The two-day series is a quick refresher!
OFAC COMPLIANCE BASICS
Your OFAC policy should include several of the same elements as your Bank Secrecy Act policy -- a risk assessment, internal controls, independent testing, training, a dedicated compliance officer, and reporting. For this reason, many credit unions have combined their OFAC and BSA policies into a single Anti-Money Laundering (AML) policy.

CU PolicyPro has both a combined AML policy (#2110) and a separate OFAC policy (#2145) for you to work with, as well as a policy on Politically Exposed Persons (#2110.10).

One common question is whether it is acceptable to set a dollar threshold for OFAC transactions if your credit union determines you are fairly low risk during your assessment. Unfortunately, the answer is no. There is not a minimum or maximum amount subject to the regulation. Despite a low-risk or more simplistic program, compliance is expected, and if the transaction involves the movement of money, it is subject to OFAC regulations.

An important OFAC-related resource in this time of cybersecurity threats is the September 2021 advisory that highlights the sanctions risk to those who facilitate ransomware payments that may violate OFAC regulations. The Cyber-related Sanctions FAQ were updated in Sept. 2022 to reflect additional details. The U.S. Treasury also has detailed FAQ on virtual currency and how it relates to OFAC sanctions that might be a helpful read.
WHEN TO CALL THE OFAC HOTLINE
Prior to contacting them, OFAC recommends you take the following steps to determine if your credit union has a valid OFAC match:

1) Is the hit against OFAC's SDN list or "hitting" for some other reason? If your potential match is hitting against the SDN list, continue to #2. If it is hitting for some other reason, contact the keeper of the list (i.e. the FBI if on FBI Most Wanted list) or your software provider. 

2) Compare the name in your transaction with the name on the SDN list. Is the name in your transaction an individual, while the name on the SDN list is a vessel, organization, or company? If yes, you do not have a valid match; if no, continue to #3.

3) How much of the SDN's name matches that of your account holder? Is just one of two or more names (i.e. just the last name)? If yes, you do not have a valid match; if no, continue to #4.
 
4) Compare other information you have (like an address, nationality, date of birth, former names, etc.) Are you missing a lot of this information for the name of your account holder? If yes, go back, get more information, and then compare; if no, continue to #5.

5) Are there a number of similarities or exact matches? If yes, call the hotline at 1-800-540-6322. If it is an in-process wire transaction, use the OFAC hotline for guidance. If no, you don't have a valid match and can just log the details of your process and move on.
SOME COMPLIANCE TIDBITS
Broad Screening

According to the FFIEC BSA/AML Exam Manual on OFAC, new accounts should be compared with OFAC lists either before or shortly after being opened. However, "the extent to which the [credit union] includes account parties other than accountholders (e.g., beneficiaries, guarantors, principals, beneficial owners, signatories, and powers of attorney) in the initial OFAC review during the account opening process, and during subsequent database reviews of existing accounts, will depend on the [credit union's] risk profile and available technology."

Based on your OFAC risk profile for each area and available technology, your credit union should establish policies, procedures, and processes for reviewing transactions and parties.
Recent Actions

If you are interested in recent actions that OFAC has taken, their website has a comprehensive list.

The settlement with virtual currency exchange Kraken showed an agreement to remit $362k to settle possible liability for violations of sanctions against Iran.

An October settlement with the online virtual currency exchange and hosted wallet services company, Bittrex, showed the company paid $24 million for violations of sanctions against Cuba, Ukraine-related, Iran, Sudan, and Syria.

OFAC also settled with American Express and noted the amount "reflects OFAC's determination that the apparent violations were not voluntarily self-disclosed and were non-egregious."
Prohibited Countries

It is common to request or look for a list of countries on the OFAC list. Some credit unions want to include it in their policy or procedures, but it is not that simple. 

According to OFAC, "U.S. sanctions programs vary in scope. Some are broad-based and oriented geographically (i.e. Cuba, Iran). Others are "targeted" (i.e. counter-terrorism, counter-narcotics) and focus on specific individuals and entities. These programs may encompass broad prohibitions at the country level as well as targeted sanctions." Due to the diversity among sanctions, OFAC advises using the Sanctions Programs and Country Information page for information on a specific program.
OTHER SANCTIONS LISTS
In addition to the Specially Designated Nationals and Blocked Persons list, OFAC maintains other sanctions lists. They provide a search tool that includes the additional lists. A few of the more common include the following:

Sectoral Sanctions Identifications (SSI) List contains persons prohibited to transact business located in sectors of the Russian economy.

Foreign Sanctions Evaders (FSE) List targets individuals and entities involved in violating U.S. sanctions on Syria or Iran.

Non-SDN Palestinian Legislative Council (PLC) List authorizes U.S. financial institutions to reject transactions with members of the PLC who were elected to the PLC on the party slate of Hamas, any other Foreign Terrorist Organization, Specially Designated Terrorist (SDT), or Specially Designated Global Terrorist (SDGT).

Non-SDN Iranian Sanctions List includes implementation of certain sanctions set forth in the Iran Threat Reduction and Syria Human Rights Act of 2012. 

Cuba Sanctions have changed frequently in recent years. An updated FAQ was added in October 2020 along with fact sheets on some of the recent changes.

There are other lists detailed on the OFAC website, including the specific details of all sanction programs. Contact your software vendor if you have any questions about these lists. Your credit union's OFAC policy should include a process for timely updating of the lists through software updates.

You can also sign up to receive email updates from OFAC on their communication page.
For additional information on OFAC Compliance, visit the InfoSight page or our Compliance Training Tools website. Contact me if you have any problems or need access.
Donya Parrish, VP Risk Management | donya@mcun.coop | 406.324.7374