Skip to content
 

The Control List

There is often confusion about the differences between OFAC, the Control List, and suspicious activity reporting. These are three different functions that together can provide powerful information to law enforcement investigators. The trick is to understand what each is and how to comply.

The OFAC list is public information. The list is available to anyone - terrorists included - on OFAC's website. OFAC should now be part of your institution's routine for many functions, including the teller line, the wire room, and any function that receives or transmits assets. Everyone should know what OFAC is, where to find the OFAC list, and how to use it.

Unlike the OFAC list, the control list is confidential. No-one should discuss or share names on the Control List. Names on the list are under investigation. They may be innocent, in which case no-one should be slandering their good name. More important, maintaining confidentiality gives investigators the advantage.

The Control List comes to the institution from the regulatory agency. It is sent by e-mail to a designated person. Having a designated person is therefore essential to proper handling of the Control List.

The Control List - so far - is sent out every few months. There is no set schedule. It is compiled and sent on an as appropriate basis. You need to watch for it and respond promptly when it arrives.

The process you follow is very similar to the OFAC checking process. When the list arrives in the institution, the institution must check all its account and business relationships to find out whether any of the names on the Control List are doing business with the institution. This means that the list must be run against all names in the institution.

When you have a hit on the Control List, you also take steps similar to - but different from - finding a hit on the OFAC list. You have to notify the federal government that you have a match. But remember that the Control List is a list of names of individuals that are under investigation. There have been no determinations as to guilt. Moreover, the investigators don't want to alert the suspects to the fact that they are under investigation. Therefore the Control List is highly confidential.

When you have a hit, send an e-mail to the New York Federal Reserve Bank. The NYFRB is the conduit for all Control List information. The NYFRB sends the information to appropriate law enforcement for investigation purposes.

Your e-mail is very simple. You simply say: "we have a positive response to the list." That is all you say. Law enforcement takes it from there.

The response on the Control List does not change the fact that federal laws, such as the Right to Financial Privacy Act, protect the individual and the information. Law enforcement must comply with the RFPA when seeking access to the information you may have. You don't simply hand over the information because the name was on the Control List. Ask the investigators for the subpoena or other official document giving them access to the information.

Having responded to the Control List by sending your e-mail to the NYFRB, you do not need to also file a SAR. This individual or organization is already under scrutiny. However, if you identify suspicious activity independently from the Control List, then go ahead and file the SAR. That is probably additional or different information that may be useful.

Suspicious activity reporting is separate and distinct from the OFAC list and the Control List. However, it is reasonable to expect a great deal of overlap. If you have an account that is on the Control List, it would be a good idea to carefully review the activity in that account. Information relating to the suspicious activity would be described and identified as you would for any other Suspicious Activity Report.

Both suspicious activity reporting and Control List findings are completely and totally confidential. No-one in the institution should discuss these outside of work. Training should reinforce this confidentiality.

ACTION STEPS

  • Ensure that someone (perhaps you) is the designated person for receiving and acting upon the Control List.
  • Review your system for checking names on the OFAC and Control Lists. Make sure you have the capacity to comply with Control List checks.
  • Find out when you last did training on the Right to Financial Privacy Act. If it wasn't yesterday, schedule sessions to train people on responding to requests for information from government officials.
  • This is a non-competitive issue. Talk with other compliance managers in your area to find out what they are doing and the share ideas about how to comply.
  • Set up a record system for tracking the Control List and any responses that you make. Be ready for law enforcement when they come.
  • Remind employees periodically of the need to keep the Control List and SAR reports confidential.

Copyright © 2002 Compliance Action. Originally appeared in Compliance Action, Vol. 7, No. 8, 7/02

First published on 07/01/2002

Filed under: 
Compliance
Filed under compliance as: 
Control List
Federal Reserve
Financial Privacy
IT
OFAC
Privacy
Reporting
RFPA
SAR
Suspicious Activity
Training

Report a problem with this page

Search Topics