Date: August 17, 2016
The US Treasury Department’s Office of Foreign Assets Control (OFAC) plays, arguably, the biggest role in implementation and enforcement of US sanctions. All US persons, including US financial institutions, must comply with OFAC regulations. Despite this fact, OFAC does not specifically require that financial institutions set up policies or programs to ensure compliance with sanctions laws. OFAC simply requires that financial institutions do not break the laws that it administers. Nevertheless, the potential consequences of not having a comprehensive sanctions compliance policy should not be taken lightly.
US financial institutions regularly undergo examinations by federal and state banking agencies, such as the FDIC, OCC, Federal Reserve, as well as their state financial regulator. These “examiners” are tasked with reviewing records, policies, accounts, and documents to evaluate whether an institution’s internal procedures are in line with applicable laws and regulations, including those of OFAC. As such, even though OFAC does not specifically require financial and non-financial institutions to have a compliance program in place, the lack of written safeguards and policies against blacklisted persons and entities can be a risky move for banks and other financial institutions.
BSA/AML examinations by bank regulators
The Bank Secrecy Act (BSA) is a federal law that requires banks and other financial institutions to bring large cash transactions and other dubious activity to the attention of regulators. The BSA also requires financial institutions to have complex controls in place to detect any criminal activity, including an “anti-money laundering (AML) program”. To assess compliance with the BSA and AML laws, an assessment called the BSA/AML Examination is conducted.
Federal bank regulators conduct formal assessments for adherence to AML laws and the BSA. In order to make sure that the examiners use uniform standards, the Federal Financial Institutions Examination Council (FFIEC), an interagency body, has issued the FFIEC BSA/AML Examination Manual (the Manual). The Manual, first issued in 2005, and last updated in 2014, provides vital information on what to expect from the examiner with respect to their review of an institution’s OFAC/sanctions compliance program. Even though OFAC is not part of the FFIEC, it assists in the development of the sections of the manual that relate to OFAC reviews.
OFAC assessment takes a front seat
Despite their name, BSA/AML examinations test for more than just AML compliance. The examiner’s review of the compliance program for adherence to OFAC rules takes a primary role during the examination. In fact, the Manual mentions the word “OFAC” 316 times, including in the first sentence, which reads: “This Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) Examination Manual provides guidance to examiners for carrying out BSA/AML and Office of Foreign Assets Control (OFAC) examinations.” The Manual’s section “Core Examination Overview and Procedures for Regulatory Requirements and Related Topics” consists of 14 sections, one of which, called “OFAC Overview and Examination Procedures”, is entirely devoted to OFAC compliance. This section on OFAC takes up 10% of the Core Procedures, and consists of 11 pages. Based on the number of pages, it is the 2nd largest section, only surpassed by the section on Suspicious Activity Reports.
At the start of the examination, as part of the scoping and planning procedures, the examiner must take a look at the institution’s OFAC risk assessment procedures and independent testing.
To facilitate the examiner’s understanding of the bank’s risk profile and to adequately establish the scope of the OFAC examination, the examiner completes several steps, including:
- A review of the bank’s OFAC risk assessment. The risk assessment, which may be incorporated into the bank’s overall BSA/AML risk assessment, should consider the various types of products, services, customers, entities, transactions, and geographic locations in which the bank is engaged, including those that are processed by, through, or to the bank, to identify potential OFAC exposure. Though not specifically stated in the manual, best practice dictates that a larger financial institution creates a stand-alone OFAC Risk Assessment Policy with an in-depth review of sanctions risks.
- A review of the bank’s independent testing of its OFAC compliance program. This refers to supporting documents of the independent testing (audit) of the institution’s OFAC compliance program. The federal banking agencies’ reference to “audit” does not confer an expectation that the required independent testing be done by a specifically designated external or internal auditor; however, the person performing the independent testing must not be involved in any part of the bank’s OFAC compliance program. This includes both persons developing policies and procedures and conducting training.
- A review of the civil penalties area on the OFAC website. This is to determine whether the bank has had any warning letters, fines, or penalties imposed by OFAC since the most recent examination.
- A review of correspondence between the bank and OFAC. The examiner will be looking for relevant communications, including periodic reporting of prohibited transactions to OFAC and, if applicable, annual OFAC reports on blocked property.
OFAC training requirements
OFAC laws and regulations may not specifically require training, but the federal bank examiner will ask financial institutions to show evidence of OFAC training as part of the BSA/AML Examination. According to the Manual, the examiner will:
- request an “OFAC training schedule with dates, attendees, and topics”,
- request “a list of persons in positions for which the bank typically requires OFAC training but who did not participate in the training”; and
- “review the adequacy of the bank’s OFAC training program based on the bank’s OFAC risk assessment.”
Potential actions by bank regulators
The federal banking agencies can issue enforcement actions for non-compliance, including requirements to reform the bank’s OFAC program and impose civil money penalties.
In a case involving Deutsche Bank AG, the Federal Reserve imposed a $58 million penalty and consent cease and desist order against the German banking giant, related to violations of US sanctions. The 2015 order required Deutsche Bank to implement an enhanced program to ensure global compliance with US sanctions administered by OFAC.
Informing OFAC of irregularities
Federal banking agencies also often have a duty to inform OFAC when they spot problematic behavior, for example involving transactions to or from sanctioned countries or a lack of written controls to comply with sanctions laws.
This duty is usually derived from an agreement made with OFAC called a “Memorandum of Understanding” (MOU). These MOU agreements set forth procedures for the exchange of certain information between the parties, including a full report of the findings during an examination as they relate to sanctions enforcement. Such agreements exist with institutions like the Federal Reserve and the FDIC as well as almost every state financial regulator.
The MOU between OFAC and the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union (NCUA), the Office of Comptroller of the Currency (OCC) and the now defunct Office of Thrift Supervision (OTS) was signed ten years ago, in 2006. Information that can be shared includes unreported violations of sanctions, and other examination findings, such as “significant deficiencies in a banking organization’s policies, procedures, and processes for ensuring compliance with OFAC regulations.”
OFAC compliance program as a mitigating factor
In identifying a potential sanctions violation, OFAC uses “Enforcement Guidelines,” the framework for the enforcement of all economic sanctions programs it administers. This document says that OFAC will consider some general factors in determining an enforcement action for an apparent breach of sanctions. One of the factors is General Factor E, Compliance Program: the existence, nature and adequacy of a risk-based OFAC compliance program at the time of the apparent violation, where relevant. OFAC will follow the procedures set forth in the MOU and consult the regulator on the quality and effectiveness of the compliance program in place. Even in the absence of an MOU, OFAC may take into consideration the views of federal, state, or foreign regulators, where relevant. In case of a breach of sanctions laws, having a sound OFAC compliance program can mitigate an OFAC enforcement action.
Salvatore Scotto, of Sanctions Forensics & FCC Advisory Services, explains that “OFAC, with its MOUs with various federal, state and other regulators relies on their examinations for insight to a financial institution’s ability to effectively comply with the regulations. We are at a state where sanctions programs are more complicated and technology has become more sophisticated, an institution can no longer just buy an off the shelf interdiction tool and issue a compliance policy statement. Sanctions compliance programs require comprehensive governance to meet regulatory expectations. While a regulatory examination can be a bit stressful, the regulators may see something you do not see, embrace their findings as an opportunity to strengthen your sanctions program and hopefully the strength of your sanctions program may one day mitigate an OFAC Enforcement Action”.