Preparing for an OFAC Review An Examiner s Perspective

Transcription

1 Preparing for an OFAC Review An Examiner s Perspective John Reynolds Examining Officer and Team Leader, Legal and Consumer Compliance Risk Department Federal Reserve Bank of New York January 27, 2012 Disclaimer: The views and comments expressed herein are those of the presenter and do not necessarily represent those of the Federal Reserve Bank of New York or the Federal Reserve System. Neither these slides nor this presentation is intended to provide the reader with a complete description of regulatory focus for examining OFAC Compliance Programs at supervised institutions. For that, the reader should refer to applicable laws, statutes, interpretations and the FFIEC AML-BSA Examination Manual.

2 Objective Assess the risk-based OFAC program to evaluate whether it is appropriate for the institution s OFAC risk, taking into account products, services, customers, transactions, and geographic locations Written Program including elements Responsible officer Risk assessment Internal control structure Independent testing Training Transaction testing

3 What is the process? Entry-letter questionaire First Day Letter from the examiners Information preparation provided to examiner Examiner review and transaction testing (discussed on subsequent slides) Identification of potential issues / discussion with management Fed Internal vetting process and finalization of issues Formal close-out meeting with examined institution Written Report provided to examined institution Institution Response Corrective action implementation and follow-up

4 OFAC Risk Assessment OFAC sanctions can reach into virtually all areas of bank operations Banks should consider all types of transactions, products, services, activities and available technology when conducting the risk assessment Some examples of products, services, customers, and geographic locations which may carry higher OFAC risk include: International funds transfers Nonresident alien accts. Embassy/Foreign Consulate accts. Politically exposed persons Foreign customer accts. Cross-border ACH transactions Foreign correspondent banking accts. Commercial letters of credit Payable through accts. International private banking Overseas branches and subsidiaries Transactional electronic banking Remote deposit capture Trust/Asset management services Cash/currency services shipment Lending activities

5 Evaluate the OFAC internal control structure Internal controls should include the following elements: Screening and reviewing potential prohibited transactions Updating OFAC lists Reporting blocked or rejected transactions Maintaining license information

6 Evaluate the OFAC internal control structure Screening /reviewing potential prohibited transactions The method of screening should be defined: manual, interdiction software or combination of both. Screening criteria for comparing names to the OFAC list and identifying transaction involving sanctioned countries should be specified Address the accounts and transactions that should be screened and the frequency of screening New accounts: Should be compared with the OFAC lists prior of shortly thereafter (e.g. nightly processing) Transactional: Funds transfers, letters of credit, non-customer transactions should be checked against OFAC lists prior to being executed Existing customers: Screening should be done when there are additions/changes to the OFAC lists. The frequency of the screening should be based on the bank s risk (e.g. monthly or quarterly). ACH Screening: Originating institution responsible for verifying originator is not a blocked party & the receiving institution responsible for verifying the receiver is not a blocked party

7 Evaluate the OFAC internal control structure Screening and reviewing potential prohibited transactions It is important for the policies and procedures to address how personnel will determine whether an initial OFAC hit is valid match or a false hit Policies and procedures should address the escalation process for determining false or positive matches and ensuring positive matches area appropriately blocked or rejected. Policies and procedures should provide guidance for appropriate documentation required to support decisions made Updating OFAC lists The bank should have a process for timely updating the lists (manual or interdiction software) of blocked countries, entities, and individuals, when applicable The procedure should also include a process for disseminating the updated information throughout the organization

8 Evaluate the OFAC internal control structure Maintaining license information Does bank maintain copies of customer s OFAC licenses Allows verification of whether a transaction is legal and provides awareness of license expiration date Useful if another bank in payment chain requests verification of the license Copies should be maintained for five years following the most recent transaction conducted in accordance with the license Bank should confirm with OFAC if it is unclear if the transaction is authorized by the license Reporting blocked or rejected transactions Policies and procedures should address handling items that are valid blocked or rejected items Policies and procedures should address the management of blocked accounts

9 Determine the adequacy of independent testing Independent Testing Independent test should be performed by the internal audit department, outside auditors, consultants, or other qualified independent parties The frequency and area of independent testing should be based on the specific risk of the business area The testing should include a comprehensive evaluation of the OFAC policies, procedures, and processes The scope should be comprehensiveness to assess the OFAC compliance risks and evaluate the overall adequacy of the program

10 Determine the adequacy of OFAC training Should provide training to all appropriate employees Can be included with general BSA-AML training The scope and frequency of training should be consistent with the bank s OFAC risk profile and aligned with employee responsibilities Staff members with specific OFAC responsibilities may need more in-depth training to effectively fulfill responsibilities

11 Transaction testing Sample new accounts across business lines and evaluate the filtering process and the documentation evidencing the search Sample transaction (e.g. wire transfers) and evaluate the filtering process and the documentation evidencing the search Assess the timing of when necessary OFAC updates are made to the bank s systems and/or communicated to employees Evaluate whether all the bank s databases are run against the automated filtering system and the frequency of such screening Review potential OFAC matches and evaluate the resolution for blocking, rejecting, or clearing transactions Review a sample of reports to OFAC for completeness and timeliness If the bank has blocked accounts, test controls to verify the account is blocked, ensure adequate records of amounts blocked and ownership of blocked funds, and that a commercially reasonable interest rate is being paid

12 Why should we care? Selected OFAC Fine/Penalty Information

13 QUESTIONS?