OFAC’s new Compliance Commitments is organized in more traditional fashion and focusses on the key elements found in many common sources, such as the COSO standards: (i) management commitment, (ii) risk assessment, internal controls, (iii) testing and auditing, and (iv) training. Of course, OFAC has injected OFAC-specific requirements into each of these elements, such as “Senior management ensures that its compliance unit(s) is/are delegated sufficient authority and autonomy to deploy its policies and procedures in a manner that effectively controls the organization’s OFAC risk ” (emphasis added). OFAC has appended to its guidance a section entitled “Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies Based on Assessment of Prior OFAC Administrative Actions,” which is intended to catalog common issues identified in prior enforcement actions. While a number of these items resemble true root causes or deficiencies (such as “Lack of a Formal OFAC [compliance program]”), many others more closely resemble violation-types, such as “Facilitating Transactions by Non-U.S. Persons (Including Through or By Overseas Subsidiaries or Affiliates)” or “Exporting or Re-exporting U.S.-origin Goods, Technology, or Services to OFAC-Sanctioned Persons or Countries.” Either way—whether root causes or enforcement categories—OFAC’s appendix highlights those issues OFAC considers most serious when meting out penalties and is worthy of attention.