Compliance Commitments: Respondent has terminated the conduct described above and has established and agrees to maintain for at least five years following the date this Agreement is executed, sanctions compliance measures that are designed to minimize the risk of recurrence of similar conduct in the future. Specifically, OFAC
and Respondent understand that the following compliance commitments have been made:
a.
Management Commitment:
i. Respondent commits that senior management has reviewed and approved Respondent’s sanctions compliance program.
ii. Respondent commits to ensuring that its senior management, including senior leadership, executives, and the board of directors, are committed to supporting Respondent’s OFAC compliance program.
iii. Respondent commits to ensuring that all compliance units are delegated sufficient authority and autonomy to deploy its policies and procedures in a manner that effectively controls Respondent’s OFAC risk.
iv. Respondent commits to ensuring that all compliance units receive adequate resources—including in the form of human capital, expertise, information technology, and other resources, as appropriate—that are relative to Respondent’s breadth of operations, target and secondary markets, and other factors affecting its overall risk profile.
v. Respondent commits to ensuring that senior management promotes a “culture of compliance” throughout the organization.
Risk Assessment:
i. Respondent represents that it conducts and will continue to conduct an OFAC risk assessment in a manner, and with a frequency, that adequately accounts for potential risks. Such risks could be posed by its clients and customers, products, services, supply chain, intermediaries, counter-parties, transactions, and geographic locations, depending on the nature of the organization. The risk assessment will be updated to account for the root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business.
ii. Respondent represents that it has developed a methodology to identify, analyze, and address the particular risks it identifies. The risk assessments will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by Respondent during the routine course of business, for example, through a testing or audit function.
Internal Controls:
i. Respondent has designed and implemented written policies and procedures outlining its sanctions compliance program. These policies and procedures
are relevant to the organization, capture Respondent’s day-to-day operations and procedures, are easy to follow, and designed to prevent employees from engaging in misconduct.
ii. The organization has implemented internal controls that adequately address the results of its OFAC risk assessment and profile. These internal controls should enable Respondent to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activity that may be prohibited by OFAC. To the extent information technology solutions factor into Respondent’s internal controls, Respondent has selected and calibrated the solutions in a manner that is appropriate to address Respondent’s risk profile and compliance needs, and Respondent routinely tests the solutions to ensure effectiveness.
iii. Respondent commits to enforcing the policies and procedures it implements as part of its sanctions compliance internal controls through internal or external audits.
iv. Respondent commits to ensuring that its OFAC-related recordkeeping policies and procedures adequately account for its requirements pursuant to the sanctions programs administered by OFAC.
v. Respondent commits to ensuring that, upon learning of a weakness in its internal controls pertaining to sanctions compliance, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
vi. Respondent has clearly communicated the sanctions compliance program’s policies and procedures to all relevant staff, including personnel within the sanctions compliance function, as well as relevant gatekeepers and business units operating in high-risk areas (e.g., customer acquisition, payments, sales, etc.) and to external parties performing sanctions compliance responsibilities on behalf of Respondent.
vii. Respondent has appointed personnel to integrate the sanction compliance program’s policies and procedures into Respondent’s daily operations. This process includes consultations with relevant business units and confirms that Respondent’s employees understand the policies and procedures.
viii. Specifically with respect to the conduct outlined above, AL Middle East agreed to adopt heightened review and screening processes for Iran-related transactions that require sign-off for each such transactions by AL Middle East’s Sales Administration and Contracts Manager.
d.
Testing and Audit:
i. Respondent commits to ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, resources, and authority within the organization.
ii. Respondent commits to ensuring that it employs testing or audit procedures appropriate to the level and sophistication of its sanctions compliance program and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of Respondent’s OFAC- related risk assessment and internal controls.
iii. Respondent commits to ensuring that, upon learning of a confirmed negative testing result or audit finding pertaining to its sanctions compliance program, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
e. Training:
i. Respondent commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support Respondent’s sanctions compliance efforts.
ii. Respondent commits to providing OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
iii. Respondent commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile and, at a minimum, at least once a year to all relevant employees.
iv. Respondent commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its sanctions compliance program, it will take immediate and effective action to provide training to relevant personnel.
v. Respondent’s training program includes easily accessible resources and materials that are available to all applicable personnel.
vi. Specifically with respect to the conduct outlined above, AL Middle East has agreed to conduct additional in-person training to reinforce Alfa Laval’s Export Control Policy.
Oh, and…
Annual Certification: On an annual basis, for a period of five years, starting from 180 days after the date the Agreement is executed, a senior-level executive or manager of Respondent will submit a certification confirming that Respondent has implemented and continued to maintain the sanctions compliance measures as committed above.
Link: