Ten Keys to Creating an OFAC Compliance Policy


Financial institutions and businesses have numerous federal compliance obligations. While many of these compliance obligations are designed to protect consumers and investors, banks and businesses also have compliance obligations that are designed to protect the national security interests of the United States.

These include the compliance obligations enforced by the Office of Foreign Assets Control (OFAC).

OFAC is an agency within the U.S. Department of the Treasury. While its primary role is to administer and enforce economic sanctions based on U.S. foreign policy, OFAC also enforces several other statutory and regulatory requirements for banks and businesses. These requirements combine to create an extensive list of compliance obligations—which banks and businesses must address through the development and implementation of OFAC compliance policies that are custom-tailored to their specific risks and needs.

What Does it Take to Maintain OFAC Compliance in 2023?

From doing business with foreign entities to conducting transactions on cryptocurrency platforms like Tornado Cash, OFAC’s enforcement authority covers an extremely broad range of financial activities. To maintain compliance, banks and businesses must address the pertinent statutes, rules, and regulations in all aspects of their operations. With this in mind, here are 10 keys to creating an OFAC compliance policy in 2023:

1. A Custom-Tailored Approach

When developing an OFAC compliance program, a custom-tailored approach is critical. OFAC itself makes this clear, stating in an FAQ that “[t]here is no prepackaged compliance program that fits the needs of every bank” or business. In A Framework for OFAC Compliance Commitments (the “Framework”), the agency also states that “each risk-based [compliance program] will depend on a variety of factors—including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations.” Thus, each entity must independently assess its compliance obligations, and then it must develop compliance policies and procedures that address OFAC’s expectations and requirements within the specific context of its operations—including its financial transactions with foreign entities.

2. An Industry-Specific Approach

Part of taking a custom-tailored approach to OFAC compliance involves taking an industry-specific approach. While several of the government statutes, rules, and regulations apply to banks and businesses generally, OFAC has also provided specific guidance for certain industry groups. These industry groups include:

  • Credit Reporting
  • Exporters and Importers
  • Financial Sector
  • Instant Payment Systems
  • Insurance Industry
  • Legal and Compliance Services Sector
  • Money Service Businesses
  • Non-Governmental Organizations (NGO)/Non-Profit
  • Virtual Currency Industry

OFAC expects banks and businesses to use all of the compliance resources it makes available. Thus, these industry-specific guidance documents are essential compliance tools for entities in these groups. Again, however, a custom-tailored approach is critical, and banks and businesses must use OFAC’s industry-specific guidance documents as reference material rather than guideposts or frameworks for compliance.

3. Clear and Actionable OFAC Compliance Documentation

In 2023, OFAC expects banks and businesses to do more than just develop compliance documentation. It also expects banks and businesses to effectively implement their compliance policies and procedures. Additionally, OFAC inspects entities’ compliance policies and procedures; and, despite not providing comprehensive guidance, it makes its own independent determination of the efficacy of entities’ compliance programs.

As a result, clear and actionable OFAC compliance documentation is key. Banks and businesses must be able to effectively implement their OFAC compliance policies, and they must be able to affirmatively demonstrate compliance to the agency when necessary. Without both actual compliance and proof of actual compliance, entities won’t be able to fully withstand OFAC scrutiny.

4. Appointment of an OFAC Compliance Officer

A key aspect of any OFAC compliance policy is the appointment of an OFAC compliance officer. As OFAC states in the Framework, “[t]his may be the same person serving in other senior compliance positions, e.g., the Bank Secrecy Act Officer or an Export Control Officer, as many institutions, depending on size and complexity, designate a single person to oversee all areas of financial crimes or export control compliance.” The key is to designate an OFAC compliance officer in more than title only. The compliance officer must have a clearly delineated role and responsibilities—and must execute these responsibilities consistently on an ongoing basis.

5. An OFAC Compliance Needs Assessment

Getting beyond the fundamentals, determining a bank’s or business’s specific needs starts with conducting an OFAC compliance needs assessment. If an entity has an existing OFAC compliance policy, this will begin with reassessing the policy’s scope and effectiveness. If not, it will begin with analyzing all sources of guidance and requirements, including (but not limited to):

  • The applicable OFAC Sanctions
  • Any applicable OFAC General Licenses
  • A Framework for OFAC Compliance Commitments
  • OFAC’s Information for Industry Groups
  • OFAC’s FAQs
  • OFAC’s Economic Sanctions Enforcement Guidelines (the “Guidelines”)
  • The OFAC Risk Matrix (in the Annex to the Guidelines)

Banks and businesses subject to OFAC’s oversight must also ensure strict compliance with the Bank Secrecy Act (BSA) and other pertinent federal statutes. While OFAC compliance will typically overlap with other aspects of federal compliance in certain respects, entities must address compliance not only from the perspective of meeting their obligations, but also from the perspective of being able to clearly demonstrate that they have met their obligations when necessary. As a result, when developing their OFAC compliance policies, entities should consider creating stand-alone compliance documentation even when they have already addressed compliance with the same statutes in other areas.

6. Comprehensive Policies and Procedures

We’ve touched on this already, but it bears repeating: When it comes to OFAC compliance, comprehensiveness is key. Banks and businesses must meticulously address all pertinent aspects of compliance, and their policies and procedures must clearly demonstrate their efforts to assess and address their obligations while also providing clear instructions for implementation.

7. A Top-Down Commitment to OFAC Compliance

According to OFAC, “Senior Management’s commitment to, and support of, an organization’s risk-based [compliance program] is one of the most important factors in determining its success.” In fact, in the Framework, “Management Commitment” is the first topic that OFAC addresses. This again highlights the fact that effectively managing OFAC compliance in 2023 is about much more than just policies and procedures. Banks and businesses must take a top-down approach to OFAC compliance, and their leadership teams must play an active role in fostering a compliance-first environment.

8. Establishment of Internal Controls

In the Framework, OFAC advises that entities should adopt internal controls “in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC.” Crucially, however, OFAC also notes that due to the “dynamic nature of U.S. economic and trade sanctions,” entities must be prepared to modify their internal controls as necessary. As a result, similar to entities’ OFAC compliance policies, entities’ internal controls must be structured in such a way that they can easily be updated when the need arises.

9. Entity-Wide Training

Too often, compliance training is an afterthought. After developing their compliance policies, banks and businesses simply provide copies of these policies to their employees and require them to sign an acknowledgement. When it comes to OFAC compliance, however, this is insufficient. Banks and businesses should develop training materials hand-in-hand with developing their OFAC compliance policies, and then they should conduct active entity-wide training that reflects employees’ specific roles in helping to maintain strict OFAC compliance.

10. OFAC Compliance Testing and Auditing

Finally, along with incorporating training into their OFAC compliance policies, banks and businesses should also incorporate protocols for testing and auditing. Testing and auditing are key aspects of OFAC compliance management, as they allow entities to proactively identify and address failures and breakdowns before they lead to OFAC scrutiny or enforcement action.

Understanding the “Root Causes” of OFAC Compliance Program Failures

When determining what it takes to maintain compliance, past compliance failures can provide critical insights for avoiding future scrutiny. In its Framework, OFAC has provided a list of “root causes of OFAC sanctions compliance program breakdowns and deficiencies.” Recognizing that these failures have led to prior OFAC administrative actions, banks and businesses should work with their counsel to ensure that they avoid these issues. Some examples include:

  • Lack of a formal OFAC compliance policy
  • Misinterpreting or failing to understand the applicability of OFAC’s regulations
  • Facilitating transactions by non-U.S. persons (including through overseas subsidiaries or affiliates)
  • Exporting or re-exporting U.S.-origin goods, technology, or services to sanctioned entities or individuals
  • Executing or processing commercial transactions involving sanctioned entities or individuals
  • Using ineffective sanctions screening software
  • Inadequate due diligence on customers and clients
  • Relying on de-centralized compliance functions
  • Inconsistent application of an entity’s OFAC compliance program
  • Utilizing non-standard payment or commercial practices

Speak with an OFAC Compliance Policy Lawyer at The Criminal Defense Firm

At The Criminal Defense Firm, our lawyers represent banks, businesses, and individuals in OFAC enforcement cases. We also rely on our experience in these cases to help banks and businesses develop comprehensive and custom-tailored OFAC compliance policies. If you would like to speak with one of our lawyers about creating an OFAC compliance policy in 2023, please call 866-603-4540 or inquire online today.
