Bank's Sanctions Violations Provide Insight Into OFAC Compliance Expectations, Firms Say
The Office of Foreign Assets Control’s recent finding of a violation sent to Midfirst Bank can serve as useful insight into OFAC’s compliance expectations, various firms focusing on compliance said. The enforcement notice, which outlined several mistakes by the bank in its attempt to comply with U.S. sanctions, also represents a warning to companies with insufficient screening processes, the firms said.
OFAC issued the finding of a violation to Midfirst last month after saying it misunderstood how frequently its vendor screened new Specially Designated National List names against its existing customer base (see 2207210057). Companies, particularly financial institutions, should be “regularly” screening their entire customer list against the SDN List, Herbert Smith Freehills said in a recent Sanctions Notes blog, or “otherwise ensuring that additions to the SDN List are promptly reflected in the Bank’s compliance posture.” Companies also need to be “well informed” of the frequency and types of screening procedures being conducted by third-party vendors.
Although MidFirst’s vendor conducted regular screening, it screened MidFirst’s entire customer base only once a month. Comply Advantage, a reg tech company, said companies should make sure a comprehensive screening is conducted more frequently, particularly because of how often sanctions lists can change. Having a “list management solution” that consolidates data and provides real-time updates is “crucial” to reacting to sanctions developments, the firm said in a recent post.
“Firms can be in violation of a sanctions regime a matter of minutes or hours after updates have been made,” Comply Advantage said. “Not only does this call for a robust understanding of the scope and frequency of a firm’s screening process, but it also underlines the importance of real-time monitoring of the latest news and alerts.”
Compliance teams also need to make sure they understand their vendor agreements and have “appropriate oversight and rigor” around their compliance programs, Comply Advantage said. Bracewell said that should include risk assessments and testing at “regular intervals,” including a “thorough review of clients, products, services, and geographic locations,” which allows companies to “adjust and tailor” their approach.
The firm said OFAC used the MidFirst enforcement notice to highlight the “five essential components” of a compliance program: buy-in from senior management, “thorough and routine” risk assessments, comprehensive testing and auditing, periodic training and defined internal controls and recordkeeping. Bracewell said internal controls need to give staff “streamlined policies and procedures that inform responses to potential prohibited activity.”
Firms should use the OFAC notice and the agency’s sanctions compliance guidelines as an “opportunity” to customize their sanctions program to better fit their organization, the firm said. “OFAC’s response to MidFirst Bank’s violation is an instructive development in its assessment of compliance measures, and an encouraging result for companies similarly working to comply with OFAC’s guidelines,” Bracewell said.