More OFAC Compliance

January 20, 2026 2:32 pm

By Donya Parrish, MCU VP Risk Management

OFAC Compliance Basics

Your OFAC policy should include several of the same elements as your Bank Secrecy Act policy — a risk assessment, internal controls, independent testing, training, a dedicated compliance officer, and reporting. For this reason, many credit unions have combined their OFAC and BSA policies into a single Anti-Money Laundering or AML policy.

InfoSight360 has both a combined AML policy (#2110) and a separate OFAC policy (#2145) for you to work with, as well as a model procedure on Politically Exposed Persons (#2110.10).

One common question is whether it is acceptable to set a dollar threshold for OFAC transactions if your credit union determines you are fairly low risk during your assessment. Unfortunately, the answer is no. There is no minimum or maximum amount subject to the regulation. Despite a low-risk or more simplistic program, compliance is expected. If the transaction involves the movement of money, it is subject to OFAC regulations.

An important OFAC-related resource in this time of cybersecurity threats is the Cyber-Related Sanctions section of the OFAC website. There, you can find recent advisories, a brochure overview of Cyber-related Sanctions, Frequently Asked Questions, and Interpretive Guidance.

When to Contact the OFAC Hotline

When you have a hit in your system, it might seem easier to reach out to OFAC for clarification. However, they recommend you take the following steps to determine if your credit union has a valid OFAC match:

  1. Is the hit against OFAC’s SDN list or “hitting” for some other reason? If your potential match is hitting against one of the lists, continue to #2. If it is hitting for some other reason, contact the keeper of the list (e.g., the FBI if on the FBI Most Wanted list) or your software provider.
  2. Compare the name in your transaction with the name on the SDN list. Is the name in your transaction an individual, while the name on the SDN list is a vessel, organization, or company? If yes, you do not have a valid match; if no, continue to #3.
  3. How much of the SDN’s name matches that of your account holder? Is it just one of two or more names (e.g., just the last name)? If yes, you do not have a valid match; if no, continue to #4.
  4. Compare other information you have (like an address, nationality, date of birth, former names, etc.). Are you missing a lot of this information for the name of your account holder? If yes, go back, get more information, and then compare; if no, continue to #5.
  5. Are there several similarities or exact matches? If yes, contact the OFAC Compliance Hotline or call 1-800-540-6322 for guidance. If no, you don’t have a valid match and can just log the details of your process and move on.

Broad Screening

According to the FFIEC BSA/AML Exam Manual on OFAC, new accounts should be compared with OFAC lists either before or shortly after being opened. However, “the extent to which the [credit union] includes account parties other than accountholders (e.g., beneficiaries, guarantors, principals, beneficial owners, signatories, and powers of attorney) in the initial OFAC review during the account opening process, and during subsequent database reviews of existing accounts, will depend on the [credit union’s] risk profile and available technology.”

Based on your OFAC risk profile for each area and available technology, your credit union should establish policies, procedures, and processes for reviewing transactions and parties.

Prohibited Countries

It is common to request or look for a list of countries on the OFAC list. Some credit unions may want to include it in their policy or procedures, but it is not that simple.

According to OFAC, “U.S. sanctions programs vary in scope. Some are broad-based and oriented geographically (i.e., Cuba, Iran). Others are ‘targeted’ (i.e., counter-terrorism, counter-narcotics) and focus on specific individuals and entities. These programs may encompass broad prohibitions at the country level as well as targeted sanctions.” Due to the diversity among sanctions, OFAC advises using the Sanctions Programs and Country Information page for information on a specific program.

Other Sanctions Lists

In addition to the Specially Designated Nationals and Blocked Persons list, OFAC maintains other sanctions lists. They provide a search tool that includes additional lists. A few of the more common ones on OFAC's Additional Sanctions Lists page include the following:

  • The Sectoral Sanctions Identifications (SSI) List contains persons prohibited from transacting business located in sectors of the Russian economy.
  • Foreign Sanctions Evaders (FSE) List targets individuals and entities involved in violating U.S. sanctions on Syria or Iran.
  • Non-SDN Palestinian Legislative Council (PLC) List authorizes U.S. financial institutions to reject transactions with members of the PLC who were elected to the PLC on the party slate of Hamas, any other Foreign Terrorist Organization, Specially Designated Terrorist (SDT), or Specially Designated Global Terrorist (SDGT).

There are other lists detailed on the OFAC website, including the specific details of all sanction programs. Contact your software vendor if you have any questions about these lists. Your credit union’s OFAC policy should include a process for timely updating of the lists through software updates.

You can also sign up to receive email updates from OFAC on their communication page.
