OFAC’s new compliance framework: 5 takeaways for credit unions
Recently, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published “A Framework for OFAC Compliance Commitments” to help organizations—including credit unions—take a risk-based approach to developing a sanctions compliance program.
Entities like the Wolfsberg Group and the Financial Crimes Enforcement Network (FinCEN) have released similar guidance in the past, but issuing an official sanctions compliance framework is new territory for OFAC. OFAC’s motivation for publishing the framework is unclear, but it could be the seemingly record-setting pace for enforcement cases in 2019. OFAC has levied more than $1.2 billion in civil money penalties against businesses so far this year.
It’s important to remember that a one-size-fits-all sanctions compliance program doesn’t exist. Each program will vary depending on several factors, including your credit union’s size, geographic location and members. However, the OFAC framework recommends that every sanctions program should focus on these five essential components of compliance:
- Management Commitment
- Risk Assessment
- Internal Controls
- Testing and Auditing
- Training
So, how should your credit union incorporate ideas from the framework? Here are specific takeaways, based on the five compliance components above, that you can implement right away to improve your OFAC compliance efforts.
1. Choose Your Credit Union’s OFAC Compliance Officer
Identifying an OFAC compliance officer to serve as a compliance linchpin and promote a “culture of compliance” enterprisewide is crucial to the success of your sanctions program.
This is someone you can hire or promote from within if you have a qualified internal candidate. The OFAC officer will fuel leadership’s engagement every step of the way, ensure employees are properly trained and continuously monitor your program for deficiencies.
2. Risk Assessment: Don’t Re-invent the Wheel
Risk assessments can be scary and daunting, but they needn’t be. Your risk assessment should inform due diligence efforts during events like onboarding and mergers and acquisitions, so chances are you already have a decent risk assessment in place.
Remember, the OFAC framework states there is no such thing as a universal sanctions program that works for every credit union. Build the assessment around your organization’s parameters, making sure to include specific members, products, services and geographic locations. Take a look at OFAC’s risk matrices to make sure your risk assessment is configured correctly.
3. Internal Controls: Mind Compliance Gaps with Tech
According to the framework, “An effective sanctions compliance program should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC.” As you complete your risk assessment, identify any potential gaps in your OFAC compliance efforts and look to incorporate controls that will remediate those shortcomings.
In addition, credit unions must adjust rapidly when the Treasury Department issues OFAC updates. In other words, if you’re using a manual process to scan OFAC lists, it’s time to look for an automated solution that can keep up with OFAC changes and your business environment.
You should also be able to customize your screening solution based on your organization’s unique needs. Make sure your transaction thresholds are set properly, that you understand how the algorithms work and how matches are returned. Lastly, audit your solutions regularly to ensure proper calibration.
4. Testing and Auditing: Always Be Checking
Speaking of regular audits, testing and auditing your sanctions program at least once a year should be a no-brainer, yet this is a deficiency we keep hearing about from regulatory agencies.
The negative effects that a lack of testing can spur are evident when you scroll through any list of OFAC violations and enforcement actions. However, scrolling through that list can also inspire good ideas for testing your credit union’s sanctions program, in addition to identifying any inadequacies in your risk assessment.
Sanctions change almost every day, and it’s up to you to stay on top of the changes and make sure your screening solution’s thresholds and settings are set to yield accurate results.
5. Training: Can You Be More Specific?
Training is a critical aspect of any compliance program. However, training is not nearly as effective when it isn’t tailored to specific jobs.
For example, a frontline teller who processes wire transactions or accepts deposits needs to know how OFAC regulations tie into these specific scenarios—and understand what can happen if they complete a transaction for someone on a watch list.
Provide training to all appropriate employees and personnel on a periodic basis (annually, at a minimum). Your training program should:
- Provide job-specific knowledge
- Communicate the sanctions compliance responsibilities for each employee
- Hold employees accountable for sanctions compliance training through assessments
If you’re found engaging in business with parties on the OFAC SDN List, even inadvertently, your credit union could sustain massive penalties. Using the above takeaways to build a comprehensive sanctions compliance program is an excellent way to ensure your organization steers clear of such infractions.
Learn More about OFAC Compliance
Looking for a deeper understanding of how to better understand and meet your credit union’s OFAC compliance obligations? Download our “Understanding OFAC: A Best Practices Compliance Guide for Businesses.”
