February 15, 2017
By: Anna Sayre, Legal Content Writer, SanctionsAlert.com
Today, staying compliant with the continually changing breadth of sanctions regulations and laws is no easy task. Sanctions, administered by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) among other agencies, continue to pose an increasing risk in terms of number and complexity. Though it is now quite common for a financial institution to have a Bank Secrecy Act/Anti-Money Laundering (BSA/AML) program, compliance professionals are recognizing the growing need for an OFAC risk assessment and compliance program as well. In a recent poll conducted by Sanctions Alert, when attendees were asked if the OFAC portion of the BSA/AML examination conducted by federal bank regulators was more important, less important or the same as compared to 5 years ago, a whopping 75% said that the OFAC portion of the assessment had become more important.
This increasing onus on sanctions compliance by bank regulators makes it all the more important to understand what a bank examiner requires during an OFAC examination and the best ways to stay fully compliant. In a recent webinar at sanctionsalert.com, John S Karansky, a BSA Risk Examiner at the Federal Reserve Bank of Atlanta – Miami Branch, and Timothy R. White, a Sanction Automation Specialist at Banker’s Toolbox Inc., discussed the general processes involved during an OFAC compliance examination as well as how compliance professionals at financial institutions can best create a thorough sanctions compliance program.
The Regulator’s Objective
Mr. Karansky says that AML and OFAC compliance programs often overlap, mainly because they share the common goal of national security. In short, the goal of an OFAC compliance examination is to “assess the bank’s risk-based OFAC compliance program to evaluate whether it is appropriate for the OFAC risk, taking into consideration its products, services, customers, entities, transactions and geographic locations.”
Generally speaking, says Karansky, it is not the regulator’s primary role to identify OFAC violations, but rather to evaluate the sufficiency of the bank’s implementation of risk-based policies, procedures and processes to ensure compliance with OFAC laws and regulations. A bank examiner will review a number of factors in order to develop a plan for the initial examination, including: past and current examinations conducted by the bank, independent examinations conducted by third parties, and any correspondence between the bank and the regulator, evidencing the bank’s involvement and concern with regard to potential OFAC violations.
Much can be gleaned from prior behavior in dealing with potential OFAC violations, adds Karansky. Similarly, any self-examinations by the bank of its OFAC risk assessment, or independent assessments by third parties and auditors, can provide meaningful evidence of compliance, especially in terms of whether or not that profile is representative of the true risks within the organization. The examiner will also review any communications between the bank and the regulator, namely, whether the bank has made an effort to block accounts for OFAC compliance purposes where necessary, self-disclosed any incidents, contacted OFAC for advice or concerns, or generally been active in contacting the appropriate authorities.
Considerations of the Examiner
Mr. Karansky identifies some key considerations used by bank examiners in determining if a bank’s internal controls are adequate. The following, inter alia, may be considered:
- Whether a bank’s OFAC compliance program includes internal controls for identifying suspect accounts and transactions;
- Whether blocked and rejected transactions are reported to OFAC;
- For screening purposes, how the bank identifies and reviews transactions, as well as if the bank engages in timely updating of lists of sanctioned countries, individuals, and entities;
- If the bank used a third party to perform OFAC checks on its behalf in addition to any self-assessment; and
- On the basis of OFAC risk assessment, prior reports and audit findings, whether transaction testing is performed and how thoroughly this is evidenced through documentation.
Tips for Risk Assessment
Mr. White continues by sharing some valuable tips for risk assessment and how to logically meet the requirements from a banker’s point of view.
“OFAC has not always been risk-based,” Mr. White points out. Since 2005, however, sanctions have taken a front seat in the regulatory environment and can now reach into almost every area of a bank. As sanctions are constantly changing and evolving, a risk assessment must be a thorough and ongoing process. It is important to understand the type of OFAC exposure to which your particular bank is subject. To that end, Mr. White recommends that each bank write a risk tolerance statement, which includes any potential risks to your specific institution.
As a first step, Mr. White says that it is crucial to explore any external risks to the institution, by ongoing review of:
- The OFAC section of the BSA/AML examination manual (FFIEC).
- Any new or changing sanctions programs to high-risk countries such as Iran, Cuba, Ukraine, or Myanmar (Burma). If your bank has a nexus with these countries, be sure to keep well up-to-date with any trends.
- Ongoing updates to the actual lists, and make sure that you have documented those updates.
- Recent OFAC enforcement actions.
After the external risks are understood, the next step is to assess the internal risk factors, White says. It is critical to keep on top of all exam findings, audits, policies and procedures. It is equally important to keep up-to-date with any new products/services that are being offered by the bank, new personnel, or new customers and accounts that could expose the bank to new sanctions risks. This includes current monitoring and screening software, appropriate and frequent training at all levels, and keeping all developments well documented with thorough logs and records.
Start with an Organogram
It goes without saying that, once these policies and procedures are in place, it is very important to remember to follow them, Mr. White reminds us. This seems academic, but oftentimes a bank has wonderful policies and procedures in place that its employees simply fail to adhere to.
Mr. White goes on to point out a few ways that a financial professional can keep on top of these issues and logically make sure nothing is left out:
- Start with an organogram of your organization and determine the risks by department. Once this is determined, make a risk-decision document for every risk identified to make sure you cover all your bases.
- If you are a low-risk OFAC institution, write policy statements that are based upon history and experience within your institution;
- Due to the high volume of enforcement actions in this area, it is highly recommended that everyone in your institution knows about ‘stripping’ and that a clear policy is adopted on how to prevent such actions; and finally
- If you are in New York, it is important to be aware that, in addition to OFAC regulations, you are also subject to the ‘high bar’ set by the NY Department of Financial Services.