On Monday, OFAC published new enforcement guidelines in the federal register. You can access them here. These guidelines supersede earlier enforcement guidelines issued in 2003 and 2006. The are effective immediately.
In short, OFAC wanted to share the process it navigates when it decides whether to punish an entity for OFAC violations, or whether to do anything at all. From my reading, these guidelines are designed to reward institutions with strong OFAC compliance programs, and especially those that voluntarily disclose the violation to OFAC. Conversely, those violations that are deemed to be reckless, willful, etc., will be treated more harshly. An egregious case (yes, that's defined) where there was no voluntary self-disclosure could end up with a $250,000 penalty.
If you are in charge of your credit union's OFAC program, this is a must read.
Here are some other OFAC resources: