LONG POST!
OFAC Comments-ABA AML Conference Washington D.C. 10/25/2004
I promised Ken I would post a report on the OFAC session.
Expectations are definitely higher on OFAC. Examiners are looking for written programs with written risk assessments, etc.
Laurie Bender, Federal Reserve - OFAC Examination Process
“The bar has been raised since 9/11” - banks are expected to have an OFAC Program that is tested and audited, with employee training imperative, and instructions for what to do with hits in the screening process.
The OFAC review is conducted during the BSA exam. The Fed is developing enhanced OFAC exam procedures, consulting with other regulatory agencies. The new procedures take a program approach to OFAC, like BSA and AML.
The Fed (and presumably other agencies) will be looking for:
A written risk assessment of the bank’s OFAC program, taking into consideration:
Bank’s products
Bank’s customers
Transactions
Bank’s location
They will review:
How you receive your updates
Audit exceptions received by the regulators from OFAC (errors by banks not treated as violations with penalties.) The Fed is working on a sharing agreement with OFAC where OFAC can share with Fed (and vice versa) if a bank has an OFAC problem.
Policies, procedures and programs
Consideration of risk
Designation of responsible individual(s)
Appropriate internal controls
Independent testing of accounts to check for prior testing as required by your program, and to test the validity of the results. The regulator will be checking names in your transactions against OFAC list to check validity of your process. They expect you to be doing the same.
An SAR process describing when you will file SARs on OFAC hits. This was mentioned several times by different presenters as a very important part of the process. The regulators (including OFAC) are looking for a combined approach to SARs on OFAC hits. (Don’t hold your breath.)
Are you adequately assessing your risk?
Management oversight of program
Appropriate internal controls including who makes decisions on OFAC hits, who contacts OFAC
Audit process
Methods of screening - manual vs. automated - what parameters you set for filters, how your system’s matching works (complete name, fuzzy logic, etc.)
During OFAC counsel’s presentation he said that there is essentially no conflict between the requirement for OFAC reporting and the filing of a SAR - they are 2 different reports of different information going to different parties and there is no conflict and no duplication. Nonetheless the regulators are considering some way to bring the 2 items together.
Check payees: realize banks can’t check every payee on customers’ checks
Cashiers Checks: (In a later session, regulators were asked about need to check payees on cashier’s checks - response was that “the absolutely correct answer is that of course you should, but who is? It is a decision to be made in your risk assessment.”)
Fed is working with OFAC to obtain guidance on some screening issues: for example, one bank had an OFAC problem because they didn’t screen a particular Arabic name to the 15th derivation!
Jamal El-Hindi, Attorney/Advisor OFAC
Discussed OFAC’s role. OFAC is an umbrella regulator over export in general with a broader mandate than Dept of State, etc. An OFAC sanction may be lifted but exports to country may still be blocked by Dept of State.
OFAC has jurisdiction over US citizens and permanent resident aliens located around the globe, ANY individual physically located in the US and, under the International Emergency Economic Powers Act programs, corporations organized under US law including foreign branches of US firms, and any corp. or company physically located in the US, including US branches, agencies and reps of foreign corps.
Trend is shifting from comprehensive country sanctions to thematic list based. Caution: because someone is not on list, does not mean they are not sanctioned. Sanctions can cover anyone affiliated with, owned by, acting for an individual on list - all of those are also blocked. You as a bank need to determine who that might be!
Contacting OFAC: OFAC is trying to get better about answering phones! If you just can’t get through and have an urgent need for an answer, you can try the Chief counsel’s office: 202-6222-2490 or 1800-540-6322. No guarantees that will help. If you really need to make a decision by a specific time and can’t get anyone from OFAC to answer or to get back to you, then you as a bank must make your own decision based on the facts you have.
Targeted countries: Transactions with Targeted countries (non-cooperative countries)- some are okay. Bank must decide! No specific prohibition.
What to report: Example: a ‘listed’ person comes to a bank branch and tries to send a wire. The wire is not sent. There are no funds to block, etc. There is really no requirement to notify OFAC - HOWEVER - keep in mind that the fact that this individual tried to conduct a transaction with a US bank may very well be of interest to OFAC. Encourage banks to do what makes sense - if this info may be of use to OFAC, let them know that this person tried to conduct a transaction. Think of the point of the rules - the government wants to know what transactions these individuals are conducting. Consider an SAR using same thought process.
Bank of America and Capital One reviewed their programs, need for risk based approach, need for formal program, training, centralized decisions on hits. Be prepared to discuss your risk decisions such as frequency of batch testing, etc.