OFAC Risk Assessments and Reviews: A Key Aspect of Effective OFAC Compliance Management
To effectively manage Office of Foreign Assets Control (OFAC) compliance, financial institutions must not only implement robust compliance programs, but they must also assess the efficacy of their compliance programs on an ongoing basis. This involves conducting periodic risk assessments and reviews. Not only are these risk assessments and reviews essential for effective compliance management, but OFAC expects financial institutions to conduct them as well. Failure to do so can raise red flags during an examination, and this can lead to further scrutiny and an increased risk of penalization.
Conducting an OFAC compliance risk assessment and review is a process with its own particular focus. Financial institutions must conduct their OFAC compliance assessments and reviews with OFAC’s regulatory and enforcement priorities squarely in view. Yet, because OFAC’s specific guidance is relatively limited, it is up to financial institutions (and their counsel) to independently determine what is necessary to satisfy OFAC’s expectations.
“Conducting risk assessments and reviews is a key component of effective OFAC compliance management. This includes not only conducting regularly scheduled assessments and reviews as part of a structured compliance program, but also conducting ad hoc assessments and reviews when concerns or additional compliance obligations arise.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
So, what does it take for financial institutions to conduct effective OFAC risk assessments and reviews? Here is an overview of some key considerations:
OFAC’s Guidance for Risk Assessments & Reviews
OFAC itself has provided some guidance. The Office has published A Framework for OFAC Compliance Commitments (the “Framework”), and the Framework includes details about OFAC’s expectations when it comes to banks’ risk assessments and reviews. In its Framework, OFAC refers to conducting risk assessments and reviews as a “central tenet” of OFAC compliance:
“OFAC recommends that organizations take a risk-based approach when designing or updating [a sanctions compliance program]. One of the central tenets of this approach is for organizations to conduct a routine, and if appropriate, ongoing ‘risk assessment’ for the purposes of identifying potential OFAC issues they are likely to encounter.”
Early in its Framework, OFAC also states that there is “no ‘one-size-fits-all’ risk assessment,” and that banks need to review their operations “from top-to-bottom” to adequately assess their compliance programs’ efficacy. As non-exclusive examples, OFAC states that banks’ risk assessments and reviews should examine the following:
- “Customers, supply chain, intermediaries, and counter-parties;”
- “The products and services it offers, including how and where such items fit into other financial or commercial products, services, networks, or systems;”
- “The geographic locations of the organization, as well as its customers, supply chain, intermediaries, and counter-parties;” and,
- “Mergers and acquisitions, particularly in scenarios involving non-U.S. companies or corporations.”
With regard to frequency, OFAC simply advises that banks should conduct risk assessments and reviews “in a manner, and with a frequency, that adequately accounts for the potential risks.” OFAC does not prescribe a fixed interval; as a practical matter, banks should conduct OFAC risk assessments and reviews at least annually, more-frequent periodic reviews may be warranted by the bank’s risk profile, and certain events (for example, a new product line, a new correspondent relationship, an acquisition, or an apparent violation) may trigger the need for an ad hoc review. While banks should have standardized risk assessment and review procedures, OFAC also instructs that banks should update these procedures as necessary “to account for the root causes of apparent violations or systemic deficiencies identified by the organization during the routine course of business.”
Thus, like all aspects of OFAC compliance, maintaining effective risk assessment and review procedures is an ongoing process. Bank executives and managers must have a clear understanding of transactions and other events (both actual and potential) that have OFAC-related implications. They must also have clear guidance for reporting these events so that the bank’s counsel can update its risk assessment and review procedures as necessary—and conduct ad hoc reviews as warranted.
Issues to Be Evaluated During an OFAC Risk Assessment and Review
To further identify appropriate areas of focus during financial institutions’ risk assessments and reviews, OFAC’s Framework directs financial institutions (and their counsel) to the Annex to Appendix A to OFAC’s Economic Sanctions Enforcement Guidelines (31 C.F.R. Part 501). As OFAC explains in the Framework, “The Annex . . . provides an OFAC Risk Matrix that may be used by financial institutions or other entities to evaluate their compliance programs.”
The Risk Matrix identifies 13 areas of OFAC compliance that financial institutions should evaluate when conducting both scheduled and ad hoc risk assessments and reviews. Rather than providing specific guidance on the steps financial institutions need to take to assess their compliance, OFAC’s Risk Matrix instead focuses on the substantive issues to be evaluated. OFAC largely leaves it up to financial institutions (and their counsel) to determine how to conduct these reviews—and, as explained in greater detail below, to determine when additional compliance measures are needed.
For each of the 13 areas of compliance on the Risk Matrix, OFAC provides examples of what constitute “low,” “moderate,” and “high” levels of risk. In some cases, high risk levels result from compliance deficiencies (e.g., failure to appoint an OFAC compliance officer or to provide adequate training to financial institution personnel). In others, however, high risk levels arise simply out of the nature of a financial institution’s business operations—and, in these cases, assessing and managing risk is a matter of implementing compliance protocols that are suited to the circumstances.
The 13 areas of compliance identified on OFAC’s Risk Matrix are:
- The financial institution’s customer base. A stable, well-known customer base in a localized environment presents the lowest level of risk, while a changing or fluctuating customer base and a large number of international customers increase financial institutions’ risk.
- The financial institution’s volume of high-risk customers. “High-risk” customers include nonresident aliens, foreign individuals, and foreign commercial entities. The more high-risk customers a financial institution has, the greater its risk.
- The financial institution’s number of overseas branches (if any). If a financial institution has overseas branches or correspondent accounts with foreign banks, these are both factors that present increased risk (and enhanced compliance obligations).
- The financial institution’s electronic products and services. While these days nearly all banks provide electronic products and services, this is still considered to be a risk factor under OFAC’s Economic Sanctions Enforcement Guidelines.
- The financial institution’s volume of funds transfers. A large volume of funds transfers is also considered a high-risk activity under OFAC’s Economic Sanctions Enforcement Guidelines. International funds transfers and transfers involving non-customers fall at the higher end of the risk spectrum.
- The financial institution’s other international transactions. Along with international funds transfers, conducting a high volume of other international transactions (e.g., trade finance, cross-border ACH, and sovereign debt transactions) increases a financial institution’s risk level as well.
- The financial institution’s history of OFAC actions. A prior history of OFAC investigations and enforcement actions is a risk factor under OFAC’s Risk Matrix; the Risk Matrix treats unaddressed repeat issues as high risk, and prior actions that the institution has remediated as a lesser concern. While financial institutions cannot undo the past, they can (and should) document the corrective action taken in response to prior issues and take steps to forge a positive relationship with OFAC going forward.
- Management’s demonstrated commitment to OFAC compliance (or lack thereof). OFAC expects financial institutions to take a top-down approach to compliance and risk management. If management has “fully assessed the institution’s level of risk based on its customer base and product lines,” this puts a financial institution on the low end of the risk spectrum. Conversely, if management “does not understand, or has chosen to ignore, key aspects of OFAC compliance risk,” this will increase the risks associated with facing scrutiny from OFAC.
- The board’s approval of the financial institution’s compliance program (or lack thereof). Similarly, OFAC considers board approval to be a key aspect of effective compliance management as well. When conducting OFAC risk assessments and reviews, financial institutions should ensure that they have adequate documentation of their board’s involvement in the compliance management process.
- The financial institution’s staffing level. If a financial institution is inadequately staffed to effectively manage OFAC compliance, this is an issue that can lead to enhanced oversight from OFAC.
- The financial institution’s appointment of an OFAC compliance officer and team. Along with maintaining adequate staffing, financial institutions must also ensure that they continuously have an appointed OFAC compliance officer and a sufficient team to effectively manage their compliance obligations.
- Employees’ training on OFAC compliance and risk management. Based on OFAC’s Risk Matrix, financial institutions should provide internal training that is “appropriate and effective based on the institution’s risk profile.” Their training programs should also “cover applicable personnel, and provide necessary up-to-date information and resources to ensure compliance.”
- The financial institution’s quality control methods. Finally, OFAC’s Risk Matrix indicates that financial institutions should employ “strong quality control methods” to assist with continuously maintaining OFAC compliance.
While OFAC’s Risk Matrix identifies low, moderate, and high-risk practices and circumstances, it does not specifically state how much risk is too much, nor does it state when a financial institution’s risk level exposes it to possible civil or criminal enforcement action. Instead, it is up to financial institutions (and their counsel) to make these determinations case-by-case.
What is clear is that there is a balance to be struck: financial institutions must address OFAC’s stated priorities while also giving due consideration to their financial constraints and operational limitations. Ultimately, compliance must carry the day, and financial institutions must work with their counsel to ensure that they do not sit too far toward the high end of OFAC’s Risk Matrix.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.