How to Conduct an OFAC Risk Assessment & Review

The Office of Foreign Assets Control (OFAC) regulates transactions between U.S. businesses and individuals and certain foreign entities. To avoid OFAC penalties, banks in the U.S. must have controls in place to identify these transactions, document them, and decline to facilitate them when necessary.

This involves three key steps. First, banks must develop comprehensive and custom-tailored OFAC compliance programs. Second, they must implement these programs in all aspects of their operations. Third, banks must conduct OFAC risk assessments and reviews to assess whether their compliance programs are effectively preventing violations of the Bank Secrecy Act (BSA) and other pertinent legislation.

OFAC expects banks to conduct periodic risk assessments and reviews—and assessing compliance with this expectation is part of OFAC’s own examination procedures. Thus, not only is conducting OFAC risk assessments and reviews a critical aspect of internal compliance management, but it is a critical aspect of external risk management as well.

So, how does a bank effectively conduct an OFAC risk assessment and review?

Issues to Be Examined During an OFAC Risk Assessment & Review

While banks must custom-tailor their OFAC risk assessments and reviews to their particular needs, OFAC has provided a risk matrix that banks (and their counsel) can use to inform their decision-making processes. This risk matrix appears in the Annex to Appendix A to OFAC’s Economic Sanctions Enforcement Guidelines, which are codified at 31 C.F.R. Part 501.

OFAC’s risk matrix identifies 13 areas of concern, all of which banks should adequately address in their compliance programs, including in their risk assessment and review procedures. For each area, the risk matrix identifies “low,” “moderate,” and “high” levels of risk. Although high risk levels do not necessarily translate to non-compliance, they represent particular areas of concern, and they are highly likely to draw enhanced scrutiny from OFAC in the event of an investigation.

The areas of concern in OFAC’s risk matrix are:

1. Customer Base

Customer base is a key factor in determining banks’ OFAC compliance obligations and compliance-related risks. The larger, less consistent, and more geographically dispersed a bank’s customer base, the more risk it has to manage:

  • Low: “Stable, well-known customer base in a localized environment.”
  • Moderate: “Customer base changing due to branching, merger, or acquisition in the domestic market.”
  • High: “A large, fluctuating client base in an international environment.”

2. High-Risk Customers

For purposes of OFAC compliance, high-risk customers include nonresident aliens, foreign individuals, and foreign commercial entities. The more high-risk customers a bank has, the greater its compliance risks and needs:

  • Low: “Few high-risk customers.”
  • Moderate: “A moderate number of high-risk customers.”
  • High: “A large number of high-risk customers.”

3. Overseas Branches

OFAC also views banks that operate overseas branches as generally presenting a higher risk for non-conforming transactions, including transactions with specially designated nationals (SDNs). The risk levels under OFAC’s matrix for overseas branches are:

  • Low: “No overseas branches and no correspondent accounts with foreign banks.”
  • Moderate: “Overseas branches or correspondent accounts with foreign banks.”
  • High: “Overseas branches or multiple correspondent accounts with foreign banks.”

4. Electronic Products and Services

Electronic banking and other electronic products and services continue to be viewed as “high risk” under OFAC’s matrix. In today’s world, nearly all banks fall into the high-risk category. To manage this risk effectively, banks must have substantial logical security controls in place that are suited specifically to the financial services industry and its governing laws and regulations:

  • Low: “No electronic services . . . offered, or products available are purely informational or non-transactional.”
  • Moderate: “The institution offers limited electronic . . . products and services.”
  • High: “The institution offers a wide array of electronic . . . products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet).”

5. Number of Funds Transfers

Electronic fund transfers also continue to factor into OFAC’s risk analysis. In particular, OFAC focuses on electronic fund transfers executed for non-bank customers:

  • Low: “Limited number of funds transfers for customers and non-customers, limited third-party transactions, and no international funds transfers.”
  • Moderate: “A moderate number of funds transfers, mostly for customers. Possibly, a few international funds transfers from personal or business accounts.”
  • High: “A high number of customer and non-customer funds transfers, including international funds transfers.”

6. Other Types of International Transactions

Along with electronic fund transfers, OFAC views various other types of cross-border transactions as potentially high-risk with regard to money laundering and other aspects of BSA compliance. These include trade finance transactions, cross-border ACH transactions, and transactions related to management of sovereign debt:

  • Low: “No other types of international transactions.”
  • Moderate: “Limited other types of international transactions.”
  • High: “A high number of other types of international transactions.”

7. History of OFAC Actions

Crucially, OFAC considers a bank’s history of prior enforcement actions as a risk factor as well. In other words, banks that have faced OFAC scrutiny due to violations in the past are at greater risk for facing additional scrutiny in the future:

  • Low: “No history of OFAC actions. No evidence of apparent violation or circumstances that might lead to a violation.”
  • Moderate: “A small number of recent actions (i.e., actions within the last five years) by OFAC, including notice letters, or civil money penalties, with evidence that the institution addressed the issues and is not at risk of similar violations in the future.”
  • High: “Multiple recent actions by OFAC, where the institution has not addressed the issues, thus leading to an increased risk of the institution undertaking similar violations in the future.”

8. Management’s Understanding of OFAC Compliance

Management’s participation in a bank’s OFAC compliance efforts is a key factor as well. OFAC expects banks’ management teams to be fully aware of their compliance obligations and efforts:

  • Low: “Management has fully assessed the institution’s level of risk based on its customer base and product lines.”
  • Moderate: “Management exhibits a reasonable understanding of the key aspects of OFAC compliance and its commitment is generally clear and satisfactorily communicated throughout the organization, but it may lack a program appropriately tailored to risk.”
  • High: “Management does not understand, or has chosen to ignore, key aspects of OFAC compliance risk.”

9. Board Approval

Board approval of a bank’s OFAC compliance program is another key factor on OFAC’s risk matrix. While board approval suggests adequate institutional processes and controls, lack of board approval suggests that the institution is not following all requisite procedures or giving due consideration to its compliance obligations:

  • Low: “The board of directors, or board committee, has approved an [adequate] OFAC compliance program.”
  • Moderate: “The board has approved an OFAC compliance program that includes most of the appropriate policies, procedures, controls, and information systems necessary to ensure compliance, but some weaknesses are noted.”
  • High: “The board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient.”

10. Staffing Levels

Effectively managing OFAC compliance requires adequate staffing. If a bank’s staffing level is insufficient, OFAC considers this to be a red flag for non-compliance:

  • Low: “Staffing levels appear adequate to properly execute the OFAC compliance program.”
  • Moderate: “Staffing levels appear generally adequate, but some deficiencies are noted.”
  • High: “Management has failed to provide appropriate staffing levels to handle workload.”

11. Authority and Accountability for Compliance

To effectively manage OFAC compliance, all banks should have a designated OFAC compliance officer. Depending on a bank’s size and its level of risk, it may need to have additional personnel devoted to managing OFAC compliance as well:

  • Low: “Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer.”
  • Moderate: “Authority and accountability are defined, but some refinements are needed. A qualified OFAC officer has been designated.”
  • High: “Authority and accountability for compliance have not been clearly established. No OFAC compliance officer, or an unqualified one, has been appointed.”

12. OFAC Compliance Training

All bank personnel who have a role to play in the institution’s OFAC compliance efforts must receive adequate training. This includes not only initial training, but ongoing training as well:

  • Low: “Training is appropriate and effective based on the institution’s risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance.”
  • Moderate: “Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program.”
  • High: “Training is sporadic and does not cover important regulatory and risk areas or is nonexistent.”

13. Quality Control Methods

In addition to all of the above, OFAC also expects banks to implement adequate quality control methods to ensure compliance on a day-to-day basis. However, OFAC’s guidance in this area is slight; and, as a result, it is up to banks (and their counsel) to ensure that they are doing enough to manage their risk effectively:

  • Low: “The institution employs strong quality control methods.”
  • Moderate: “The institution employs limited quality control methods.”
  • High: “The institution does not employ quality control methods.”

Speak with an OFAC Attorney at Oberheiden P.C. in Confidence

We help banks manage all aspects of OFAC compliance. This includes conducting OFAC risk assessments and reviews. If you would like to speak with an OFAC attorney, please call 888-680-1745 or tell us how we can reach you online today.
