Bank Secrecy Act
Office of Foreign Assets Control
Objective. Assess the bank’s risk-based Office of Foreign Assets Control (OFAC) compliance program to evaluate whether it is appropriate for the bank’s OFAC risk, taking into consideration its products, services, customers, entities, transactions, and geographic locations.
1. Determine whether the board of directors and senior management of the bank have developed policies, procedures, and processes based on their risk assessment to ensure compliance with OFAC laws and regulations.
2. Review the bank’s OFAC compliance program in the context of the bank’s OFAC risk assessment. Consider the following:
- The extent of, and method for, conducting OFAC searches of each relevant department or business line (e.g., automated clearing house (ACH) transactions, monetary instrument sales, check cashing, trusts, loans, deposits, and investments) as the process may vary from one department or business line to another.
- The extent of, and method for, conducting OFAC searches of account parties other than accountholders, which may include beneficiaries, guarantors, principals, beneficial owners, nominee shareholders, directors, signatories, and powers of attorney.
- How responsibility for OFAC is assigned.
- Timeliness of obtaining and updating OFAC lists or filtering criteria.
- The appropriateness of the filtering criteria used by the bank to reasonably identify OFAC matches (e.g., the extent to which the filtering or search criteria include misspellings and name derivations).
- The process used to investigate potential matches, including escalation procedures for potential matches.
- The process used to block and reject transactions.
- The process used to inform management of blocked or rejected transactions.
- The adequacy and timeliness of reports to OFAC.
- The process to manage blocked accounts (such accounts are reported to OFAC and pay a commercially reasonable rate of interest).
- The record retention requirements (e.g., five-year requirement to retain relevant OFAC records; for blocked property, record retention for as long as blocked; once unblocked, records must be maintained for five years).
3. Determine the adequacy of independent testing (audit) and follow-up procedures.
4. Review the adequacy of the bank’s OFAC training program based on the bank’s OFAC risk assessment.
5. Determine whether the bank has adequately addressed weaknesses or deficiencies identified by OFAC, auditors, or regulators.
6. On the basis of the bank’s risk assessment, prior examination reports, and a review of the bank’s audit findings, select the following samples to test the adequacy of the bank’s OFAC compliance program:
- Sample new accounts (e.g., deposit, loan, trust, safe deposit, investments, credit cards, and foreign office accounts) and evaluate the filtering process used to search the OFAC database (e.g., the timing of the search) and the documentation maintained evidencing the searches.
- Sample appropriate transactions that may not be related to an account (e.g., funds transfers, monetary instrument sales, and check-cashing transactions), and evaluate the filtering criteria used to search the OFAC database, the timing of the search, and documentation maintained evidencing the searches.
- If the bank uses an automated system to conduct searches, assess the timing of when updates are made to the system, and when the most recent OFAC changes were made to the system. Also, evaluate whether all of the bank’s databases are run against the automated system, and the frequency upon which searches are made. If there is any doubt regarding the effectiveness of the OFAC filter, then run tests of the system by entering test account names that are the same as or similar to those recently added to the OFAC list to determine whether the system identifies a potential hit.
- If the bank does not use an automated system, evaluate the process used to check the existing customer base against the OFAC list and the frequency of such checks.
- Review a sample of potential OFAC matches and evaluate the bank’s resolution for blocking and rejecting processes.
- Review a sample of reports to OFAC and evaluate their completeness and timeliness.
- If the bank is required to maintain blocked accounts, select a sample and evaluate that the bank maintains adequate records of amounts blocked and ownership of blocked funds, that the bank is paying a commercially reasonable rate of interest on all blocked accounts, and that it is accurately reporting required information annually (by September 30) to OFAC. Test the controls in place to verify that the account is blocked.
- Pull a sample of false hits (potential matches) to check their handling; the resolution of a false hit should take place outside of the business line.
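The filter test described in step 6 (entering test names that are the same as or similar to listed names and checking whether the system produces a potential hit) can be rehearsed against a minimal screening filter. The code below is an added illustration, not the manual’s own or any vendor’s product; the list entries, test names, normalization rules and the 0.85/0.80 thresholds are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed placeholder list entries; these are not real OFAC SDN data.
SAMPLE_LIST = [
    "EXAMPLE MARITIME TRADING COMPANY LTD",
    "JOHN QUINCY SAMPLE",
    "ZETA PETROCHEM INDUSTRIES INC",
]

# Corporate suffixes and noise words dropped so "Co." vs "Company" cannot defeat a match (assumed list).
NOISE_TOKENS = {"LTD", "LIMITED", "CO", "COMPANY", "INC", "CORP", "CORPORATION", "LLC", "THE", "OF"}

def normalize(name: str) -> str:
    """Upper-case, strip punctuation, drop noise tokens, sort tokens so word order does not matter."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(sorted(t for t in tokens if t not in NOISE_TOKENS))

def similarity(a: str, b: str) -> float:
    """Character-level similarity in [0, 1] between the normalized forms of two names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(name: str, listed_names=SAMPLE_LIST, threshold: float = 0.85):
    """Return (best_match, score) when the name scores at or above the threshold, else None.
    The threshold is a tuning assumption: too high misses misspellings and derivations,
    too low floods the investigation process with false hits."""
    best = max(listed_names, key=lambda n: similarity(name, n))
    score = similarity(name, best)
    return (best, score) if score >= threshold else None

def filter_test(expected_hits, threshold: float = 0.85):
    """Examiner-style test: run names that SHOULD hit and return those the filter missed (the gaps)."""
    return [n for n in expected_hits if screen(n, threshold=threshold) is None]

# Constructed test names derived from the list entries above.
TEST_NAMES = [
    "Example Maritime Trading Co.",   # suffix derivation
    "Jon Quincy Sample",              # misspelling
    "Sample, John Q.",                # reordering plus an initial
    "Zeta Petrochem Industries",      # suffix dropped
]
CONTROL_NAME = "Unrelated Bakery Inc"  # clean name; must not hit at either threshold

if __name__ == "__main__":
    for threshold in (0.85, 0.80):
        print(f"threshold {threshold}: missed {filter_test(TEST_NAMES, threshold)}")
    print("control:", screen(CONTROL_NAME, threshold=0.80))
```

At 0.85 the filter misses the initial-only form ("Sample, John Q."); at 0.80 it catches it while the control name still does not hit, which is the kind of threshold finding the examiner would document and discuss with management.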
7. Identify any potential matches that were not reported to OFAC, discuss with bank management, advise bank management to immediately notify OFAC of unreported transactions, and immediately notify supervisory personnel at your regulatory agency.
8. Determine the origin of deficiencies (e.g., training, audit, risk assessment, internal controls, management oversight), and conclude on the adequacy of the bank’s OFAC compliance program.
9. Discuss OFAC-related examination findings with bank management.
10. Include OFAC conclusions within the report of examination, as appropriate.