Federal Lawyer

OFAC Risk Assessments and Reviews: OFAC’s Risk Matrix and the Steps for Assessing OFAC Compliance


For financial institutions in the United States of all sizes, complying with the Bank Secrecy Act (BSA) and the various other laws and regulations enforced by the Office of Foreign Assets Control (OFAC) needs to be a priority. Failure to effectively manage OFAC compliance can create substantial legal exposure, and it can even have criminal implications in some cases.

The first step toward effectively managing OFAC compliance is implementing a comprehensive and custom-tailored compliance program. But this is far from all that financial institutions need to do. Financial institutions must proactively manage compliance on an ongoing basis, and this includes conducting OFAC risk assessments and reviews.

Risk Assessments and Reviews are a Key Component of Effective OFAC Compliance Management

Not only are risk assessments and reviews an important aspect of managing compliance, but they are also critical for demonstrating compliance to OFAC. As its Examination Procedures make clear, OFAC expects all financial institutions to conduct documented risk assessments and reviews. When examining financial institutions for compliance, OFAC takes steps including (but not limited to):

Understanding the OFAC Risk Matrix and Its Importance When Conducting Risk Assessments and Reviews

Key to understanding OFAC’s expectations is understanding the OFAC Risk Matrix. This is a regulatory document that appears in the Annex to Appendix A to OFAC’s Economic Sanctions Enforcement Guidelines (31 C.F.R. Part 501). The OFAC Risk Matrix identifies 13 areas of concern, and requires financial institutions to self-assess whether they fall into a “low,” “moderate,” or “high” risk category. The areas of concern in the OFAC Risk Matrix that financial institutions should evaluate when conducting an OFAC assessment and review include:

The Steps for Conducting an Effective OFAC Risk Assessment & Review

When evaluating their compliance efforts in light of the OFAC Risk Matrix, financial institutions need to take an informed and structured approach. They must also conduct their risk assessments and reviews with an unbiased perspective—truly focused on evaluating, rather than attempting to confirm, compliance. With this in mind, some of the critical steps for conducting an effective OFAC risk assessment and review are:

1. Gathering All OFAC Compliance Documentation

To begin the process, financial institutions should gather all OFAC compliance documentation. This includes not only their compliance policies and procedures, but also any documentation of their ongoing compliance efforts and any reports or other records generated by the OFAC compliance officer.

2. Reviewing Training Logs, Board Minutes, and Other Pertinent Records

An OFAC risk assessment and review should also entail an examination of training logs, board minutes, and other pertinent records in light of the OFAC Risk Matrix. Financial institutions should have documentation on hand to substantiate all aspects of their ongoing efforts to maintain compliance with the BSA and other relevant laws and regulations.

3. Reviewing Pertinent Customer, Business, and Transaction Records

An OFAC risk assessment and review also necessarily involves a review of pertinent customer, business, and transaction records. These records should be reviewed in light of the OFAC Risk Matrix and with an eye toward assessing whether a financial institution’s existing compliance program is adequate in light of its current operations.

4. Assessing Risk in Each of the OFAC Risk Matrix’s Areas of Focus as “Low,” “Moderate,” or “High”

After gathering and reviewing all relevant documentation, a financial institution should assess its risk in each of the OFAC Risk Matrix’s areas of focus as “low,” “moderate,” or “high.” For “moderate” and “high” areas in particular, the financial institution should determine whether these assessments are based on discrete events or ongoing risks that will continue to create exposure going forward.

5. Evaluating the Efficacy of the Financial Institution’s OFAC Compliance Program and Determining Next Steps

In light of a financial institution’s assessment under the OFAC Risk Matrix, the financial institution, with its counsel, should evaluate the efficacy of its OFAC compliance program and determine appropriate next steps. Depending on the circumstances, these next steps may range from staying the course and continuing to document the institution’s compliance efforts to conducting an immediate overhaul of its compliance program while also proactively addressing past violations that could lead to OFAC enforcement action.
