Does Your Compliance Program Fit Within the OFAC Framework for Sanctions Compliance?

The U.S. Department of the Treasury recently published A Framework for OFAC Compliance Commitments to provide financial institutions and other organizations with OFAC’s perspective on the essential components of a sanctions program. Andrea M. Gacki, Director of the Office of Foreign Assets Control, stated that “OFAC developed this framework in our continuing effort to strengthen sanctions compliance practices across the board.”

OFAC has emphasized that a successful OFAC compliance program should be risk-based by developing a sanctions compliance program suitable for the size, risk profile, sophistication, products and services, customers, and geographic locations of the institution.

This newly published document mirrors what we know about the requirements of a sound BSA/AML program. The document highlights these five essential compliance components:

• Management Commitment (Culture of Compliance)
• Risk Assessment
• Internal Controls
• Testing and Auditing
• Training

The publication also includes several root causes of recent OFAC enforcement actions in which deficiencies were identified. These include:

• Lack of a formal OFAC Sanctions Compliance Program (SCP)
  • Although OFAC regulations do not require a formal SCP, OFAC encourages organizations to adopt a formal SCP, particularly if the organization engages in international trade or has clients located outside of the United States. Such guidance suggests that it would be prudent for financial institutions to have a Board approved SCP, as outlined in the FFIEC Exam Manual as being sound business practice.
• Misinterpreting or not understanding OFAC’s regulations
  • Several organizations have committed sanctions violations simply by misinterpreting OFAC’s regulations. While many of the sanction programs can be complex, it is still the responsibility of each organization to know and understand the regulations. A financial institution’s OFAC Officer must be qualified to make important OFAC determinations regarding certain transactions. If your institution would like assistance with questions concerning certain transactions or your OFAC program in general, you may contact OFAC directly with the information provided here.
• Facilitating transactions by non-U.S. persons (including through or by overseas subsidiaries or affiliates)
  • Many organizations have engaged in transactions that violated OFAC’s regulations by facilitating dealings between their organization’s non-U.S. locations and OFAC-sanctioned countries, regions, or persons. The root cause of these enforcement actions was due to the misinterpretation of OFAC regulations.
• Exporting or re-exporting U.S.-origin goods, technology or services to OFAC sanctioned persons or countries
  • Non-U.S. persons have repeatedly purchased U.S. goods with the intention of exporting to a region covered by OFAC sanctions. Many of these organizations ignored warning signs that violations will be made if the transactions are conducted with the sanctioned countries.
• Using the U.S. financial system or processing payments to or through U.S. financial institutions for commercial transactions involving OFAC-sanctioned persons or countries
  • Many non-U.S. persons have conducted sanctioned transactions by masking their identity which in turn end up in U.S. financial institutions. OFAC has generally posed enforcement actions on the individuals, unless a U.S. financial institution has failed to detect based on faulty procedures or willful blindness.
• Sanctions screening software or filter faults
  • Some organizations have failed to update their sanctions screening software to incorporate updates to the SDN Lists or failed to include identifiers such as SWIFT Codes. In addition, some did not account for alternative spellings of prohibited countries or parties (i.e., Habana instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan, etc.).
• Improper due diligence on customers/clients (e.g., ownership, business dealings, etc.)
  • One of the cornerstones of an effective SCP is conducting customer due diligence. Various actions taken by OFAC involved improper or incomplete due diligence, such as ownership, geographic location(s), counterparties, and transactions.
• De-centralized compliance functions and inconsistent application of an SCP
  • Several organizations have committed violations due to a de-centralized SCP, often with personnel and decision-makers scattered in various offices or business units. This has led to a lack of escalation processes and inefficient policies, procedures, and oversights functions.
• Using non-standard payment or commercial practices
  • In many instances, organizations attempting to evade or circumvent OFAC sanctions or conceal their activity will implement non-traditional business methods in order to complete their transactions.
• Individual liability
• Several violations have occurred due to individual employees, usually in managerial or executive level positions, who have played integral roles in causing OFAC violations. In these cases, OFAC will consider posing enforcement actions against the individual rather than the organization.

Financial institutions have the tools needed to ensure a sound OFAC Compliance Program thanks to this new guidance. With the use of the FFIEC Exam manual coupled with OFACs input and root cause analysis, each financial institution should be able to develop a risk-based program sure to pass OFAC’s scrutiny. A strong culture of compliance is essential to both your OFAC and AML programs, from the top, to the middle, and all the way to the front line. There is no excuse not to be ready.

If you feel your institution is not ready or needs help bringing your compliance program up to speed, contact our Advisory Services team. They are experienced BSA professionals who can help ensure your compliance program fully complies with the OFAC standards.