中商商业工程技术研究院

《美国海外资产控制办公室(OFAC)合规承诺框架》

发表时间:2019-05-05 14:08

                         A Framework for OFAC Compliance Commitments

                   《美国海外资产控制办公室(OFAC)合规承诺框架》

The U.S. Departmentof the Treasury's Office of Foreign Assets Control (OFAC) administers andenforces U.S. economic and trade sanctions programs against targeted foreigngovernments individuals, groups, and entities in accordance with nationalsecurity and foreign policy goals and objectives.

  美国财政部下属的海外资产控制办公室(OFAC)根据国家安全和外交政策负责管理和执行针对外国政府个人、团体和实体的美国经济和贸易制裁方案。

OFAC stronglyencourages organizations subject to U.S. jurisdiction, as well as foreignentities that conduct business in or with the United States. U.S. persons, orusing U.S.-origin goods or services, to employ a risk-based approach tosanctions complianceby developing, implementing, and routinely updating asanctions compliance program (SCP). While eachrisk-based SCP will varydepending on a variety of factors-including thecompany's size and sophistication,products and services, customers and counterparties, and geographiclocations-each program should be predicated on and incorporate at least fiveessential components of compliance:

(1) managementcommitment:

(2) risk assessment:

(3) internalcontrols:

(4) testing andauditing; and

(5) training.

OFAC大力鼓励受美国司法管辖的企业以及在美国或与美国人开展业务的外国实体或使用美国原产产品或服务的外国实体,设立、实施并定期更新其制裁合规方案(SCP),采用一个基于风险的方法达到制裁合规。虽然每个基于风险的SCP会根据各种因素(包括公司规模和复杂程度、产品和服务、客户和交易对手以及地理位置)的不同而有所差异,但每个方案都应包含至少以下五个必要合规要素:

1)管理层承诺;

2)风险评估;

3)内部控制;

4)测试及审计;

5)培训。

If after conductingan investigation and determining that a civil monetary penalty("CMP") is the appropriate administrative action in response to anapparent violation, the Office of Compliance and Enforcement (OCE) willdetermine which of the following or other elements should be incorporatedintothe subject person's SCP as part of any accompanying settlement agreement, asappropriate. As in all enforcement cases, OFAC will evaluate a subject person'sSCP in a manner consistent with the Economic Sanctions Enforcement Guidelines(the "Guidelines")

如果经调查后认定针对一个明显违规行为应该采取的适当行政行为是民事金钱处罚,合规及执法办公室(OCE)可以酌情确定将以下哪些要素或其他要素作为随附和解协议的一部分纳入到被处罚人的SCP。与所有执法案件一样,OFAC将根据《经济制裁执行指南》(指南)对被处罚人的SCP进行评估。

When applying theGuidelines to a given factual situation, OFAC will consider favorably subjectpersons that had effective SCPs at the time of an apparent violation. Forexample, under General Factor E (compliance program), OFAC may consider theexistence, nature, and adequacy of an SCP. and when appropriate, may mitigate aCMP on that basis.在将OFAC在将指南适用于特定事实情况时,会把被处罚人在明显违规行为发生时所拥有的有效SCP作为一个有力因素进行考虑。例如,在通用因素E(合规方案)下,OFAC可以对SCP的存在、性质及充分性进行考虑。适当时,可以基于这个因素减轻民事经济处罚。

Subject personsthat haveimplemented effective SCPs that are predicated on the five essentialcomponents of compliance may also benefit from further mitigation of a CMPpursuant to General Factor F (remedial response) when the SCP results inremedial steps being taken.

对于实施了基于五个基本合规要素的有效SCP的被处罚人,在根据SCP采取补救措施时,也可以利用通用因素F(补救措施)来进一步减少其民事经济处罚。

Finally, OFAC may,in appropriate cases, consider the existence of an effective SCP at the time ofan apparent violation as a factor in its analysis as to whether a case isdeemed "egregious."

最后,在适当情况下,OFAC可以在发生明显违规行为时考虑将是否存在一个有效的SCP作为分析案件是否恶劣的一个因素。

This document isintended to provide organizations with a framework for the five essentialcomponents of a risk-based SCP, and contains an appendix outlining several ofthe root causes that have led to apparent violations of thesanctions programsthat OFAC administers. OFAC recommends all organizations subject to U.S.jurisdiction review the settlements published by OFAC to reassess and enhancetheir respective SCPs, when and as appropriate.

本文件旨在为企业提供一个基于风险的SCP中五个基本组成部分的框架。本文件还包含了一个附录,概述了导致明显违反OFAC制裁方案的一些根本原因。OFAC建议所有受美国司法管辖的企业对其公布的和解案例进行审查,以便在适当的时候重新评估并改善各自的SCP

MANAGEMENTCOMMITMENT

管理层承诺

Senior Management'scommitment to, and support of, an organization's risk-based SCP is one of themost important factors in determining its success. This support is essential inensuring the SCP receives adequate resources and is fully integrated into theorganization's daily operations, and also helps legitimize the program, empowerits personnel, and foster a culture of compliance throughout the organization.

高级管理层对企业基于风险的SCP的承诺及支持是决定该SCP成功与否的最重要因素之一。这种支持对于确保SCP获得足够的资源并完全融入企业的日常运营中是至关重要的,同时也有助于使合规方案合法化,赋予SCP人员权力,并培养整个企业内的合规文化。

GeneralAspects of an SCP: Senior Management Commitment

SCP通用因素:高级管理层承诺

Senior managementcommitment to supporting an organization's SCP is a critical factor indetermining the success of the SCP. Effective management support includes theprovision of adequate resources to the compliance unit(s) and support forcompliance personnel's authority within an organization. The term "seniormanagement"may differ among various organizations, but typically the termshould include senior leadership, executives, and/or the board of directors.

高级管理层对企业SCP的承诺支持是确定SCP成功的一个重要因素。有效的管理层支持包括为合规部门提供足够资源,并支持合规人员在企业内的权限。高级管理层一词在不同企业中的指代可能有所不同,但通常该术语应包括高级领导层、高级管理人员和/或董事会。

1.Senior management has reviewed and approved the organization's SCP.

1. 高级管理层审查并批准了该企业的SCP

2.Senior management ensures that its complianceunit(s) is/are delegatedsufficient authority and autonomy to deploy its policies and procedures in amanner that effectively controls the organization's OFAC risk. As part of thiseffort, senior management ensures the existence of direct reporting linesbetween the Scp function and senior management, including routine and periodicmeetings between these two elements of the organization.

2.高级管理层确保其合规部门获得了足够的权力和自主权,在部署政策和程序时,可以有效控制企业的OFAC风险。作为这项工作的一部分,高级管理层应确保在SCP职能部门与高级管理层之间存在一个直接报告线,包括这两个部门之间的例行会议与定期会议。

3.Senior management has taken, and will continue to take, steps to ensure thatthe organization's compliance unit(s) receive adequate resources-including inthe form of human capital, expertise, information technology, and otherresources, as appropriate-that are relative to the organization's breadth ofoperations, target and secondary markets, and other factors affecting itsoverall risk profile.

3.高级管理层已采取并将继续采取措施,确保企业的合规部门获得足够资源-包括与企业的运营范围、目标和二级市场相匹配的人力资本、专业知识、信息技术和其他资源,以及影响其整体风险状况的其他因素。

These efforts couldgenerally be measured by the following criteria:

这些努力通常可以通过以下标准来进行衡量:

A. The organization has appointed a dedicated OFACsanctions compliance officer1;

A. 该企业已任命了专门的OFAC制裁合规官;

1 This may be the same person servingin other senior compliance positions, e.g., the Bank Secrecy Act Officer or anExport Control Officer, as many institutions, depending on size and complexity,designate a single person to oversee all areas of financial crimes or exportcontrol compliance.

可以是承担其他高级合规职位的同一人员,例如银行保密法官员或出口管制官员,因为许多机构按照规模和复杂程度,指定一个人来监督所有金融犯罪或出口管制领域合规性。

B. The quality andexperience of the personnel dedicated to the SCP, including: (1) the technicalknowledge and expertise of these personnel with respect to OFAC's regulations,processes, and actions: (ii) the ability of these personnel to understand complexfinancial and commercial activities, apply their knowledge of OFAC to theseitems, and identify OFAC-related issues, risks, and prohibited activities: and(ii) the efforts to ensure that personnel dedicated to the SCP havesufficientexperience and an appropriate position

B.专门负责SCP的人员应具备以下品质与经验,包括:(1)这些人员在OFAC法规、程序和行动方面的技术知识和专业知识;(2)这些人员有理解复杂金融及商业活动的能力、将OFAC相关知识应用于这些项目的能力以及确定OFAC相关问题、风险及被禁止活动的能力;以及(3)作出确保SCP人员在企业内有足够经验和适当职位且作为企业成功的组成部分的努力;以及

C. Sufficientcontrol functions exist that support the organization's SCP-including but notlimited to information technology software and systems-that adequately addressthe organization's OFAC-risk assessment and levels

C.存在足够可以支持企业SCP、充分解决企业OFAC风险评估及水平的控制功能-包括但不限于信息技术软件和系统。

4. Seniormanagement promotes a "culture of compliance" throughout theorganization.

4. 高级管理层在整个企业内推广合规文化

These efforts couldgenerally be measured by the following criteria:

这些努力通常可以通过以下标准来衡量:

A. The ability of personnel to report sanctionsrelated misconduct by the organization or its personnel to senior managementwithout fear of reprisal.

A. 员工有能力向高级管理层汇报由企业或员工实施的制裁相关不当行为,而不必担心遭到报复。

B. Senior managementmessages and takes actions that discourage misconduct and prohibitedactivities, and highlight the potential repercussions of non-compliance withOFAC sanctions; and

B.高级管理层传递遏制不当行为及被禁止活动的信息并采取行动,强调不遵守OFAC制裁的潜在影响;

C. The ability ofthe SCP to have oversight over the actions of the entire organization,including but not limited to senior management, for the purposes of compliancewith OFAC sanctions.

C. SCP拥有为实现OFAC制裁合规性目的而监督整个企业(包括但不限于高级管理层)行动的能力。

5. Senior management demonstrates recognition of the seriousness ofapparent violations of the laws and regulations administered by OFAC,

or malfunctions deficiencies, or failures by the organization and itspersonnel to comply with the SCP's policies and procedures, and implementsnecessary measures to reduce the occurrence of apparent violations in thefuture. Such measures should address theroot causes of past apparent violationsand represent systemic solutions whenever possible.

5.高级管理层表明已经认识到了明显违反OFAC法规的行为或工作疏忽缺陷或企业及员工未能遵守SCP政策和程序的行为,会采取必要措施减少将来明显违规行为的发生。这些措施应解决过去明显违法行为的根本原因,并尽可能作为能够代表系统性的解决方案。

RISK ASSESSMENT

风险评估

Risks in sanctionscompliance are potential thre

Risks in sanctionscompliance are potential threats or vulnerabilities that, ignored or notproperly handled, can lead to violations of OFAC's regulations and negativelyaffect an organization's reputation and business. OFAC recommends thatorganizations take a risk-based approach when designing or updating an SCP. Oneof the central tenets of this approach is for organizations to conductaroutine, and if appropriate ongoing ""risk assessment"forthepurposes of identifying potential OFAC issues theyare likely to encounter.As described in detail below. the results of a risk assessment are integral ininforming the SCP's policies, procedures, internal controls, and training inorder to mitigate such risks

制裁合规风险是指被忽视的或处理不当的潜在威胁或漏洞,可能会导致违反OFAC规定,并对企业的声誉和业务造成负面影响。OFAC建议企业在设计或更新SCP时采取基于风险的方法。这种方法的核心原则之一是企业进行惯常的、(如果合适的话)持续的风险评估,用于识别可能遇到的潜在OFAC问题。如下文详述,风险评估结果是了解减轻风险的SCP政策、程序、内部控制和培训的必要条件。

While there is no"one-size-fits all"risk assessment, the exercise should generallyconsist of aholistic review of the organization from top-to-bottom and assessits touchpoints to the outside world. This process allows the organization toidentify potential areas in which it may, directly or indirectly, engage withOFAC-prohibited persons, parties, countries, or regions. For example anorganization's SCP may conduct an assessment of the following:

虽然没有一个一刀切的风险评估方法,但一般应包括从上到下对企业进行全面审查,以及对其与外界接触点进行评估。该程序允许企业识别可能直接或间接与被OFAC禁止的人员、当事人、国家或地区进行互动的潜在区域。例如,企业的SCP可以对以下内容进行评估:

(i) customers,supply chain intermediaries, and counter-parties; (ii) the products andservices it offers, including how and where such items fit into other financialor commercial products, services, networks, or systems; and (iii) he geographiclocations of the organization, as well as its customers, supply chain, intermediaries,and counter-parties. Risk assessments and sanctions-related due diligence isalso important during mergers and acquisitions, particularly in scenariosinvolving non-U.S companies or corporations.

i)客户、供应链、中间人及相对方;(ii)提供的产品和服务,包括此类项目如何以及在何处适用于其他金融或商业产品、服务、网络或系统;(iii)企业及其客户、供应链、中间人及相对方的地理位置。在兼并和收购过程中,特别是在涉及非美国公司的情况下,风险评估及制裁相关尽职调查也是非常重要的。

General Aspectsof an SCP: Conducting a Sanctions Risk Assessment

SCP通用要素:开展制裁风险评估

A fundamentalelement of asound SCP is the assessment of specific clients, products, servicesand geographic locations in order to determine potential OFAC sanctions risk.The purpose of a risk assessment is to identify inherent risks in order toinform risk-based decisions and controls.

一个健全的SCP的基本要素是对特定客户、产品、服务及地理位置进行评估,以确定出潜在的OFAC制裁风险。风险评估的目的是识别出固有风险,以便为基于风险的决策和控制提供信息。

The Annex toAppendix A to 31 C.F.R. Part 501, OFAC's Economic Sanctions EnforcementGuidelines, provides an OFAC Risk Matrix that may be used by financialinstitutions or other entities to evaluate their compliance programs:

本文件附件是《联邦管理条例》第31编第501部分的附录A-OFAC经济制裁执行指南》,该指南提供了一个OFAC风险矩阵,可供金融机构或其他实体用于合规方案的评估:

I. Theorganization conducts or will conduct, an OFAC risk assessment in a manner andwith a frequency, that adequately accounts for the potential risks. Such riskscould be posed by its clients and customers, products, services, supply chainintermediaries, counter-parties, transactions, and geographic locations,depending, on the nature of the organization. As appropriate, theriskassessment will be updated to account for the root causes of any apparentviolations or systemic deficiencies identified by the organization during theroutine course of business.

1.企业按照充分考虑潜在风险的方式和频率进行或将进行OFAC风险评估。这些风险可能由客户、产品、服务、供应链、中间人、交易对手、交易和地理位置导致,具体取决于企业性质。在适当情况下,应更新风险评估,解释企业在日常业务过程中发现的任何明显违规行为或缺陷的根本原因。

A. In assessing itsOFAC risk, organizations should leverage existing information toinform theprocess. In turn, the risk assessment will generally inform the extent of thedue diligence efforts at various points in a relationship or in a transaction.This may include:

A.在评估OFAC风险时,企业应利用现有信息了解这个程序。反过来,风险评估通常也会说明在一种关系或一笔交易中的以下各个点进行尽职调查工作的程度:

1. On-boarding: Theorganization develops asanctions risk rating for customers, customer groups, oraccount relationships, as appropriate, by leveraging information provided bythe customer (for example, through a Know Your Customer or Customer DueDiligence process) and independent research conducted by the organization atthe initiation of the customer relationship.

1.新客户关系建立:企业开始与客户建立关系时,利用客户提供的信息(例如,通过了解您的客户或客户尽职调查流程)以及企业自己的独立研究,对客户、客户群或客户关系制定制裁风险评级。

This informationwill guide the timing and scope of future due diligence efforts. Importantelements to consider in determining the sanctions risk rating can be foundinOFAC's risk matrices

该信息将指导未来尽职调查工作的时间和范围。可以在OFAC提供的风险矩阵中找到确定制裁风险评级时所需要考虑的重要因素。

2. Mergers andAcquisitions (M&A): As noted above, proper risk assessmentsshould includeand encompass a variety of factors and data points for each organization. Oneof the multitude of areas organizations should include in their riskassessments-which, in recent years, appears to have presented, numerouschallenges with respect to OFAC sanctions-are mergers and acquisitions.Compliance functions should also be integrated into the merger, acquisition,and integration process. Whether inan advisory capacity or as a anticipant, theorganization engages in appropriate due diligence to ensure thatsanctions-related issues are identified, escalated to the relevantseniorlevels, addressed prior to the conclusion of any transaction, andincorporated into the organization's risk assessment process. After an M&Atransaction iscompleted, the organization's Audit and Testing function will becritical to identifying any additional sanctions-related issues.

2.并购:如上所述,适当的风险评估内容应涵盖每个企业的各种因素和数据点。企业在其风险评估中应纳入的许多领域中的一个是-兼并和收购,这也是近年来似乎已经显现出OFAC制裁众多挑战的领域。合规职能也应纳入合并、收购和整合的过程。无论是作为顾问还是参与者,企业都应该进行适当的尽职调查,确保识别出制裁相关问题,上报到相关高级级别,在任何交易结束之前对这些问题进行解决并纳入企业的风险评估流程。在并购交易完成后,企业的审计和测试职能对于确定任何与制裁相关的其他问题是至关重要的。

II. Theorganization hasdeveloped a methodology to identify, analyze, and addresstheparticular risks it identifies. As appropriate, the risk assessment will beupdated to account for the conduct and root causes of any apparent violationsor systemic deficiencies identified by the organization during the routinecourse of business, for example, through a testing or audit function.

企业已开发出发现、分析和解决所识别出的特定风险的方法。在适当情况下,例如,通过测试或审计功能对风险评估进行更新,说明企业在日常业务过程中发现的任何明显违规行为或系统缺陷及其产生的根本原因。

INTERNAL CONTROLS

内部控制

An effective SCPshould include internal controls, including policies and procedures, in orderto identify, interdict, escalate, report (as appropriate), and keep recordspertaining to activity that may be prohibited by the regulations and lawsadministered by OFAC. The purpose of internal controls is to outline clearexpectations, define procedures and processes pertaining to OFAC compliance(including reporting and escalation chains), and minimize the risks identifiedby the organization's risk assessments. Policies and procedures should beenforced, weaknesses should be identified (including through root causeanalysis of any compliance breaches) and remediatedand internal and/or externalaudits and assessments of the program should be conducted on a periodic basis.

一个有效的SCP应涵盖内部控制内容,包括识别、拦截、上报、报告(视情况而定)及保存与OFAC法规、法律可能被禁止活动有关记录的政策和程序。内部控制的目的是概述明确期望、对OFAC合规相关的程序和流程(包括报告和上报链)进行定义,并最大限度地降低企业风险评估所识别出的风险。应有效执行政策和程序,(包括通过对任何违规行为根本原因进行分析)对弱点进行识别和补救,定期对方案进行内部和/或外部审计和评估。

Given the dynamicnature of U.S. economic and trade sanctions,a successful and effectiveSCPshould be capable of adjusting rapidly to changes published by OFAC. Theseinclude the following: (i) updates to OFAC's List of Specially DesignatedNationals and Blocked Persons(the "SDN List"), the Sectoral SanctionsIdentification List ("SSI List"), and other sanctions-related lists:(ii new. amended, or updated sanctions programs or prohibitions imposed ontargeted foreign countries, governments, regions, or persons, through theenactment of new legislation, the issuance of new Executive orders,regulations, or published OFAC guidance or other OFAC actions: and (iii) theissuance of general licenses.

鉴于美国经济和贸易制裁政策不断变化,一个成功有效的SCP应能够迅速适应OFAC政策的发展,OFAC政策包括:(i)对OFAC特别指定国民和被封锁人员名单(“SDN清单)、部门制裁识别清单(“SSI清单)和其他制裁相关清单的更新;(ii)通过颁布新立法、新行政指令、法规或公布OFAC指南或其他OFAC行动对目标外国、政府、地区或个人实施新的、经修订的或更新的制裁方案或禁令;以及(iii)颁发一般许可证。

GeneralAspects of an SCP: Internal Controls

SCP通用:内部控制

Effective OFACcompliance programs generally include internal controls, including policies andprocedures, in order to identify, interdict, escalate, report (as appropriate),and keep records pertaining to activity that is prohibited by the sanctionsprograms administered by OFAC. The purpose of internal controls is to outlineclear expectations, define procedures and processes pertaining to OFACcompliance, and minimize the risks identified by an entity's OFACriskassessments. Policies and procedures should be enforced, and weaknessesshould be identified(including through root cause analysis of any compliancebreaches) and remediated in order to prevent activity that might violate thesanctions programs administered by OFAC.

有效的OFAC合规方案通常涵盖内部控制,包括识别、拦截、上报、报告(视情况而定)及保存OFAC制裁方案下被禁止活动有关记录的政策和程序。内部控制的目的是概述一个明确的期望,对OFAC合规相关的程序和流程进行定义,并最大限度地降低实体经过OFAC风险评估所识别出的风险。大力执行政策和程序,并(包括通过对任何合规违规行为的根本原因进行分析)识别缺陷并进行补救,防止可能违反OFAC制裁方案的活动发生。

ITheorganization has designed and implemented written policies and proceduresoutlining the SCP. These policies and procedures are relevant to theorganization.

capturethe organization's day-to-day operations and procedures, are easy to follow.

anddesigned to prevent employees from engaging in misconduct.

1.该企业设计并实施了概述SCP的书面政策和程序。这些政策和程序应与企业相适应,融入企业的日常操作和程序中,易遵循,并可以防止员工从事不当行为。

别出的风险。大力执行政策和程序,并(包括通过对任何合规违规行为的根本原因进行分析)识别缺陷并进行补救,防止可能违反OFAC制裁方案的活动发生。

ITheorganization has designed and implemented written policies and proceduresoutlining the SCP. These policies and procedures are relevant to theorganization.

capturethe organization's day-to-day operations and procedures, are easy to follow.

anddesigned to prevent employees from engaging in misconduct.

1.该企业设计并实施了概述SCP的书面政策和程序。这些政策和程序应与企业相适应,融入企业的日常操作和程序中,易遵循,并可以防止员工从事不当行为。

II Theorganization has implemented internal controls that adequately address theresults of its OFAC risk assessment and profile. These internal controls shouldenable the organization to clearly and effectively identify. interdict,escalate. and report to appropriate personnel within the organizationtransactions and activity that may be prohibited by OFAC. To the extentinformation technology solutions factor into the organization's internalcontrols, the organization has selected and calibrated the solutions in amanner that is appropriate to address the organization's risk profile andcompliance needs, and the organization routinely tests the solutions to ensureeffectiveness.

企业实施了充分解决OFAC风险评估结果及概况的内部控制。这些内部控制应使企业清楚有效地识别、拦截、上报,并向企业内相关人员报告可能被OFAC禁止的交易和活动。在某种程度上,信息技术解决方案会影响到企业的内部控制,企业应选择适合解决其风险状况和合规性需求的方式、对解决方案进行校准,定期测试解决方案以确保方案的有效性。

III Theorganization enforces the policies and procedures it implements as part of itsOFAC compliance internal controls through internal and/or external audits.

企业通过内部和/或外部审计执行其所实施的政策和程序,作为OFAC合规内部控制的一部分。

V.Theorganization ensures that its OFAC-related recordkeeping policies andprocedures adequately account for its requirements pursuant to thesanctionsprograms administered by OFAC.

企业确保其OFAC相关记录保存政策和程序充分考虑了其在OFAC制裁方案下的要求。

VI. Theorganization has clearly communicated the SCP's policies and procedures to allrelevant staff, including personnel within the SCP program, as well as relevantgatekeepers and business units operating in high-risk areas (e-g., customeracquisition, payments, sales, ete.) and to external parties performing SCPresponsibilities on behalf of the organization.

企业已明确将SCP政策和程序传达给所有相关人员,包括SCP方案内人员、高风险领域运营的相关把关者和业务部门(例如,客户获取、支付、销售等部门)以及代表企业履行SCP职责的外部各方。

VII. Theorganization has appointed personnel for integrating the SCP's policies andprocedures into the daily operations of the company or corporation. Thisprocess includes consultations with relevant business units, and confirms theorganization's employees understand the policies and procedures.

企业指定了将SCP政策和程序融入到公司日常运营中是人员。融入程序包括与相关业务部门进行协商,确保企业员工了解SCP政策和程序。

TESTING ANDAUDITING

测试及审计

Audits assess theeffectiveness of current processes and check for inconsistencies between theseand day-to-day operations. A comprehensive and objective testing or auditfunction within an SCP ensures that an organization identifies programweaknesses and deficiencies, and it is the organization's responsibility toenhance its program, including all program-related software, systems, and othertechnology, to remediate any identified compliance gaps. Such enhancementsmight include updating, improving, or recalibrating SCP elements to account fora changing risk assessment or sanctionsenvironment. Testing and auditing can beconducted on a specific element of an SCP or at the enterprise-wide level.

审计可以对当前程序的有效性进行评估,并检查这些程序与日常运营之间的不一致性。对SCP全面、客观的测试或审计功能可以确保企业识别出物品的缺陷。企业有责任加强其合规方案,包括所有与方案相关的软件、系统和其他技术,修复任何已识别出的合规差距。此类加强功能可能包括更新、改进或重新校准SCP元素,以应对不断变化的风险评估或制裁环境。可以对SCP的特定元素或在整个公司范围内进行测试和审计。

General Aspectsof an SCP: Testing and Auditing.

SCP通用要素:测试和审计。

comprehensive,independent, and objective testing or audit function within an SCP ensures atentities are aware of where and how their programs are performing and should beupdated, enhanced, or recalibrated to account for a changing risk assessment orsanctions environment, as appropriate. Testing or audit, whether conducted on aspecific element of a compliance program or at the enterprise-wide level, areimportant tools to ensure the program is working as designed and identifyweaknesses and deficiencies within a compliance program.

SCP内的全面、独立及客观的测试或审计功能可确保实体了解其合规方案的执行地点和方式,以酌情对测试或审计功能进行更新、增强或重新校准,应对不断变化的风险评估或制裁环境。无论是针对合规方案的特定要素进行测试或审计,还是在企业范围内进行测试或审计,都是确保方案能够按设计目的进行运作,是识别合规方案中弱点和缺陷的重要工具。

1. Theorganization commits to ensuring that the testing or audit function isaccountable to senior management, is independent of the audited activities andfunctions, and has sufficient authority, skills, expertise, resources, andauthority within the organization.

企业承诺确保测试或审计职能对高级管理层负责,独立于被审计的活动和职能,并在企业内拥有足够的权力、技能、专业知识、资源和权限。

II. Theorganization commits to ensuring that it employs testing or audit proceduresappropriate to the level and sophistication of its SCP and that this function,whether deployed internally or by an external party, reflects a comprehensiveand objective assessment of the organization's OFAC-related risk assessment andinternal controls.

企业承诺确保采用适合其SCP级别和复杂程度的测试或审计程序,且无论是由内部还是由外部部门开展测试或审计活动,都反映了对该企业OFAC相关风险评估及内部控制的全面客观评估。

III. Theorganization ensures that, upon learning of a confirmed negative testing resultor audit finding pertaining to its SCP, it will take immediate and effectiveaction, to the extent possible, to identify and implement compensating controlsuntil the root cause of the weakness can be determined and remediated.

企业确保在获悉了确认的负面测试结果或与其SCP有关的审核结果后,会尽可能立即采取有效措施,识别并实施补偿控制措施,直至确定出弱点的根本原因并进行补救。

TRAINING

培训

An effectivetraining program is an integral component of a successful SCP. The trainingprogram should be provided to all appropriate employees and personnel on aperiodic basis (and at a minimum, annually) andgenerally should accomplish thefollowing: (i) provide job-specific knowledge based on need; (ii) communicatethe sanctions compliance responsibilities for each employee; and (iii) holdemployees accountable for sanctions compliance training through assessments.

有效的培训方案是一个成功的SCP的组成部分。应向所有适当的员工和人员定期(至少每年一次)提供培训,并通常应包含以下工作:(i)根据需要提供工作专业知识;(ii)向每位员工传达制裁合规方面的责任;(iii)通过评估,使员工对制裁合规培训负责。

GeneralAspects of an SCP: Training

SCP通用要素:培训

An adequate trainingprogram, tailored to an entity's risk profile and all appropriate employees andstakeholders. is critical to the success of an SCP.

根据实体风险状况及所有适当员工和利益相关者提供量身定制的适当培训方案对SCP的成功是至关重要的。

1. Theorganization commits to ensuring that its OFAC-related training programprovides adequate information and instruction to employees and, as appropriate,stakeholders (for example, clients, suppliers, business partners, andcounterparties)in order to support the organization's OFAC compliance efforts.Such training should be further tailored to high-risk employees within the organization.

企业承诺确保,为支持企业的OFAC合规工作,其OFAC相关培训方案应向员工及适当的利益相关者(例如,客户、供应商、业务合作伙伴和交易对手)提供充分的信息和指导。此类培训应进一步针对企业内的高风险员工开展。

II. Theorganization commits to provide OFAC-related training with a scope that isappropriate for the products and services it offers; the customers, clients,and partner relationships it maintains; and the geographic regions in which itoperates.

企业承诺提供与其产品和服务、维护的客户、合作伙伴关系及其经营所在地理区域相当的OFAC相关培训。

III. Theorganization commits to providing OFAC-related training with a frequency thatis appropriate based on its OFAC risk assessment and risk profile.

企业承诺根据其OFAC风险评估和风险概况,提供适当的OFAC相关培训。

VI. Theorganization commits to ensuring that, upon learning of a confirmed negativetesting result or audit finding, or other deficiency pertaining to its SCP, itwill take immediate and effective action to provide training to or othercorrective action with respect to relevant personnel.

企业承诺在得知确认的负面测试结果或与其SCP有关的审核结果或其他缺陷后,将立即采取有效措施,为相关人员提供培训或采取其他纠正措施。

Root Causes ofOFAC Sanctions Compliance Program Breakdowns or Deficiencies Basedon Assessmentof Prior OFAC Administrative Actions

根据对OFAC先前行政行为的评估,确定出的OFAC制裁合规方案故障或缺陷产生的根本原因

Since itspublication of the Economic Sanctions Enforcement Guidelines31 C.F.R. part 501,App. A (the "Guidelines"), OFAC has finalized numerous publicenforcement actions in which itidentified deficiencies or weaknesses within thesubject person's SCP. These items, which are provided in a non-exhaustive listbelow, are provided to alert persons subject to U.S. jurisdiction, includingentities that conduct business in or with the United States, U.S. persons, orU.S.-origin goods or services, about several specific root causes associatedwith apparent violations of theregulations it administers in order to assistthem in designing, updating, and amending their respective SCP.

自公布《联邦管理条例》第31编第501部分附件A-《经济制裁执法指南》(指南)以来,在OFAC已完成的许多公共执法行动中确定出被处罚人的SCP存在缺陷或弱点,下面列出了一个非详尽的清单,用于提醒受美国管辖的人员,包括在美国、与美国或美国人开展业务、使用美国原产商品或服务,明显违反OFAC法规行为相关若干具体的根本原因,以协助企业设计、更新和修订他们各自的SCP

I. Lackof a Formal OFAC SCP

未设立正式的OFAC SCP

OFAC regulations donot require a formal SCP: however. OFAC encouragesorganizations subject to U.S.jurisdiction (including but not limited to those entities that conduct businessin, with, or through the United States or involving U.S.-origin goods,services. or technology)and particularly those that engage in internationaltrade or transactions or possess any clients or counter-parties located outsideof the United States, to adopt aformal SCP. OFAC has finalizednumerous civilmonetary penalties since publicizing the Guidelines in which the subjectperson's lack of an SCP was one of the root causes of the sanctions violationsidentified during the course of the investigation. In addition, OFAC frequentlyidentified this element as an aggravating factor in its analysis of the GeneralFactors associated with such administrative actions.

OFAC法规没有强制要求企业设立正式的SCP,但是OFAC鼓励受美国司法管辖的企业(包括但不限于在美国境内、通过美国或与美国开展业务或涉及美国原产商品、服务或技术的实体),特别是那些从事国际贸易或交易的企业或拥有位于美国境外客户或相对方的企业设立正式的SCP。自公布《指南》以来,在很多OFAC已经完成的对被处罚人进行的民事罚款处罚中,都是由于在调查过程中发现违反制裁规定的根本原因之一是没有设立SCP。此外,OFAC经常将这个要素作为此类行政行为相关一般因素分析的加重因素。

II.Misinterpreting, or Failing to Understand the Applicability of, OFAC'sRegulations

OFAC规则适用性的误读或不理解

Numerousorganizations have committed sanctions violations by misinterpreting OFAC'sregulations, particularly in instances in which the subject person determinedthe transaction, dealing, or activity at issue was either not prohibited or didnot apply to their organization oroperations. For example, severalorganizations have failed to appreciate or consider (or, in someinstances,actively disregarded) the fact that OFAC sanctions applied to theirorganization based on their status as a U.S. person, a U.S.-owned or controlledsubsidiary (in the Cuba and Iranprograms), or dealings in or with U.S. persons,the U.S. financial system, or U.S.-origin goodsand technology.

许多企业由于误解了OFAC规定从而违反了制裁规定,特别是,被处罚人员认定其交易或争议活动未被禁止或OFAC规定不适用于他们企业或运营。例如,一些企业未能理解、考虑(或在某些情况下,积极忽视)OFAC制裁会由于他们作为美国人、美国拥有或控制的子公司(在古巴和伊朗项目中)、在美国或与美国人开展交易、涉及美国金融系统或美国原产货物和技术的交易这些因素适用于他们企业。

With respect to thisspecific root cause, OFAC's administrative actions have typically identified,additional aggravating factors, such as reckless conduct, the presence ofnumerous warning signs that the activity at issue was likely prohibited,awareness by the organization's management of the conduct at issue, and thesize and sophistication of the subject person.

关于这个特定的根本原因,在OFAC的行政行为中通常已经确定出了其他加重因素,例如鲁莽行为、存在大量表明有关活动可能被禁止的警告标志、企业管理层有关行为的认识以及被处罚人的规模和复杂程度。

III.Facilitating Transactions by Non-U.S. Persons (Including Through or By OverseasSubsidiaries or Affiliates).

(包括通过海外子公司或关联公司)促进非美国人的交易

Multipleorganizations subject to U.S. jurisdiction--specifically those withforeign-based.

Operations andsubsidiaries located outside of the United States-have engaged in transactionsor activity that violated OFAC's regulations by referring businessopportunities to, approving or signing off on transactions conducted by, orotherwise facilitating dealings between their organization's non-U.S. locationsand OFAC-sanctioned countries, regions, or persons. In many instances, the rootcause of these violations stems from a misinterpretation or misunderstanding ofOFAC's regulations. Companies and corporations with integrated operations,particularlythose involving orrequiring participation by their U.S.-basedheadquarters, locations, or personnel, should ensure any activities they engagein (i.e., approvals, contracts, procurement, etc.) are compliant with OFAC'sregulations.

受美国管辖的多个企业-特别是总部位于外国的企业、位于美国境外的运营和子公司由于对其企业的非美国地点与OFAC制裁国家、地区或个人开展交易引用商业机会、批准或签署或以其他方式为此类交易提供便利,从事违反了OFAC规定的交易或活动。在许多情况下,这些违规行为的根本原因在于对OFAC法规的误解或误读。具有多个运营地点的公司,尤其是涉及或要求总部、其他运营地点或人员参与的公司应确保其参与的任何活动(即批准、合同、采购等)符合OFAC的规定。

IVExporting orRe-exporting U.S.-origin Goods, Technology, or Services to OFAC-

SanctionedPersons or Countries

OFAC制裁的人或国家出口或再出口美国原产货物、技术或服务

VUtilizing theU.S. Financial System, or Processing Payments to or through U,S.

FinancialInstitutions, for Commercial Transactions Involving OFAC-Sanctioned Persons orCountries

利用美国金融系统处理或通过美国金融机构处理涉及OFAC制裁人或国家的商业交易

Many non-U.S.persons have engaged in violations of OFAC's regulations by processingfinancial transactions (almost all of which have been denominated in U.S.Dollars) to or through U.S. financial institutions that pertain tocommercialactivity involving an OFAC-sanctioned country, region, or person. Although noorganizations subject to U.S. jurisdiction may be involved in the underlyingtransaction--such as the shipment of goods from a third-country to anOFAC-sanctioned country-the inclusion of a U.S. financial institution in anypayments associated with these transactions often results in a prohibitedactivity (e.g., the exportation or re-exportation of

services from theUnited States to a comprehensively sanctioned country, or dealing in blockedproperty in the United States). OFAC has generally focused its enforcementinvestigations on persons who have engaged in willful or reckless conduct,attempted to conceal their activity (e.g., by stripping or manipulating paymentmessages, or making falserepresentations to their non-U.S. or U.S. financialinstitution), engaged in a pattern or practice of conduct for several months oryears, ignored or failed to consider numerous warning signs that the conductwas prohibited, involved actual knowledge or involvement by the organization'smanagement, caused significant harm to U.S. sanctions program objectives, andwere large or sophisticated organizations.

许多非美国人为美国金融机构或通过美国金融机构处理涉及OFAC制裁国家、地区或个人商业活动的金融交易(几乎全部以美元计价)而违反了OFAC规定。虽然受美国管辖的企业可能没有参与相关交易活动-例如将货物从第三国运输到OFAC制裁的国家但是将美国金融机构引入这些交易相关的任何付款通常会导致被禁止的活动发生(例如,将服务从美国出口或再出口到一个受到全面制裁的国家,或者处理在美国被封锁的财产)。OFAC在其执法调查中一般重点查看以下人员:从事故意或鲁莽行为、试图隐瞒其活动(例如通过剥离或操纵支付信息或对非美国或美国金融机构作出虚假陈述)、从事违规行为达几个月或几年(惯性行为)、忽视或未对许多表明被禁止行为的警告信号进行考虑、涉及企业管理层的实际明知或参与、对美国制裁方案目标造成重大损害、大型或复杂企业。

VI.Sanctions Screening Software or Filter Faults

制裁筛选软件或过滤器故障

Many organizationsconduct screening of their customers, supply chain, intermediaries,counter-parties, commercial and financial documents, and transactions in orderto identify OFAC-prohibited locations, parties.or dealings. At timesorganizationshave failed to update their sanctions screening software to incorporate updatesto the SDN List or SSI List, failed to include pertinent identifiers such asSWIFT Business IdentifierCodes for designated, blockedor sanctioned financial institutions.or did not account for alternative spellings of prohibitedcountries orparties-particularly in instances in which the organization is domiciled orconducts business in geographies thatfrequently utilize such alternativespellings (i.e., Habana instead of Havana, Kuba instead of Cuba, Soudan insteadof Sudan, etc.).

许多企业对其客户、供应链、中间人、相对方的商业和财务文件、交易进行筛选,以识别OFAC所禁止的地点、各方当事人或交易。有时,企业未能更新其制裁筛选软件从而未纳入更新后的SDN清单或SSI清单,或未能包括相关标识符,例如被指定、封锁、或被制裁的金融机构的SWIFT业务标识符代码,或(特别是在企业所在地或在经常使用这种替代拼写的地理区域开展业务的情况下),没有说明被禁止国家和当事方的替代拼写,(即Habana替代哈瓦那(Havana),Kuba替代古巴(Cuba),Soudan替代苏丹(Sudan)等)。

VII.Improper Due Diligence on Customers/Clients (e.g., Ownership, BusinessDealings, etc.)

对客户(例如,所有权、业务往来等)的不当尽职调查

One of thefundamental components of an effective OFAC risk assessment and SCP isconducting due diligence on an organization's customers, supply chain,intermediaries, and counter-parties. Various administrative actions taken byOFAC involved improper or incomplete due diligence by a company or corporationon its customers, such as their ownership, geographic location(s),counter-parties, and transactions, as well as their knowledge and awareness ofOFAC sanctions.

一个有效OFAC风险评估,即SCP的基本组成部分之一是对企业的客户、供应链、中间人和交易对方进行尽职调查。很多情况下,OFAC采取行政措施的起因是公司对其客户的尽职调查不当或不完整。尽职调查的内容应涉及例如,所有权、地理位置、交易对手、交易以及对OFAC制裁的了解和认识。

VIl.De-Centralized Compliance Functions and Inconsistent Application of an SCP

非集中的合规职能&SCP适用的不一致性

While eachorganization should design, develop, and implement its risk-based SCP based onits own characteristics, several organizations subject to U.S. jurisdictionhave committed apparentviolations due to a de-centralized SCP. often withpersonnel and decision-makers scattered in various offices or business units.In particular, violations have resulted from this arrangement due to animproper interpretation and application of OFAC's regulations, the lack of aformal escalation process to review high-risk or potential OFAC customers ortransactions, an inefficient or incapable oversight and audit function, ormiscommunications regarding the organization's sanctions-related policies andprocedures.

虽然每个企业都应根据自己的特点设计、开发和实施基于风险的SCP,但受美国管辖的企业通常因分散的SCP(人员和决策者分散在各个办公室或业务部门)导致了明显违规行为的发生。特别是,由于对OFAC法规的解释和适用不当,缺少对高风险或潜在的OFAC客户或交易进行审查的正式上报程序、监督和审计职能低效或不起作用、企业制裁有关政策和程序沟通不畅,导致了违规行为的发生。

IX.Utilizing Non-Standard Payment or Commercial Practices

非标准的付款或商业惯例

Organizationssubject to U.S. jurisdiction are in the best position to determine whether aparticular dealing, transaction, or activity is proposed or processed in amanner that is consistent with industry norms and practices. In many instances,organizations attempting to evade or circumvent OFAC sanctions or conceal theiractivity will implement non-traditional business methods in order to completetheir transactions.

受美国管辖的企业最容易确定出将进行或处理的特定交易或活动是否符合行业规范和惯例。在许多情况下,试图逃避或规避OFAC制裁或隐瞒其活动的企业为完成其交易往往会采用不同寻常的商业方法。

X.Individual Liability

个人责任

In severalinstances, individual employees-particularly in supervisory, managerial, orexecutive-level positions-have played integral roles in causing or facilitatingviolations of the regulations administered by OFAC. SpecificallyOFAC hasidentified scenarios involving U.S.-owned or controlled entities operatingoutside of the United States, in which supervisory, managerial or executiveemployees of the entities conducted or facilitated dealings or transactionswith OFAC-sanctioned persons, regions, or countries, notwithstanding the factthat the U.S. entity had a fulsome sanctions compliance program in place. Insome of these cases, the employees of the foreign entities also made efforts toobfuscate and conceal their activities from others within the corporateorganization, including compliance personnel, as well as from regulators or lawenforcement. In such circumstances, OFAC will consider using its enforcementauthorities not only against the violating entities, but against theindividuals as well.

在一些案例中,个别员工-特别是监督、管理或行政级职位的员工在导致或促进违反OFAC法规方面发挥了不可或缺的作用。特别是,OFAC已确定出,在涉及美国境外运营的美国拥有或控制实体的情况下,尽管美国实体已实施了充分到位的制裁合规方案,但实体的监督、管理或执行人员与被OFAC制裁的人员、地区或国家开展交易或促成交易。在其中一些案例中,外国实体的员工也故意向公司企业内其他人,包括合规人员以及监管机构或执法部门混淆和隐瞒这些活动。在这种情况下,OFAC将考虑不仅针对违规实体进行执法,还会针对个人进行执法。