January/February 2008
Focus: Compliance
Common OFAC Errors and How to Avoid Them
By Kathlyn L. (Lyn) Farrell, CRCM, CAMS
Office of Foreign Assets Control (OFAC) regulations are
perhaps the most misunderstood piece of the overall Bank Secrecy Act/Anti-Money
Laundering (BSA/AML) compliance requirements. OFAC enforces ten separate federal
statutes and a number of different executive orders. These laws are not uniform
and, unlike most banking laws, they are not limited – they apply to all
transactions, without any thresholds.
OFAC compliance is reviewed during the BSA/AML regulatory
examination by the federal regulatory agencies, in accordance with the FFIEC’s
BSA/AML Examination Manual. The banking agencies can issue enforcement actions
for non-compliance that include requirements to improve an institution’s OFAC
program. OFAC itself can issue civil money penalties for violations.
In 2007 OFAC issued civil money penalties to five financial institutions, with fines up to
$100,000. OFAC takes into account mitigating factors when it issues penalties.
Actions like self-reporting violations and implementing interdiction software
can substantially reduce penalties.
Most OFAC errors can be avoided with a strong compliance
program. The following is a list of common OFAC errors and how to avoid them.
1. Failure to block or reject a transaction
All of the 2007 OFAC civil money penalties involving banks
were caused by the failure to block or reject a transaction. Blocking a
transaction means the bank freezes the funds in its possession. Rejecting the
transaction means that the bank refuses to process the transaction and returns
the funds to the customer. If a banker rejects a transaction instead of blocking
it, funds will be improperly released.
Transactions involving persons on the Specially Designated
Nationals (SDN) list should be blocked—the funds should be frozen. Blocked
transactions must be reported to OFAC within 10 business days.
If no SDNs are involved but the transaction violates one of the OFAC
laws, the transaction must be rejected.
The following are examples:
a. A bank customer orders a wire transfer to pay a person in
b. A bank customer orders a wire transfer to pay a Russian supply company through the
If an SDN attempts to open an account and the bank checks
the SDN list prior to receiving a deposit, the bank can reject the account.
However, if the bank already has the opening deposit in its possession –
whether or not it has been credited – the bank is obligated to block the funds
and report it to OFAC.
The best defense against this potentially costly error is
training. All appropriate employees should be trained on blocking and rejecting
transactions.
2. Failure to document an OFAC risk assessment
The requirement to create an OFAC risk assessment is not
found in a law or regulation. But, according to the FFIEC Examination Manual, it
is a “fundamental element of a sound OFAC program”. One of the specific
examination procedures requires the examiner to determine if the bank’s OFAC
policy is based on a risk assessment. Enforcement actions can name the failure
to conduct an OFAC risk assessment as an examination deficiency.
Preparing an OFAC risk assessment is not difficult. It
should be documented and include three assessment criteria: an institution’s
products, customer base and previous OFAC actions. Appendix M of the FFIEC
Examination Manual covers the factors
mentioned in the OFAC risk matrix. The OFAC risk assessment should be updated
periodically when any of the risk criteria changes.
3. Failure to check transactions based on the bank’s risk
The purpose of preparing an OFAC risk assessment is to
implement policies consistent with the bank’s risk profile. OFAC rules cover
all banking transactions; they have no thresholds or limits. A bank must decide
how all transactions will be handled – those that are automatically processed
and those that are not.
- Interdiction software is often used to scan a bank’s customer database as well as to check parties to wire transfers. However, manually handled payment processes also should be covered in the policies, including a check of non-accountholders, such as account signors, guarantors, trustees, beneficiaries, or third party payees, such as recipients of loan proceeds
- Monetary instrument payees, even when purchased by customers
- Check cashing – “on us” checks cashed for non-customers
- Vendors and expense check payees
All transactions should be evaluated for risk and
procedures established based on the level of risk they carry. For example, a
bank may not check on every $25 on-us check cashed in the bank’s lobby, but it
is a good practice to check on checks cashed for large amounts.
4. Failure to use updated and complete lists
Transactions involving members of the Palestinian
Liberation Council (PLC) must be rejected by
The SDN list is updated periodically. Failing to update
lists or use the latest version is a compliance deficiency.
Banks should also understand the tolerance settings and
filters on their OFAC software. Most filters are phonetic and should be
sensitive enough to catch names that are close.
Conclusion
While OFAC is not legally a part of BSA/AML compliance, it
is covered in BSA examinations and
will continue to receive a high level of scrutiny. A sound BSA/AML program
includes a well-documented OFAC risk assessment and policy. A compliance officer
should know OFAC regulations and sanctions. Regulatory expertise and the
establishment of internal controls to mitigate OFAC risk are the essence of a
successful and robust OFAC compliance program.
Lyn Farrell is the managing director of risk management services for Sheshunoff Management Services, L.P. She can be reached at 512-426-1686 or lfarrell@smslp.com.
Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.
