July 12, 2005
On June 30, 2005, the Federal Financial Institutions Examination Council released the Bank Secrecy Act/Anti-Money Laundering Manual (the "BSA/AML Manual"). The manual includes guidance to federal banking agencies for examining compliance with sanctions programs administered by the Treasury Department’s Office of Foreign Assets Control (OFAC) and guidance to banking organizations on identifying and controlling money laundering and terrorist financing risks.
The BSA/AML Manual recommends that banks establish and maintain an effective, written OFAC program that is commensurate with the bank’s OFAC risk profile. The program should consist of five elements:
OFAC Risk Assessment
The first element of an effective OFAC program is an OFAC risk assessment. Each bank should assess its specific product lines, customer base, geographic locations, and the nature of its transactions in order to identify high-risk areas for OFAC transactions. While the initial identification of high-risk customers may be performed as part of the bank’s Customer Identification Program and Customer Due Diligence procedures, all areas of a bank’s operations should be reviewed. Examples of products, services, customers, geographic locations, and transactions that may carry a higher level of OFAC risk include:
Once a bank has identified areas of high OFAC risk, it should develop appropriate policies, procedures and processes for addressing the associated risks and reviewing transactions and transaction parties, including, depending on the bank’s risk profile and the available technology, account parties other than accountholders. The BSA/AML Manual recommends that banks tailor these policies, procedures and processes to the specific nature of a business line or product. It also encourages banks to periodically reassess their OFAC risk.
The second element of an effective OFAC program is the existence of appropriate internal controls for identifying suspect accounts and transactions and reporting findings to OFAC. According to the BSA/AML Manual, a bank’s internal controls should include risk-based policies, procedures and processes addressing how the bank:
According to the examination procedures, a bank’s policies, procedures and processes should require new accounts to be compared with the OFAC lists prior to account opening or shortly thereafter, e.g., during nightly processing. Where OFAC checks are performed after account opening, banks should have procedures in place to prevent transactions (other than initial deposits) from occurring until the OFAC check is completed. Periodic checks also are expected of existing customers when there are additions or changes to the OFAC lists. The frequency of these reviews should be based on the bank’s OFAC risk. However, transactions such as funds transfers, letters of credit, and non-customer transactions should be checked prior to being executed.
In addition, the bank’s procedures should include adequate controls and reviews of any third-party processor or other party that performs OFAC checks on the bank’s behalf, as the bank ultimately will be held responsible for the third party’s OFAC compliance.
The third element of an effective OFAC program is independent testing of the bank’s OFAC programs. The BSA/AML Manual recommends that, generally, an in-depth audit be conducted at least once a year. The audit may be performed by the bank’s internal audit department, outside auditors, consultants, or other qualified independent parties, and should be comprehensive enough in scope to assess OFAC compliance risks and the adequacy of the OFAC program.
Designation of OFAC Responsible Person(s) and Training
The final two elements of an effective OFAC program are day-to-day management and training. The BSA/AML Manual recommends that every bank designate a qualified individual or individuals to be responsible for day-to-day compliance with the OFAC program, including reporting blocked or rejected transactions to OFAC and overseeing blocked funds. The manual also recommends that banks provide adequate OFAC-related training for their employees. The scope and frequency of the training should be consistent with each bank’s OFAC risk profile and be appropriate to employee responsibilities.
In conjunction with the release of the BSA/AML Manual, OFAC has made available on its web site risk matrices for banks to consider as they review their OFAC programs. The matrices are available at http://www.treas.gov/offices/enforcement/ofac/faq/matrix.pdf.
* * * * *
For further information, please contact Judith A. Lee at (202) 887-3591, Amy Rudnick at (202) 955-8210 or Matthew Crispino at (202) 887-3617 in the Washington, D.C. office of Gibson, Dunn & Crutcher LLP.
Copyright © 2005 Gibson, Dunn & Crutcher LLP