A bank’s responsibilities under the Office of Foreign Assets Control (OFAC) regulations are perhaps the most misunderstood piece of the overall Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance responsibilities. For starters, OFAC regulations are not technically a part of the legal framework of BSA/AML. OFAC enforces at least ten federal statutes and a number of separately issued executive orders that apply to financial institutions. Most of these laws apply sanctions to one or two countries, and each has civil and/or criminal penalties attached for violations. They are not uniform and, unlike most banking laws, they are not limited—they apply to all transactions, without any thresholds.
While they are not technically a part of the BSA/AML regulatory scheme, a financial institution’s OFAC compliance is reviewed during the BSA/AML regulatory examination by the bank’s primary federal regulatory agency. OFAC examination procedures and guidance for assessing risks are included in the FFIEC’s BSA/AML Examination Manual. The federal banking agencies can issue enforcement actions for non-compliance (including cease and desist orders) that include requirements to improve an institution’s OFAC program. However, it is OFAC itself that usually issues civil money penalties for violations.
OFAC has a continuum of enforcement actions from cautionary and warning letters to civil and criminal penalties. In 2007 (through November) OFAC issued civil money penalties to four financial institutions, with fines up to $100,000. It is important to note that OFAC takes mitigating factors into account when it issues fines and penalties. For example, if the institution self-reported the error or has interdiction software in place to prevent errors in the future, the fine or civil money penalty could be reduced. In one penalty action issued during 2007, the total fine was reduced by 90% based on these factors. While some of the most common OFAC errors could easily be avoided or are easily fixed once found, the most serious ones are a bit more complicated. The following is the All Star list of OFAC errors and how to avoid them.
- Failure to block or reject a transaction: All of the civil money penalties issued against financial institutions by OFAC in 2007 involved situations where the bank did not properly block or reject the transaction. To block a transaction means to freeze the funds once they are in the possession of the bank. If a banker believes that a transaction should be rejected when it should be blocked, then funds will be released and the bank will be responsible for them.
Transactions involving persons on the Specially Designated Nationals (SDN) list should be blocked—that is the funds should be deposited in the bank and frozen. The transaction must be reported to OFAC within 10 business days. However, if no party involved in the transaction is an SDN but the transaction violates one of the statutes OFAC enforces, then the transaction must be rejected.
The following are examples:
- A bank receives a wire transfer order from its U.S. based customer to pay a person in Sudan. The beneficiary in Sudan is on the SDN list. The customer’s account should be debited and the funds blocked (i.e., frozen). A report should be sent to OFAC. This transaction should be blocked because the payee was on the SDN list. A bank is required to block transactions sent to or from SDNs.
- A bank receives an order from its U.S. based customer to pay a technical supply company in Russia through the Moscow branch of Bank Saderat, an Iranian government-controlled institution. Neither the bank’s customer nor the beneficiary of the wire transfer is on the SDN list. However, the transaction should be rejected because the payment would be made through the Iranian-controlled bank and would violate the law against promoting trade with Iran. Since no SDN is paying or receiving the funds, it does not have to be blocked.
- Failure to document an OFAC risk assessment: The requirement to conduct an OFAC risk assessment is not found in any law or regulation, but, according to the FFIEC BSA/AML Examination Manual, it is a “fundamental element of a sound OFAC program”. The first OFAC examination procedure in the Manual asks the examiner to determine if the bank has based its OFAC policy on a risk assessment. Also, enforcement actions can name the failure to conduct an OFAC risk assessment as a deficiency of an institution’s OFAC compliance program.
Preparing an OFAC risk assessment is not difficult. It should be documented in writing and include three criteria: an institution’s products, customer base and previous OFAC actions. It should take all of the institution’s lines of business into consideration. It is best, when writing the risk assessment, to refer to Appendix M of the FFIEC BSA/AML Examination Manual and to the factors mentioned in the OFAC risk matrix. Each of the three criteria should have a risk level assigned, and the institution’s overall level should be stated. The OFAC risk assessment should be approved by the board of directors and updated whenever there are changes to any of the three factors initially considered: an institution’s products, customer base and OFAC history.
- Failure to check transactions based on the bank’s risk: The purpose of preparing a risk assessment is to implement policies and procedures that are consistent with the bank’s OFAC risk profile. OFAC rules cover all banking transactions. The regulations do not have thresholds or limits. The bank should decide how all transactions will be handled—those that are automatically processed and those that are not.
Most institutions now use interdiction software to scan their customer database on a regular basis—daily, weekly, monthly, etc. Many banks use software to check parties to wire transfers, since these are generally considered to be high risk. However, there are processes in nearly every institution that are handled manually and should be covered in the policies and procedures. These may include:
- Parties that are not account holders, such as signers on corporate accounts, guarantors, trustees, beneficiaries, or any third-party payees, such as recipients of loan proceeds
- Monetary instrument sales—the payees of these instruments
- Check cashing—such as “on us” checks cashed for non-customers in the lobby of the bank
- Vendors and expense check payees
These types of transactions should be evaluated for risk, and procedures established to check them based on the type of risk they carry. For example, while it may not be necessary to check every $25 on-us check cashed in the bank’s lobby, it may be a good practice to check all checks cashed for $2,500 or more. Each institution should evaluate its OFAC risks and implement procedures accordingly.
- Failure to use updated and complete lists: Transactions involving members of the Palestinian Liberation Council (PLC) must be rejected by U.S. financial institutions. The members of the PLC are not on the SDN list. If a bank uses only the SDN list to check its transactions it could allow a transaction to be processed that should be rejected.
The SDN list changes from time to time when OFAC updates the list. Failing to update lists or use the latest version of the list is a compliance deficiency and can cause the bank to fail to block or reject a transaction.
Financial institutions should understand not only which databases are included in the lists they purchase but also the tolerance settings and filters on their OFAC software. Most filters are phonetic and should be sensitive enough to catch names that are close.
If a person on the SDN list attempts to open an account and the bank checks the SDN list prior to receiving a deposit, the bank can reject the account. However, if the bank already has the opening deposit in its possession—whether or not it has been credited—the bank is obligated to block the funds and report it to OFAC.
The best defense against this potentially costly error is training. All persons with payment responsibilities should be trained to know when funds should be blocked and when transactions should be rejected.
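As an added illustration (not code from the article or from any vendor’s interdiction software), the block/reject rule from the two wire-transfer examples above combined with a simple phonetic name filter of the kind the tolerance discussion refers to. The SDN entry, party names and the Iran-program bank set are constructed placeholders, and American Soundex stands in for whatever matching a real filter uses; the last two calls show the same payee clearing or blocking depending only on the tolerance setting.

```python
import re

# Constructed stand-in for an SDN list entry (placeholder, not real list data).
SDN_NAMES = ["Abdul Rahman Hassan"]
# Constructed stand-in for the article's second example: a payment routed through
# an Iranian government-controlled bank is rejected even though no party is an SDN.
IRAN_PROGRAM_BANKS = {"BANK SADERAT"}

# American Soundex letter groups; vowels, h, w and y carry no digit.
_CODES = {c: str(d) for d, group in enumerate(("bfpv", "cgjkqsxz", "dt", "l", "mn", "r"), 1)
          for c in group}

def soundex(word):
    """Phonetic key: 'Hassan' and 'Hasan' both become 'H250'."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return ""
    key, last = word[0].upper(), _CODES.get(word[0], "")
    for ch in word[1:]:
        code = _CODES.get(ch, "")
        if code and code != last:
            key += code
        if ch not in "hw":          # h and w do not separate equal codes
            last = code
    return (key + "000")[:4]

def phonetic_score(candidate, listed):
    """Fraction of the listed name's tokens that have a phonetic match in the candidate."""
    cand = {soundex(t) for t in re.findall(r"[a-z]+", candidate.lower())}
    listed_keys = [soundex(t) for t in re.findall(r"[a-z]+", listed.lower())]
    if not listed_keys:
        return 0.0
    return sum(k in cand for k in listed_keys) / len(listed_keys)

def screen(parties, intermediaries, min_score=0.67):
    """Article's rule: any SDN party -> BLOCK (freeze and report to OFAC);
    otherwise a sanctions-program violation -> REJECT; else CLEAR.
    min_score is the filter's tolerance setting."""
    for party in parties:
        for listed in SDN_NAMES:
            if phonetic_score(party, listed) >= min_score:
                return "BLOCK", f"{party!r} matches SDN entry {listed!r}"
    for bank in intermediaries:
        if bank.upper() in IRAN_PROGRAM_BANKS:
            return "REJECT", f"payment routed through {bank!r}"
    return "CLEAR", ""

if __name__ == "__main__":
    print(screen(["Acme Exports", "Abdul Rahman Hasan"], []))           # BLOCK
    print(screen(["Acme Exports", "Techno Supply"], ["Bank Saderat"]))  # REJECT
    print(screen(["A. R. Hasan"], []))                                   # CLEAR at 0.67
    print(screen(["A. R. Hasan"], [], min_score=0.3))                    # BLOCK at 0.3
```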
Conclusion: While OFAC is not legally a part of BSA/AML compliance, it has been linked to BSA/AML for purposes of regulatory examinations. Therefore it will continue to receive a high level of regulatory attention for the foreseeable future. A sound BSA/AML program will include a well-documented, written OFAC risk assessment and policy. The OFAC compliance officer should have a working knowledge of OFAC regulations and sanctions and understand when transactions should be blocked or rejected. Understanding the common types of OFAC violations and establishing internal controls to mitigate them will go a long way toward a successful, robust OFAC compliance program.
[This article first appeared in Western Independent Banker January 2008]