How detailed should my OFAC policy be? I am rewriting our entire BSA Policy and am trying to remove unnecessary items from the policy and put them into procedures. I know the OFAC Policy doesn't need to be too specific but would "it is our policy to comply with OFAC and risk based procedures have been developed to address these risks" sufficient? There was basically nothing in the last policy that addressed OFAC except the fact that we run a scrub X amount of times a month.
What have other banks done as far as in depth of the OFAC policy?
osucpa
Diamond Poster
Joined: May 2011
Posts: 1,410
I believe your policy should be very general. Most banks put to much information in a policy and forget about it. Then at some point they end up not complying with their policy.
Our OFAC Policy and Risk Assessment are combined. The policy itself is only 2 pages, so it's pretty generic, the risk assessment describes each line of business and how searches are performed, reviewed, and retained. With a risk score, of course.