What is OFAC, and what does an OFAC policy cover?
The Office of Foreign Assets Control (“OFAC”) is the government agency responsible for enforcing trade and economic sanctions imposed by the US Government. Essentially, this government agency compiles OFAC’s List of Specially Designated Nationals and Blocked Persons (“SDN List”), which includes individuals and entities owned or controlled by, or acting behalf of, sanctioned countries, as well as individuals such as terrorists. U.S. persons are not legally allowed to do business with entities or individuals on this list.
U.S. international policy changes rapidly as the geopolitical landscape shifts, and it is important to ensure your firm understands the impact of those changes—especially if you have foreign investors or an international investment strategy. The sanctions lists are dynamic and regularly changing, so having an effective Anti-Money Laundering (“AML”) and OFAC policy and process in place for evaluating compliance across the firm’s Limited Partner (“LP”) investor base, vendors, and investments is critical for ensuring ongoing compliance.
From a fund manager's perspective, while I am sure you wouldn’t take money from Putin, it isn’t always that obvious who/what is behind the business entity you are engaging with. For example, Russian shell corporations get added to the U.S. sanctions list regularly as they become known.
What are the requirements for Exempt Reporting Advisers?
Currently, there is no AML program rule in the U.S. for Exempt Reporting Advisers (“ERAs”) or their administrators, but remember it is still illegal to do business with sanctioned individuals or entities. So while it isn't required, it is good business practice to put something in place (and follow it!).
Across the board, ERAs have fewer compliance reporting requirements and, as such, are typically more susceptible to unknowingly committing violations. Many VC firms only conduct Know Your Customer (“KYC”) checks upon an LP’s subscription to the fund or upon initial investment in a portfolio company and not on a regular cadence. But, regardless of whether or not a policy is in place or being followed internally, the firm is ultimately legally responsible if/when they do business with a sanctioned entity or person, whether they are aware of it or not.
Who should be checked, and who does this include?
Any entity or individual your firm does business with—a.k.a. sends money to or receives money from—should be checked. In the VC world, this includes LPs, vendors, service providers, and portfolio companies. Remember, U.S. persons are prohibited from doing business directly (or indirectly) with any sanctioned person or entity. This could mean you can not do business with a vendor if one of the owners is on the SDN List. Imagine how tricky this can get to detect with shell companies and pass-through entities.
What should an OFAC Policy include, and where should it live?
In 2019, OFAC released a framework for an effective compliance policy. According to OFAC, every compliance program should incorporate the following: (1) management commitment and support; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
A major element of an OFAC policy is risk assessment. Determining the threat and vulnerability of your firm to interacting or doing business with potentially sanctioned individuals or entities will be critical in deciding the procedure and processes required to avoid violations. For example, if you have foreign LPs or invest internationally, your risk profile would be higher than a firm that has only domestic LPs and invests locally.
Typically OFAC compliance lives within your AML policy but can be a separate policy as well.
Is there a template?
Yes! FINRA has a robust AML template publicly available that includes a section on OFAC specially. This is a great starting point to review items a policy should/could include and pair it down to reflect your specific business need and risk level. From a practical standpoint, you want your policy to reflect what you are actually doing, so be sure to edit the template to be applicable.
Service providers such as Parallel Markets and IQ-EQ will also provide you with a template that incorporates their offerings into your policy.
But are they really enforcing this?
The scope and enforcement of sanctions programs have dramatically increased globally, and stronger requirements from U.S. agencies are likely. Similarly, given conflicts abroad, some banks in the U.S. are proactively requiring these policy changes from their clients with more likely to follow suit.
Ultimately, you, as the fund manager, are liable and responsible for ensuring your fund isn’t doing business with sanctioned individuals or entities. Simply not knowing or not having a process in place is not a valid defense for sanctions violations and may lead to civil penalties. In other words, ignorance is not bliss. From a fund perspective, your fund assets could be frozen, and/or forced liquidation of the fund’s assets could occur. Having the right checks in place is not only in your best interest as a manager but also in the best interest of your LPs.
In another vein, many institutional LPs require policies to be in place and will review your procedures around AML and OFAC compliance as part of their operational due diligence process. If you are fundraising, leveraging a reputable compliance service provider will add validity and confidence from institutional LPs as it will ensure the policy is actually being followed in practice.
What are the pros and cons of handling KYC in-house vs. through a service provider?
Some firms may choose to handle KYC in-house. The US government makes the OFAC sanctions list and databases easily accessible online for free, so implementing a policy with in-house checks can be feasible, especially if you are low risk. Give it a try! You can even do a bulk copy and paste using FINRA’s tool. However, depending on the number of LPs and portfolio companies you have, this can be burdensome and time-consuming, especially if you need to search the owners or the shareholders behind each entity. Also, you will need to have updated KYC documents, such as driver's licenses or passport, and W9 or W8 forms, to ensure you are searching for the correct information.
If handling in-house sounds daunting, fear not; there are 3rd party solutions that address these specific pieces of compliance. Firms can choose from more platform-based technology solutions like Parallel Markets or more of a consulting model with brand name firms like IQ-EQ or ACA Global. Tech platforms are fairly new solutions to the market that have been launched over the recent years to meet compliance needs in a scalable and affordable way, while the brand name consulting firms focus on advisory aspects and are reputable, especially with institutional LP perspective. Depending on your needs and scope, both of these options can be cost-effective solutions and will manage the collection of relevant KYC documents as well as run the compliance checks—some even offer 24/7 monitoring. Additionally, leveraging a compliance service provider can decrease the costs associated with investor onboarding by moving the KYC process from the law firms to the compliance provider.
So, I’ve followed Strut’s advice and have a policy and processes in place—what do we do if our search comes back with a SDN List match?
Your OFAC policy will include steps to take if a hit is confirmed as a sanctioned individual or entity. Typically what this includes is proactively contacting your firm's legal counsel to immediately take the necessary steps to terminate the relationship, reject the transaction and/or block the assets and file a blocked assets and/or rejected transaction form with OFAC. Furthermore, many service providers have built-in remediation services and processes for if and when this occurs.
Compliance can feel overwhelming, but having the right systems and processes in place is the majority of the battle. Strut is here to help you navigate through the nice to haves versus the need to haves, and ensure you are making the best decisions for your firm.