OFAC’s recent enforcement sends message about screening
IBM Promontory
IBM Promontory is a global leader in strategy, risk management, and compliance consulting.
By Keith Sjostrom, Katherine Long, Guy Huber, and Anushka Agarwal
OFAC’s recent actions spotlight how sanctions compliance professionals should address new enforcement themes
Over the past three years, three new focus areas have emerged in sanctions enforcement by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC):
Recent enforcement actions spotlight how sanctions compliance professionals should address these new enforcement themes and check the readiness of their sanctions compliance programs to respond to new risks.
Data collection and screening
One of the consistent findings of OFAC enforcement actions has been a failure to screen necessary data, either because the data was not captured or because it was captured but not screened. One particular data category has emerged as a root cause of sanctions failures, contributing to 19% of all enforcement during the period: IP addresses,1 and in particular, firms failing to screen IP data or restrict access from IP addresses in sanctioned jurisdictions.
The increase in IP-related enforcement demonstrates the challenges of an ever-evolving data landscape for sanctions compliance. New products and delivery channels create additional ways for customers to interact with institutions and, consequently, new data footprints. Firms must understand what data is relevant for sanctions monitoring, identify the different channels where this data is available, and implement comprehensive screening. In addition to enhancing data collection practices, institutions should consider data-mapping exercises to develop a more thorough and risk-based screening program for customer data.
Inadequate third-party screening or list providers
While issues with ineffective customer and transaction screening systems have traditionally triggered OFAC enforcement, three actions since 2021 highlight the importance of effectively overseeing a specific component of screening systems: third-party screening lists and services.
In one instance, an institution’s vendor screened customers and transactions against the specially designated nationals and blocked persons list but not against sanctioned countries. In another, an institution was unaware that its vendor only screened the customer base against sanctions lists monthly instead of daily. OFAC also settled with an institution that relied on a vendor-supplied politically exposed person (PEP) list that omitted government employees of sanctioned countries.
Institutions must oversee vendor-provided screening lists or services to ensure the screenings align with their sanctions compliance standards, including confirming the suitability of vendor-provided sanctions lists.
Impact of mergers and acquisitions
Institutions undergoing mergers or acquisitions often execute changes that leave the newly structured firm subject to distinct sanctions. In 2022, OFAC fined two institutions for failing to adjust to how sanctions risk profiles changed as they experienced rapid organizational expansion. In one instance, an acquiring institution breached sanctions when it processed a payment from a sanctioned customer for an outstanding invoice issued before the acquisition. Additionally, in 2023, OFAC fined an institution $30 million for trade-finance transactions with sanctioned jurisdictions made through a software platform that was part of a larger acquisition. OFAC noted that senior management’s failure to act on internal escalations related to potential sanctions violations associated with the acquisition was an aggravating factor in the enforcement.
Institutions must invest in sanctions compliance programs, appointing and empowering a sanctions or OFAC compliance officer to address risks before and after M&A activities. The right governance and organizational structure help establish a compliance tone at the top and provide the operational clarity and accountability to manage escalations effectively.
Expectations for sanctions programs
OFAC’s Framework for OFAC Compliance Commitments identifies the five pillars of an effective sanctions compliance program:
Risk-based implementation of these pillars gives firms a sustainable and efficient way to manage sanctions compliance, including challenges posed by new data monitoring expectations, M&A, and third-party services. For example, an effective sanctions governance framework includes cross-functional stakeholder engagement that would proactively identify regulatory expectations regarding geolocation data and the channels where the firm collects that information.
Similarly, risk-based testing of third parties would help establish that services align with expectations.
Each pillar synergizes with the others and is integral to the success of a sanctions program, but for any firm looking to right-size its sanctions compliance, the risk assessment is the foundation. Risk assessments provide a comprehensive, structured way to understand how changes to a firm—including new products, new geographies, and organizational changes—impact sanctions exposure. Firms should ensure they have the appropriate expertise to perform the assessment and accountability that any necessary actions are implemented and supported on an ongoing basis by the other four program pillars.
How Promontory can help
Promontory tracks regulatory and sanctions developments and is prepared and equipped to support clients in delivering a risk-based approach for sanctions compliance-related matters. Specifically, Promontory can help:
Evaluate the sanctions program and design target operating models
Footnotes