Who Must Comply with OFAC?
The Office of Foreign Assets Control (OFAC) is an agency within the U.S. Treasury Department that is responsible for overseeing cross-border transactions. While not all cross-border transactions have federal legal or regulatory implications, many do—and financial institutions, businesses, and individuals must all take adequate steps to ensure that they do not engage in or facilitate prohibited transactions.
While most people are unaware of OFAC and the role it plays in regulating cross-border transactions, OFAC’s reach is extremely broad. As the agency itself explains:
“U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent resident aliens regardless of where they are located, all persons and entities within the United States, all U.S. incorporated entities and their foreign branches. In the cases of certain programs, foreign subsidiaries owned or controlled by U.S. companies also must comply. Certain programs also require foreign persons in possession of U.S.-origin goods to comply.”
This means that domestic and foreign financial institutions, domestic and foreign businesses, and U.S. and foreign citizens living in the U.S. and abroad can all potentially face scrutiny from OFAC. As a result, all U.S. and foreign entities and individuals doing cross-border business must evaluate the implications of the Bank Secrecy Act (BSA) and OFAC’s sanctions programs, and they must implement compliance efforts and programs that are suitable to the risks at hand.
Understanding the Breadth of OFAC’s Enforcement Authority
With a statement like, “All entities and individuals are subject to OFAC compliance,” it is easy to dismiss specific entities’ and individuals’ compliance obligations. But, while some entities and individuals certainly ignore (or are unaware of) what OFAC requires, this is not an excuse for non-compliance. OFAC regularly pursues enforcement actions targeting both entities and individuals; and, in doing so, it targets all types of statutory, regulatory, and sanctions-related violations.
With this in mind, here is a closer look at who must comply with OFAC in 2023:
1. “Financial Institutions” Under the Bank Secrecy Act
OFAC is one of several federal agencies responsible for enforcing the Bank Secrecy Act. The BSA applies to “financial institutions,” which are defined broadly in 31 U.S.C. Section 5312(a)(2). Financial institutions that are subject to the BSA (and subject to OFAC oversight) include:
- FDIC-insured banks
- Commercial banks and trust companies
- Private bankers
- U.S. agencies and branches of foreign banks
- Credit unions
- Thrift institutions
- Brokers and dealers registered with the U.S. Securities and Exchange Commission (SEC)
- Unregistered securities and commodities brokers and dealers
- Investment bankers
- Investment companies
- Currency exchanges
- Issuers, redeemers, and cashers of traveler’s checks, money orders, and “similar instruments”
- Credit card system operators
- Insurance companies
- Precious metals, stones, and jewels dealers
- Loan and financing companies
- Travel agencies
- Licensed money transmission businesses
- Telegraph companies
- Automobile, airplane, and boat dealers
- Casinos and other gambling establishments
- Futures commission merchants, commodity trading advisors, and commodity pool operators registered under the Commodity Exchange Act (CEA)
- Other businesses and agencies designated by the U.S. Treasury Department
As you can see, this list is much broader than most people’s conception of what qualifies as a financial institution. Not only does it cover various types of businesses, but it also covers individuals in various financial, securities, and commodities-related occupations.
2. Other Business Entities in the U.S. and Abroad
In addition to regulating “financial institutions” under the BSA, OFAC also regulates other types of business entities in the U.S. and abroad. As noted in the quote above, OFAC’s regulatory authority extends to:
- All entities within the United States
- All U.S.-incorporated entities and their foreign branches (regardless of where they are located)
- Certain foreign subsidiaries owned or controlled by U.S. companies
- Certain foreign “persons” (which includes business entities) in possession of U.S.-origin goods
While companies that exclusively do business domestically within the United States generally will not encounter transactions with OFAC-related implications, even a single cross-border transaction can be enough to trigger OFAC compliance obligations. In some cases, companies won’t necessarily have control over whether they face OFAC implications (i.e., if they receive an inquiry from a foreign customer in a sanctioned country)—yet they must still be prepared to meet OFAC’s requirements in this scenario.
3. U.S. Citizens and Residents
Even certain individuals can face OFAC compliance obligations in 2023. OFAC’s regulations and sanctions programs apply to “all U.S. citizens and permanent resident aliens regardless of where they are located, [and] all [other] persons . . . within the United States.” While individuals may not have the same compliance burdens as financial institutions and other businesses, they must still take adequate steps to ensure that they are not engaging in transactions that violate the BSA or OFAC’s rules or sanctions. The consequences of violating any of these sources of authority can be substantial, and OFAC has shown a willingness to target both entities and individuals in enforcement actions in recent years.
4. OFAC’s Sanctions Programs
While there are numerous aspects to OFAC compliance in 2023, financial institutions and other businesses and individuals must pay particular attention to the prohibitions imposed by OFAC’s sanctions programs. These programs prohibit transactions with certain foreign entities and individuals—whether specifically (i.e., those labeled as Specially Designated Nationals (SDNs)) or as a result of being located in a specified country or involved in a specified industry sector.
OFAC’s sanctions lists (including the SDN List) are publicly available, and OFAC expects all entities and individuals to review these lists before engaging in or facilitating transactions that involve foreign parties. Additionally, OFAC’s country-based sanctions currently prohibit or restrict transactions with parties in the following nations (regardless of whether they are individually designated as SDNs):
- Hong Kong
- North Korea
- Sudan, Darfur, and South Sudan
As OFAC updates its sanctions programs regularly, it is important that financial institutions and other businesses and individuals review OFAC’s lists regularly to ensure that they are adequately addressing their compliance duties. Even inadvertent OFAC violations can lead to penalties, and “willful ignorance” is not a defense to engaging in or facilitating a prohibited transaction.
What Does it Take to Comply with OFAC in 2023?
Given the extraordinarily long list of who must comply with OFAC in 2023, financial institutions and businesses of all sizes (as well as many individuals) must assess their compliance obligations. So, what does it take to maintain OFAC compliance?
OFAC compliance obligations vary depending on financial institutions’ and other businesses’ and individuals’ risks. The nature and volume of an entity’s or individual’s cross-border business will determine the extent of its compliance obligations, and the size and geographic disbursement of an entity’s operations can play a role in determining its compliance program needs as well.
With this in mind, here are some of the overarching considerations involved in addressing OFAC compliance:
1. Conducting an OFAC Compliance Needs Assessment
At-risk entities and individuals that have not yet conducted OFAC compliance needs assessments (or that have not done so recently) should work with experienced legal counsel to determine the scope of their compliance obligations and assess what they need to do to satisfy OFAC’s requirements. OFAC compliance requires a custom-tailored approach, as entities and individuals must meet all applicable statutory and regulatory requirements without unnecessarily devoting resources to compliance obligations that do not apply.
2. Applying OFAC’s Framework and Risk Matrix
A Framework for OFAC Compliance Commitments and OFAC’s Risk Matrix are two key tools for assessing entities’ and individuals’ OFAC compliance obligations. Applying these to an entity’s or individual’s cross-border financial activity is an important (but non-exclusive) step toward effectively managing OFAC compliance.
3. Developing Adequate Policies and Procedures
After conducting a compliance needs assessment and applying OFAC’s guidance, entities and individuals can then focus on developing adequate policies and procedures. Once again, each entity’s and individual’s compliance efforts must be custom-tailored to its specific risks and needs.
4. Compliance Program Implementation and Training
Along with developing a custom-tailored OFAC compliance program, effective implementation is also key. This includes conducting adequate training, implementing effective software tools (i.e., sanctions screening software), and putting in place protocols that are designed to allow for the systematic identification of high-risk transactions.
5. Testing, Auditing, Enforcement, and Incident Response
Effectively managing OFAC compliance on an ongoing basis requires testing, auditing, and enforcement. Entities and individuals must also have protocols in place to respond to inadvertent compliance failures. Depending on the circumstances, this may (or may not) include making a voluntary self-disclosure to OFAC in order to mitigate their exposure to civil monetary penalties (CMP).
Contact the OFAC Compliance and Defense Lawyers at Oberheiden P.C.
Do you need to know more about who must comply with OFAC or what it takes to manage an effective OFAC compliance program in 2023? If so, we invite you to contact us for more information. We represent financial institutions and other businesses and individuals in all OFAC matters nationwide. To schedule an appointment with an OFAC lawyer at Oberheiden P.C., please call 888-680-1745 or tell us how we can help online today.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.