This is one of those questions that keep OFAC Officers up at night. Due to the complexity of the OFAC sanctions and the scope of application, it is a challenge to create a robust program and think of everything. However, with the potential for fines from even one violation, and the size of fines being issued for multiple violations, it is imperative that financial institutions have a strong OFAC program. A strong program must be built on a good foundation, so here are some reminders to consider when building your foundation.
To begin, it is important to remember that OFAC is not a bank regulator; it is an enforcement agency. OFAC does not dictate what institutions must do. They do not even require financial institutions to search their database against the SDN list! OFAC’s basic requirement is that financial institutions do not violate the laws that OFAC administers. [i] Therefore, institutions must take a risk-based approach when establishing their OFAC program.
On May 2, 2019, OFAC issued A Framework for OFAC Compliance Commitments to share their perspective of the essential components of a sanctions compliance program. [ii] The document stressed five areas for institutions to consider:
- Management Commitment
- Risk Assessments
- Internal Controls
- Testing and Auditing
- Training
The guidance reminded institutions that it is incumbent upon Senior Management to understand the serious nature of violations of OFAC laws and regulations and develop a Culture of Compliance throughout the financial institution. Senior Management must ensure that the OFAC Officer and his/her staff have sufficient authority, resources, and ability to manage the organization’s OFAC risk. The support and commitment of Senior Management is one of the most essential factors to a successful program.
When determining an institution’s OFAC risk, there are many factors to consider. Institutions need to evaluate the risk posed by customers or members, products, services, supply chain, intermediaries, counterparties, transactions, and geographies. Recent consent orders highlight the fact that willful ignoring of OFAC risks can be very costly. In December 2020, BitGo Inc. received a $98,830 penalty for sanction violations tied to its digital wallet services. They tracked users’ IP addresses for security purposes related to account logins but did not use that information for sanction compliance purposes. In March 2021, UniControl, a Cleveland, Ohio company, received a $216,414 penalty for OFAC violations. They shipped goods to two European companies, ignoring multiple warning signs that the goods were intended specifically for supply, transshipment, or re-exportation to Iran. Financial institutions must have programs in place to address these types of risks and ensure compliance with the various OFAC sanction programs.
Remember, too, that on 10/1/2020, OFAC issued an “Advisory on Potential Sanction Risks for Facilitating Ransomware Payments.” [iii] With cyber actors targeting online systems even more during the COVID pandemic, OFAC warned financial institutions, among others, to be sure not to violate OFAC regulations when facilitating payments on behalf of ransomware victims.
To mitigate the risk of OFAC violations, institutions must incorporate strong internal controls, including policies and procedures to identify, prohibit or block, and report any activity that may violate the OFAC regulations. These internal controls must be enforced by Senior Management and weaknesses should be addressed and corrected to ensure no violations occur. The institution should ensure that those policies and procedures are clearly communicated to all staff and applicable outside parties.
Communication is not just telling staff who is responsible for each part of the OFAC program. Effective training must be tailored to the appropriate job function of each employee and include the products and services offered, the customers, clients, and partnership relationships the institution maintains, and the geographic regions in which it operates. Training should include applicable resources and materials that are easily accessible to all employees.
Once your entire risk-based program is implemented and trained, it is vital to conduct a comprehensive and objective test or audit of the program to identify program weaknesses and deficiencies. When weaknesses or deficiencies are found, the institution must commit to rectifying those and ensuring that the problems do not resurface.
OFAC warned that many of the deficiencies they see stem from several key problems, including improper due diligence on customers/clients (such as ownership and business dealings), misinterpreting or failing to understand the applicability of OFAC’s regulations, exporting or re-exporting U.S. origin goods, technology, or services to OFAC sanctioned persons or countries, and software screening or filter failures. To ensure none of these problems affect your institution, begin by creating a formal sanctions compliance program. OFAC’s website is the first place to begin. There is a wealth of information including all the sanction lists, frequently asked questions, and step-by-step guidance on clearing alerts. Of course, the FFIEC Exam Manual is another great resource to show you what examiners will expect during the examination process. Whenever you are unsure if a transaction violates OFAC regulation, be sure to reach out to OFAC directly. They are the experts and can ensure you receive the right answer to your questions.
When setting up a program, most institutions are well aware of the SDN List and the importance of running it against their customer database and other types of transactions. However, OFAC lists 3 key areas [iv] to consider, including the Specially Designated Nationals List, the Consolidated Sanctions List, and “Additional OFAC Sanction Lists”.
The Consolidated Sanctions List [v] includes the following:
- Foreign Sanctions Evaders List (FSE List)
- Sectoral Sanctions Identifications List (SSI List)
- Palestinian Legislative Council List (NS-PLC List) – not updated since 2016
- The List of Foreign Financial Institutions Subject to Part 561 (Part 561 List)
- Non-SDN Iran Sanctions Act List (NS-ISA List)
- List of Foreign Financial Institutions Subject to Correspondent Account or Payable-Through Account Sanctions (CAPTA List)
- Non-SDN Menu-Based Sanctions (NS-MBS) List; CAATSA – Russia-related – as of 12/14/2020
An Additional OFAC Sanctions List that is not in the Consolidated List is the 311 Special Measures. [vi] This list involves “Special Measures for Jurisdictions, Financial Institutions, or International Transactions of Primary Money Laundering Concern.” It has not been updated since 2018.
What is important to remember about all these lists is that not all of them are on the SDN list. So, be sure that when you set up your software filters, these lists are being included. For more details on the specific requirements of each list, be sure to visit the OFAC website. Also, ensure that your institution’s OFAC sanction program includes a model validation plan and a plan for testing the changes to any of the sanction lists when OFAC updates them.
Finally, when it comes to OFAC sanctioned countries, some institutions confuse the country lists put out by FATF and FinCEN with the country sanctions implemented by OFAC. Just as institutions are to conduct a risk assessment for OFAC sanctions, they should be assessing the risk for all the countries with which they conduct business. There are various types of risk to consider besides OFAC when it comes to high-risk jurisdictions, such as drug trafficking, human trafficking, money laundering, and terrorist financing. When determining your risk, understand the intent of whatever group puts out the country list.
For example, the Financial Action Task Force (FATF) “is the global money laundering and terrorist financing watchdog. The inter-governmental body sets international standards that aim to prevent these illegal activities and the harm they cause to society. As a policy-making body, the FATF works to generate the necessary political will to bring about national legislative and regulatory reforms in these areas.” [vii] They have developed standards or Recommendations to ensure a coordinated global effort to fight organized crime, corruption, and terrorism. They conduct “Mutual Evaluations” of countries and rate them based on their risk. Several times a year, they issue rankings of jurisdictions for increased monitoring or a “Call for Action”. When FATF issues their report on jurisdictions, shortly thereafter, you will see FinCEN issue an Advisory with the same jurisdictions listed. Financial institutions should implement a BSA policy and procedures to mitigate the risks of doing business with other countries, particularly ones identified by FATF and FinCEN. However, those country lists are not to be confused with OFAC’s list of countries. “OFAC administers a number of different sanctions programs. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.” [viii] Institutions need to click on the hyperlink for each country or sanction program to fully comprehend the scope of each program. If questions arise, and you are unsure how to proceed, it is always wise to contact OFAC as they are the ones who can tell you with absolute certainty exactly how you should proceed or not proceed. Since they are an enforcement agency and will levy fines based on any violation, getting your questions answered directly by them is always the prudent path to follow.
The more your institution’s customers or customers’ customers transact business globally, the greater your OFAC risk. There are many tools at your disposal to ensure that you have a robust program in place. Be sure to utilize them and protect your institution from the risk of violations.
[i] https://home.treasury.gov/policy-issues/financial-sanctions/faqs/topic/1596/print See question 25.
[ii] https://home.treasury.gov/news/press-releases/sm680
[iii] https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
[iv] https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions-programs-and-information#fragment-7
[v] https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-list-search-tool
[vi] https://home.treasury.gov/policy-issues/financial-sanctions/other-ofac-sanctions-lists
[vii] https://home.treasury.gov/policy-issues/financial-sanctions/consolidated-sanctions-list/list-of-foreign-financial-institutions-subject-to-correspondent-account-or-payable-through-account-sanctions-capta-list
[viii] https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information/countering-americas-adversaries-through-sanctions-act
[ix] https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201214_33
[x] http://www.fatf-gafi.org/about/
[xi] https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information