Lesson 08 of 25
Governance: Senior Management, the SCO, and Building the Program
4 min read · CGSS
Build the program the regulators expect using OFAC's five-component Framework. Place the Sanctions Compliance Officer in the three-lines-of-defense model and learn to spot the governance gaps that turn ordinary breaches into enforcement cases.
The program is the answer to most scenarios
- Sanctions risk is managed by a structured program
- OFAC's five components are the backbone
- Senior management owns the tone
- Know the components and who does what
Most CGSS scenarios resolve to one question: did the institution have, and follow, a proper sanctions compliance program? So this lecture gives you the backbone every program is built on. OFAC's 2019 Framework names five components a credible program needs, and that list is worth knowing cold because it doubles as a checklist for almost any what-should-the-firm-have-done question.
We'll walk the five components, then place the people, senior management and the sanctions compliance officer, into the three-lines-of-defense model. Build this mental model and you'll answer governance questions almost on autopilot.
OFAC's five components
- 1) Management commitment
- 2) Risk assessment
- 3) Internal controls
- 4) Testing and auditing
- 5) Training
Here are the five components of OFAC's Framework, in order. One, management commitment: leadership funds, empowers, and visibly supports the program. Two, risk assessment: the firm regularly identifies where its sanctions risk actually sits across customers, products, geographies, and channels.
Three, internal controls: the policies, procedures, screening systems, and escalation paths that turn risk findings into day-to-day action. Four, testing and auditing: an independent check that the controls work as designed. And five, training: so staff can recognize and act on sanctions risk.
Memorize these five. When a question asks what was missing in a failed program, the gap almost always maps to one of them: no risk assessment, weak controls, no independent testing, untrained staff, or absent leadership.
Management commitment and culture
- Senior leaders set the tone and the budget
- A reporting line that protects independence
- Empower the SCO to escalate and stop business
- Tone-at-the-top is tested
Of the five, management commitment is listed first for a reason: without it, the others wither. Senior leaders and the board set the tone, approve policy, fund the technology and the headcount, and make clear that compliance can stop a deal. That commitment shows up concretely: a sanctions compliance officer with enough authority and independence to escalate over the business, a reporting line that doesn't bury bad news, and a culture where raising a sanctions concern is rewarded, not punished.
The exam frequently signals weak commitment (an under-resourced team, a compliance officer overruled by revenue, alerts piling up unworked) and expects you to identify that as the root problem. Strong programs start at the top.
The Sanctions Compliance Officer and the three lines
- First line — the business that owns the risk
- Second line — compliance/sanctions sets policy & monitors
- Third line — independent audit tests the program
- SCO sits in the second line with real authority
Now place the people. Most institutions organize risk in three lines of defense. The first line is the business, the front-office staff who onboard customers and move payments, and who own the risk day to day.
The second line is compliance, including the sanctions function and the Sanctions Compliance Officer, the SCO, who sets policy, runs screening governance, and monitors. The third line is independent audit, which tests whether the whole program works. The SCO lives in the second line and needs genuine authority and independence to be effective.
A common exam trap is blurring these lines, for instance, treating second-line monitoring as if it were independent audit. It isn't; embedded oversight is not the same as the independent third-line check.
Tying governance to risk
- Program intensity should match the risk
- Risk assessment feeds controls and resourcing
- Document decisions and rationale
- Sets up the evasion and diligence domains
The thread that ties governance together is the risk-based approach, which FATF places at the center of effective compliance. A program isn't strong because it's big; it's strong because it's proportionate: its controls, screening intensity, and resources match where the real sanctions risk lives, as identified by the risk assessment. That means a firm with heavy dollar-clearing and trade-finance exposure should look very different from a small domestic lender, and both can be compliant if their programs fit their risk.
Always document the rationale, because regulators evaluate the reasoning, not just the outcome.
Testing and training, the easy-to-skip pillars
- Independent testing checks the program actually works
- Findings must be tracked to closure
- Training equips staff to spot and escalate risk
- Sets up the evasion domain next
Two of OFAC's five components get neglected, and the exam punishes that. Testing and auditing means an independent check, separate from the people who run the controls, that the program actually works as designed, and crucially, that the findings are tracked to closure rather than filed away. An audit that surfaces a screening gap and then nobody fixes it is worse than no audit at all, because now the failure is documented and ignored.
Training is the other quiet pillar: staff across the first and second lines need enough knowledge to recognize a sanctions red flag and to escalate it, and training should be tailored to the role and refreshed as risks change. When a scenario shows alerts going unworked, an audit finding left open, or front-office staff who didn't recognize an obvious flag, those point straight at the testing and training components. That closes our governance domain.
Next, we change perspective and look at how the other side works, the typologies of sanctions evasion you're built to detect, starting with how evasion happens and the red flags that give it away.
Sources
- OFAC 'A Framework for OFAC Compliance Commitments' (May 2019) — five components
- Wolfsberg Group guidance on sanctions compliance
- three-lines-of-defense model
- FATF Recommendation 1 (risk-based approach) and Recommendation 18 (internal controls)
Test your knowledge
A few CGSS questions on this material.
Q1. A compliance team is evaluating whether to use a single watchlist aggregator versus sourcing each sanctions list directly from its issuing authority. What is the primary compliance risk of relying exclusively on a third-party aggregator?
Q2. A screening system flags a customer as a potential SDN match. After investigation, the analyst confirms the customer's name is similar but the customer is a different person with different DOB, nationality, and address. What is the appropriate disposition?
Q3. Which data point, when included in a customer record, is most useful for resolving a potential SDN name-match alert?
Q4. During a sanctions alert investigation, an analyst discovers that the beneficial owner of the transacting entity — not the entity itself — is on the SDN List. What is the correct next step?