
BSA/AML/OFAC: Recent settlement highlights complicated OFAC sanctions compliance

By Jennifer Morrison, VP, Senior Risk Manager

April 28, 2016 -- On February 8, 2016, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a $2,485,690 settlement with Barclays Bank Plc (Barclays) over its potential civil liability for 159 apparent violations of the Zimbabwe Sanctions Regulations, 31 C.F.R. Part 541. Like all legal and regulatory actions, this is informative for credit unions as we approach pending “beneficial ownership” rules and regulations and their possible program obligations.

OFAC alleged that Barclays processed these transactions totaling $3,375,617 to or through financial institutions located in the U.S., including Barclays’ New York branch, for or on behalf of corporate customers of Barclays Bank of Zimbabwe Limited. These corporate clients were owned 50% or more, directly or indirectly, by a person identified on OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List).

In previous months, the pending regulation also known as “beneficial ownership” has been discussed in this column. This settlement gives us an example of the level of knowledge that may be expected following the enactment of this pending regulation, including the identification of those with ownership at or above a 25% threshold. The necessary customer (member) due diligence could have and should have been conducted by Barclays in-country, resulting in knowledge of the true owner(s) of the corporate entities involved.

This is also an example of the reach of the Bank Secrecy Act (BSA) and the USA PATRIOT Act. Globally, it is unusual to find financial regulation imposed upon activities conducted by non-citizens, but U.S. law is applied to foreign citizens and entities that conduct business in the U.S. or with U.S. citizens and entities in other countries.

OFAC requires all parties to a transaction to be in compliance with the law. It is not just the originating depository financial institution (ODFI) or receiving depository financial institution (RDFI), or even the payment processor, who must be compliant. ALL parties must be compliant with OFAC. And a financial institution cannot rely on any of the other parties to the transaction for its own compliance.

About OFAC and sanctions programs

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the U.S.

As part of its enforcement efforts, OFAC publishes a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called "Specially Designated Nationals" or "SDNs." Their assets are blocked, and U.S. persons are generally prohibited from dealing with them.  

Sanctions programs are altogether different. Sanctions programs cover a range of activity with no dollar limit. Sanctions may be issued initially by a global entity like the United Nations, targeting certain behaviors in a country or region, but the issuance has no force of law until a government acts. Unlike OFAC, which follows U.S. citizens and entities into other nations, U.S. sanctions programs have no force of law outside of the U.S. Other nations like Japan and the U.K. issue sanctions, as does the European Union (EU).

OFAC, at its Resource Center, publishes a list of sanctions programs with a “last updated” date listed for reference. It is critical for credit unions that conduct international wire transactions not only to utilize the OFAC SDN lists, but also to become familiar with the list of sanctions, including the list of countries and jurisdictions impacted.

A credit union should filter international wire transfers, including all wire instructions (beneficiaries, originators, and all financial institution intermediaries) for these higher risk geographies. FinCEN, in its FIN-2016-A001 Advisory, reminds financial institutions that enhanced due diligence (EDD) is required (31 C.F.R. § 1010.610(b)) when conducting transactions involving jurisdictions with AML/CFT deficiencies. This would also extend to sanctions programs.

Higher-risk products and services

I have written several times about the need to understand your credit union’s risk appetite, but it is equally important to provide products and services consistent with your institution’s risk appetite. There is nothing ‘wrong’ with providing international wire transfers to these higher risk jurisdictions unless your board and management are not comfortable with the risks.

As a compliance professional, you need to educate your board and management about the BSA/AML, OFAC and sanctions risks inherent in the products and services you provide, the members you serve, the geographies served, and the channels through which you provide the products and services (i.e., branches, web, mobile). This is where your BSA/AML and OFAC risk assessment, and perhaps even a separate sanctions risk assessment, conducted at least annually, is critical to your overall compliance program. The board must act to accept the risk assessment(s), at least annually, and their action must be reflected in the board minutes.

The only time a regulator should criticize your level of risk taking, assuming it is consistent with your risk appetite, is when you are taking risks without sufficient mitigation.

If you think of an equation, you have a level of inherent risk in every activity conducted by your credit union, including products and services, members and geographies served. Your mitigation is in the controls you put in place and the effectiveness of the controls. What remains is residual risk. The level of residual risk is what the board has to be comfortable with, assuming that your controls are and remain effective. Residual risk is “what can go wrong even with effective controls in place” plus, “what can go wrong when or if controls fail.”

Controls include your EDD program—the automated and manual monitoring systems that identify riskier transactions, monitoring members who conduct riskier transactions across all account relationships, training your branch personnel to be observant of certain “red flags,” and some of the third parties you might use for SDN and sanctions screening.

For example, a credit union may find it has a member conducting wire transactions to or from Russia. To ensure sanctions compliance, it is necessary to fully understand the purpose of the transaction(s), the parties to the transaction, and the source and/or use of the funds involved in the transfers. The U.S. sanctions program targets the Crimea Region and limits certain financial activities with target persons and entities. Many of the entities have global reach. It is critical not only to OFAC-scan all parties to a wire transfer, but also to investigate the entities to ascertain whether any named entity is owned by persons and entities covered by the sanctions program and/or on the SDN list. There can be literally hundreds of layers of ownership, and without proper due diligence, you could find your credit union in violation of a sanctions program.

Failure to comply with various sanctions can bring significant fines. One need only look at recent OFAC settlements, such as Barclays.

If you decide to serve higher-risk geographies, become an expert on the relevant sanctions programs, as well. Make sure you have the tools necessary to do the investigations into the beneficial owners and controllers of the entities, subscribe to the appropriate search tools and databases, and know how to go beyond a “Google” search when seeking relevant information on foreign entities and persons. The website SearchEngineColossus.com is a relevant tool for finding open-source search tools for other nations.

In addition, sign up for emailed alerts of all OFAC changes on the U.S. Treasury website. Even if your provider does not update your SDN list immediately, the OFAC update is effective immediately. You must be compliant in real time.

Reliance on OFAC scanning and SDN searches also means you must periodically test that the SDN list you are using is current. Testing your SDN list’s compliance can be quickly accomplished using the emailed SDN changes from the alert site above. For example, if you input the emailed changes to the SDN list in your membership-opening procedure, you can determine if your SDN list is getting timely updates. This quick procedure done with each SDN list change meets the required OFAC compliance testing found in the FFIEC BSA/AML Examination Manual.

Certain OFAC and sanctions transactions require a license. Information regarding licenses can be found at the OFAC website, including how to validate the license.

In the event of a question regarding the permissibility of a particular transaction, contact OFAC. The following webpage walks through a series of questions to help determine if you have a possible match to the SDN list or another of the sanctions lists:

When should I call the OFAC Hotline?

If in doubt, call the OFAC hotline, leaving a message requesting a call-back (1-800-540-6322).

OFAC and sanctions compliance is key and critical to your overall compliance program. It is critical to preventing unnecessary risk, examiner findings and possible fines.