Written by: Leo Moulis
Recently, federal and state examiners have heightened their regulatory scrutiny of financial institutions’ process and procedures for updating Office of Foreign Assets Control (OFAC) listings, filtering criteria/match threshold settings, and periodic testing of the matching methodology during Safety and Soundness Examinations. Financial institutions should have robust processes and controls in this area, especially given how common cross-border transactions are in the world of 21st century globalization.
Examiners expect financial institutions to have documented evidence of periodic OFAC compliance evaluations and test this process during Anti-Money Laundering/Countering the Finance of Terrorism (AML/CFT) examinations. Examiners are beginning to request evidence of recorded updates to the OFAC list scanning function as well as country sanctions screening configurations. Recent examinations have also criticized institutions with filtering criteria/matching thresholds set at “100%,” stating that it is too rigid and not risk-appropriate. Institutions should perform some type of analysis or testing of the matching methodology on a regular basis.
Periodic scanning of a financial institution’s customer database, new customer scanning, and transaction scanning against OFAC sanctions lists are part of an effective overall AML/CFT/OFAC compliance program. At the very least, installed OFAC lists should include the OFAC Specially Designated National and Blocked Persons (SDN) and Consolidated Lists, and may include a version of a Politically Exposed Persons (PEP) list. In addition, the software should have a sanctioned country configuration. Recent OFAC action against Russian oligarchs emphasized the “50% ownership rule” to sanction individuals not specifically on the SDN list.
As OFAC is a “risk-based” process, financial institutions are expected to maintain certain controls to ensure that the OFAC function allows the financial institution to address areas identified in the overall OFAC risk assessment. To that end, one of the major compliance hurdles is ensuring that scans are run against the most frequent lists, as OFAC updates the lists frequently. The majority of OFAC scanning software solutions will update the lists automatically, however documentation to support the updates may not be evident to the process owners, who are then unable to prove to examiners that the scanned lists are the most recent at any point in time.
Typically, scanning occurs nightly on new profiles and changes to existing profiles, and against the entire customer database with each OFAC update in most available AML/OFAC software, wire interdiction, and banking core systems. If the updates are not evident on the face of the scanning results, every effort should be made to ensure these dates are recorded and can be produced for examiners, especially if the lists must be manually updated by financial institution staff. Some financial institutions will test periodic updates to their software by entering a sample of names from the most recent Treasury SDN list into their OFAC filtering software for new accounts, database, teller functions, and wire interdiction to determine whether the names are present (whether the lists truly updated in their systems) and document the results.
Recent examinations have also criticized financial institutions for “exact match” filtering criteria, as any variance – either as an input error or slight spelling differences – may miss a potential match. While OFAC FAQs state that there is no “set threshold,” best practices for settings typically range between 80-90%, based on the documented risk the institution identifies for database, transaction, and new customer areas. Some software solutions also incorporate complex word and letter pattern methodologies, with no real set “threshold” that the process owners should be familiar with and able to explain to examiners, and produce supporting documentation on demand.
Finally, examiners expect financial institutions to periodically test their systems through “fuzzy logic” name variation or “no alert” testing to ensure that the system is functioning as intended. Some financial institutions will modify names from the SDN and run them through the various OFAC systems to test whether the systems are able to produce a “hit” on slight spelling variations (“fuzzy logic”), once validating that the systems updated to the most current list, as noted above.
While there is no defined period, best practice would be to perform any testing at the time AML/CFT parameter reviews are scheduled, or at least annually. Testing results and any changes to settings should be documented for audit trail purposes.
Our professionals offer comprehensive compliance and advisory services to financial institutions in these areas – contact our experts to learn how we can help.