Written by Michael Coleman, Regulatory Compliance Counsel
Yesterday, June 12th, 2012, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a settlement with ING Bank N.V. (ING Bank) for potential violations of U.S. sanctions in the amount of $619 million, the largest OFAC settlement of any kind to date. The settlement resolves OFAC’s investigation into ING Bank’s intentional and systemic violation of U.S. sanctions. In light of this monumental settlement, I thought it might be useful to highlight some guidance on OFAC compliance programs.
OFAC’s Frequently Asked Questions directory contains a large number of useful Q&A’s concerning OFAC requirements. If you have not visited the site before it is worth taking a look. Here is a Q&A from the directory concerning financial institutions’ OFAC compliance programs:
No. There is no single compliance program suitable for every financial institution. OFAC is not itself a bank regulator; its basic requirement is that financial institutions not violate the laws that it administers. Financial institutions should check with their regulators regarding the suitability of specific programs to their unique situations. [09-10-02]”
As the OFAC Q&A points out, there are no specific regulations requiring compliance with OFAC requirements. Rather, financial institutions, including credit unions, should look to their regulators for their OFAC compliance expectations. NCUA’s expectations regarding a credit union’s OFAC compliance program can be found in the Federal Financial Institutions Examination Council (FFIEC), BSA/AML Examination Manual. The FFIEC BSA/AML Examination Manual contains an OFAC Overview section which talks about OFAC compliance programs, it reads:
“OFAC Compliance Program
While not required by specific regulation, but as a matter of sound banking practice and in order to ensure compliance, banks should establish and maintain an effective, written OFAC compliance program commensurate with their OFAC risk profile (based on products, services, customers, and geographic locations). The program should identify higher-risk areas, provide for appropriate internal controls for screening and reporting, establish independent testing for compliance, designate a bank employee or employees as responsible for OFAC compliance, and create training programs for appropriate personnel in all relevant areas of the bank. A bank’s OFAC compliance program should be commensurate with its respective OFAC risk profile.” (emphasis added).
As the guidance indicates, a credit union’s OFAC compliance program is a risk based program in nature. The OFAC overview also contains a section on Internal Controls, and states that an effective OFAC compliance program should include the following internal control elements:
- Identifying and reviewing suspect transactions
- Updating OFAC lists
- Screening Automated Clearing House (ACH) transactions
- Maintaining license information
The FFIEC BSA/AML Examination Manual OFAC Overview provides a very good summary of NCUA’s expectations concerning OFAC compliance, I would suggest taking a look through it if you have not already. OFAC compliance is sure to continue to be a hot topic with NCUA in examinations, and as this U.S. Treasury settlement with ING Bank shows, non-compliance can be costly.
NAFCU's BSA Webcast. Now is the perfect time to get your annual BSA training. Check our NAFCU's June 27th webcast: BSA for Compliance Experts. Sign up by June 20 to Save $100!