
OFAC agrees that financial institutions should take a risk-based approach when
considering the likelihood that they may encounter OFAC issues. The functional
regulators examine financial institutions to determine the adequacy of each institution's
OFAC program and the effectiveness of its risk management. The following provide
areas to consider as you review your OFAC procedures:

Section A (corresponds to a matrix provided in the FFIEC Bank Secrecy Act Anti-Money
Laundering Examination Manual published in 2005, Appendix M ["Quantity
of Risk Matrix--OFAC Procedures"]):

| Low | Moderate | High |
| --- | --- | --- |
| Stable, well-known customer base in a localized environment. | Customer base changing due to branching, merger or acquisition in the domestic market. | A large, fluctuating client base in an international environment. |
| Few high-risk customers; these may include nonresident aliens, foreign customers (including accounts with U.S. powers of attorney) and foreign commercial customers. | A moderate number of high-risk customers. | A large number of high-risk customers. |
| No overseas branches and no correspondent accounts with foreign banks. | Overseas branches or correspondent accounts with foreign banks. | Overseas branches or multiple correspondent accounts with foreign banks. |
| No electronic banking (e-banking) services offered, or products available are purely informational or non-transactional. | The bank offers limited e-banking products and services. | The bank offers a wide array of e-banking products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet). |
| Limited number of funds transfers for customers and non-customers, limited third-party transactions, and no international funds transfers. | A moderate number of funds transfers, mostly for customers. Possibly, a few international funds transfers from personal or business accounts. | A high number of customer and non-customer funds transfers, including international funds transfers. |
| No other types of international transactions, such as trade finance, cross-border ACH, and management of sovereign debt. | Limited other types of international transactions. | A high number of other types of international transactions. |
| No history of OFAC actions. No evidence of apparent violation or circumstances that might lead to a violation. | A small number of recent actions (i.e., actions within the last five years) by OFAC, including notice letters, or civil money penalties, with evidence that the bank addressed the issues and is not at risk of similar violations in the future. | Multiple recent actions by OFAC, where the bank has not addressed the issues, thus leading to an increased risk of the bank undertaking similar violations in the future. |

Section B (Additional factors that you might consider):

| Low | Moderate | High |
| --- | --- | --- |
| Management has fully assessed the bank’s level of risk based on its customer base and product lines. This understanding of risk and strong commitment to OFAC compliance is satisfactorily communicated throughout the organization. | Management exhibits a reasonable understanding of the key aspects of OFAC compliance and its commitment is generally clear and satisfactorily communicated throughout the organization, but it may lack a program appropriately tailored to risk. | Management does not understand, or has chosen to ignore, key aspects of OFAC compliance risk. The importance of compliance is not emphasized or communicated throughout the organization. |
| The board of directors, or board committee, has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate, and consistent with the bank’s OFAC risk profile. | The board has approved an OFAC compliance program that includes most of the appropriate policies, procedures, controls, and information systems necessary to ensure compliance, but some weaknesses are noted. | The board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient. |
| Staffing levels appear adequate to properly execute the OFAC compliance program. | Staffing levels appear generally adequate, but some deficiencies are noted. | Management has failed to provide appropriate staffing levels to handle workload. |
| Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer. | Authority and accountability are defined, but some refinements are needed. A qualified OFAC officer has been designated. | Authority and accountability for compliance have not been clearly established. No OFAC compliance officer, or an unqualified one, has been appointed. The role of the OFAC officer is unclear. |
| Training is appropriate and effective based on the bank’s risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure | Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program. | Training is sporadic and does not cover important regulatory and risk areas. |
| The institution employs strong quality control methods. | The institution employs limited quality control methods. | The institution does not employ quality control methods. |
| Compliance considerations are incorporated into all products and areas of the organization. | Compliance considerations were overlooked, but not in high-risk areas, and management promised corrective action when deficiencies were identified. | Compliance considerations are not incorporated into numerous areas of the organization, or do not adequately cover high-risk areas. |
| Effective policies for screening transactions and new accounts for Specially Designated Nationals and Blocked Persons (SDNs) and sanctioned countries are in place. These policies take into account the level of risk of the type of transaction being | Policies for screening transactions and new accounts exist but are not properly aligned with the bank’s level of risk. | Policies for screening transactions and new accounts do not exist. |
| Compliance systems and controls effectively identify and appropriately report potential OFAC violations. Compliance systems are commensurate with risk. Records are retained that document such reporting. | Compliance systems and controls generally identify potential OFAC violations, but the systems are not comprehensive based on risk or have some weaknesses that allow inaccurate reporting. | Compliance systems and controls are ineffective in identifying and reporting OFAC violations and are not commensurate with the bank’s level of risk. |
| On a periodic basis, determined by the bank’s level of risk, all existing accounts are checked to ensure that problem accounts are properly blocked or restricted, depending on the requirements of the relevant sanctions | Accounts are periodically checked to ensure that problem accounts are properly blocked or restricted, but this does not occur often enough based on the bank’s level of risk. | Existing accounts are not reviewed to ensure that problem accounts are properly blocked or restricted. |
| Compliance systems and controls quickly adapt to changes in the OFAC SDN list and country programs, regardless of how frequently or infrequently those changes | Compliance systems and controls are generally adequate and adapt to changes in the OFAC SDN list and country programs. | Compliance systems and controls are not current and are inadequate to comply with and adapt to changes to the OFAC SDN list and country programs. |
| Independent testing of a compliance program’s effectiveness is in place. An independent audit function tests OFAC compliance with regard to systems, training and use. | Overall, independent testing is in place and effective, but some weaknesses are noted. | Independent testing is not in place or is ineffective. Testing performed is not considered independent. |
| Problems and potential problems are quickly identified, and management promptly implements meaningful corrective action. | Problems are generally corrected in the normal course of business without significant investment of money or management attention. Management is reasonably responsive when deficiencies are | Errors and weaknesses are not self-identified. Management is dependent on regulatory findings or responds only when violations are cited or penalties assessed. |
| Overall, appropriate compliance controls and systems have been implemented to identify compliance problems and assess performance. | In general, no significant shortcomings are evident in compliance controls or systems. | Significant problems are evident. The likelihood of continued compliance violations or noncompliance is high because a corrective action program does not exist, or extended time is needed to implement such a |