Every month, the Office of Foreign Assets Control (OFAC) publishes its current Fines & Penalties information, where fines, some of them in the millions of dollars, are levied against corporate entities. The fines generally occur when companies:
(1) Fail to screen prospective customers adequately in advance, that is, to ensure that a new client is not on any national or international sanctions list (Know Your Customer, a/k/a KYC).
(2) Fail to follow international sanctions in place against countries, or non-state actors, when conducting business.
(3) Turn a blind eye to transactions with customers that obviously are merely conduits to end users that are sanctioned (Know Your Customer's Customer).
What I see more often than not is the lack of a compliance department in the corporations being fined. Whilst only financial businesses, and certain other specific industries, are specifically required to maintain a compliance programme, foolish is the business owner in 2012 who fails to create one for his company. The usefulness of a compliance officer, operating a compliance department, is not only to protect against regulatory fines, but also to guard against the company's unwitting involvement in criminal activities, and against its providing material support to terrorism through terrorist financing. The lack of a compliance programme endangers not only the company's existence, but also the liberty of its officers and managers, due to the War on Drugs, the Global War on Terrorism, and other ongoing law enforcement programmes.
Companies that are engaged in international trade are especially at risk, for a prized customer on the other side of the globe could, without adequate compliance, turn out to be transshipping your products into Iran or North Korea, to a Specially Designated Global Terrorist Organisation.
At the very least, you should have:
(A) A compliance programme, with a written compliance manual.
(B) A comprehensive employee training programme.
(C) An annual, outside, independent audit of the programme, to ensure that it is being followed.
(D) Continuing education for your compliance staff.
(E) The commercial off-the-shelf information resources necessary to operate an effective programme.
All businesses, irrespective of their type, should have such a programme, as part of an effective risk management policy.