How detailed should my OFAC policy be? I am rewriting our entire BSA Policy and am trying to remove unnecessary items from the policy and put them into procedures. I know the OFAC Policy doesn't need to be too specific but would "it is our policy to comply with OFAC and risk based procedures have been developed to address these risks" sufficient? There was basically nothing in the last policy that addressed OFAC except the fact that we run a scrub X amount of times a month.

What have other banks done as far as in depth of the OFAC policy?

I believe your policy should be very general. Most banks put to much information in a policy and forget about it. Then at some point they end up not complying with their policy.

That's the goal, but I didn't feel like not addressing OFAC in the policy would not be sufficient. I wondered how detailed others are being.

Our OFAC Policy and Risk Assessment are combined. The policy itself is only 2 pages, so it's pretty generic, the risk assessment describes each line of business and how searches are performed, reviewed, and retained. With a risk score, of course.

Have you bothered to Google: "ofac policy sample" ?? Take your pick.

That's the first thing I do before posting on here.

Then what is wrong with this one if you want to keep it short and sweet??

http://www.neach.org/uploads/resources/doc/sampleofac_policy__proc.pdf

Nothing at all. Just wanted some feedback on what others were doing... Thanks for the link.