Do you know what an SDN is? More important, do you know if you are doing business with one of them?

If you're a governance, risk management, and compliance (GRC) professional at a company that conducts any sort of international business, you ought to.

An SDN is a "specially designated national" or person, which means you should take special care to avoid doing business with a person who has this designation -- or risk running afoul of the Office of Foreign Assets Control (OFAC).

OFAC [1] is the U.S. Department of the Treasury agency that "administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States."

OFAC maintains an SDN list [2], which is available here. In addition to individuals, countries, such as North Korea, Iran ,and Cuba also appear on the list. (Buying Cuban cigars violates OFAC rules).

"OFAC is a concern for a growing number of U.S. companies," notes Gene Truono [3], managing director, BDO Consulting, which is a division of BDO Seidman, LLP.

Truono ought to know: he oversees his firm's financial institution consulting practice, which includes a hefty emphasis on regulatory compliance initiatives, including anti-money laundering work. Earlier in his career, Truono served as vice president of compliance and ethics and chief compliance officer at American Express Bank Limited.

OFAC compliance can be tricky because:

1. Companies with newly global operations may not be well-versed in the requirements;
2. OFAC rules, along with the names on the SDN list, change periodically (for example, as of last month Western Union [4] can now send wire transfers with fewer limits to Cuba);
3. Compliance can be tricky (Hewlett-Packard recently received scrutiny [5] after news broke that one of its resellers distributes HP products in Iran).

Large, U.S. corporations with extensive global operations and sophisticated risk and compliance programs typically include OFAC compliance in their normal due diligence (of vendors and customers) and internal auditing processes. Smaller companies just venturing outside the U.S. may not have sufficient steps in place.

Correcting that is not terribly complex.

To begin with, GRC professionals ought to recognize and, if necessary, correct two common OFAC compliance misconceptions.

First, many companies overlook the value of documentation. "You might say, "I know this individual," or "I know this company," but do you really?" Truono notes. "How well do you know them? More important, how well have you documented that you know them? Documentation substantiates your knowledge and understanding of that individual or third party."

Second, failing to uncover any negative information about a new vendor or customer does not mean that your due diligence is complete. "If you don't find any information about a [company or person's] name, that also should raise a red flag," Truono emphasizes. "Why isn't this person or entity more well-known?"

Companies that do not have mature OFAC compliance programs in place should start by ratcheting up the level of due diligence they conduct and by performing a risk assessment of their current portfolio of international trading partners. Truono suggests the following steps:

• Start due diligence now. Sometimes, the simplest investigations are the most useful. Start by using the Internet. "I find Google to be a very good first source of information," says Truono, "and it's free." Since Google remains somewhat U.S.-centric in its reach Truono suggests considering using a service to run deeper data-mining on new trading partners if in-house due diligence efforts produce little in the way of documentation. Many of the major accounting and consulting firms offer "investigative due diligence (IDD)" services; sometimes, these services are housed in a consulting firm's Anti--Money Laundering (AML) practice [6].
• Examine your trading partners' gatekeepers. How well do you know their accountants, lawyers, and other advisors, and what type of due diligence have you done on those individuals to ensure that they are legitimate and that there is nothing negative out there about them?" Truono asks. "Taking this step will help protect you from a regulatory perspective, and also from a fraud-prevention perspective."
• Conduct a risk assessment of your existing portfolio. Take a page from banks, which are required to conduct risk assessments of their customers. Truono suggests risk-ranking trading partners according to where they are located, how well you know the customer or vendor, and what the types of services or products is involved in the relationship. Ranking trading partners in those risk areas can help risk and compliance managers see what level of additional due diligence as well as ongoing monitoring should be applied to each partner.

"The risk ranking makes sense from an overall business perspective," Truono adds. "It can also help companies avoid fraud losses and credit losses."