OFAC Issues in the News

It’s rare these days to go very long without some kind of news regarding OFAC sanctions. The Russia-related sanctions have made OFAC compliance trickier, with updated designations, FAQs, and licenses that seem to come more frequently than ever.

In light of that, it’s important that everyone in your institution understands your OFAC controls and procedures and how to implement them. Two recent violations are good examples of the cost of non-compliance. In both cases, controls were in place but were either misunderstood or not carried out effectively.

On July 21, 2022, OFAC issued violations to MidFirst Bank for maintaining accounts and processing transactions for persons on the OFAC list. The bank utilized a third-party vendor for “periodic” screening of its existing customers against the OFAC list; however, it mistakenly believed that the entire customer base was being screened on a daily basis. In reality, it was only being screened monthly. Only new customers and certain existing customers with name/address changes were screened on a daily basis. As a result, newly sanctioned individuals conducted transactions for two weeks before the bank learned they had, in fact, been added to the OFAC list. Not surprisingly, the vast majority of funds were moved just hours after the individuals had been added to the OFAC list, and those initial transactions may not have even been stopped by a daily screening process. That said, it’s difficult to defend a risk-based approach if you don’t understand how your controls are actually functioning. Make sure you understand how your OFAC screening processes work when there are changes to the OFAC list.

In another recent OFAC settlement with American Express National Bank, the issue surrounded a cardholder who was added to the OFAC list. Within days of being added to the list, the bank’s internal screening system generated a “high confidence alert” which matched the cardholder with the OFAC designation. However, the alert was erroneously closed and there was no second review conducted which was required by the bank’s procedures.  An internal analyst did make the connection between the cardholder and OFAC designation just over a month later, which resulted in the account being suspended. However, no comments were included as to why the account was suspended, and the suspension was removed the following day. While the AML team did find that the suspension had been removed and directed it be put back in place, a wrong code was used during the reinstatement process which resulted in additional transactions to be conducted. During the time period in which the bank was suspending the account, removing the suspension, and using incorrect codes, over 200 transactions were conducted which exceeded $155,000. Further, the bank has been ordered to pay over $430,000.

Many institutions consider themselves to have a low risk for OFAC violations, and while OFAC compliance programs should be based on risk, it’s still very important to understand your specific controls. You also need to effectively implement your OFAC procedures because the cost of non-compliance is high.

Published
2022/08/05