When we open an acccount we verify the names to the OFAC list as part of CIP. Must we keep that proof of verification for 5 years from that date or 5 years from when the account closes to comply?

Ok. Let me re-word this. What is the retention on reviewing OFAC matches that are false positives? If it's a true hit is the retention 5 years from date of hit or 5 years after it is released from the government.

I'm not finding anything to support either.

OFAC compliance is "risk based;" since you don't have to do anything specific there are no record retention requirements in connection with what you choose to do. If you are simply trying to convince examiners that you do perfrom OFAC checks, then the unofficial retention period would be from one examination to the next.

Although you may use your "CIP Form" to show you did the OFAC check, the check itself is not connected to CIP.

I understand.

What are other banks using for retention of OFAC checks?

Unless we receive a hit, we are not retaining anything to show we performed the search. Also there is no field we complete that says Yes- Ofac. This is one of those where a verbal test is used. During the branch operational audits when we sit with the new account clerks and ask them to walk us through a new account opening.

We use a combination of an in-house system front end which uses ID Flag for the actual OFAC search. The ID Flag 1-page report image is stored and the 1-page report is printed and kept at the location where the report was run. Because this is part of our "written" BSA/AML program, we follow the BSA record retention requirements outlined in 31 CFR 103.38, which states: All records required to be retained by Part 103 must be retained for a period of five (5) years. There is also the requirement in 103.34 that you retain for five years the taxpayer identification for each deposit account opened.

I'm not advocating that anyone choose to retain OFAC records for five years, as we do. It's just that in the absence of clear retention directives specific to the OFAC check, and absent any other method to prove you performed the check, we determined that the overall retention window relative to a BSA/AML written program -- as defined by OCC, OTS, and the FDIC -- made us feel that we should retain evidence of our having performed the OFAC checks.

Frankly, I don't know how you could not have at least some type of record to demonstrate to the examiners that the check was performed, even if it is similar to what Ken mentions which is from exam to exam. I know people hate recordkeeping, but I've never found that being conservative in recordkeeping ever hurt me -- and this is especially true for BSA/AML/PATRIOT.

Im not orig poster but what if a small institution with manageable new accounts is manually looking up names on OFAC list. If FDIC asks us to prove we actually look up names, we don't keep any way to prove that. I know that some tellers don't really look up name on OFAC list but thye just say the check was done. This could be a issue if we get asked to prove the check was done.

Some regulators like to see some type of notation that OFAC was checked (particularly on wire transfers). Others may just question new account personnel as to your new account procedures and if OFAC is included in the process, they are satisfied. I've seen it vary.

Posted on FinCEN's What's New on April 28, 2005, from the Interagency Interpretive Guidance on Customer Identification Program Requirements Under Section 326 of the USA PATRIOT Act is the following shown on page 11, FAQ (frequently asked question) No. 1 under 31 CFR 103.121(b)(3)(ii) - Retention of Records : "The CIP rule requires that a bank retain the identifying information obtained about the customer at the time of account opening for five years after the date the account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant."

www.fincen.gov click "What's New"

I believe that this has always been a part of the CIP requirements. I don't see anything new there.

I think the only requirement is to either block opening or freeze accounts for persons whose name appears on the OFAC SDN list. There is no requirement that a bank scan. However, in the event that the regulators find an account opened and no freeze in place, you could mitigate the deficiency by providing evidence that you a have a policy to screen names. If such cannot be asserted (because you don't scan) or because you don't retain evidence of performance, the regulator can elevate the singular event to a more egregious institutional deficiency.

Ok, but that has nothing to do with how long or even if you should retain records of an OFAC check.

The CIP regulations do not require banks to check the OFAC list. CIP's reference to checking a list of "known or suspected terrorists," is clearly explained in the regulations' preamble as a reference to a list that was not in existence at the time the final regulations were published:

The final rule states that a bank’s CIP must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by Treasury in consultation with the Federal functional regulators. Because Treasury and the Federal functional regulators have not yet designated any such lists, the final rule cannot be more specific with respect to the lists banks must check in order to comply with this provision.

As the CIP requirements do not require banks to check the OFAC list, OFAC checks are not part of CIP's record retention requirements.

No list of known or suspected terrorists has been published in the interim. It is apparently part of a contingency plan that will only be implemented if we are the object of another terrorist attack. If such a list is ever published, then evidence that the list was checked would be incorporated in the 5 year record retention requirement.

Prior thread.

So then this means when we check the OFAC listing at the time of a new account being opened we don't have to prove we verified the check. We use Chexsystem and we were printing out the check each time, now we won't do this anymore since no OFAC proof is needed.

That's right...no requirement to document OFAC check but evidence of checking will mitigate harm resultant from "missing" a hit at account opening. Also as the list changes, you should match against your entire depositor base to ensure an existing customer has not been added.

Anon:

You retain the information you relied upon during the new account opening for a period of five years from the date that the account closes. If you are verifying the information through nondocumentary means, you have the option to describe the method(s) and the results undertaken, but if you are using some type of verification system, then it is just as easy to retain an image or to print out the page from the verification check you've conducted.

We all recognize from the discussions during the past two years on BOL that there is no official Section 326 listing, but this wasn't your question. Your question was directed at the totality of the account opening process that your institution follows as part of your CIP. You asked whether the proof of your verification process -- i.e., regardless of whether the process is nondocumentary, documentary, or a described method -- requires that you retain the records for five years from account opening or account closing.

Mary Beth Guard noted some time ago in two BOL articles which specifically addressed the absence of the Section 326 listing -- Section 326: Where is the government list? and CIP Final Rules: 10 Quick Changes -- that institutions are required to keep the records used in the account verification process for five years from account closing. In other words, the information that was relied upon to verify the identity is retained. If there was a Section 326 listing (OFAC) check that happened to be integrated into the verifcation process, then just keep this data. There is no violation for retaining this record. In reality, the "process" for account opening as practiced by most institutions is integrated. Verification and list checking is conducted in juxtaposition and is not viewed as separate procedures that are mutually exclusive. In fact, most nondocumentary "PATRIOT" systems are designed to simultaneously generate risk results from name and address verification, driver's license issuance, social security correlation, while also conducting a separate indication of the new customer's OFAC status.

Forgetting for a moment that you mentioned 'OFAC check' as being incorporated into your account verification routine, you should keep whatever you relied upon to verify the identity information for five years from the account's closing. Notice I did not say that you are keeping a record of an 'OFAC check'; instead, I'm acknowledging that account opening procedures are in actuality conducted as an integrated routine. The information that you relied upon to verify the accountholder identity is kept for five years from account closing, and there is no violation if the verification routine included the (OFAC) terrorist listing check.

Is there anybody who really thinks in this climate that examiners performing a BSA/AML examination are going to accept as an explanation that the reason you aren't checking OFAC and keeping records is that you are waiting for an official 326 list to be identified? C'mon! Every regulator has other language incorporated into their CIP guidelines that makes it clear you are on the hook for checking the OFAC SDN listing.

From the FDIC: "The CIP, while important, is only one part of a bank's BSA/AML compliance program. Adequate implementation of a CIP, standing alone, will not be sufficient to meet your other obligations under the BSA, or regulations promulgated by the Office of Foreign Assets Control."

On the OFAC site there is a prominent link to the SDN and blocked persons list, which is updated daily, so I don't know how anyone can say they don't understand the spirit of OFAC and that they are waiting for a list. If you think they aren't enforcing OFAC checking, look at the recent enforcement actions and sanctions at the FDIC or OFAC. There has to be at least 20 banks placed under cease and desist status just since March 1st!

Quote:

---

Ok, but that has nothing to do with how long or even if you should retain records of an OFAC check.

---

I am the original poster. Didn't think this would cause so much chatter. However, I made a decision to keep it for 5 years and I will ask our regulator when they come in. Also, someone brought up a very interestering point that may answer some of the comments in this post. We are required to keep what we used to verify the identity of the customer. OFAC is a check the name to a list deal, not a ID tool. This doesn't ID the customer. He's right.

Jay-Risk,
You've got more red herrings than a trawler. The original question was about checking names at account opening. You are now pretending it was in some way connected with keeping records on blocked property. Also, as you have on prior occasions, you have raised the issue posting as Anonymous in another thread.

It's unusually easy to put you in perspective today...I will trust that anyone who reads this can separate the wheat from the chaff.

This is easy.

Please review your post, number 355187. That would be the post in which you said, "OFAC compliance is risk-based; since you don't have to do anything specific there are no record retention requirements in connection with what you choose to do." That was your answer. You stated that there were no retention requirements.

The original anonymous poster then re-qualified his original post in post 355179, saying he/she wished to re-word the post, then asked as part of the question whether the OFAC information in a positive hit should be retained for a 5-year period from the date of the "hit", or whether the 5-year period is after the release/unblocking. The anonymous poster's question was clear. Not only did I answer it correctly from the outset, but I later provided the link to the BOL section discussing the specific retention requirements for OFAC. The support information was taken right from BOL.

In summary, I told the original poster to keep the information used in verifying a new accountholder for five years. Then, I subsequently provided support information showing that there are also instances where OFAC data is also kept for a 5-year period. The information was taken right from BOL.

Frankly, I don't see any mention of any 5-year retention for anything, about anything, or for anything in any of your posts, and it was clear in both of the poster's questions that the records retention issue was the gist of the question -- not CIP, not Section 326, not lists in general. You are correct about prior occasions, because on those occasions you also would not concede you were wrong, and you continued to mask that by obfuscating even further -- to the point of answering questions that weren't asked.

I correctly stated that there is a 5-year retention for CIP information gathered at new account opening, and I correctly stated that there are requirements to retain OFAC data under certain conditions -- also for a 5-year period. Finally, I do note that the anon poster has responded that he is retaining the data for five years; consequently, there is nothing more to discuss and we can simply agree to disagree. There is nothing more to say.