Compliance Update with Amy K
by Amy Kleinschmit
Chief Compliance Officer


Earlier this month, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) published “A Framework for OFAC Compliance Commitments” which can be found here.

In the press release that announced the release of these commitments, the Department noted that, “The document also outlines how OFAC may incorporate these components into its evaluation of apparent violations and resolution of investigations resulting in settlements.” Emphasis is added by me – is this a possible sign of things to come on the enforcement side? Either way, it is a good time to review your OFAC program to make sure things are in line with these recently published “commitments.”

As noted in the Framework for OFAC Compliance Commitments, at the link above, there are five essential components for compliance: “(1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.”

A strong compliance program starts with management’s commitment. As discussed by OFAC, it is a “critical factor in determining the success” of the compliance program.

“Effective management support includes the provision of adequate resources to the compliance unit(s) and support for compliance personnel’s authority within an organization. The term “senior management” may differ among various organizations, but typically the term should include senior leadership, executives, and/or the board of directors.”

Another important component is the risk assessment: “A fundamental element of a sound SCP is the assessment of specific clients, products, services, and geographic locations in order to determine potential OFAC sanctions risk. The purpose of a risk assessment is to identify inherent risks in order to inform risk-based decisions and controls.”

An OFAC Risk Matrix can be found here (scroll to end of Appendix A).

Internal controls, which includes written policies and procedures are extremely important as well. “The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the organization’s risk assessments.” The internal controls need to address the results of the OFAC risk assessment and profile.

The testing/auditing component is key to ensure the program is working as designed. This component is also important to identify any weaknesses and deficiencies.

Finally, training - an effective training program is an integral component of a successful compliance program. “The training program should be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually) and generally should accomplish the following: (i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments.”

The recently released OFAC guidance expands on each of these components and it is important that every credit union/OFAC compliance officer take a moment to review.

The guidance ends with a list of “root causes of OFAC sanctions compliance program breakdowns or deficiencies based on assessment of prior OFAC administrative actions.” While all root causes are important for review, a few caught my eye one included, “Sanctions Screening Software or Filter Faults.” The guidance explained “… At times, organizations have failed to update their sanctions screening software to incorporate updates to the SDN List or SSI List, failed to include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions, or did not account for alternative spellings of prohibited countries or parties—particularly in instances in which the organization is domiciled or conducts business in geographies that frequently utilize such alternative spellings (i.e., Habana instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan, etc.)”

As always, CUAD members may contact Amy Kleinschmit with any compliance related questions.



<< Go to Memo List