CUNA Regulatory Comment Call
January 20, 2006
OFAC Economic Sanctions Enforcement Procedures for Banking Institutions
- The U.S. Treasury Departments Office of Foreign Assets Control (OFAC) has issued an interim final rule providing a general procedural framework for the enforcement of economic sanctions enforcement programs with respect to banking institutions. OFAC will take an institutional rather than a transactional approach to enforcement of the OFAC regulatory regime to bar criminals and terrorists from using the U.S. financial system to carry out their illegal activities. OFAC rules are intended ensure that financial institutions block transactions of any person appearing on a list of Specially Designated Nationals and Blocked Persons.
- This new enforcement procedures contained in the interim final rule are applicable to banking institutions, defined as a depository institution supervised or regulated by a Federal banking regulator, including NCUA.
- The interim final rule supercedes OFACs Economic Sanctions Enforcement Guidelines, proposed in January of 2003, as they apply to banking institutions. You can access a copy of CUNAs Comment Call regarding that proposal here.
- The new enforcement procedures take into account the uniqueness of each institutions OFAC compliance program. An institutions OFAC compliance program should be based on an analysis of the institutions size, business volume, member/customer base, and product lines. Under the newly- released rule, before taking enforcement action against an institution, OFAC will review apparent violations over a period of time, rather than evaluating each apparent violation independently. In conducting that review, OFAC will consider: (1) the number and severity of apparent violations and (2) information provided by the institution and its regulator concerning the institutions OFAC compliance program and the adequacy of that program based on its OFAC risk profile.
- OFAC enforcement actions can include: an administrative subpoena; an order to cease and desist; a blocking order; an evaluative letter summarizing concerns; a civil penalty proceeding; or, if the institution is acting pursuant to an OFAC license, even a license suspension or revocation. If evidence suggests that the institution has committed a willful violation of OFAC regulations, OFAC may refer the case to other federal law enforcement agencies, such as the U.S. Department of Justice, for criminal investigation. CUNAs e-Guide page concerning OFAC can be found here.
- OFAC has published this procedural framework as an interim final rule. While the rule is effective for enforcement cases commencing on or after February 13, 2006, OFAC is also requesting comments on the rule with a view to improving its enforcement procedures.
- Comments on the proposal are due to OFAC by March 13, 2006. Please send your comments to CUNA by February 27, 2006. Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at firstname.lastname@example.org or to Senior Regulatory Counsel Catherine Orr at email@example.com; or mail them to Mary or Catherine in c/o CUNA's Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, 6th Floor - South Building, Washington, DC 20004-2601. You may also contact us if you would like a copy of the OFAC interim final rule, or you may access it here.
DESCRIPTION OF THE INTERIM FINAL RULE
Sharing of Information Between OFAC and Financial Institution Regulators
- The interim final rule states that OFAC will provide the federal banking regulators with information related to apparent violations or compliance concerns. In turn, OFAC will receive information from the banking regulators, including, for those institutions with apparent violations, evaluations of the sufficiency of each such institution's implementation of policies, procedures, and systems for ensuring OFAC compliance.
Periodic Institutional Review Economic Sanctions
- Prior to taking enforcement actions, OFAC generally will review violations or suspected violations by a particular institution over a period of time, rather than evaluating each apparent violation independently. In the case of a particularly egregious violation, OFAC may take prompt enforcement action.
- Under the revised procedures, OFAC will evaluate the institution's apparent OFAC-related violations in the context of the institution's overall OFAC compliance program and pattern of OFAC compliance. OFAC will not conduct such a review if there are no apparent violations. This does not mean a generally sound compliance history means that an institution will be immune from OFAC enforcement action.
Factors Affecting Administrative Action
- In making its decision as to the appropriate administrative /enforcement action, the
information reviewed by OFAC will include, but will not necessarily be limited to, the following:
- The institution's history of sanctions violations.
- The size of the institution and the number of OFAC-related transactions handled correctly compared to the number and nature of transactions handled incorrectly.
- The quality and effectiveness of the banking institution's overall OFAC compliance program, as determined by the institution's primary regulator and by its history of compliance with OFAC regulations.
- Whether the apparent violation or violations in question are the result of systemic failures at the banking institution or are atypical in nature.
- The voluntary disclosure to OFAC of the apparent violation or violations by the institution.
- Providing OFAC a report of, or useful enforcement information concerning, the apparent violation or violations.
- The deliberate effort to hide or conceal from OFAC or to mislead OFAC concerning an apparent violation or violations or its OFAC compliance program.
- An analysis of current or potential sanctions harm as a result of a violation or series of related violations.
- Technical, computer, or human error.
- Actions taken by the banking institution to correct the problems that led to the apparent violation or violations.
- The level of OFAC action that will best lead to enhanced compliance by the banking institution.
- The level of OFAC action that will best serve to encourage enhanced compliance by others.
- Whether other U.S. government agencies have taken enforcement action.
- Qualification of the banking institution as a small business or organization for the purposes of the Small Business Regulatory Enforcement Fairness Act, as determined by reference to the applicable regulations of the Small Business Administration.
- The interim final rule clarifies that while a voluntary disclosure by an institution is a factor that OFAC considers in its enforcement decisions, OFAC does not regard a disclosure to be voluntary when another party is required to file a report concerning the same transaction. This is the case whether or not the other party actually files a report. However, OFAC will consider such reports by an institution as cooperation and, therefore, as a mitigating factor in its enforcement decisions.
- After a review of apparent violations, OFAC will contact the financial institution, either by phone, in-person, or in writing, regarding OFAC's preliminary assessment of the enforcement action(s) it intends to pursue for each transaction or set of related transactions that appear to constitute violations of OFAC-administered sanctions programs. OFAC will ask the institution to comment and provide additional information with regard to the apparent violation(s). OFAC may grant up to thirty days plus extensions, depending on the number and complexity of the violations, for the institution respond.
- Once OFAC has reached a decision, it will notify the institution in writing as to its proposed action with regard to each apparent violation during the period under review. OFAC will provide a copy of this letter to the institution's primary federal banking regulator. If the decision is to impose a civil penalty, the institution will be afforded an opportunity for informal settlement prior to formal initiation of penalty action through the issuance of a prepenalty notice.
- In subsequent periodic reviews relating to the institution's apparent violations, all prior actions and decisions taken by OFAC, including cases in which the decision is to take no action, will be considered in deciding what action to take.
OFAC Risk Matrices
- The rule includes two matrices designed to help institutions understand whether their examiners will consider their operations to be in a category of high, moderate or low risk for OFAC violations. Indicators of an institution that can be categorized as high risk may include: a large number of high risk members/customers; the offering of a wide range of e-banking products and services (for example e-bill payment or accounts opened via the Internet); multiple recent enforcement actions by OFAC, where the institution has not addressed the underlying issues leading to the violations; and the institutions board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient. One matrix is taken from the FFIEC Bank Secrecy Act Anti-Money Laundering Examination Manual. You can find more information on the latest BSA developments, including a link to the BSA/AML Manual, in CUNAs e-Guide.
Sound Institution OFAC Compliance Programs
- An annex to the rule contains items that are characteristic of effective OFAC compliance
programs. They are:
- The institution should assess its specific product lines and identify high-risk areas for OFAC transactions (such as retail operations, loans and other extensions of credit -open and closed-ended; on and off-balance sheet, funds transfers, trust, Internet banking, safe deposit, payable through accounts, and merchant credit card processing).
- Internal controls for identifying suspect accounts/transactions and reporting them to OFAC. Such controls should include: (1) policies and procedures to flag and review accounts/transactions for possible OFAC violations; (2) procedures for maintaining current lists of blocked countries, entities, and individuals and for disseminating such information throughout the institution; (3) procedures for handling transactions that are validly blocked or rejected under the various sanctions programs; (4) Maintenance of an audit trail to reconcile all blocked funds; and (5) Maintenance copies of members/customers OFAC specific licenses on file.
- Except for an institution with a very low OFAC risk profile, an institution should have a periodic test of its OFAC program performed by its internal audit department or by outside auditors, consultants, or other qualified independent parties. The frequency of the independent test should be consistent with the institution's OFAC risk profile; however, an in- depth audit of each department in the banking institution might reasonably be conducted at least once a year.
- An institution to designate a qualified individual or individuals to be responsible for the day-to-day compliance of its OFAC program, including at least one individual responsible for the oversight of blocked funds.
- OFAC training should be provided to all appropriate employees. The scope and frequency of the training should be consistent with the OFAC risk profile and the particular employee's responsibilities.
QUESTIONS REGARDING THE INTERIM FINAL RULE
- Do you feel that the rule is consistent with the BSA/AML Manual in terms of
focusing on risk?
Yes ______ No ______
- Do you think the factors that OFAC will take into account in making its decision
as to the appropriate administrative/enforcement action are appropriate?
Yes ______ No ______
If not, are there other/additional factors that OFAC should take into account?
- Are the OFAC risk matrices included in the annex of the interim final rule helpful
in terms of enabling institutions to better evaluate their compliance programs?
Yes ______ No ______
If not, how could the matrices be changed to provide more assistance to institutions?
- Is the list of sound practices relating to an institutions OFAC compliance
programs in the annex to the interim final rule useful?
Yes ______ No ______
If not, how could the list be made more useful?
- Do you agree with the definition of voluntary disclosure by an institution as well
as how OFAC will look upon such disclosure (giving such cooperation due consideration
in its review of possible enforcement action(s))?
Yes ______ No ______
If not, how should the definition of voluntary disclosure be changed?
OFAC has specifically requested comment on the following 2 questions:
- How much significance, separately or collectively, should OFAC attribute in its
enforcement decisions to such factors as a regulators assessments of an institutions
compliance program, an institutions historical OFAC compliance record, an a comparison
of the record to similarly situated financial institutions?
- OFAC plans to issue enforcement procedures for certain financial sector entities
regulated by state government agencies but not by federal financial regulators. This
sector includes entities that are similar to federally-regulated banking institutions,
such as certain credit unions and banks not insured by an agency of the U.S. government.
(This refers to state-chartered credit unions that are not insured by NCUA.)
- Other comments?
Eric Richard General Counsel (202) 508-6742 firstname.lastname@example.org |
Mary Mitchell Dunn SVP & Deputy General Counsel (202) 508-6736 email@example.com
Jeffrey Bloch Assistant General Counsel (202) 508-6732 firstname.lastname@example.org
Lilly Thomas Assistant General Counsel (202) 508-6733 email@example.com
Catherine Orr Senior Regulatory Counsel (202) 508-6743 firstname.lastname@example.org