We all know what we're supposed to do: identify all areas where OFAC inquiries are necessary, then formulate risk-based compliance procedures for our institution to follow. What could possibly go wrong? Dissecting the reasons things go wrong, and identifying which controls may have been missing, broken, or ineffective, can help you design a more effective controls environment in your own institution. We'll go through some high-profile OFAC enforcement actions from the past few years to help you understand how to avoid incidents like these:
July 27, 2016: Screening Software and Communication
Compass Bank’s sanction screening software failed to include dormant and inactive accounts, resulting in a finding of violation. It was determined that the Bank had reason to know of this oversight for two reasons: (1) the names of individuals were publicized in the media as being on the OFAC list; and (2) the institution’s personnel subsequently conducted “internet searches” regarding the sanctioned parties. The failure was “due to a misconfiguration of its sanctions screening filter that precluded dormant or inactive accounts from being screened against changes to the SDN List for more than four years.”
October 21, 2015: Program Controls and Communication
BMO Harris Bank NA was issued a finding of violation as the successor of M & I Bank, which processed six prohibited funds transfers during February and March 2011 for a customer added to its “false hit list” in 2009. A general license for the importing of Iranian-origin carpets was revoked in 2010, but the false hit list was not adjusted, which allowed the transactions to be processed. A downstream financial institution stopped the funds transfer in February 2011 and communicated this to M & I Bank. The M & I Bank staff member failed to escalate the information about this transaction. The bank subsequently processed five additional funds transfers. It was determined that the compliance program did not implement proper procedures and controls to ensure that internal lists omitting repetitive false positives were reviewed following changes to the list or sanctions programs.
January 13, 2017: Product Channel and Communication
TD Bank settled potential civil liability for $516,105 for 167 apparent violations and also received a finding of violation. Beginning in 2003/2004, the bank failed to screen OFAC sanctioned countries or entities prior to processing transactions involving export letters of credit for “a number of years, up to and including 2011.” It was noted that “several employees within TD Bank (including those in its compliance unit and supervisory management personnel) were aware that the bank processed USD transactions on behalf of a Cuban entity and were aware of a gap in the bank's procedures permitting such transactions to clear through the U.S. financial system.” The base penalty for these transactions was $955,750, which was reduced due to self-disclosure and other factors.
Examples of Common Mistakes
In the cases mentioned above, errors and oversights triggered findings of violation.
Other common mistakes often found by auditors may include:
- Filtering criteria that are too loose, generating too many hits (false positives)
- Filtering criteria that are too strict, potentially missing real hits (false negatives)
- Closing alerts without proper investigation due to backlog or staffing constraints
- Excluding certain transactions from the filtering process without first assessing the risk this poses
- No access to older alerts that have already been investigated or closed
- Watch list filtering is not carried out frequently or on a clear schedule
- Persons and entities on the suppression list are not screened periodically or when changes are made to the lists
- Up-to-date sanctions lists are not used
- The status of all account types or transactions is not captured
What if Something Went Wrong?
If you discover through any channel that you may have been banking an entity or conducting transactions for someone or somewhere that is on the sanctions list, there’s a little-known process that may impact reputation risk and possibly reduce or avoid civil money penalties. It’s a nifty little thing called “Self-Disclosure.” According to the official FAQs, “a company can and is encouraged to voluntarily disclose a past violation. Self-disclosure is considered a mitigating factor by OFAC in Civil Penalty proceedings.”
How Much Does 'Wrong' Cost?
Fines for violations can be substantial. In many cases, civil and criminal penalties can exceed several million dollars. Civil money penalties attributed to OFAC violations assessed by the U.S. Department of the Treasury to date for 2017 have reached $118,103,168MM compared to a total $21,609,315MM in 2016. Voluntary self-disclosure of either type of conduct, egregious or non-egregious, may result in the applicable civil money penalty being cut by one half or the fine being eliminated altogether!
Generally, if a violation is disclosed through voluntary self-disclosure, the base amount of a proposed civil penalty may, at a minimum, be reduced by one-half of the transaction value. In determining a potential penalty, OFAC considers a number of mitigating factors. The enforcement decision may be influenced by the extent to which the conduct was egregious (willful or reckless); the degree of management culpability; the level of harm to the policy objectives of the sanctions program; and prior violations. Moreover, OFAC may consider the volume of violations; the quality of the compliance program; the remedial response; and whether there was cooperation by self-disclosing and agreeing to sign a tolling agreement to extend the period of time that OFAC can investigate the apparent violation beyond the five-year period.
What Does 'Wrong' Look Like in New York? Will This Trend Spread?
New York Rule
Watch list screening tools and protocols have recently received close attention from regulators. The New York Department of Financial Services issued a new rule effective January 1, 2017 that expanded the responsibility of New York State banks to detect money laundering and terrorist financing. The rule specifically states that banks must annually test not only their monitoring systems but also their “watch list filtering program.” An annual certification must be signed by each Board member or Senior Officer that testing of both monitoring and filtering systems (OFAC) has been performed.
How to Prevent Things From Going Wrong
Below are some tips on program elements you may want to revisit in light of the increased regulatory focus:
- Risk: Understand how your filtering criteria (percentage of match, deviation from misspellings) work for each vendor used to perform OFAC screenings, and be able to explain the criteria to auditors and regulators.
- Risk: Understand the timing for resolving OFAC false positives.
- Are transactions posted prior to review?
- Risk: Identify all customer types and areas where funds enter or leave your institution.
- Policies: Look at all vendors used for OFAC screening and determine if their processes meet the risk criteria set by your institution.
- Procedures: Address all funds movement whether you opt to perform OFAC inquiries or not.
- System Upgrades: Verify that your vendor’s software is capturing all account types and statuses, especially after any system updates.
- Training: Ensure there is open communication and a process for escalation. Employees need to understand that the BSA/OFAC Officer may not be aware of every situation.
- Remind all personnel: if you know something, say something. Whether it's from the news, another bank, documents provided, or statements made by a customer, these are all situations where further inquiry may be warranted.
- Monitoring: If you maintain a false hit/suppression list of frequent regulars from your database scans to reduce the review of false positives, make sure that you document periodic reviews, especially when there’s a change to the sanctions program.
- Monitoring: Consider implementing and documenting self-monitoring efforts (spot testing) to ensure that OFAC inquiries are being performed as defined in your procedures and/or OFAC Risk Assessment.
- Corrective Action: Consider adding the steps for self-disclosure to procedures.
It’s just not enough to have a program in place and think that just because you’ve never had a “hit” that everything is working well. As we’ve seen, there is much that can go wrong in a complacent OFAC program.
Institutions and the individuals named responsible for OFAC compliance are ultimately responsible for any third parties engaged to comply with OFAC screening. You need to be able to articulate to auditors and examiners how things work at your institution, including identification of products and entities, and the accuracy and timing of reviews. Given the renewed attention to maintaining OFAC compliance, now is a good time to take a fresh look at your OFAC Program.