A Credit Union Refresher on OFAC’s Compliance Framework
As the Office of Foreign Assets Control (OFAC) celebrates the two-year anniversary of its first ever Framework for OFAC Compliance Commitments, credit unions have a time-sensitive opportunity. Increased use of sanctions in response to Russia’s February 2022 invasion of Ukraine could inevitably lead to more heightened scrutiny of sanctions compliance programs (SCP), particularly at traditional banks and credit unions that American Banker notes are on the front lines of this fight.
Consequently, now is the time for every credit union to ensure its SCP meets all the expectations detailed in OFAC’s 2019 framework, or else potentially face enforcement action.
Five Essential Components of OFAC Compliance
OFAC’s framework strongly encourages the use of a risk-based SCP that incorporates five essential components. The following checklist makes it easy for your credit union to compare its SCP against OFAC’s stated expectations for each component.
1. Management commitment: Your credit union’s senior management legitimizes and emphasizes the importance of its SCP by:
- Reviewing and approving the program
- Delegating sufficient authority and autonomy to it
- Drawing direct reporting lines from them to the SCP office
- Meeting routinely and periodically with the SCP office
- Providing ample resources, including human capital and information technology, to the SCP
- Naming a dedicated and experienced OFAC sanctions compliance officer
- Ensuring that risk-based controls support the SCP
- Promoting a culture of compliance throughout the credit union
- Allowing personnel to report sanctions concerns or issues without fear of reprisal
- Discouraging sanctions-related misconduct and highlighting the repercussions of it
- Letting the SCP office oversee everyone’s adherence to sanctions compliance
- Demonstrating the seriousness of any violations and implementing remedial measures
2. Risk assessment: As the foundational base of its SCP, your credit union periodically and holistically identifies and evaluates OFAC risks associated with these external touchpoints:
- Direct engagement with OFAC-prohibited persons, parties, countries or regions
- Indirect engagement with the same, including violations of OFAC’s 50% rule
- Your members, supply chains, intermediaries and counter-parties
- Your product and services offerings
- Your geographic footprint and the locations of your members, suppliers, intermediaries and counterparties
- Your member on-boarding due diligence, including independent research that uncovers non-transparent associations with OFAC-prohibited persons, parties, countries or regions
- Potential mergers with or acquisitions of other credit unions or the M&A activity of your members or suppliers
3. Internal controls: Using the risk assessment as a guide, your credit union has written OFAC compliance policies and procedures that are used to achieve the following objectives:
- Select and calibrate your sanctions screening solution
- Enforce your internal controls through internal and/or external audits
- Establish and maintain adequate OFAC compliance recordkeeping
- Respond to identified OFAC compliance weaknesses with immediate and effective action
- Share the internal controls with all relevant staff through clear communication
- Appoint staff responsible for integrating the internal controls throughout the credit union
4. Testing and auditing: In order to assess existing internal controls and identify any program deficiencies, your credit union’s SCP includes a comprehensive, independent and objective testing or audit function that meets the following description:
- Accountable to senior management
- Independent of the audited activities
- Sufficiently backed with appropriate authority, skills, expertise and resources
- On par with your risk assessment and SCP’s level of sophistication
- Results in a comprehensive and objective assessment of your SCP
- Has a mechanism for immediately identifying and mitigating the root causes of deficiencies
5. Training: Your credit union conducts an OFAC training program that covers the following bases:
- Provides adequate, role-based information and guidance to all employees
- Pays particular attention to those who handle functions that pose higher OFAC risks
- Discusses the risk posed by your products, services, members, vendors and footprint
- Occurs annually or more frequently if your risk profile warrants it
- Addresses negative test or audit results by immediately re-training relevant personnel
- Provides easy access to OFAC training and resource materials to all applicable staff
Heed Prior OFAC Warnings
If there is any doubt about how important OFAC views its framework, consider this: OFAC began regularly referencing its framework in enforcement actions six months after its May 2019 publication. The references typically indicate that the framework is an outline for how OFAC may incorporate the five essential SCP components into its evaluation, investigation and resolution of apparent violations.
That message was included in every 2020 and 2021 enforcement action, which together amounted to more than $44 million in civil money penalties. Clearly, OFAC believed that the vast majority of the deficiencies found in those cases—everything from management awareness of violations to inadequate assessments of indirect sanctions risk and insufficient customer due diligence—could have been appropriately identified and addressed with an SCP that fully included all five essential components outlined in its framework.
So far in 2022, OFAC continues pounding this drum. Is your credit union listening?
To delve deeper into OFAC compliance, check out our white paper exploring OFAC’s 50% Rule.
Terry Corley is Director of Strategic Product Management for CSI’s Business Solutions Group.