Many of you received our annual BSA Email Series in late November. This two-day training concentrates on another aspect of your anti-money laundering policy -- OFAC. Compliance with the Office of Foreign Assets Control has many similar components to your BSA policy, and much of it is handled by software. Because of the automated check in many systems, you may not think about or interact with your credit union's OFAC compliance efforts often, but you should still understand how and why your credit union is involved in it.

Last month you learned about the agencies involved in BSA oversight and enforcement. The Department of Justice has another role that includes oversight and administration of OFAC regulations. Because OFAC requirements are similar to those of the BSA, credit unions and banks often combine them into a single anti-money laundering (AML) policy.

What is OFAC?

The Office of Foreign Assets Control enforces economic and trade sanctions that prohibit all U.S. persons (individuals, businesses, or organizations) from doing business with known terrorists, organizations, and countries the U.S. has imposed economic and trade sanctions against.

Compliance Requirement

Your credit union is required to support these sanctions. Failure to comply could expose the credit union to adverse publicity, fines, and even criminal penalties.

OFAC issues, and sporadically updates, a Specially Designated Nationals and Blocked Persons (SDN) list, and all U.S. persons are prohibited from doing business with any person or entity on the list. This requires your credit union to regularly check that funds are not flowing to or from anyone on the list.

OFAC encourages financial institutions to have a risk-based approach to compliance that includes a policy, training, internal controls, a designated compliance officer, and independent testing. That is also why it can be confused with BSA requirements, since the components are similar. Today we'll cover the basics of OFAC compliance, and tomorrow we'll discuss a few current topics and some recent news.

OFAC sanctions prohibit your credit union from doing business with anyone on the SDN list. This requires a review of the list to detect matches before sending funds to or accepting funds from, opening accounts in, offering loans to, or conducting other business transactions for someone on the list. The list and sanctions also change, so continued vigilance is necessary. To accomplish this, a multi-tier approach to OFAC screening is needed.

Initial Screening: The initial full screening of the SDN list against your credit union's membership database was likely done in 2002 after the events of 9/11 caused OFAC enforcement to greatly ramp up. The SDN list grew fast, and many credit unions purchased software to assist with the screening process. Now, whenever you open any new deposit or loan account, you need to screen all parties to the account.

Ongoing Screening: The SDN list is updated frequently but sporadically, so your credit union needs to ensure existing members are not added. This requires a process to make certain any changes or additions to the SDN list do not include any persons your credit union has an account or relationship with.

Transaction Screening: As transactions occur at the credit union during a business day, OFAC screening may need to be performed. Some processes (i.e. wire transfers) have the functionality built into the software, but others (i.e. bill payment systems) may not, so your credit union also needs a process for screening other parties to make sure OFAC rules are not violated.

Single Search: A "one name at a time" check may be needed in the loan department (for checking a collateral owner) or on the frontline (for checking a payee). OFAC has an SDN Search Tool that allows the user to search the SDN list and the consolidated non-SDN lists. The Financial Industry Regulatory Authority (FINRA) used to have a single-search option, but it was retired.

Changes Coming: OFAC announced that it will retire its public-facing file transfer protocol (FTP) server on or about June 10, 2024 to comply with updated Treasury security policies. If your credit union uses this FTP capability, now is the time to plan for your transition. Find out more about other file options in this blog.

Blocking Assets



When a credit union encounters a transaction involving an individual on the SDN list, the funds involved in the transaction must be blocked. Another word for this situation is "freezing."

After consultation with OFAC, they may advise the credit union to either accept and freeze the funds or reject the whole transaction. It is recommended you document conversations with OFAC for your own records.

Training

A fairly new U.S Treasury video series explains the basics of OFAC. The first episode, The Office of Foreign Assets Control discusses the history, mission, and focus of the office. A second video, Blocking and Non-Blocking Sanctions, goes into more detail on OFAC expectations for enforcing their sanctions. More episodes are coming in the future to incorporate into your own training programs.

Rejecting Transactions



Certain transactions need to be intercepted because the underlying transaction is prohibited. These transactions are typically rejected, cancelled, or returned after consultation with OFAC.

Reporting

Both blocked and rejected transactions must be reported to OFAC within 10 business days. An annual report must be filed by each September 30, but it is required to be filed only if the credit union holds any blocked property as of June 30 of the same year.

OFAC provides details in their July 2023 guidance to assist with the annual report process.

False Positives

It is not unusual for software to indicate a possible match, but base the hit on only a portion of a name or even a location. It is important for each credit union to review the known information on your own member and determine whether or not the match is valid.

Individual credit unions can set the threshold for OFAC hits in their software, so if you are getting a high number of false positives, you may need to review and adjust your level.

It's a good idea to maintain a log or record for all matches, including those that are determined to be false positives. This provides your credit union with good documentation on how you determined the next step -- whether that was blocking or freezing funds, ignoring the potential match, or contacting OFAC for further guidance and direction.