BSA Strategies - Bank Secrecy Act Risk Assessment and Compliance


 

Knowledge Base

 
OFAC Program

Although not required by specific regulation, banks should, as a matter of sound banking practice and in order to ensure compliance, establish and maintain an effective, written OFAC program commensurate with their OFAC risk profile (based on products, services, customers, and geographic locations).  The program should identify high-risk areas, provide for appropriate internal controls for screening and reporting, establish independent testing for compliance, designate a bank employee or employees as responsible for OFAC compliance, and create training programs for appropriate personnel in all relevant areas of the bank.  A bank’s OFAC program should be commensurate with its respective OFAC risk profile.

 
OFAC Risk Assessment

A fundamental element of a sound OFAC program is the bank’s assessment of its specific product lines, customer base, and nature of transactions and identification of the high-risk areas for OFAC transactions.  The initial identification of high-risk customers for purposes of OFAC may be performed as part of the bank’s CIP and CDD procedures.  As OFAC sanctions can reach into virtually all areas of their operations, banks should consider all types of transactions, products, and services when conducting their risk assessment and establishing appropriate policies, procedures, and processes.  An effective risk assessment should be a composite of multiple factors (as described in more detail below), and depending upon the circumstances, certain factors may be weighed more heavily than others.

Another consideration for the risk assessment is account and transaction parties.  New accounts should be compared with OFAC lists prior to being opened or shortly thereafter.  However, the extent to which the bank includes account parties other than accountholders (e.g., beneficiaries, guarantors, principals, beneficial owners, nominee shareholders, directors, signatories, and powers of attorney) in the initial OFAC review during the account opening process, and during subsequent database reviews of existing accounts, will depend on the bank’s risk profile and available technology.

Based on the bank’s OFAC risk profile for each area and available technology, the bank should establish policies, procedures, and processes for reviewing transactions and transaction parties (e.g., issuing bank, payee, endorser, or jurisdiction).  Currently, OFAC provides guidance on transaction parties on checks.  The guidance states that if a bank knows or has reason to know that a transaction party on a check is an OFAC target, the bank’s processing of the transaction would expose the bank to liability, especially for personally handled transactions in a high-risk area.  For example, if a bank knows or has reason to know that a check transaction involves an OFAC-prohibited party or country, OFAC would expect timely identification and appropriate action.

In evaluating the level of risk, a bank should exercise judgment and take into account all indicators of risk.  Although not an exhaustive list, examples of products, services, customers, and geographic locations that may carry a higher level of OFAC risk include:

  • International funds transfers.
  • Nonresident alien accounts.
  • Foreign customer accounts.
  • Cross-border automated clearing house (ACH) transactions.
  • Commercial letters of credit.
  • Transactional electronic banking.
  • Foreign correspondent bank accounts.
  • Payable through accounts.
  • International private banking.
  • Overseas branches or subsidiaries.


Identifying and reviewing suspect transactions.  The bank’s policies, procedures, and processes should address how the bank will identify and review transactions and accounts for possible OFAC violations, whether conducted manually, through interdiction software, or a combination of both.  For screening purposes, the bank should clearly define its criteria for comparing names provided on the OFAC list with the names in the bank’s files or on transactions and for identifying transactions or accounts involving sanctioned countries.  The bank’s policies, procedures, and processes should also address how it will determine whether an initial OFAC hit is a valid match or a false hit. A high volume of false hits may indicate a need to review the bank’s interdiction program.

The screening criteria used by banks to identify name variations and misspellings should be based on the level of OFAC risk associated with the particular product or type of transaction.  For example, in a high-risk area with a high volume of transactions, the bank’s interdiction software should be able to identify close name derivations for review.  The SDN list attempts to provide name derivations; however, the list may not include all derivations.  More sophisticated interdiction software may be able to catch variations of an SDN’s name not included on the SDN list.  Low-risk banks or areas and those with low volumes of transactions may decide to manually filter for OFAC compliance.  Decisions to use interdiction software and the degree of sensitivity of that software should be based on a bank’s assessment of its risk and the volume of its transactions.  In determining the frequency of OFAC checks and the filtering criteria used (e.g., name derivations), banks should consider the likelihood of incurring a violation and available technology.  In addition, banks should periodically reassess their OFAC filtering system.  For example, if a bank identifies a name derivation of an OFAC target, then OFAC suggests that the bank add the name to its filtering process.

New accounts should be compared with the OFAC lists prior to being opened or shortly thereafter (e.g., during nightly processing).  Banks that perform OFAC checks after account opening should have procedures in place to prevent transactions, other than initial deposits, from occurring until the OFAC check is completed.  Prohibited transactions conducted prior to completing an OFAC check may be subject to possible penalty action.  In addition, banks should have policies, procedures, and processes in place to check existing customers when there are additions or changes to the OFAC list.  The frequency of the review should be based on the bank’s OFAC risk.  For example, banks with a low OFAC risk level may periodically (e.g., monthly or quarterly) compare the customer base against the OFAC list.  Transactions such as funds transfers, letters of credit, and noncustomer transactions should be checked against OFAC lists prior to being executed.  When developing OFAC policies, procedures, and processes, the bank should keep in mind that OFAC considers the continued operation of an account or the processing of transactions post-designation, along with the adequacy of the bank’s OFAC compliance program, to be a factor in determining penalty actions.  The bank should maintain documentation of its OFAC checks on new accounts, the existing customer base, and specific transactions.

If a bank uses a third party, such as an agent or service provider, to perform OFAC checks on its behalf, as with any other responsibility performed by a third party, the bank is ultimately responsible for that third party’s compliance with the OFAC requirements.  As a result, banks should establish adequate controls and review procedures for such relationships.

 
 

Copyright © 2009 BSA Strategies. All rights reserved