OFAC Compliance Policy: A Deep Dive
While OFAC compliance policy and sanctions regulations seem relatively straightforward, establishing the appropriate policies and practices to comply with them is often challenging. OFAC’s well-publicized penalties assessed against major banks and corporations combined with a lack of understanding of the nuances of OFAC compliance, can create elevated concern from senior management and boards that compliance professionals must be able to address.
Laurie Kelly, CAMS shares her knowledge and experience gained from 20 years in building and leading the OFAC sanctions compliance function for a $148 billion U.S. financial institution. In the first part of this webinar, Laurie provides an overview of the importance of OFAC compliance policy and the purpose and categories of U.S. sanctions programs in place today. She also describes the importance of a formal Sanctions Compliance Program and how it should be structured. Then she takes viewers on some “deep dives” into some of the more complex – and often misunderstood – aspects of OFAC compliance: screening practices and the Specially Designated Nationals list; what to do with an OFAC match; the enigmatic “50% Rule”; and what we can learn from OFAC enforcement actions against financial institutions and corporate entities.
Questions on OFAC Compliance Policy Best Practices
Q: Can financial institutions include OFAC compliance within their AML compliance program?
A: I do not see why not, just as long as you have those basic elements. If you can demonstrate that you have internal controls, that you are doing staff training and that you have a management committee, I do not see why it could not be incorporated.
Q: Does the legislation require OFAC screening to be done if the domestic transfer is related to an entity outside the US or, say, for the benefit of a company or entity outside of the US? For example, if the parent company is outside of the US and the subsidiary company is within the US, is there a requirement for the entity who will send funds outside of the US to ensure OFAC screening is done?
A: First, remember that there is no requirement to screen anything. I want to emphasize that this is based on your risk tolerance. If you believe that there may be a potential for OFAC risk, then you should screen the transaction.
In this example, I am assuming one of them is your customer and the other one is a counterparty for your customer. As long as you are sure that your customer is not on the SDN list, and that the affiliate is not either then you would not necessarily have to screen it. Again, it is based on risk.
Q: Can financial institutions deal with clients in Iran, provided we conduct stringent EDD measures?
A: You need to double check the general licensing for Iran sanctions. I’m not going to answer that specifically because the Iran sanctions are incredibly complex, so the answer to that question would be very much determined by the nature of your customer, the nature of your banking relationship with that customer, and then double checking all of the general licenses under the Iran sanctions.
Potentially, the answer could be yes, but because these Iran sanctions are so complicated, you would just want to double check and make sure.
Q: What are your thoughts on completely removing, weak AKAs from the filtering system to reduce the volume of false positives?
A: In my opinion, I am totally for it. OFAC has opined on it that these are not something that they would expect somebody would be screening against. These names are often times the most ridiculous names you’ve ever heard, and they are acronyms and they do generate lots of false positives – that’s why they designate them as weak.
Q: Would you be able to direct us to guidance that indicates it is not necessary to screen domestic ACH transactions?
A: I do not have the specific references at hand, but they are easy to find. You can just do a search on OFAC’s website for either one of those topics. But especially, the question about domestic ACHs, that has been a long-standing practice.
For as long as I have worked in compliance, 20 plus years, that practice has always been in place, because there are requirements for a bank to participate in the ACH network and to be able to receive and send transactions. Through the network and the customer due diligence requirements that are expected of banks to participate, that is what makes perfect sense. And when they introduced the internationally ACH transactions, the expectation from the ACH network is that you would screen those yourself.
Q: How long can funds remain blocked?
A: For years, literally. My bank had one blocked account that was in a bank in Iran that was a correspondent account where we kept a small amount of funds on deposits with all of our correspondents at that time, and this was before even before 9/11.
After 9/11, this bank became sanctioned and I think that it took about 15 years before that money was released. And so, we filed our annual report of block property every year on it and then finally, one day, we got a letter from OFAC saying, OK, send these funds from this blocked account to this bank somewhere. And so that’s what we did.
Q: Why does OFAC issue these licenses in the first place?
A: So we do not want to hurt our own economic situation or hurt industries. So for example, my bank was an agricultural credit bank. All of our customers were in the agricultural or agribusiness space and what is interesting is that virtually every type of country sanction has some kind of exception for agricultural exports because we did not want to hurt our agribusiness sector.
So, we said, it’s OK for you to still sell our goods to these sanctioned countries because a lot of our, I think there’s something like at least 25% of our agricultural production in the US is exported and for some specific commodities, it can be up to 75% is exported. So if we blocked all of that, then we would be hurting ourselves.
So that’s kind of where that comes into play, and then as I mentioned, humanitarian activities, exports of medicine and things like that, we’re trying to mitigate the impact to us while still cutting off the sanction party’s from access to the United States.
Q: What is your experience on screening individuals, based on AKA names? [To give you some context, this person is evaluating certain systems and not all of them are able to screen, or not as well, based on the AKA names.]
A: So my take on that is that valid or strong aliases are the equivalent of a primary name. I think you should be screening against them. When you look at a lot of them, especially of government-related entities or terrorist groups, for example, they may go by a number of different names and I think that it is important that we capture or screen against those when they are considered a strong, valid alias. I would recommend that person explore that further with the software that they are looking at.
Q: Our incoming IAT transactions are processed through an intermediary, which is the domestic FI. Is it safe to assume these IATs are lower risk by relying that the intermediary bank perform OFAC screening already?
A: That’s a really good question and something I didn’t really touch on here today. You cannot offload your own OFAC risk to a third-party. So, even if that that other FI is doing OFAC screening, if there’s something that they miss and you wind up having a transaction with a sanction party, OFAC doesn’t care that you were relying on this other FI, they’re going to come after you first because ultimately you are ultimately responsible.
For a lot of outsourcing screening service providers that provide that [service], usually within your contract with them, there is going to be some language in there that says, “hey, we’re doing this for you, but it’s ultimately your problem if there’s something we have missed”.
So, that’s my general take on this but you’ll want to look at what is the volume or where’s the general source of these foreign IATs, and then decide for yourself if this is something that you can, within your risk tolerance, decide to rely on this third-party processor and their OFAC screening.
You may want to delve more deeply and examine their own OFAC compliance program processes to feel good about what they are doing. Does it seem like they really have a handle on it? Then again, as I said, document this in your risk assessment and why you made the decision to rely on them, and not do the screening yourself, or do a second round of screening yourself?
So, again, it’s that risk tradeoff. Are we talking about 100 transactions a month or a million transactions a month? What are the source countries? So all those things would come into play and in deciding that. But do remember that it is ultimately on you, not the third-party.
Q: How do you handle transactions involving the Crimea? Since, it’s not technically its own country, and neither Russia, or Ukraine are under comprehensive sanctions.
A: Right, so that comes back into play, where, for example, OFAC has the name of the OFAC sanctions program is the “Ukraine sanctions”, but they’re not a on the Ukraine but they’re on the Russian military and other aspects of the Russia’s economy and not on anybody in the Ukraine.
So it’s a targeted type of sanctions program more than comprehensive, I would say, because it’s very much party-based. So it’s not as much activity based like a narcotics trafficking or a cybercrime type of sanctions program. It is specifically targeting Russia for punishing them for what they did in the Ukraine, or have been doing in the Ukraine by, targeting some of hitting them, where it hurts in the pocketbook to get them to stop. So focus on the SDN list.
Q: How do you deal with a bank that has a sanctioned branch, and the transaction goes, or comes from a non-sanctioned bank?
A: That’s a good question. And I have had that experience, especially with these big, global, multinational banks and the one that I’m thinking of was in Sudan. So there was one branch of a very large multinational bank that was the “something something branch” in, actually it was Syria, in Damascus, Syria [not Sudan]. So transactions with that branch would be prohibited but not with other branches or subsidiaries of that financial institution. So just because the one branch in that sanctioned country may be blocked, the rest of that institution is not blocked.
Q: If you have an OFAC match, do you need to file a SAR?
A: That is a good question, too. Not necessarily. Remember, we are talking about two different types of regulatory violations.
You file a SAR if you thought that there was some kind of fraud or money laundering or other financial crime that was associated with that. Many types of sanctions violations are often companies in the US that are trying to get around the sanctions and export their goods to a sanctioned country because they want to keep selling to that sanctioned country. That is not necessarily a financial crime, it is a violation of US economic sanctions, but it does not involve money laundering or fraud. It was a legitimate activity, just with the wrong people. So, I think you just really have to explore that and look at each individual circumstance independently.
Q: What happens to funds designated for wire transfer internationally if the intermediary bank detects the receiver on the SDN list and the transaction is blocked? Does the fund get back to the originator?
A: It would typically come back to the originating bank. Then depending on the situation, the originating bank would then so the intermediary bank would rejected and the originating bank would then either block or reject the transaction.
Q: OFAC risk assessment is often incorporated with the BSA AML risk assessment matrix, however, the BSA AML also has quantitative analysis with points assigned but we do not have it for the OFAC. Should the OFAC risk assessment also have a quantitative analysis? And, if so, how would you assign points?
A: To me, it is a little more qualitative then quantitative. You could do some analysis of what is the volume of your foreign wire transfers, what countries are they coming from and you may have already done that as a part of your AML risk assessment. But then you could apply it to the OFAC risk assessments using the same sort of quantitative analysis.
But it’s really, it always to me, always kind of had more of a qualitative flavor, where you go through all the different processes at your bank does, and then you examine, for each one of them, what is your risk of having dealings with a sanctioned party or country out of this process?
So, obviously, wire transfers are one of the biggest ones, export financing is another big one. Payments and counterparties.
You can certainly do an analysis of those bases and then use that to provide more substance to your risk-based decision on what kind of processes you are going to use to detect any kinds of OFAC violations, but I agree that it does not follow in many ways the AML risk assessment quantitative analysis is done.
Disclaimer: The contents of this article are intended to provide a general understanding of the subject matter. It is not intended to provide legal or other professional advice, and should not be relied on as such.