Day #2

OFAC COMPLIANCE BASICS

Your OFAC policy should include several of the same elements as your Bank Secrecy Act policy -- a risk assessment, internal controls, independent testing, training, a dedicated compliance officer, and reporting. For this reason, many credit unions have combined their OFAC and BSA policies into a single Anti-Money Laundering or AML policy.


CU PolicyPro has both a combined AML policy (#2110) and a separate OFAC policy (#2145) for you to work with, as well as a policy on Politically Exposed Persons (#2110.10).


One common question is whether it is acceptable to set a dollar threshold for OFAC transactions if your credit union determines you are fairly low risk during your assessment. Unfortunately, the answer is no. There is not a minimum or maximum amount subject to the regulation. Despite a low-risk or more simplistic program, compliance is expected, and if the transaction involves the movement of money, it is subject to OFAC regulations.


An important OFAC-related resource in this time of cybersecurity threats is Cyber-Related Sanctions section of their website. There you can find recent advisories, a brochure overview of Cyber-related Sanctions, Frequently Asked Questions, and Interpretive Guidance.

WHEN TO CALL THE OFAC HOTLINE

Prior to contacting them, OFAC recommends you take the following steps to determine if your credit union has a valid OFAC match:


1) Is the hit against OFAC's SDN list or "hitting" for some other reason? If your potential match is hitting against the SDN list, continue to #2. If it is hitting for some other reason, contact the keeper of the list (i.e. the FBI if on FBI Most Wanted list) or your software provider. 


2) Compare the name in your transaction with the name on the SDN list. Is the name in your transaction an individual, while the name on the SDN list is a vessel, organization, or company? If yes, you do not have a valid match; if no, continue to #3.


3) How much of the SDN's name matches that of your account holder? Is just one of two or more names (i.e. just the last name)? If yes, you do not have a valid match; if no, continue to #4.

 

4) Compare other information you have (like an address, nationality, date of birth, former names, etc.) Are you missing a lot of this information for the name of your account holder? If yes, go back, get more information, and then compare; if no, continue to #5.


5) Are there a number of similarities or exact matches? If yes, call the hotline at 1-800-540-6322. If it is an in-process wire transaction, use the OFAC hotline for guidance. If no, you don't have a valid match and can just log the details of your process and move on.

SOME COMPLIANCE TIDBITS

Broad Screening



According to the FFIEC BSA/AML Exam Manual on OFAC, new accounts should be compared with OFAC lists either before or shortly after being opened. However, "the extent to which the [credit union] includes account parties other than accountholders (e.g., beneficiaries, guarantors, principals, beneficial owners, signatories, and powers of attorney) in the initial OFAC review during the account opening process, and during subsequent database reviews of existing accounts, will depend on the [credit union's] risk profile and available technology."


Based on your OFAC risk profile for each area and available technology, your credit union should establish policies, procedures, and processes for reviewing transactions and parties.

Recent Actions


If you are interested in recent actions that OFAC has taken, their website has a comprehensive list.


A March 2023 settlement with Wells Fargo for $30m after their acquisition of Wachovia Bank and Wachovia's relationship with a European Bank showed that even mergers do not dissolve the responsibility for OFAC violations.


A November settlement with the Cayman Islands company, Binance, for $968 million was part of the broader enforcement action against the virtual currency exchange. The company was accused of matching and executing virtual currency trades on its online exchange platform between U.S. persons and users in sanctioned jurisdictions or blocked persons. It was noted Binance "took steps to project an image of compliance," but instead mislead third parties about its controls and actions.

Prohibited Countries


It is common to request or look for a list of countries on the OFAC list. Some credit unions want to include it in their policy or procedures, but it is not that simple. 


According to OFAC, "U.S. sanctions programs vary in scope. Some are broad-based and oriented geographically (i.e. Cuba, Iran). Others are "targeted" (i.e. counter-terrorism, counter-narcotics) and focus on specific individuals and entities. These programs may encompass broad prohibitions at the country level as well as targeted sanctions." Due to the diversity among sanctions, OFAC advises using the Sanctions Programs and Country Information page for information on a specific program.

OTHER SANCTIONS LISTS

In addition to the Specially Designated Nationals and Blocked Persons list, OFAC maintains other sanctions lists. They provide a search tool that includes the additional lists. A few of the more common include the following:


Sectoral Sanctions Identifications (SSI) List contains persons prohibited to transact business located in sectors of the Russian economy.


Foreign Sanctions Evaders (FSE) List targets individuals and entities involved in violating U.S. sanctions on Syria or Iran.


Non-SDN Palestinian Legislative Council (PLC) List authorizes U.S. financial institutions to reject transactions with members of the PLC who were elected to the PLC on the party slate of Hamas, any other Foreign Terrorist Organization, Specially Designated Terrorist (SDT), or Specially Designated Global Terrorist (SDGT).


There are other lists detailed on the OFAC website, including the specific details of all sanction programs. Contact your software vendor if you have any questions about these lists. Your credit union's OFAC policy should include a process for timely updating of the lists through software updates.


You can also sign up to receive email updates from OFAC on their communication page.

For additional information on OFAC Compliance, visit the InfoSight OFAC page or our Compliance Training Tools website. Contact me if you have any problems or need access.

Donya Parrish, VP Risk Management | donya@mcun.coop | 406.324.7374