31 C.F.R. Appendix A to Part 501—Economic Sanctions Enforcement Procedures for Banking Institutions


Title 31 - Money and Finance: Treasury


PART 501—REPORTING, PROCEDURES AND PENALTIES REGULATIONS
Subpart F—Paperwork Reduction Act


Appendix A to Part 501—Economic Sanctions Enforcement Procedures for Banking Institutions

Note: This appendix provides a general procedural framework for the enforcement of all economic sanctions programs administered by the Office of Foreign Assets Control (“OFAC”) only as they relate to banking institutions, as defined herein.

I. Definitions

A. Banking regulator means the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, or the Office of Thrift Supervision.

B. Banking institution, for purposes of this appendix to Part 501, means a depository institution supervised or regulated by a banking regulator.

C. OFAC means the Department of the Treasury's Office of Foreign Assets Control.

D. Voluntary disclosure means notification to OFAC of an apparent sanctions violation by the banking institution that has committed it. However, such notification to OFAC is not deemed a voluntary disclosure if OFAC has previously received information concerning the conduct from another source, including, but not limited to, a regulatory or law enforcement agency or another person's blocking or funds transfer rejection report.

Notification by a banking institution is also not a voluntary disclosure if another person's blocking or funds transfer rejection report is required to be filed, whether or not this required filing is made. Responding to an administrative subpoena or other inquiry from OFAC is not a voluntary disclosure. The submission of a license request is not a voluntary disclosure unless it is accompanied by a separate disclosure.

II. Enforcement of Economic Sanctions in General

A. OFAC Civil Investigation and Enforcement Action. OFAC is responsible for civil investigation and enforcement with respect to economic sanctions violations committed by banking institutions. In these efforts, OFAC may coordinate with banking regulators. OFAC investigations may lead to one or more of the following: an administrative subpoena, an order to cease and desist, a blocking order, an evaluative letter summarizing concerns, or a civil penalty proceeding. In addition to or instead of such actions, if the banking institution involved is currently acting pursuant to an OFAC license, that license may be suspended or revoked.

B. OFAC's Evaluation of Violative Conduct. The level of enforcement action undertaken by OFAC involving a banking institution depends on the nature of the apparent violation, the enforcement objectives, and the foreign policy goals of the particular sanctions program involved. In evaluating whether to initiate a civil penalty action, OFAC determines whether there is reason to believe that a violation of the relevant regulations, statutes, or Executive orders has occurred. In making determinations about the disposition of apparent violations by banking institutions, including evaluative letters and civil penalties, OFAC will consider information provided by the banking institution and its banking regulator concerning the institution's compliance program and the adequacy of that program based on its OFAC risk profile. Further information about the evaluation of compliance programs commensurate with the risk profile of a banking institution and a description of a sound OFAC compliance program are provided in Annexes A and B.

C. Criminal Investigations and Prosecutions. If the evidence suggests that a banking institution has committed a willful violation of a substantive prohibition or requirement, OFAC may refer those cases to other federal law enforcement agencies for criminal investigation. Cases that an investigative agency has referred to the Department of Justice for criminal prosecution also may be subject to OFAC civil penalty action.

III. Periodic Institutional Review

A. Except for those significant violations for which prompt action, such as a civil penalty proceeding or referral to other federal law enforcement agencies, is appropriate, OFAC will review institutions with violations or suspected violations on a periodic basis. OFAC will review each such institution's apparent violations over a period of time deemed appropriate in light of the number and severity of apparent violations and the institution's OFAC compliance history.

B. Upon completing this review, OFAC will preliminarily determine the type of enforcement action it will pursue for each apparent violation or related apparent violations. OFAC will then seek comment from the banking institution and ask it to provide additional information with regard to the apparent violation or violations. OFAC also will ask the institution to explain what actions led to the apparent violation or violations and what actions, if any, it has taken to overcome the deficiencies in its systems that led to the apparent improper handling of the transactions or accounts. Depending on the number and complexity of the apparent violations, OFAC may grant up to 30 days for a banking institution to respond and may grant further extensions at its sole discretion where it determines this is appropriate. Upon receipt of the institution's response, OFAC will decide whether to pursue the intended administrative action or whether some other action would serve the same purpose.

C. OFAC will subsequently send the banking institution a letter detailing its findings and further actions, if any, concerning the apparent violations. OFAC will provide the banking institution's primary banking regulator with a copy of this letter.

IV. Factors Affecting Administrative Action

In making its decision as to administrative action, if any, OFAC will consider a number of factors, including, but not limited to, the following:

A. The institution's history of sanctions violations.

B. The size of the institution and the number of OFAC-related transactions handled correctly compared to the number and nature of transactions handled incorrectly.

C. The quality and effectiveness of the banking institution's overall OFAC compliance program, as determined by the institution's primary banking regulator and by its history of compliance with OFAC regulations.

D. Whether the apparent violation or violations in question are the result of systemic failures at the banking institution or are atypical in nature.

E. The voluntary disclosure to OFAC of the apparent violation or violations by the banking institution.

F. Providing OFAC a report of, or useful enforcement information concerning, the apparent violation or violations. Providing a report, but not a voluntary disclosure, of the apparent violation or violations will generally be accorded less weight as a mitigating factor than would provision of a voluntary disclosure.

G. The deliberate effort to hide or conceal from OFAC or to mislead OFAC concerning an apparent violation or violations or its OFAC compliance program.

H. An analysis of current or potential sanctions harm as a result of a violation or series of related violations. This analysis will focus both on the specifics of the apparent violation or violations and the institution's compliance effort.

I. Technical, computer, or human error.

J. Applicability of a statute of limitations and any waivers thereof.

K. Actions taken by the banking institution to correct the problems that led to the apparent violation or violations.

L. The level of OFAC action that will best lead to enhanced compliance by the banking institution.

M. The level of OFAC action that will best serve to encourage enhanced compliance by others.

N. Evidence that a transaction or transactions could have been licensed by OFAC under an existing licensing policy.

O. Whether other U.S. government agencies have taken enforcement action.

P. Qualification of the banking institution as a small business or organization for the purposes of the Small Business Regulatory Enforcement Fairness Act, as determined by reference to the applicable regulations of the Small Business Administration.

V. License Suspension and Revocation

In addition to or in lieu of other administrative actions, OFAC authorization to engage in a transaction or transactions pursuant to a general or specific license may be suspended or revoked with respect to a banking institution for reasons including, but not limited to, the following:

A. The banking institution has made or caused to be made in any license application, or in any report required pursuant to a license, any statement that was, at the time and in light of the circumstances under which it was made, false or misleading with respect to any material fact, or it has omitted to state in any application or report any material fact that was required;

B. The banking institution has failed to file timely reports or comply with the recordkeeping requirements of a general or specific license;

C. The banking institution has violated any provision of the statutes enforced by OFAC or the rules or regulations issued under any such provision or relevant Executive orders and such violation or violations are significant and merited civil penalty or other enforcement action;

D. The banking institution is reasonably believed to have counseled, commanded, induced, procured, or knowingly aided or abetted the violation of any provision of any legal authority referred to in paragraph C;

E. Based on the information available to it, OFAC considers the banking institution's compliance program inadequate; or

F. The banking institution has committed any other act or omission that demonstrates unfitness to conduct the transactions authorized by the general or specific license.

VI. Civil Penalties

The procedures for addressing the actions of banking institutions that OFAC decides merit civil penalty treatment are provided in the regulations governing the particular sanctions program involved, or, in the case of sanctions regulations issued pursuant to the Trading with the Enemy Act, in this Part. The factors listed in Section IV will be considerations in the civil penalty process.

Annex A—OFAC Risk Matrices

[The following matrices can be used by banking institutions to evaluate their compliance programs. Matrix A is from the FFIEC Bank Secrecy Act Anti-Money Laundering Examination Manual published in 2005, Appendix M (“Quantity of Risk Matrix—OFAC Procedures”)]

Matrix A

| Low | Moderate | High |
|---|---|---|
| Stable, well-known customer base in a localized environment. | Customer base changing due to branching, merger or acquisition in the domestic market. | A large, fluctuating client base in an international environment. |
| Few high-risk customers; these may include nonresident aliens, foreign customers (including accounts with U.S. powers of attorney) and foreign commercial customers. | A moderate number of high-risk customers. | A large number of high-risk customers. |
| No overseas branches and no correspondent accounts with foreign banks. | Overseas branches or correspondent accounts with foreign banks. | Overseas branches or multiple correspondent accounts with foreign banks. |
| No electronic banking (e-banking) services offered, or products available are purely informational or non-transactional. | The bank offers limited e-banking products and services. | The bank offers a wide array of e-banking products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet). |
| Limited number of funds transfers for customers and non-customers, limited third-party transactions, and no international funds transfers. | A moderate number of funds transfers, mostly for customers. Possibly, a few international funds transfers from personal or business accounts. | A high number of customer and non-customer funds transfers, including international funds transfers. |
| No other types of international transactions, such as trade finance, cross-border ACH, and management of sovereign debt. | Limited other types of international transactions. | A high number of other types of international transactions. |
| No history of OFAC actions. No evidence of apparent violation or circumstances that might lead to a violation. | A small number of recent actions (i.e., actions within the last five years) by OFAC, including notice letters, or civil money penalties, with evidence that the bank addressed the issues and is not at risk of similar violations in the future. | Multiple recent actions by OFAC, where the bank has not addressed the issues, thus leading to an increased risk of the bank undertaking similar violations in the future. |

Matrix B. This matrix consists of additional factors that may be considered by banking institutions in assessing compliance programs in addition to Appendix M of the FFIEC Bank Secrecy Act Anti-Money Laundering Examination Manual.

| Low | Moderate | High |
|---|---|---|
| Management has fully assessed the bank's level of risk based on its customer base and product lines. This understanding of risk and strong commitment to OFAC compliance is satisfactorily communicated throughout the organization. | Management exhibits a reasonable understanding of the key aspects of OFAC compliance and its commitment is generally clear and satisfactorily communicated throughout the organization, but it may lack a program appropriately tailored to risk. | Management does not understand, or has chosen to ignore, key aspects of OFAC compliance risk. The importance of compliance is not emphasized or communicated throughout the organization. |
| The board of directors, or board committee, has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate, and consistent with the bank's OFAC risk profile. | The board has approved an OFAC compliance program that includes most of the appropriate policies, procedures, controls, and information systems necessary to ensure compliance, but some weaknesses are noted. | The board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient. |
| Staffing levels appear adequate to properly execute the OFAC compliance program. | Staffing levels appear generally adequate, but some deficiencies are noted. | Management has failed to provide appropriate staffing levels to handle workload. |
| Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer. | Authority and accountability are defined, but some refinements are needed. A qualified OFAC officer has been designated. | Authority and accountability for compliance have not been clearly established. No OFAC compliance officer, or an unqualified one, has been appointed. The role of the OFAC officer is unclear. |
| Training is appropriate and effective based on the bank's risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance. | Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program. | Training is sporadic and does not cover important regulatory and risk areas. |
| The institution employs strong quality control methods. | The institution employs limited quality control methods. | The institution does not employ quality control methods. |

Annex B—Sound Banking Institution OFAC Compliance Programs

A. Identification of High Risk Business Areas. A fundamental element of a sound OFAC compliance program rests on a banking institution's assessment of its specific product lines and identification of the high-risk areas for OFAC transactions. As OFAC sanctions reach into virtually all types of commercial and banking transactions, no single area will likely pass review without consideration of some type of OFAC compliance measure. Relevant areas to consider in a risk assessment include, but are not limited to, the following: retail operations, loans and other extensions of credit (open and closed-ended; on and off-balance sheet, including letters of credit), funds transfers, trust, private and correspondent banking, international, foreign offices, over-the-counter derivatives, internet banking, safe deposit, payable through accounts, money service businesses, and merchant credit card processing.

B. Internal Controls. An effective OFAC compliance program should include internal controls for identifying suspect accounts and transactions and reporting to OFAC. Internal controls should include the following elements:

1. Flagging and Review of Suspect Transactions and Accounts. A banking institution's policies and procedures should address how it will flag and review transactions and accounts for possible OFAC violations, whether conducted manually, through interdiction software, or a combination of both methods. For screening purposes, a banking institution should clearly define procedures for comparing names provided on the OFAC list with the names in its files or on the transaction and for flagging transactions or accounts involving sanctioned countries. In high-risk and high-volume areas in particular, a banking institution's interdiction filter should be able to flag close name derivations for review. New accounts should be compared with the OFAC lists prior to allowing transactions. Established accounts, once scanned, should be compared regularly against OFAC updates.

2. Updating the Compliance Program. A banking institution's compliance program should also include procedures for maintaining current lists of blocked countries, entities, and individuals and for disseminating such information throughout the institution's domestic operations and its offshore offices, branches and, for purposes of the sanctions programs under the Trading with the Enemy Act, foreign subsidiaries.

3. Reporting. A compliance program should also include procedures for handling transactions that are validly blocked or rejected under the various sanctions programs. These procedures should cover the reporting of blocked and rejected items to OFAC as provided in §501.603 of this Part and the annual report of blocked property required by §501.604 of this Part.

4. Management of blocked accounts. An audit trail should be maintained in order to reconcile all blocked funds. A banking institution is responsible for tracking the amount of blocked funds, the ownership of those funds, interest paid on those funds, and the release of blocked funds pursuant to license.

5. Maintaining License Information. Sound compliance procedures dictate that a banking institution maintain copies of customers' OFAC specific licenses on file. This will allow a banking institution to verify whether a customer is initiating a legal transaction. If it is unclear whether a particular transaction is authorized by a license, a banking institution should confirm this with OFAC. Maintaining copies of licenses will also be useful if another banking institution in the payment chain requests verification of a license's validity. In the case of a transaction performed under general license (or, in some cases, a specific license), it is sound compliance for a banking institution to obtain a statement from the licensee that the transaction is in accordance with the terms of the license, assuming the banking institution does not know or have reason to know that the statement is false.

C. Testing. Except for a banking institution with a very low OFAC risk profile, a banking institution should have a periodic test of its OFAC program performed by its internal audit department or by outside auditors, consultants, or other qualified independent parties. The frequency of the independent test should be consistent with the institution's OFAC risk profile; however, an in-depth audit of each department in the banking institution might reasonably be conducted at least once a year. The person(s) responsible for testing should conduct an objective, comprehensive evaluation of OFAC policies and procedures. The audit scope should be comprehensive and sufficient to assess OFAC compliance risks across the spectrum of all the institution's activities. If violations are discovered, they should be promptly reported to both OFAC and the banking institution's banking regulator.

D. Responsible Individuals. It is sound compliance procedure for an institution to designate a qualified individual or individuals to be responsible for the day-to-day compliance of its OFAC program, including at least one individual responsible for the oversight of blocked funds. This individual or these individuals should be fully knowledgeable about OFAC statutes, regulations, and relevant Executive orders.

E. Training. A banking institution should provide adequate training for all appropriate employees. The scope and frequency of the training should be consistent with the OFAC risk profile and the particular employee's responsibilities.

[71 FR 1974, Jan. 12, 2006]