The critical part of an OFAC program is the development of a comprehensive compliance regime. Key elements of the program:
An effective OFAC program must be risk-sensitive. The organization must evaluate its customers, geography, products and services, and the company as a whole to identify where potential OFAC issues could arise. Resources and controls should be allocated to where the risks are the highest.
OFAC publishes a list of Specially Designated Nationals and Blocked Persons (SDNs) that includes over 6,000 names of companies and individuals who are located throughout the world. The list includes foreign narcotics traffickers, foreign terrorists, and proliferators of weapons of mass destruction. United States citizens and companies are prohibited from engaging in trade and financial transactions with SDNs wherever they are located, and all SDN assets must be blocked (or frozen).
On November 9, 2009, OFAC issued a final rule entitled “Economic Sanctions Enforcement Guidelines” to provide guidance to persons subject to its regulations. The document explains the procedures that OFAC follows in determining the enforcement response to apparent violations.
Some enforcement responses may result in the issuance of a civil penalty that, depending on the sanctions program affected, may be as much as $250,000 per violation or twice the amount of a transaction, whichever is greater. The Guidelines outline the various factors that OFAC takes into account when making enforcement determinations, not the least of which is the adequacy of a compliance program in place within an institution to ensure compliance with OFAC regulations.
A regulatory examiner will seek to test all aspects of an OFAC program to determine whether any deficiencies are isolated or systemic. More guidance can be found in the FFIEC BSA/AML Examination Manual (see Resources).
Training should be made critical to a compliance program by the board of directors and senior management. All OFAC training programs and materials should outline employee accountability for ensuring OFAC compliance and be comprehensive enough to address the specific risks related to individual business lines. Training should also cover policies, procedures, processes, and new rules and regulations.
Penalties for noncompliance with internal policies and regulatory requirements should be discussed. Training should be required of personnel from all applicable areas of the firm and should be periodic yet frequent, and attendance should be documented.