Bridger Insight
Interested? Call 1-877-922-5757 ChoicePoint
James M. BedsoleOFAC - A Hot Topic!
by James M. Bedsole, CRCM, CBA, CFSA
Senior Vice President, Director of Internal Audit and Compliance
Anchor Bank, Myrtle Beach, SC (revised 1999)

The list of "hot" compliance issues includes a newcomer - the area related to regulations of the Office of Foreign Assets Control (OFAC).

OFAC doesn't just affect banks. All U.S. citizens, including permanent resident aliens, are obligated to comply with OFAC regulations. Companies located in the U.S., as well as overseas branches of U.S. companies, and in some cases, overseas subsidiaries, are subject to compliance with these regulations.

The Office of Foreign Assets Control is a division of the U.S. Department of the Treasury. OFAC administers and enforces economic and trade sanctions against targeted foreign countries, terrorism sponsoring organizations and international narcotics traffickers based on U.S. foreign policy and national security goals. OFAC acts under Presidential wartime and national emergency powers, as well as authority granted by specific legislation, to impose controls on transactions and freeze foreign assets under U.S. jurisdiction. Many of the sanctions are based on United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied governments. To accomplish this mission, OFAC has implemented regulations that require (in most cases) the freezing of all assets and property of these targeted entities. These frozen assets and property are pooled for the benefit of U.S. claimants.

The OFAC regulations, as they affect financial institutions, can be summed up fairly succinctly in most cases - block any transaction that has any connection to an enemy of the United States, freeze any assets involved, and report the transaction to the Office of Foreign Assets Control. It sounds pretty easy, doesn't it? So what's the big issue? Well, the first problem is in identifying who those enemies are. The second problem is in how the bank matches its transactions against those identified enemies.

OFAC regulations have been implemented in thirteen different areas. Ten of these are countries that have been designated as U.S. enemies. They are:
  • Burma (Myanmar)
  • Cuba
  • Federal Republic of Yugoslavia (including Serbia, Montenegro, and Serb-controlled Bosnia)
  • Iran
  • Iraq
  • Libya
  • North Korea
  • Unita (Angola)
  • Sudan
  • Taliban
  • Narcotics Sanctions
  • Terrorism Sanctions
  • Weapons of Mass Destruction Trade Control
In addition, there are regulations involving terrorists and narcotics traffickers. These regulations are codified at 31 CFR Title V. The regulations contain specific requirements and restrictions on the types of trade and financial activity that can take place involving the countries on the list. Specific information about these sanctions has been summarized and is available at blocked_countries.htm.

Also, from within these countries and groups, OFAC has identified hundreds of individuals and companies that are restricted from trading in the U.S. OFAC maintains an "Alphabetical Listing of All Blocked Persons, Specially Designated Nationals, Specially Designated Terrorists, and Specially Designated Narcotics Traffickers." This listing is included as Appendix A to 31 CFR Title V. And there are names on the list that sound all too innocent. For instance one of the names on the list is John G. Abbott, 34 Grosvenor Street, London W1X 9FG, England. But it just so happens that Mr. Abbott is a front man for Libyan nationals. And sending Mr. Abbott a wire transfer is a definite OFAC no-no.

So what do you do with this list? There is no regulation requiring you to do anything with the list. The regulations simply say that if someone on the list is involved in the transaction, you must (in most cases) block the transaction, freeze the assets, and notify OFAC. But all of the banking regulators agree - if you don't have a control system in place to detect these transactions, there is a significant risk that the bank will violate the OFAC regulations at some point, so the bank regulators have stepped up their examination of this important area. This is why it's now a "hot" regulation.

Banks are expected to filter their transactions against the current OFAC list. They are to evaluate any suspects to determine if they are genuine hits. They are to keep good records (audit trail) and they are to contact OFAC if a genuine hit occurs or a question arises. The amount of internal control needed is a risk issue that each institution must measure. What are satisfactory controls for one institution may not be sufficient for another. Obvious risk measures would include asset size, number of foreign transactions, and geographic location.

With the risk assessment complete, you're ready to begin filtering transactions against the list. You can do this manually, but it is a very inefficient method. There are several alternatives. You can use stand-alone PC software. Search Alta Vista on "OFAC", "OFAC software", and "OFAC compliance", and you will find several vendors. Some PC-based platform or wire transfer applications come with integrated OFAC interdiction software. There are also stand-alone and integrated mainframe software solutions available. Your risk assessment should also point you in the direction you should go for filtering transactions. From there, move on to letters of credit, new account entry and ACH. Finally, consider filtering your entire existing customer base - after all, who knows who you've let come in the door before you put these controls in place.

Consider how you will set up your interdiction process. Do you want to incorporate OFAC into your existing application processes, or maintain it as a separate process? You want consistency. One avenue you may check out - ask your correspondent banks what approach they are using. After all, most OFAC violations are discovered through correspondent banks. What happens is that your correspondent has better controls than you and they detect a blocked entity involved in a wire transfer that you process through the correspondent. They block the transaction, freeze the assets and notify OFAC. When OFAC starts checking the trail of the wire, it leads right to your doorstep. The next sound you hear will be OFAC enforcement officers knocking on your door, asking to see your interdiction procedures and controls. And the level of controls you have determines how much mitigation takes place on your potential fines. And the fines can be steep.

OFAC penalties run up to $250,000 per transaction. As stated above, OFAC does have the capability to mitigate these fines depending on the level of control that exists in your organization. If you have good controls, but one slips through the cracks, you are much more likely to see a reduced fine than the shop that responds to the examiners by saying, "What's OFAC?"

There are some resources on the Internet that can help you with OFAC compliance. As was already mentioned, many interdiction software vendors have a presence on the Internet. In addition, OFAC itself maintains a web site at: http://www.ustreas.gov/ofac. You will find summaries of all of the OFAC regulations there, as well as the OFAC list in various formats. One format in which the list is available is in ASCII delimited format.

Changes to the OFAC list are published in the Federal Register. You can go there through the GPO Gate at: http://www.access.gpo.gov/su_docs/index.html.

Looking for model OFAC policies and procedures? Check out the one at the Bridger Insight website: OFAC Policy and Procedure Guide.

Whatever your risk assessment reveals for you, with the resources available on the Internet, you, as a technologically competent compliance officer, should have no excuse when the examiners come asking about your OFAC compliance program.

About our Contributing Editor:

James M. Bedsole, CRCM, CBA, CFSA

Mr. Bedsole is Director of Internal Audit and Compliance for The Anchor Bank, a $1.2 billion financial institution based in Myrtle Beach, SC. Mr. Bedsole has served Anchor since 1995. Mr. Bedsole has spent a total of 14 years involved with bank auditing and bank compliance. He is a 1986 graduate of The Citadel, in Charleston, SC. Mr. Bedsole is also a graduate of the National Graduate School of Compliance Management at Indiana University/Purdue University, Indianapolis. He is certified as a Bank Auditor, Financial Services Auditor, and Regulatory Compliance Manager. Mr. Bedsole has spoken to local, regional and national audiences on the topics of auditing, compliance and use of Internet and Intranet resources. He had authored articles appearing in both regional and national publications, including ABA Bank Compliance Magazine. Most recently, Mr. Bedsole was a key speaker for the Bank Administration Institute in a series of workshops conducted nationwide on the topic of Internet Banking Risk Issues. He is also scheduled to speak in Spring, 2000 at national conferences on Insurance Risk Management, Internet Banking, and the Bank Administration Institute’s annual Audit, Compliance and E-Security conference.

This article was first published in 1996, on the MoneyPage Compliance Desk website and has since been updated. Republished here with permission from the author.
Privacy At ChoicePoint
PrivacyTerms of UseSite Map
Home Solutions Industry Solutions Resources Company Client Services SolutionsFree TrialIdentity VerificationRegulatory ComplianceEnhanced Due Diligence ResourcesFaq'sFree Services CompanyAbout UsPress ReleasesClientsSuccess StoriesPartnershipsEmploymentContact Us