The Office of Foreign Assets Control (OFAC) issued its first ever Framework for OFAC Compliance Commitments in 2019, leading credit unions and other institutions to meet complex compliance obligations. Increased use of sanctions in response to Russia’s February 2022 invasion of Ukraine has also led to heightened scrutiny of sanctions compliance programs (SCP), particularly at traditional banks and credit unions.

As the regulatory landscape continues to evolve, now is the time for every credit union and regulated business to ensure its SCP meets all the expectations detailed in OFAC’s 2019 framework, or else potentially face enforcement action.

What is the Framework for OFAC Compliance Commitments?

To strengthen sanctions compliance practices, OFAC developed a framework comprised of five essential components for an SCP. In its framework, OFAC reiterates the need for an SCP based on a “company’s size and sophistication, products and services, customers and counterparties, and geographic locations.”

This framework applies to U.S. financial institutions and other organizations—as well as foreign entities—doing business in or with the U.S., U.S. persons, or using U.S.-originated goods and services.

Want additional insight into OFAC compliance? Watch our on-demand webinar.

Five Essential Components of OFAC Compliance

OFAC’s framework strongly encourages using a risk-based SCP that incorporates five essential components. The following checklist makes it easy for your credit union to compare its SCP against OFAC’s stated expectations for each component.

1. Management commitment:

Your credit union’s senior management legitimizes and emphasizes the importance of its SCP by:

• Reviewing and approving the program
• Delegating sufficient authority and autonomy to it
• Drawing direct reporting lines from them to the SCP office
• Meeting routinely and periodically with the SCP office
• Providing ample resources, including human capital and information technology, to the SCP
• Naming a dedicated and experienced OFAC sanctions compliance officer
• Ensuring that risk-based controls support the SCP
• Promoting a culture of compliance throughout the credit union or organization
• Allowing personnel to report sanctions concerns or issues without fear of reprisal
• Discouraging sanctions-related misconduct and highlighting the repercussions of it
• Letting the SCP office oversee everyone’s adherence to sanctions compliance
• Demonstrating the seriousness of any violations and implementing remedial measures

2. Risk assessment:

As the foundation of its SCP, your credit union periodically and holistically identifies and evaluates OFAC risks associated with these external touchpoints:

• Direct engagement with OFAC-prohibited persons, parties, countries or regions
• Indirect engagement with the same, including violations of OFAC’s 50% rule
• Your members, supply chains, intermediaries and counterparties
• Your product and service offerings
• Your geographic footprint and the locations of your members, suppliers, intermediaries and counterparties
• Your member onboarding due diligence, including independent research that uncovers non-transparent associations with OFAC-prohibited persons, parties, countries or regions
• Potential mergers with or acquisitions of other credit unions or the M&A activity of your members or suppliers

3. Internal controls:

Using the risk assessment as a guide, your credit union has written OFAC compliance policies and procedures that are used to achieve the following objectives:

• Select and calibrate your sanctions screening solution
• Enforce your internal controls through internal and/or external audits
• Establish and maintain adequate OFAC compliance recordkeeping
• Respond to identified OFAC compliance weaknesses with immediate and effective action
• Share the internal controls with all relevant staff through clear communication
• Appoint staff responsible for integrating the internal controls throughout the credit union or organization

4. Testing and auditing:

To assess existing internal controls and identify any program deficiencies, your credit union’s SCP includes a comprehensive, independent and objective testing or audit function that meets the following description:

• Accountable to senior management
• Independent of the audited activities
• Sufficiently backed with appropriate authority, skills, expertise and resources
• On par with your risk assessment and SCP’s level of sophistication
• Results in a comprehensive and objective assessment of your SCP
• Has a mechanism for immediately identifying and mitigating the root causes of deficiencies

5. Training:

Your credit union conducts an OFAC training program that covers the following bases:

• Provides adequate, role-based information and guidance to all employees
• Pays particular attention to those who handle functions that pose higher OFAC risks
• Discusses the risk posed by your products, services, members, vendors and footprint
• Occurs annually or more frequently if your risk profile warrants it
• Addresses negative test or audit results by immediately re-training relevant personnel
• Provides easy access to OFAC training and resource materials to all applicable staff

Heed Prior OFAC Warnings

If there is any doubt about how important OFAC views its framework, consider this: OFAC began regularly referencing its framework in enforcement actions six months after its May 2019 publication. The references typically indicate that the framework outlines how OFAC may incorporate the five essential SCP components into its evaluation, investigation and resolution of apparent violations. Every enforcement action in 2020 included a reference to this framework, further indicating OFAC’s intention to hold organizations subject to U.S. sanctions compliance accountable.

That message was reinforced in 2022 and 2023 enforcement actions, which together amounted to more than $1.5 billion in civil money penalties. Clearly, OFAC believed that the vast majority of the deficiencies found in those cases—everything from management awareness of violations to inadequate assessments of indirect sanctions risk and insufficient customer due diligence—could have been appropriately identified and addressed with an SCP that fully included all five essential components outlined in its framework.

It’s clear that OFAC will continue pounding this drum. Is your credit union listening?

To delve deeper into OFAC’s compliance framework, watch our on-demand webinar.

Watch now

Amber Goodrich is a compliance analyst at CSI.