Complying with OFAC Financial Sector Sanctions
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) administers and enforces economic and trade sanctions against targeted foreign countries, regimes, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction. OFAC acts under presidential national emergency powers and specific legislation to impose controls on transactions and freeze assets under U.S. jurisdiction.
Financial institutions operating in the United States must comply with OFAC sanctions. This means implementing a risk-based program to identify, mitigate, and manage potential exposure to sanctioned entities and blocked individuals and assets. Failure to comply can result in significant fines and penalties, as discussed in the Consequences section below.
Overview of OFAC Sanctions Programs
OFAC currently administers over 30 economic sanctions programs targeting various countries, groups, and individuals. Some of the major programs include:
- Sanctions on Cuba, Iran, North Korea, Syria, and the Crimea region of Ukraine
- Sanctions against terrorists, narcotics traffickers, and proliferators of weapons of mass destruction
- Sanctions against specific entities and individuals identified on OFAC’s Specially Designated Nationals (SDN) list
Transactions and dealings with targeted countries, entities, and individuals are broadly prohibited. However, each sanctions program contains certain exemptions and authorizations. Financial institutions need to understand the restrictions and exemptions applicable to each program.
Key Components of an OFAC Compliance Program
An effective OFAC compliance program generally contains the following elements:
- Management Commitment – Senior management must commit sufficient resources and provide active oversight of the compliance program.
- Risk Assessment – The organization must conduct an OFAC risk assessment and develop a risk profile. This will inform the design of policies and procedures.
- Internal Controls – Policies, procedures, and processes must be in place to identify, escalate, report, and keep records pertaining to OFAC matches.
- Testing and Auditing – The program must be periodically tested and audited to evaluate effectiveness.
- Training – Relevant personnel must be trained on OFAC compliance duties according to their roles and responsibilities.
The precise contours of the compliance program depend on the organization’s risk profile. Higher-risk institutions need enhanced due diligence, escalation protocols, and oversight.
Sanctions Screening Essentials
A core component of any OFAC compliance program is sanctions screening. This involves checking customers, suppliers, transactions, and other business dealings against OFAC’s SDN list and other prohibited parties lists. Hits should be escalated for further investigation and potential reporting.
Sanctions screening is required whenever there is a financial transaction, trade deal, or other activity involving a U.S. person or that otherwise touches the U.S. financial system. Screening should take place both at onboarding and during periodic reviews.
Effective screening requires:
- Screening software that checks names, addresses, dates of birth, government IDs, and other relevant data points
- Screening in languages relevant to the customers and jurisdictions served
- Screening of all parties involved in a transaction – originators, beneficiaries, intermediaries, etc.
- Screening of relevant non-party data – vessel names, property information, etc.
- Configuring screening software to catch misspellings, name variations, abbreviations, etc.
- Periodically updating screening software against the latest OFAC changes
Responding to Potential OFAC Matches
Upon identifying a potential OFAC match, financial institutions must investigate further. Although many hits turn out to be false positives, others require reporting to OFAC within specified timeframes.
Key steps when escalating potential OFAC matches include:
- Freezing or blocking the transaction or account as required
- Gathering all relevant details about the match – customer info, transaction details, documentation, etc.
- Verifying whether the match is a valid hit or false positive
- If valid, reporting to OFAC within required timeframes
- Seeking clearance from OFAC before proceeding with the transaction
Maintaining detailed documentation and records is critical, as is coordination between AML, legal, and compliance teams.
Consequences of OFAC Violations
Failure to comply with OFAC sanctions can lead to significant enforcement actions resulting in multi-million dollar penalties. Recent cases include:
- JP Morgan Chase paid over $88 million for violations of multiple sanctions programs.
- American Express paid $860,000 for facilitating transactions with SDNs.
- PayPal paid $7.6 million for facilitating payments related to Cuba and other sanctioned jurisdictions.
In addition to corporate liability, individual company executives and compliance officers may face civil penalties upwards of $250,000 per violation. Criminal charges are also possible in egregious cases.
Cases where criminal charges are possible for OFAC violations include:
- Knowingly conducting prohibited transactions with sanctioned entities or individuals
- Facilitating money laundering or terror financing through sanctions evasion
- Falsifying records to conceal sanctions violations
- Obstructing OFAC investigations
- Conspiring to violate sanctions through coordinated schemes
Some factors that can lead to criminal prosecution include[1]:
- Systemic or egregious violations over an extended period
- Concealment of willful misconduct by senior management
- Knowingly processing transactions for narcotics traffickers or terrorists
- Involvement of shell or front companies to evade sanctions
- Lack of cooperation with OFAC investigations
Criminal penalties can include fines up to $1 million and imprisonment up to 20 years per violation[2]. Corporations can face fines up to $100 million[3].
In 2019, UniCredit paid $1.3 billion to resolve US sanctions violations, including conspiracy to violate sanctions and bank fraud charges[4]. In some cases, compliance officers and executives have also faced criminal charges[5].
Given these severe consequences, financial institutions must implement adequate controls, training, and oversight to prevent willful or systemic sanctions violations. Proactive risk management and self-disclosure of potential issues are advised to mitigate penalties.