OFAC Risk Assessments and Reviews: OFAC’s Risk Matrix and the Steps for Assessing OFAC Compliance
For financial institutions in the United States of all sizes, complying with the Bank Secrecy Act (BSA) and with the economic sanctions programs administered and enforced by the Office of Foreign Assets Control (OFAC) needs to be a priority. Failure to effectively manage OFAC compliance can create substantial legal exposure, and in some cases it can even carry criminal implications.
The first step toward effectively managing OFAC compliance is implementing a comprehensive and custom-tailored compliance program. But this is far from all that financial institutions need to do. Financial institutions must proactively manage compliance on an ongoing basis, and this includes conducting OFAC risk assessments and reviews.
Risk Assessments and Reviews are a Key Component of Effective OFAC Compliance Management
Not only are risk assessments and reviews an important aspect of managing compliance, but they are also critical for demonstrating compliance to OFAC and to the institution's examiners. As the OFAC examination procedures in the FFIEC BSA/AML Examination Manual make clear, examiners expect financial institutions to conduct documented risk assessments and to build their compliance programs on those assessments. When examining financial institutions for OFAC compliance, examiners take steps including (but not limited to):
- “Determin[ing] whether the board of directors and senior management of the bank have developed policies, procedures, and processes based on their risk assessment to ensure compliance with OFAC laws and regulations;”
- “Review[ing] the bank’s OFAC compliance program in the context of the bank’s OFAC risk assessment;” and,
- “Review[ing] the adequacy of the bank’s OFAC training program based on the bank’s OFAC risk assessment.”
Understanding the OFAC Risk Matrix and Its Importance When Conducting Risk Assessments and Reviews
Key to understanding these expectations is understanding the OFAC Risk Matrix. This is a regulatory document that appears in the Annex to Appendix A to 31 C.F.R. Part 501, OFAC’s Economic Sanctions Enforcement Guidelines, and the same matrix is reproduced in the FFIEC BSA/AML Examination Manual. The OFAC Risk Matrix identifies 13 areas of concern and provides a framework for financial institutions to self-assess whether they fall into a “low,” “moderate,” or “high” risk category in each area. The areas of concern in the OFAC Risk Matrix that financial institutions should evaluate when conducting an OFAC assessment and review include:
- The identity and geographic location of the financial institution’s customer base;
- The financial institution’s volume of high-risk customers (defined as “nonresident aliens, foreign customers (including accounts with U.S. powers of attorney), and foreign commercial customers”);
- The financial institution’s number of overseas branches and correspondent accounts with foreign banks (if any);
- The nature and volume of the financial institution’s electronic products and services;
- The financial institution’s volume of funds transfers, including specifically transfers involving non-customers and cross-border transactions;
- The financial institution’s volume of other international transactions (including “trade finance, cross-border ACH, and management of sovereign debt”);
- The financial institution’s history of OFAC investigations and enforcement actions (if any);
- Management’s demonstrated commitment (or lack thereof) to OFAC compliance;
- The board’s approval (or lack thereof) of the financial institution’s compliance program;
- Whether the financial institution’s staffing level is adequate to effectively manage OFAC compliance;
- Whether the financial institution has appointed an OFAC compliance officer and team, and whether these personnel are performing their job functions effectively;
- Whether other bank employees have received adequate training (both initial and ongoing) on OFAC compliance and risk management; and,
- Whether the financial institution’s quality control methods are “strong,” “limited,” or non-existent.
The Steps for Conducting an Effective OFAC Risk Assessment & Review
When evaluating their compliance efforts in light of the OFAC Risk Matrix, financial institutions need to take an informed and structured approach. They must also conduct their risk assessments and reviews with an unbiased perspective—truly focused on evaluating, rather than attempting to confirm, compliance. With this in mind, some of the critical steps for conducting an effective OFAC risk assessment and review are:
1. Gathering All OFAC Compliance Documentation
To begin the process, financial institutions should gather all OFAC compliance documentation. This includes not only their compliance policies and procedures, but also any documentation of their ongoing compliance efforts and any reports or other records generated by the OFAC compliance officer.
2. Reviewing Training Logs, Board Minutes, and Other Pertinent Records
An OFAC risk assessment and review should also entail an examination of training logs, board minutes, and other pertinent records in light of the OFAC Risk Matrix. Financial institutions should have documentation on hand to substantiate all aspects of their ongoing efforts to maintain compliance with the BSA and other relevant laws and regulations.
3. Reviewing Pertinent Customer, Business, and Transaction Records
An OFAC risk assessment and review also necessarily involves a review of pertinent customer, business, and transaction records. These records should be reviewed in light of the OFAC Risk Matrix and with an eye toward assessing whether a financial institution’s existing compliance program is adequate in light of its current operations.
4. Assessing Risk in Each of the OFAC Risk Matrix’s Areas of Focus as “Low,” “Moderate,” or “High”
After gathering and reviewing all relevant documentation, a financial institution should assess its risk in each of the OFAC Risk Matrix’s areas of focus as “low,” “moderate,” or “high.” For “moderate” and “high” areas in particular, the financial institution should determine whether these assessments are based on discrete events or ongoing risks that will continue to create exposure going forward.
5. Evaluating the Efficacy of the Financial Institution’s OFAC Compliance Program and Determining Next Steps
In light of a financial institution’s assessment under the OFAC Risk Matrix, the financial institution, with its counsel, should evaluate the efficacy of its OFAC compliance program and determine appropriate next steps. Depending on the circumstances, these next steps may range from staying the course and continuing to document the institution’s compliance efforts, to conducting an immediate overhaul of its compliance program while also proactively addressing past violations that could lead to OFAC enforcement action.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.