New Bank Secrecy Act/Anti-Money Laundering Manual Identifies Elements of Effective OFAC Compliance Program

July 12, 2005

On June 30, 2005, the Federal Financial Institutions Examination Council released the Bank Secrecy Act/Anti-Money Laundering Manual (the "BSA/AML Manual").  The manual includes guidance to federal banking agencies for examining compliance with sanctions programs administered by the Treasury Department’s Office of Foreign Assets Control (OFAC) and guidance to banking organizations on identifying and controlling money laundering and terrorist financing risks. 

The BSA/AML Manual recommends that banks establish and maintain an effective, written OFAC program that is commensurate with the bank’s OFAC risk profile.  The program should consist of five elements:

  • A risk assessment;
  • Appropriate internal controls for screening and reporting;
  • Independent testing for compliance;
  • The designation of a bank employee or employees responsible for OFAC compliance; and
  • Training programs for appropriate personnel in all relevant areas.

OFAC Risk Assessment

The first element of an effective OFAC program is an OFAC risk assessment.  Each bank should assess its specific product lines, customer base, geographic locations, and the nature of its transactions in order to identify high-risk areas for OFAC transactions.  While the initial identification of high-risk customers may be performed as part of the bank’s Customer Identification Program and Customer Due Diligence procedures, all areas of a bank’s operations should be reviewed.  Examples of products, services, customers, geographic locations, and transactions that may carry a higher level of OFAC risk include:

  • International funds transfers;
  • Nonresident alien accounts;
  • Foreign customer accounts;
  • Cross-border ACH transactions;
  • Commercial letters of credit;
  • Transactional electronic banking;
  • Foreign correspondent bank accounts;
  • Payable through accounts;
  • International private banking; and
  • Overseas branches or subsidiaries.

Once a bank has identified areas of high OFAC risk, it should develop appropriate policies, procedures and processes for addressing the associated risks and reviewing transactions and transaction parties, including, depending on the bank’s risk profile and the available technology, account parties other than accountholders.  The BSA/AML Manual recommends that banks tailor these policies, procedures and processes to the specific nature of a business line or product.  It also encourages banks to periodically reassess their OFAC risk. 

Internal Controls

The second element of an effective OFAC program is the existence of appropriate internal controls for identifying suspect accounts and transactions and reporting findings to OFAC.  According to the BSA/AML Manual, a bank’s internal controls should include risk-based policies, procedures and processes addressing how the bank:

  • Flags and reviews transactions and accounts for possible OFAC violations, whether manually and/or through interdiction software, including the criteria for and frequency of comparing names to the OFAC list, and how the bank will determine whether an initial OFAC hit is a valid match or false hit;

  • Processes updates to the OFAC lists of blocked countries, entities, and individuals in a timely manner and disseminates such information throughout the bank’s domestic operations and offshore offices, branches and, in some cases, subsidiaries; and

  • Reports blocked and rejected items to OFAC under the various sanction programs (and in certain circumstances, to FinCEN) and handles items that are blocked or rejected.

According to the examination procedures, a bank’s policies, procedures and processes should require new accounts to be compared with the OFAC lists prior to account opening or shortly thereafter, e.g., during nightly processing.  Where OFAC checks are performed after account opening, banks should have procedures in place to prevent transactions (other than initial deposits) from occurring until the OFAC check is completed.  Periodic checks also are expected of existing customers when there are additions or changes to the OFAC lists.  The frequency of these reviews should be based on the bank’s OFAC risk.  However, transactions such as funds transfers, letters of credit, and non-customer transactions should be checked prior to being executed.

In addition, the bank’s procedures should include adequate controls and reviews of any third party processor or other party that performs OFAC checks on the bank’s behalf, as the bank ultimately will be held responsible for the third party’s OFAC compliance.

Independent Testing

The third element of an effective OFAC program is independent testing of the bank’s OFAC programs.  The BSA/AML Manual recommends that, generally, an in-depth audit be conducted at least once a year.  The audit may be performed by the bank’s internal audit department, outside auditors, consultants, or other qualified independent parties, and should be comprehensive enough in scope to assess OFAC compliance risks and the adequacy of the OFAC program.

Designation of OFAC Responsible Person(s) and Training

The final two elements of an effective OFAC program are day-to-day management and training.  The BSA/AML Manual recommends that every bank designate a qualified individual or individuals to be responsible for day-to-day compliance with the OFAC program, including reporting blocked or rejected transactions to OFAC and overseeing blocked funds.  The manual also recommends that banks provide adequate OFAC-related training for their employees.  The scope and frequency of the training should be consistent with each bank’s OFAC risk profile and be appropriate to employee responsibilities. 

In conjunction with release of the BSA/AML Manual, OFAC has made available on its web site risk matrices for banks to consider as they review their OFAC programs.  The matrices are available at

* * * * *

For further information, please contact Judith A. Lee at (202) 887-3591, Amy Rudnick at (202) 955-8210 or Matthew Crispino at (202) 887-3617 in the Washington, D.C. office of Gibson, Dunn & Crutcher LLP.

Copyright © 2005 Gibson, Dunn & Crutcher LLP