I have been asked to review the IAT requirements, from a compliance standpoint, that were effective September 18, but have no prior experience with ACH.
From what I have read, we should update our BSA/OFAC policy to include IATs and any other ACH Policy and/or agreement, as applicable. The policy should outline RDFI and ODFI procedures for checking IATs against the OFAC lists and what corrective action should be taken when a positive hit is received. Are those the only policies that I should be concerned about?
On a side note, we have always included OFAC in our BSA Policy, as our OFAC risk is low; however, we are now considering the FedACH International Mexico Service, which will obviously increase both our compliance (OFAC) risk and financial risk. Because of this additional level of risk, should the OFAC policy and risk assessment be separate from the BSA Policy and risk assessment? What about the upcoming ACH risk assessment that will be required effective June 2010? Can that be included with another risk assessment, or should it be separate?
When an ODFI originates an IAT, we must include the 7 addenda records (BSA Travel Rule requirements). Do we have to maintain this same information when we are an RDFI of an IAT?
Any guidance is appreciated.