DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220
A Framework for OFAC Compliance Commitments
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) administers and enforces U.S. economic and trade sanctions programs against targeted foreign governments, individuals, groups, and entities in accordance with national security and foreign policy goals and objectives.
OFAC strongly encourages organizations subject to U.S. jurisdiction, as well as foreign entities that conduct business in or with the United States, U.S. persons, or using U.S.-origin goods or services, to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP). While each risk-based SCP will vary depending on a variety of factors-including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations-each program should be predicated on and incorporate at least five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
If after conducting an investigation and determining that a Civil Monetary Penalty ("CMP") is the appropriate administrative action in response to an apparent violation, the Office of Compliance and Enforcement (OCE) will determine which of the following or other elements should be incorporated into the subject person's SCP as part of any accompanying settlement agreement, as appropriate. As in all enforcement cases, OFAC will evaluate a subject person's SCP in a manner consistent with the Economic Sanctions Enforcement Guidelines (the "Guidelines").
When applying the Guidelines to a given factual situation, OFAC will consider favorably subject persons that had effective SCPs at the time of an apparent violation. For example, under General Factor E (compliance program), OFAC may consider the existence, nature, and adequacy of an SCP, and when appropriate, may mitigate a CMP on that basis. Subject persons that have implemented effective SCPs that are predicated on the five essential components of compliance may also benefit from further mitigation of a CMP pursuant to General Factor F (remedial response) when the SCP results in remedial steps being taken.
Finally, OFAC may, in appropriate cases, consider the existence of an effective SCP at the time of an apparent violation as a factor in its analysis as to whether a case is deemed "egregious."
This document is intended to provide organizations with a framework for the five essential components of a risk-based SCP, and contains an appendix outlining several of the root causes that have led to apparent violations of the sanctions programs that OFAC administers. OFAC recommends all organizations subject to U.S. jurisdiction review the settlements published by OFAC to reassess and enhance their respective SCPs, when and as appropriate.
MANAGEMENT COMMITMENT
Senior Management's commitment to, and support of, an organization's risk-based SCP is one of the most important factors in determining its success. This support is essential in ensuring the SCP receives adequate resources and is fully integrated into the organization's daily operations, and also helps legitimize the program, empower its personnel, and foster a culture of compliance throughout the organization.
General Aspects of an SCP: Senior Management Commitment
Senior management commitment to supporting an organization's SCP is a critical factor in determining the success of the SCP. Effective management support includes the provision of adequate resources to the compliance unit(s) and support for compliance personnel's authority within an organization. The term "senior management" may differ among various organizations, but typically the term should include senior leadership, executives, and/or the board of directors.
I. Senior management has reviewed and approved the organization's SCP.
II. Senior management ensures that its compliance unit(s) is/are delegated sufficient authority and autonomy to deploy its policies and procedures in a manner that effectively controls the organization's OFAC risk. As part of this effort, senior management ensures the existence of direct reporting lines between the SCP function and senior management, including routine and periodic meetings between these two elements of the organization.
III. Senior management has taken, and will continue to take, steps to ensure that the organization's compliance unit(s) receive adequate resources-including in the form of human capital, expertise, information technology, and other resources, as appropriate-that are relative to the organization's breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.
These efforts could generally be measured by the following criteria:
A. The organization has appointed a dedicated OFAC sanctions compliance officer;
B. The quality and experience of the personnel dedicated to the SCP, including: (i) the technical knowledge and expertise of these personnel with respect to OFAC's regulations, processes, and actions; (ii) the ability of these personnel to understand complex financial and commercial activities, apply their knowledge of OFAC to these items, and identify OFAC-related issues, risks, and prohibited activities; and (iii) the efforts to ensure that personnel dedicated to the SCP have sufficient experience and an appropriate position within the organization, and are an integral component to the organization’s success; and
C. Sufficient control functions exist that support the organization's SCP-including but not limited to information technology software and systems-that adequately address the organization's OFAC-risk assessment and levels.
IV. Senior management promotes a "culture of compliance" throughout the organization.
These efforts could generally be measured by the following criteria:
A. The ability of personnel to report sanctions-related misconduct by the organization or its personnel to senior management without fear of reprisal.
B. Senior management messages and takes actions that discourage misconduct and prohibited activities, and highlight the potential repercussions of non-compliance with OFAC sanctions; and
C. The ability of the SCP to have oversight over the actions of the entire organization, including but not limited to senior management, for the purposes of compliance with OFAC sanctions.
V. Senior management demonstrates recognition of the seriousness of apparent violations of the laws and regulations administered by OFAC, or malfunctions, deficiencies, or failures by the organization and its personnel to comply with the SCP's policies and procedures, and implements necessary measures to reduce the occurrence of apparent violations in the future. Such measures should address the root causes of past apparent violations and represent systemic solutions whenever possible.
RISK ASSESSMENT
Risks in sanctions compliance are potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC's regulations and negatively affect an organization's reputation and business. OFAC recommends that organizations take a risk-based approach when designing or updating an SCP. One of the central tenets of this approach is for organizations to conduct a routine, and if appropriate, ongoing "risk assessment" for the purposes of identifying potential OFAC issues they are likely to encounter. As described in detail below, the results of a risk assessment are integral in informing the SCP's policies, procedures, internal controls, and training in order to mitigate such risks.
While there is no “one-size-fits-all” risk assessment, the exercise should generally consist of a holistic review of the organization from top-to-bottom and assess its touchpoints to the outside world. This process allows the organization to identify potential areas in which it may, directly or indirectly, engage with OFAC-prohibited persons, parties, countries, or regions. For example, an organization’s SCP may conduct an assessment of the following:
(i) customers, supply chain, intermediaries, and counter-parties; (ii) the products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems; and (iii) the geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counter-parties. Risk assessments and sanctions-related due diligence are also important during mergers and acquisitions, particularly in scenarios involving non-U.S. companies or corporations.
General Aspects of an SCP: Conducting a Sanctions Risk Assessment
A fundamental element of a sound SCP is the assessment of specific clients, products, services, and geographic locations in order to determine potential OFAC sanctions risk. The purpose of a risk assessment is to identify inherent risks in order to inform risk-based decisions and controls. The Annex to Appendix A to 31 C.F.R. Part 501, OFAC's Economic Sanctions Enforcement Guidelines, provides an OFAC Risk Matrix that may be used by financial institutions or other entities to evaluate their compliance programs:
I. The organization conducts, or will conduct, an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for the potential risks. Such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization. As appropriate, the risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business.
A. In assessing its OFAC risk, organizations should leverage existing information to inform the process. In turn, the risk assessment will generally inform the extent of the due diligence efforts at various points in a relationship or in a transaction. This may include:
1. On-boarding: The organization develops a sanctions risk rating for customers, customer groups, or account relationships, as appropriate, by leveraging information provided by the customer (for example, through a Know Your Customer or Customer Due Diligence process) and independent research conducted by the organization at the initiation of the customer relationship. This information will guide the timing and scope of future due diligence efforts. Important elements to consider in determining the sanctions risk rating can be found in OFAC's risk matrices.
2. Mergers and Acquisitions (M&A): As noted above, proper risk assessments should include and encompass a variety of factors and data points for each organization. One of the multitude of areas organizations should include in their risk assessments-which, in recent years, appears to have presented numerous challenges with respect to OFAC sanctions-are mergers and acquisitions. Compliance functions should also be integrated into the merger, acquisition, and integration process. Whether in an advisory capacity or as a participant, the organization engages in appropriate due diligence to ensure that sanctions-related issues are identified, escalated to the relevant senior levels, addressed prior to the conclusion of any transaction, and incorporated into the organization's risk assessment process. After an M&A transaction is completed, the organization's Audit and Testing function will be critical to identifying any additional sanctions-related issues.
II. The organization has developed a methodology to identify, analyze, and address the particular risks it identifies. As appropriate, the risk assessment will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business, for example, through a testing or audit function.
INTERNAL CONTROLS
An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the organization's risk assessments. Policies and procedures should be enforced, weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated, and internal and/or external audits and assessments of the program should be conducted on a periodic basis.
Given the dynamic nature of U.S. economic and trade sanctions, a successful and effective SCP should be capable of adjusting rapidly to changes published by OFAC. These include the following: (i) updates to OFAC's List of Specially Designated Nationals and Blocked Persons (the "SDN List"), the Sectoral Sanctions Identification List ("SSI List"), and other sanctions-related lists; (ii) new, amended, or updated sanctions programs or prohibitions imposed on targeted foreign countries, governments, regions, or persons, through the enactment of new legislation, the issuance of new Executive orders, regulations, or published OFAC guidance or other OFAC actions; and (iii) the issuance of general licenses.
General Aspects of an SCP: Internal Controls
Effective OFAC compliance programs generally include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that is prohibited by the sanctions programs administered by OFAC. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance, and minimize the risks identified by an entity's OFAC risk assessments. Policies and procedures should be enforced, and weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated in order to prevent activity that might violate the sanctions programs administered by OFAC.
I. The organization has designed and implemented written policies and procedures outlining the SCP. These policies and procedures are relevant to the organization, capture the organization's day-to-day operations and procedures, are easy to follow, and designed to prevent employees from engaging in misconduct.
II. The organization has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable the organization to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC. To the extent information technology solutions factor into the organization's internal controls, the organization has selected and calibrated the solutions in a manner that is appropriate to address the organization's risk profile and compliance needs, and the organization routinely tests the solutions to ensure effectiveness.
III. The organization enforces the policies and procedures it implements as part of its OFAC compliance internal controls through internal and/or external audits.
IV. The organization ensures that its OFAC-related recordkeeping policies and procedures adequately account for its requirements pursuant to the sanctions programs administered by OFAC.
V. The organization ensures that, upon learning of a weakness in its internal controls pertaining to OFAC compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
VI. The organization has clearly communicated the SCP's policies and procedures to all relevant staff, including personnel within the SCP program, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing SCP responsibilities on behalf of the organization.
VII. The organization has appointed personnel for integrating the SCP's policies and procedures into the daily operations of the company or corporation. This process includes consultations with relevant business units, and confirms the organization’s employees understand the policies and procedures.
TESTING AND AUDITING
Audits assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective testing or audit function within an SCP ensures that an organization identifies program weaknesses and deficiencies, and it is the organization's responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps. Such enhancements might include updating, improving, or recalibrating SCP elements to account for a changing risk assessment or sanctions environment. Testing and auditing can be conducted on a specific element of an SCP or at the enterprise-wide level.
General Aspects of an SCP: Testing and Auditing
A comprehensive, independent, and objective testing or audit function within an SCP ensures that entities are aware of where and how their programs are performing and should be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment, as appropriate. Testing or audit, whether conducted on a specific element of a compliance program or at the enterprise-wide level, are important tools to ensure the program is working as designed and identify weaknesses and deficiencies within a compliance program.
I. The organization commits to ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, resources, and authority within the organization.
II. The organization commits to ensuring that it employs testing or audit procedures appropriate to the level and sophistication of its SCP and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of the organization's OFAC-related risk assessment and internal controls.
III. The organization ensures that, upon learning of a confirmed negative testing result or audit finding pertaining to its SCP, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
TRAINING
An effective training program is an integral component of a successful SCP. The training program should be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually) and generally should accomplish the following: (i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.
General Aspects of an SCP: Training
An adequate training program, tailored to an entity's risk profile and all appropriate employees and stakeholders, is critical to the success of an SCP.
I. The organization commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support the organization's OFAC compliance efforts. Such training should be further tailored to high-risk employees within the organization.
II. The organization commits to provide OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
III. The organization commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile.
IV. The organization commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its SCP, it will take immediate and effective action to provide training to or other corrective action with respect to relevant personnel.
V. The organization’s training program includes easily accessible resources and materials that are available to all applicable personnel.
Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies Based on Assessment of Prior OFAC Administrative Actions
Since its publication of the Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, App. A (the "Guidelines"), OFAC has finalized numerous public enforcement actions in which it identified deficiencies or weaknesses within the subject person's SCP. These items, which are provided in a non-exhaustive list below, are provided to alert persons subject to U.S. jurisdiction, including entities that conduct business in or with the United States, U.S. persons, or U.S.-origin goods or services, about several specific root causes associated with apparent violations of the regulations it administers in order to assist them in designing, updating, and amending their respective SCP.
I. Lack of a Formal OFAC SCP
OFAC regulations do not require a formal SCP; however, OFAC encourages organizations subject to U.S. jurisdiction (including but not limited to those entities that conduct business in, with, or through the United States or involving U.S.-origin goods, services, or technology) and particularly those that engage in international trade or transactions or possess any clients or counter-parties located outside of the United States, to adopt a formal SCP. OFAC has finalized numerous civil monetary penalties since publicizing the Guidelines in which the subject person’s lack of an SCP was one of the root causes of the sanctions violations identified during the course of the investigation. In addition, OFAC frequently identified this element as an aggravating factor in its analysis of the General Factors associated with such administrative actions.
II. Misinterpreting, or Failing to Understand the Applicability of, OFAC's Regulations
Numerous organizations have committed sanctions violations by misinterpreting OFAC's regulations, particularly in instances in which the subject person determined the transaction, dealing, or activity at issue was either not prohibited or did not apply to their organization or operations. For example, several organizations have failed to appreciate or consider (or, in some instances, actively disregarded) the fact that OFAC sanctions applied to their organization based on their status as a U.S. person, a U.S.-owned or controlled subsidiary (in the Cuba and Iran programs), or dealings in or with U.S. persons, the U.S. financial system, or U.S.-origin goods and technology.
With respect to this specific root cause, OFAC's administrative actions have typically identified additional aggravating factors, such as reckless conduct, the presence of numerous warning signs that the activity at issue was likely prohibited, awareness by the organization's management of the conduct at issue, and the size and sophistication of the subject person.
III. Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates)
Multiple organizations subject to U.S. jurisdiction--specifically those with foreign-based operations and subsidiaries located outside of the United States--have engaged in transactions or activity that violated OFAC's regulations by referring business opportunities to, approving or signing off on transactions conducted by, or otherwise facilitating dealings between their organization's non-U.S. locations and OFAC-sanctioned countries, regions, or persons. In many instances, the root cause of these violations stems from a misinterpretation or misunderstanding of OFAC's regulations. Companies and corporations with integrated operations, particularly those involving or requiring participation by their U.S.-based headquarters, locations, or personnel, should ensure any activities they engage in (i.e., approvals, contracts, procurement, etc.) are compliant with OFAC's regulations.
IV. Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries
Non-U.S. persons have repeatedly purchased U.S.-origin goods with the specific intent of re-exporting, transferring, or selling the items to a person, country, or region subject to OFAC sanctions. In several instances, this activity occurred despite warning signs that U.S. economic sanctions laws prohibited the activity, including contractual language expressly prohibiting any such dealings. OFAC’s public enforcement actions in this area have generally been focused on companies or corporations that are large or sophisticated, engaged in a pattern or practice that lasted multiple years, ignored or failed to respond to numerous warning signs, utilized non-routine business practices, and—in several instances—concealed their activity in a willful or reckless manner.
V. Utilizing the U.S. Financial System, or Processing Payments to or through U.S. Financial Institutions, for Commercial Transactions Involving OFAC-Sanctioned Persons or Countries
Many non-U.S. persons have engaged in violations of OFAC's regulations by processing financial transactions (almost all of which have been denominated in U.S. Dollars) to or through U.S. financial institutions that pertain to commercial activity involving an OFAC-sanctioned country, region, or person. Although no organizations subject to U.S. jurisdiction may be involved in the underlying transaction--such as the shipment of goods from a third country to an OFAC-sanctioned country--the inclusion of a U.S. financial institution in any payments associated with these transactions often results in a prohibited activity (e.g., the exportation or re-exportation of services from the United States to a comprehensively sanctioned country, or dealing in blocked property in the United States). OFAC has generally focused its enforcement investigations on persons who have engaged in willful or reckless conduct, attempted to conceal their activity (e.g., by stripping or manipulating payment messages, or making false representations to their non-U.S. or U.S. financial institution), engaged in a pattern or practice of conduct for several months or years, ignored or failed to consider numerous warning signs that the conduct was prohibited, involved actual knowledge or involvement by the organization's management, caused significant harm to U.S. sanctions program objectives, and were large or sophisticated organizations.
VI. Sanctions Screening Software or Filter Faults
Many organizations conduct screening of their customers, supply chain, intermediaries, counter-parties, commercial and financial documents, and transactions in order to identify OFAC-prohibited locations, parties, or dealings. At times organizations have failed to update their sanctions screening software to incorporate updates to the SDN List or SSI List, failed to include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked or sanctioned financial institutions, or did not account for alternative spellings of prohibited countries or parties--particularly in instances in which the organization is domiciled or conducts business in geographies that frequently utilize such alternative spellings (i.e., Habana instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan, etc.).
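The following is an added illustration, not part of OFAC's framework or any vendor's product, of two of the filter faults described above: an exact-match filter that misses alternative spellings, and BIC matching that must tolerate branch suffixes. The alias table, the placeholder BIC `TESTXXAA`, and the sample payment record are constructed for the example.

```python
import re
import unicodedata

# Canonical name -> spellings to match. The variants Habana, Kuba and Soudan
# are the ones named in the text; the table itself is constructed.
LOCATION_ALIASES = {
    "cuba": {"cuba", "kuba"},
    "havana": {"havana", "habana"},
    "sudan": {"sudan", "soudan"},
}
# Placeholder BIC8 value (bank + country + location), not a real institution.
BLOCKED_BIC8 = {"TESTXXAA"}

def tokens(text):
    """Strip diacritics, casefold, and split into alphanumeric tokens."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return set(re.findall(r"[a-z0-9]+", stripped.casefold()))

def naive_screen(text):
    """The faulty filter: exact, case-sensitive match on canonical names only."""
    return sorted(n for n in LOCATION_ALIASES if n.capitalize() in text)

def screen_locations(text):
    """Match any known spelling as a whole token; report the canonical name."""
    seen = tokens(text)
    return sorted(name for name, spellings in LOCATION_ALIASES.items()
                  if spellings & seen)

def bic8(bic):
    """Reduce a BIC8 or BIC11 to its first 8 characters (drops the branch)."""
    cleaned = re.sub(r"\s+", "", bic).upper()
    if len(cleaned) not in (8, 11):
        raise ValueError(f"not a BIC8/BIC11: {bic!r}")
    return cleaned[:8]

def screen_payment(payment):
    """Return all hits for one payment record; hits are leads for review."""
    hits = [f"location:{n}" for n in screen_locations(payment["address"])]
    code = bic8(payment["bic"])
    if code in BLOCKED_BIC8:
        hits.append(f"bic:{code}")
    return hits

# Constructed sample record.
SAMPLE = {"address": "Calle 23 No. 5, La Habana, Kuba", "bic": "testxxaaxxx"}

if __name__ == "__main__":
    print(naive_screen(SAMPLE["address"]), screen_payment(SAMPLE))
```

Whole-token matching keeps a string such as "Kubala Street" from hitting on "kuba"; it does not address a stale list, which requires reloading the SDN and SSI data on each update.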
VII. Improper Due Diligence on Customers/Clients (e.g., Ownership, Business Dealings, etc.)
One of the fundamental components of an effective OFAC risk assessment and SCP is conducting due diligence on an organization's customers, supply chain, intermediaries, and counter-parties. Various administrative actions taken by OFAC involved improper or incomplete due diligence by a company or corporation on its customers, such as their ownership, geographic location(s), counter-parties, and transactions, as well as their knowledge and awareness of OFAC sanctions.
VIII. De-Centralized Compliance Functions and Inconsistent Application of an SCP
While each organization should design, develop, and implement its risk-based SCP based on its own characteristics, several organizations subject to U.S. jurisdiction have committed apparent violations due to a de-centralized SCP, often with personnel and decision-makers scattered in various offices or business units. In particular, violations have resulted from this arrangement due to an improper interpretation and application of OFAC's regulations, the lack of a formal escalation process to review high-risk or potential OFAC customers or transactions, an inefficient or incapable oversight and audit function, or miscommunications regarding the organization's sanctions-related policies and procedures.
IX. Utilizing Non-Standard Payment or Commercial Practices
Organizations subject to U.S. jurisdiction are in the best position to determine whether a particular dealing, transaction, or activity is proposed or processed in a manner that is consistent with industry norms and practices. In many instances, organizations attempting to evade or circumvent OFAC sanctions or conceal their activity will implement non-traditional business methods in order to complete their transactions.
X. Individual Liability
In several instances, individual employees--particularly in supervisory, managerial, or executive-level positions--have played integral roles in causing or facilitating violations of the regulations administered by OFAC. Specifically, OFAC has identified scenarios involving U.S.-owned or controlled entities operating outside of the United States, in which supervisory, managerial or executive employees of the entities conducted or facilitated dealings or transactions with OFAC-sanctioned persons, regions, or countries, notwithstanding the fact that the U.S. entity had a fulsome sanctions compliance program in place. In some of these cases, the employees of the foreign entities also made efforts to obfuscate and conceal their activities from others within the corporate organization, including compliance personnel, as well as from regulators or law enforcement. In such circumstances, OFAC will consider using its enforcement authorities not only against the violating entities, but against the individuals as well.
______________________________________
Note:
1. This may be the same person serving in other senior compliance positions, e.g., the Bank Secrecy Act Officer or an Export Control Officer, as many institutions, depending on size and complexity, designate a single person to oversee all areas of financial crimes or export control compliance.