Sanctions Compliance Program Snapshot
June 6th, 2019
What are the key failures and program trends OFAC has highlighted in major enforcement actions against financial institutions and multinational corporations?
In just-released guidance by the U.S. Treasury, federal officials have laid out what they want to see in a sanctions compliance program, and, even more importantly, given banks and corporates alike a roadmap of some of the root causes for many of the major penalties and enforcement actions.
The Office of Foreign Assets Control (OFAC), the government body managing the country’s sanctions programs, released a detailed description of the key elements of a sanctions compliance program, covering prongs such as the depth of involvement and oversight of management, sanctions risk assessments and even internal testing to uncover gaps.
But what will be required reading for compliance professionals tasked with building and running these sanctions programs is a section in the guidance called “Root Causes of OFAC Sanctions Compliance Program Breakdowns or Deficiencies Based on Assessment of Prior OFAC Administrative Actions,” detailing the failings that have broadly led to sanctions penalties soaring into the billions of dollars, including:
Lack of a formal OFAC compliance program: If a company has not created a formal sanctions compliance program, it may not even be looking for, or even be aware of, its sanctions risk exposure points. Not surprisingly, it also won’t find any sanctions missteps because it has no formal program to check against.
Misinterpreting the applicability of OFAC regulations: Some banks in high-profile enforcement actions have thought not dealing with OFAC-designated entities and jurisdictions simply meant scrubbing out all references to sanctioned countries. Compliance also means knowing ownership levels to more than 50 percent and realizing that exposure can come from transacting in U.S. dollars or having a transactional nexus to the United States, such as New York.
Facilitating sanctioned transactions for foreign individuals and companies through overseas subsidiaries or affiliates: Banks have paid as much as $9 billion for this particular failure, in some cases caused by rogue foreign operations. The lesson here: having reams of policies and procedures and even sanctions screening systems means nothing if an institution still has areas of non-compliance, where illicit insiders purposely evade corporate procedures.
Exporting or re-exporting U.S.-origin goods, technology, or services to OFAC sanctioned persons/countries: For compliance professionals and corporates writ large, keeping up with what items at what time are allowed or off limits for certain entities and jurisdictions can be a daunting task. For instance, certain items, like food or medicine, may be permitted by OFAC under a general license.
But another item, even if it can be used for medical equipment, may call for a specific license or even be blacklisted because some of the technology could have a “dual use” in nuclear proliferation. These very nuanced and complex scenarios in sanctions analysis and screening require individuals reviewing such trade and related transactions to be curious and creative, and to understand which technologies have both civilian and military applications and overlap.
Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-Sanctioned persons/countries: Similar to the above-referenced $9 billion penalty, if one part of a bank decides to boost revenues by helping a designated entity get access to U.S. dollars or move funds through the international financial system, all of the bank may be held accountable. In some cases, as mentioned, there were pockets of non-compliance coaching blacklisted entities to evade filters; in others, bank insiders stripped wires of references to OFAC hits, a move even spelled out in the bank’s policies and procedures and blessed by top managers.
Weak or lax due diligence on customers: If the anti-money laundering (AML), know-your-customer (KYC) or business line staffer doesn’t ask enough questions, they won’t be able to ferret out a company or individual trying to evade sanctions rules on behalf of blacklisted regimes or terror groups. Answers that don’t add up, or transactions that don’t match what someone said are their expected business relationships or regions, are red flags for an operation in the business of evasion.
Sanctions screening software gaps, filter faults and related poor decision-making: Apart from wholesale flouting of the rules, if sanctions screening systems aren’t tuned properly, they can create too few, or too many, alerts for analysts, wasting resources and missing actual hits. This issue has been a running theme in nearly every major bank OFAC sanctions penalty. In some cases, because a bank had too little staff, or their overall experience level and accumulated acumen were weak, the bank simply tuned the screening system to produce only as many alerts as could be handled by screening staff. The result is that an untold number of potential sanctions hits were simply never looked at, at all – until the expensive remediation began years later.
AML, sanctions compliance connections, conundrums
This is not the first time the U.S. Treasury has attempted to teach on OFAC best practices, but it is one of the clearest, most concise and concentrated pieces of guidance. It contains actionable, practical steps to immediately improve program processes, practices and people. Overall, OFAC has reams of resources on the finer points of OFAC compliance, asking and answering dozens of questions in recent years, but it has mainly remained mum on what a specific sanctions compliance program could or should look like.
That is not surprising as sanctions compliance has always been in an interesting gray area when it comes to overall financial crime compliance programs. OFAC rules don’t specifically call for a compliance program, like AML, but these compliance and control areas are often spoken of in the same breath and linked together under the overarching rubric of financial crime compliance risks.
How closely are AML compliance reviews and OFAC linked, you ask?
The term OFAC is only mentioned more than 300 times in the FFIEC interagency AML manual, which concludes that “while not required by specific regulation, but as a matter of sound banking practice and in order to mitigate the risk of noncompliance with OFAC requirements, banks should establish and maintain an effective, written OFAC compliance program that is commensurate with their OFAC risk profile.”
The sanctions compliance program “should identify higher-risk areas, provide for appropriate internal controls for screening and reporting, establish independent testing for compliance, designate a bank employee or employees as responsible for OFAC compliance, and create training programs for appropriate personnel in all relevant areas of the bank,” according to the AML manual.
But unlike AML, there is no legal requirement to create a dedicated sanctions compliance program.
However, in a persisting interlinked irony, if a financial institution is found to have violated OFAC rules – it’s a strict liability standard – a potential penalty is only mitigated by the presence and strength of a sanctions compliance program, including the resources and funds devoted to running, remediating and updating such operations. OFAC even stated as much in prior responses to the oft-asked “How do I set up an OFAC compliance program,” on its resources page.
Here are some snippets:
Does OFAC itself require that banks set up a certain type of compliance program?
- There is no single compliance program suitable for every financial institution. OFAC is not itself a bank regulator; its basic requirement is that financial institutions not violate the laws that it administers.
- Financial institutions should check with their regulators regarding the suitability of specific programs to their unique situations. [09-10-2002]
How do I setup a compliance program for my bank?
- There is no prepackaged compliance program that fits the needs of every bank. Banks, obviously, range in size from small to some of the largest institutions in the world. A good starting point is to go to the OFAC website and look under “Regulations by Industry.”
- Then read the brochure for the Financial Community. This brochure provides insight as to how your particular bank could set up a compliance program. There are also a number of articles written for banking industry publications available on OFAC’s website.
- Banks should also review OFAC’s Frequently Asked Questions, its SDN and other sanctions list pages and finally, OFAC’s dedicated sanctions program pages. It may be helpful to contact your counterparts in other banks to see what they are doing and talk to your regulator. [01-30-2015]
This relatively terse and straightforward guidance from OFAC may feel like a breath of fresh air for compliance officers, but even with the aid of the sanctions framework, professionals at banks and corporates alike will still be challenged. They still must build an OFAC compliance program, keep it agile and informed, and staff it with experienced, dedicated and creative teams. They must be committed to both keep pace with the ever expanding and constricting regimes of U.S. and international sanctions programs and counter the craftiness of evil-doing evaders and rogue regimes.
Need more OFAC answers? Choose your own adventure
But as many non-bank OFAC penalties have taught us, any corporate can get into trouble when dealing with a sanctioned entity. So what are some tips that can help corporates if they are not a bank?
OFAC has some answers, but going through them may bring back childhood memories from the 1980s when you were reading “choose your own adventure” books, where depending on your decision, you would jump to one page, or another. In many cases, the eventual end to this journey will be calling the OFAC hotline below.
Here are some of the “due diligence” steps under “When should I call the OFAC Hotline?” to help determine a potential match for a “live” transaction, like a wire transfer:
Step One – Will the real OFAC list please stand up: Is the “hit” or “match” against OFAC’s SDN list or targeted countries, or is it “hitting” for some other reason (i.e., “Control List” or “PEP,” “CIA,” “Non-Cooperative Countries and Territories,” “Canadian Consolidated List (OSFI),” “World Bank Debarred Parties,” “Blocked Officials File,” or “government official of a designated country”), or can you not tell what the “hit” is?
If it’s hitting against OFAC’s SDN list or targeted countries, continue FORWARD.
If it’s hitting for some other reason, you should contact the “keeper” of whichever other list the match is hitting against. For questions about other lists, GO HERE
If you are unsure whom to contact, please contact your interdict software provider which told you there was a “hit.”
If you can’t tell what the “hit” is, you should contact your interdict software provider which told you there was a “hit.”
Step Two – Quality versus quantity: Now that you have established that the hit is against OFAC’s SDN list or targeted countries, you must evaluate the quality of the hit. Compare the name in your transactions with the name on the SDN list. Is the name in your transaction an individual while the name on the SDN list is a vessel, organization or company (or vice-versa)?
- If yes, you do not have a valid match.
- If no, please continue to question 3.
And skipping ahead to the last step:
Step Five – Hurry up and wait, on the phone that is: Are there a number of similarities or exact matches?
- If yes, please call the hotline at 1-800-540-6322.
- If no, you do not have a valid match.
As we mentioned above, understanding, investigating and reporting potential sanctions violations, to actually get it right, is not easy.
It’s a challenging, subjective amalgam of the proper amount of due diligence and OFAC risk assessments at the front end, properly tuned screening systems in the middle, and decision-making at the end, hopefully done by professionals with a deep understanding of compliance, criminal trends and the tactics employed to evade sanctions programs. While this may be a frustrating exercise resulting in a frantic phone call to OFAC, the good news is that the latest guidance reinforces that any efforts on the front end to create a program won’t be wasted.
In short, putting more resources into a compliance program at the front end – even if the company is found to have made faulty or incorrect decisions – is a move that can gain an operation credit and be leveraged to mitigate penalties at the negotiating table later.