Conducting an OFAC Risk Assessment & Review: An Overview
The Office of Foreign Assets Control (OFAC) expects financial institutions to conduct periodic risk assessments and reviews. This is clear from OFAC’s Examination Procedures, which specifically reference examining the efficacy of a financial institution’s compliance program “based on” or “in the context of” the institution’s risk assessment in multiple instances.
To conduct an OFAC risk assessment and review, a financial institution must work with its counsel to critically examine multiple types of records in light of the requirements imposed by the Bank Secrecy Act (BSA), OFAC’s regulations, and other pertinent sources of federal authority. The financial institution and its counsel must be able to appropriately apply the relevant requirements and governing principles to the institution’s compliance efforts to determine if these efforts are sufficient to withstand OFAC scrutiny.
“Conducting risk assessments and reviews is a key component of effective OFAC compliance management. Not only is conducting these assessments critical for assessing the efficacy of financial institutions’ compliance programs, but OFAC expects to see documentation of these assessments when conducting its own examinations.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
Too often, financial institutions and other businesses approach compliance-focused risk assessments from the perspective of trying to confirm their compliance. The organization’s leaders want to be able to say that they have done everything necessary and that revisiting the organization’s compliance program is not required. While this may be the ideal outcome, it is not the right approach, as it can lead to contorted interpretations that only serve to leave the organization’s exposure unmitigated. Instead, when conducting a risk assessment and review, the focus should be on gaining an unbiased understanding of the facts at hand so the organization’s leaders can do what is necessary going forward.
10 Steps for Conducting an OFAC Risk Assessment & Review
There are several steps involved in conducting an effective OFAC assessment and review. While the specific steps that are necessary vary case by case, here is an overview of the general process for evaluating a financial institution’s OFAC compliance program:
1. Review OFAC’s Risk Matrix
The starting point is OFAC’s Risk Matrix. This is a regulatory document that appears in the Annex to Appendix A to OFAC’s Economic Sanctions Enforcement Guidelines (31 C.F.R. Part 501). As OFAC explains:
“The purpose of a risk assessment is to identify inherent risks in order to inform risk-based decisions and controls. The Annex to Appendix A to 31 C.F.R. Part 501 . . . provides an OFAC Risk Matrix that may be used by financial institutions or other entities to evaluate their compliance programs.”
The Risk Matrix identifies 13 areas of concern and provides examples of “low,” “medium,” and “high” risk scenarios. When conducting OFAC risk assessments and reviews, financial institutions must self-assess their risk in each of these 13 areas. Then, based on this assessment, they must judge the overall efficacy of their compliance programs and determine what additional steps (if any) are necessary to maintain compliance with the BSA, OFAC’s regulations, and all other pertinent sources of authority. The 13 areas identified in OFAC’s Risk Matrix are:
- The identity and geographical location (i.e., domestic or international) of the financial institution’s customer base
- The financial institution’s number of high-risk customers
- The financial institution’s number of overseas branches and correspondent accounts with foreign banks
- Whether the financial institution offers electronic products and services
- The financial institution’s volume of funds transfers involving international transactions and non-customers
- The financial institution’s volume of other international transactions
- Any history of OFAC investigations and/or enforcement actions
- Whether the financial institution’s management has adequately demonstrated a commitment to OFAC compliance
- Whether the board has approved the financial institution’s OFAC compliance program
- Whether the financial institution has adequate staffing to maintain OFAC compliance
- Whether the financial institution has appointed an OFAC compliance officer and team
- Whether all relevant personnel have received adequate OFAC compliance training
- Whether the financial institution’s quality control methods are “strong,” “limited,” or non-existent
2. Review the Financial Institution’s OFAC Compliance Documentation
At the outset of the process, counsel should thoroughly review the financial institution’s compliance documentation in light of the current governing laws and regulations. Counsel should both (i) be familiar with the financial institution’s compliance documentation during the risk assessment process, and (ii) be able to identify any deficiencies in the institution’s compliance documentation based on changes in the governing law.
3. Review Training Logs, Board Meeting Minutes, and Other Relevant Internal Records
In light of OFAC’s Risk Matrix, internal records such as training logs and board meeting minutes are key sources of information when conducting a risk assessment and review. Counsel should review these internal records to determine whether they place the financial institution in the “low,” “moderate,” or “high” risk category for each of the relevant areas of focus on the Risk Matrix.
4. Review Relevant Customer and Transaction Records
Customer and transaction records are also highly relevant when conducting an OFAC risk assessment and review. When reviewing these records, counsel must be familiar with OFAC’s definition of a “high-risk” customer as well as the various types of transactions and their OFAC-related implications. Along with reviewing these records in light of OFAC’s Risk Matrix, counsel should also assess whether any individual customers or transactions present enforcement risks (and the need to consider voluntary self-disclosure) due to potential violations of OFAC’s country-based, sector-based, or list-based sanctions.
5. Interview Internal Personnel as Necessary
During the risk assessment and review process, the financial institution’s counsel may need to interview internal personnel regarding various aspects of the institution’s compliance program, records management processes, or individual records or transactions. These personnel should generally be instructed to keep the substance of their interviews confidential, as disclosure could potentially jeopardize the institution’s defense in the event of a high-risk OFAC examination.
6. Assign “Low,” “Moderate,” and “High” Risk Ratings Based on OFAC’s Risk Matrix
After reviewing all relevant records and interviewing internal personnel as necessary, the financial institution’s counsel should assign a “low,” “moderate,” or “high” risk rating to each of the focus areas on OFAC’s Risk Matrix. While the Risk Matrix provides examples of each rating in each focus area, counsel will often need to judge how to rate a financial institution’s risk based on specific facts and circumstances that are not contemplated in the Risk Matrix.
7. Evaluate the Financial Institution’s Overall Compliance and Risk Profiles
Based on these 13 individual assessments, counsel should then evaluate the financial institution’s overall compliance and risk profiles. Is the institution’s OFAC compliance program functioning as intended? If not, where is it deficient, and why? What changes or updates are needed for the institution to begin managing compliance effectively? Based on the outcome of the risk assessment and review, what is the institution’s overall level of risk with regard to the potential for OFAC enforcement? These are all critical questions that require informed and actionable answers.
8. Evaluate the Need for Voluntary Self-Disclosure to OFAC
If a financial institution’s risk assessment and review uncovers compliance deficiencies, the institution’s counsel should consider the need to submit a voluntary self-disclosure to OFAC. As explained in OFAC’s online FAQs, “Voluntary self-disclosure to OFAC is considered a mitigating factor by OFAC in enforcement actions, and pursuant to OFAC’s Enforcement Guidelines, will result in a reduction in the base amount of any proposed civil penalty.”
However, submitting a voluntary self-disclosure is not a matter to be taken lightly. Disclosing statutory or regulatory violations to any federal agency inherently carries risk, and the consequences of BSA violations and other similar types of violations can be particularly substantial. As a result, even when voluntary self-disclosure is the right choice, financial institutions and their counsel must still be extremely careful to navigate the process as safely as possible.
9. Revise and Update the Financial Institution’s OFAC Compliance Program As Necessary
If a financial institution’s risk assessment and review uncovers compliance deficiencies, it may also be necessary to revise and/or update the institution’s OFAC compliance program. Program deficiencies can result from oversights, ambiguities, changes in the law, and a variety of other factors. Ultimately, however, the reason for a deficiency is less important than the remedy that is needed. While understanding the reason for a deficiency can be important for protecting the financial institution in the future, in the short term, the focus should be on bringing the institution’s practices into compliance.
10. Use Lessons Learned to Implement Any Necessary Changes
Once any immediate concerns have been addressed, financial institutions should use the lessons learned from their OFAC risk assessments and reviews to implement any necessary changes going forward. Does the institution need to place greater emphasis on training? Does the institution’s compliance team need additional resources or additional personnel? Does the institution need to implement new systems and protocols to more effectively manage its risk related to high-risk customers and transactions? These are just a few examples of the types of questions financial institutions should be prepared to address with their counsel going forward.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.