP, including IT software and systems, that adequately address the company’s OFAC risk assessment and risk levels.


IV. Culture of Compliance

As is the case with all compliance activities, senior management should promote a “culture of compliance” at the company. The OFAC Framework lists three criteria for measuring whether a company is promoting a culture of compliance.

A. Personnel can report OFAC-related misconduct by the company or its personnel without fear of reprisal.

B. Senior management communicates messages and takes actions that discourage OFAC-related misconduct and highlight the potential repercussions of non-compliance.

C. The SCP has oversight over the actions of the entire company, including senior management, for the purposes of OFAC compliance.

V. Recognition of Violations

Senior management should recognize the seriousness of OFAC violations by the company and its personnel, and of failures to comply with the SCP’s policies and procedures. They should implement the measures necessary to reduce the recurrence of past violations, and those measures should represent systemic solutions.

2) Risk Assessment

The OFAC Framework recommends that companies take a “risk-based approach” when designing or updating their SCP. Risks in this context are “potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations”. OFAC recommends that the best way to do this is to conduct ongoing “risk assessments” that inform SCP policies, procedures, internal controls, and training in order to mitigate risks.

Although the OFAC Framework acknowledges that there is no “one-size-fits-all” approach to risk assessment, companies should generally conduct a holistic review of the entire company and assess where it has external exposure. This allows for the identification of potential areas of interaction with OFAC-prohibited persons, parties, or countries/regions, including clients, products, services, and geographic locations. Companies should also conduct risk assessments and OFAC-related due diligence during mergers and acquisitions, especially if the other company is in a geographically at-risk area.

The OFAC Framework lists two general aspects of conducting an effective OFAC risk assessment:

I. Assessing OFAC Risk

OFAC risk assessment should be conducted in a manner and with a frequency that adequately accounts for potential risk. These risks could be posed by a company’s “clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization.” An adequate risk assessment will be updated to account for the “root causes” of any apparent violations or systemic deficiencies identified.

When assessing OFAC risk, companies should leverage existing information to determine the extent of due diligence required in a customer relationship or transaction. Companies can develop a sanctions risk profile for customers, customer groups, or account relationships by leveraging information provided by the customer through procedures such as “Know Your Customer” or “Customer Due Diligence”, as well as independent research conducted by the organization at the initiation of the customer relationship. This information can be used to guide future OFAC risk due diligence efforts. Additionally, this compliance due diligence should be integrated into merger, acquisition, and integration processes. The important elements to consider when determining the sanctions risk rating can be found in OFAC’s risk matrix in Appendix A to 31 CFR Part 501, the Economic Sanctions Enforcement Guidelines. The matrix is set out below.

OFAC Risk Matrix

Each group below is one row of the matrix, giving the Low, Moderate, and High risk descriptions for the same factor.

Low: Stable, well-known customer base in a localized environment
Moderate: Customer base changing due to branching, merger, or acquisition in the domestic market
High: A large, fluctuating client base in an international environment

Low: Few high-risk customers; these may include nonresident aliens, foreign customers (including accounts with U.S. powers of attorney), and foreign commercial customers
Moderate: A moderate number of high-risk customers
High: A large number of high-risk customers

Low: No overseas branches and no correspondent accounts with foreign banks
Moderate: Overseas branches or correspondent accounts with foreign banks
High: Overseas branches or multiple correspondent accounts with foreign banks

Low: No electronic services (e.g., e-banking) offered, or products available are purely informational or non-transactional
Moderate: The institution offers limited electronic (e.g., e-banking) products and services
High: The institution offers a wide array of electronic (e.g., e-banking) products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet)

Low: Limited number of funds transfers for customers and non-customers, limited third-party transactions, and no international funds transfers
Moderate: A moderate number of funds transfers, mostly for customers; possibly, a few international funds transfers from personal or business accounts
High: A high number of customer and non-customer funds transfers, including international funds transfers

Low: No other types of international transactions, such as trade finance, cross-border ACH, and management of sovereign debt
Moderate: Limited other types of international transactions
High: A high number of other types of international transactions

Low: No history of OFAC actions; no evidence of apparent violation or circumstances that might lead to a violation
Moderate: A small number of recent actions (i.e., actions within the last five years) by OFAC, including notice letters, or civil money penalties, with evidence that the institution addressed the issues and is not at risk of similar violations in the future
High: Multiple recent actions by OFAC, where the institution has not addressed the issues, thus leading to an increased risk of the institution undertaking similar violations in the future

Low: Management has fully assessed the institution’s level of risk based on its customer base and product lines. This understanding of risk and strong commitment to OFAC compliance is satisfactorily communicated throughout the organization
Moderate: Management exhibits a reasonable understanding of the key aspects of OFAC compliance and its commitment is generally clear and satisfactorily communicated throughout the organization, but it may lack a program appropriately tailored to risk
High: Management does not understand, or has chosen to ignore, key aspects of OFAC compliance risk. The importance of compliance is not emphasized or communicated throughout the organization

Low: The board of directors, or board committee, has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate, and consistent with the institution’s OFAC risk profile
Moderate: The board has approved an OFAC compliance program that includes most of the appropriate policies, procedures, controls, and information systems necessary to ensure compliance, but some weaknesses are noted
High: The board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient

Low: Staffing levels appear adequate to properly execute the OFAC compliance program
Moderate: Staffing levels appear generally adequate, but some deficiencies are noted
High: Management has failed to provide appropriate staffing levels to handle workload

Low: Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer
Moderate: Authority and accountability are defined, but some refinements are needed. A qualified OFAC officer has been designated
High: Authority and accountability for compliance have not been clearly established. No OFAC compliance officer, or an unqualified one, has been appointed. The role of the OFAC compliance officer is unclear

Low: Training is appropriate and effective based on the institution’s risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance
Moderate: Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program
High: Training is sporadic and does not cover important regulatory and risk areas or is nonexistent

Low: The institution employs strong quality control methods
Moderate: The institution employs limited quality control methods
High: The institution does not employ quality control methods


II. Risk Assessment

Companies should develop methods to identify, analyze, and address risks. This risk assessment should be updated regularly through testing or auditing.


3) Internal Controls

Companies should include internal controls related to activity that may be prohibited by OFAC regulations. This includes policies and procedures to “identify, interdict, escalate, report, and record” such activity. The role of internal controls is to “outline clear expectations, define procedures and processes pertaining to OFAC compliance,” and minimize risks. Internal and/or external audits and assessments should be conducted regularly to ensure that the internal controls are working properly.

A successful SCP should be capable of adjusting rapidly to changes published by OFAC, including updates to sanctions lists, the SDN List, and the SSI List; new sanctions programs initiated for any reason; and the issuance of general licenses.[4] The OFAC Framework lists seven general aspects of effective internal controls:

I. Written Policies and Procedures

Written policies and procedures that outline the SCP should be created and implemented. They should be relevant, capture day-to-day operations and procedures, be easy to follow, and be designed to prevent misconduct.

II. Adequate Internal Controls

Internal controls should be implemented that adequately address the results of the company’s OFAC risk assessment and profile. The internal controls should effectively “identify, interdict, escalate, and report” OFAC-prohibited activity to appropriate personnel. IT solutions should be selected in a manner that is appropriate to the company’s risk profile and compliance needs. As with all aspects of a compliance program, internal controls should be regularly tested to ensure effectiveness.

III. Audits

The policies and procedures implemented as part of a company’s OFAC compliance internal controls should be enforced through internal and/or external audits.

IV. Recordkeeping

OFAC-related recordkeeping policies and procedures should adequately account for the company’s requirements under OFAC regulations.

V. Response

Companies should take “immediate and effective” action to identify and implement compensating controls upon learning of a weakness in their internal controls.

VI. Communication

The SCP’s policies and procedures should be clearly communicated to all relevant staff, as well as to business units operating in high-risk areas and to external parties performing SCP responsibilities on behalf of the company. High-risk areas include, among others, customer acquisition, payments, and sales.

VII. Integration

Personnel should be appointed to integrate the SCP’s policies and procedures into the daily operations of the company. This process should include consultations with relevant business units and should confirm that employees understand the policies and procedures.

4) Testing and Auditing

A comprehensive, independent, and objective testing or audit function for an SCP is vital for ensuring that companies understand whether their compliance program is working as intended. Testing or auditing allows companies to determine when they should update, enhance, or recalibrate their SCP in response to changing risk assessments or sanctions. The OFAC Framework lists three general aspects of an effective testing and auditing program:

I. Independent and Accountable

Testing and auditing should be accountable to senior management, should be independent of the audited activities, and should be done by personnel with sufficient authority, skills, expertise, and resources.

II. Sophistication

Testing and auditing procedures should be appropriate for the sophistication of the company’s SCP and reflect a “comprehensive and objective” evaluation of the organization’s OFAC-related risk assessment and internal controls.

III. Response

Upon learning of a confirmed negative testing result or audit related to its SCP, a company should take “immediate and effective action” to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.

5) Training

The final aspect of a successful SCP is an effective training program. A training program should be provided to all appropriate employees and personnel on a periodic basis and should be tailored to the company’s risk profile. A training program should aim to provide job-specific knowledge as needed; communicate sanctions compliance responsibilities; and hold employees accountable for sanctions compliance training through assessments. The OFAC Framework lists five general aspects of an effective training program:

I. Training for Employees and Stakeholders

OFAC-related training programs should provide adequate information and instruction to employees and, as appropriate, stakeholders. Stakeholders include, among others, clients, suppliers, business partners, and counterparties. Specific, tailored training should be provided to high-risk employees.

II. Appropriate Scope

OFAC-related training should be appropriate in scope for the products and services a company offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.

III. Training Frequency

Training frequency should be appropriate based on the company’s OFAC risk assessment and risk profile. At a minimum, training should occur annually.


IV. Corrective Actions

Upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its SCP, a company should take immediate and effective action to provide training to, or take other corrective action with respect to, relevant personnel.

V. Accessible Resources

A training program should include easily accessible resources and materials that are available to all applicable personnel.



Common Causes of OFAC Violations

The OFAC Framework contains a non-exhaustive list of ten common “root causes” of compliance program breakdowns or deficits.

I. Lack of a Formal OFAC SCP

One of the most common problems is simply the lack of a formal SCP. Not only does this result in sanctions violations occurring, but OFAC also treats it as an aggravating factor in administrative actions.

II. Misinterpreting, or Failing to Understand the Applicability of, OFAC’s Regulations

Misinterpretation of OFAC’s regulations is another common problem. This often occurs when the subject person determines that the transaction, dealing, or activity at issue is either not prohibited or that the regulations do not apply to their organization or operations. This too can be treated as an aggravating factor when there is “reckless conduct, the presence of numerous warning signs that the activity at issue was likely prohibited, awareness by the organization’s management of the conduct at issue, and the size and sophistication of the subject person.”

III. Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates)

Companies are sometimes caught engaging in transactions or activities that violate OFAC’s regulations by referring business opportunities to, approving or signing off on transactions conducted by, or otherwise facilitating dealings between, their organization’s non-U.S. locations and OFAC-sanctioned persons, parties, or countries/regions.

IV. Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries

A common problem for non-U.S. persons is the purchase of U.S.-origin goods with the specific intent of re-exporting, transferring, or selling the items to persons, parties, or countries/regions subject to OFAC sanctions. This has occurred even when there were warning signs that the activity was prohibited, such as clauses in contracts prohibiting re-export.

V. Utilizing the U.S. Financial System, or Processing Payments to or through U.S. Financial Institutions, for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries

Many non-U.S. persons have also violated OFAC’s regulations by processing financial transactions to or through U.S. financial institutions that pertain to commercial activity involving OFAC-sanctioned persons, parties, or countries/regions.

VI. Sanctions Screening Software or Filter Faults

Companies have failed at times to update their sanctions screening software to incorporate updates to the SDN List or SSI List, failed to include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions, or did not account for alternative spellings of prohibited countries or parties.

VII. Improper Due Diligence on Customers/Clients (e.g., Ownership, Business Dealings, etc.)

Various administrative actions taken by OFAC have involved improper or incomplete due diligence by a company or corporation on its customers, such as their ownership, geographic location(s), counterparties, and transactions, as well as their knowledge and awareness of OFAC sanctions.

VIII. De-Centralized Compliance Functions and Inconsistent Application of an SCP

De-centralized SCPs with personnel and decision makers scattered across various offices and business units can be problematic. Violations have resulted from this arrangement due to an improper interpretation and application of OFAC’s regulations, the lack of a formal escalation process to review high-risk customers or transactions, an inefficient or incapable oversight and audit function, or miscommunications regarding the organization’s sanctions-related policies and procedures.

IX. Utilizing Non-Standard Payment or Commercial Practices

In many instances, organizations attempting to evade or circumvent OFAC sanctions or conceal their activity will implement “non-traditional business methods” in order to complete their transactions. Companies should operate in a manner that is consistent with industry norms and practices.

X. Individual Liability

In some cases, employees, particularly those in supervisory, managerial, or executive-level positions, have attempted to “obfuscate and conceal” their activities from other compliance personnel, as well as from regulators or law enforcement. In such circumstances, OFAC will consider bringing enforcement actions against both the violating company and the individuals.


Advice for Chinese Companies

The OFAC Framework provides clear guidance on reviewing and improving SCPs for Chinese companies that do business with U.S. persons, use the U.S. financial system, or export or re-export U.S.-origin goods or services. In light of the heightened scrutiny of Chinese companies by U.S. authorities, we strongly advise that companies evaluate whether their SCPs are appropriate for their business area and their associated risk exposure. If U.S. authorities had a choice between investigating a Chinese company and a non-Chinese company, it is likely the authorities would choose to investigate the Chinese company.

Based on our professional experience in dealing with U.S. sanction-related investigations and publicly available enforcement actions, Chinese companies that are operating in good faith often find themselves tangled up with OFAC for three reasons:

 

First, many Chinese companies are simply unaware that they are partaking in activities that place them under U.S. jurisdiction. This is often the case with Chinese companies utilizing the U.S. financial system for transactions that otherwise do not involve U.S.-related companies or goods. For example, Chinese companies looking to do business in Iran now that the country is no longer under United Nations sanctions should be careful to ensure that their transactions do not go through the U.S. financial system.

 

Second, large Chinese companies with sprawling operations in China and abroad need to ensure that their compliance systems are robust in all their operating locations. Too often we see companies with strong, centralized compliance systems in their Beijing or Shanghai headquarters finding themselves under investigation for violations that occurred in a remote or foreign office. Chinese companies should be vigilant in ensuring that their SCP covers all of their operations, with special attention to at-risk locations.

 

Third, Chinese companies have struggled at times to keep up with the constantly updated sanctions list. In 2018, 700 entities all over the world were added to OFAC’s SDN list, the most added in a single year. With over 1500 entities now on the list, it is critical that Chinese companies invest in the proper IT tools to ensure they accurately and efficiently screen out sanctioned entities.

 

The OFAC Framework comes at a vital time for Chinese companies. It is no secret that the current U.S. administration is targeting Chinese companies for political reasons. Several high-profile Chinese companies have found themselves as pawns in the ongoing China-U.S. trade war due to sanction violations. The case of the three financial institutions caught up in a complex legal battle over subpoenas relating to sanction violations by their former customer shows that even companies operating in good faith can run into problems if they are not diligent. While SCPs are not legally required under OFAC regulations, we cannot recommend enough that Chinese companies, especially state-owned enterprises, that find themselves under U.S. jurisdiction engage quality compliance professionals to swiftly implement or update their SCP so that it meets best-in-industry standards.

 

Notes

[1] https://www.treasury.gov/resource-center/sanctions/.../framework_ofac_cc.pdf

[2] https://home.treasury.gov/news/press-releases/sm680

[3] Insert

[4] A license is an authorization from OFAC to engage in a transaction that would be prohibited. A general license authorizes a particular type of transaction for a class of persons without the need to apply for a license.

End

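About the Authors

刘相文, Attorney

Beijing Office, Partner

Practice areas: Compliance/Government Regulation, Litigation and Arbitration, Mergers and Acquisitions

Graham·Adria

Beijing Office, Dispute Resolution Department

王涛

Beijing Office, Dispute Resolution Department

王妙婷

Beijing Office, Dispute Resolution Department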
