The FFIEC started the list of higher-risk products, services, and customers in its BSA/AML Examination Manual: Office of Foreign Assets Control—Overview. Presenting the list (see also 31 CFR Part 501), FFIEC said:
In evaluating the level of risk, a bank should exercise judgment and take into account all indicators of risk. Although not an exhaustive list, examples of products, services, customers, and geographic locations that may carry a higher level of OFAC risk include:
• International funds transfers.
• Nonresident alien accounts.
• Foreign customer accounts.
• Cross-border automated clearing house (ACH) transactions.
• Commercial letters of credit and other trade finance products.
• Transactional electronic banking.
• Foreign correspondent bank accounts.
• Payable through accounts.
• Concentration accounts.
• International private banking.
• Overseas branches or subsidiaries.
In the BSA/AML Examination Manual, the FFIEC published Appendix M, Quantity of Risk Matrix—OFAC Procedures, which provides general guidance on products, services, customers, and operations (PSCO) of higher OFAC risk.
In this paper, we will examine regulations and guidance on higher risk products, services, and customers, and will end with a resource for what we believe is the most comprehensive list ever published of common products, services, and customer profiles (by NAICS code).
Building and documenting a risk-based OFAC compliance program based on this resource will, we believe, save you time and money and comply with the letter as well as the spirit of OFAC compliance regulations.
What can we learn from FFIEC’s Quantity of OFAC Risk Matrix (republished by the US Treasury Department here) together with the FFIEC Overview quoted above? We can learn the character of virtually every PSCO that regulators believe carries elevated OFAC risk, which comes in very handy when the examiner scrutinizes your OFAC compliance program.
Here are the characteristics of PSCO with elevated OFAC risk according to the Matrix:
- International in nature (e.g., foreign branches/agents, transactions to or from foreign locations, customers located in foreign locations)
- Higher-risk PSCO from a BSA/AML perspective (e.g., private banking offerings, money transmitters, forex dealers, non-resident aliens, cash-based businesses)
- Foreign correspondent banking relationships
- E-Banking products (e.g., bill pay, money transfers)
- Handling of non-customer funds transfers—especially international transfers
Of note are other factors FFIEC lists in the Matrix as high-risk. Largely, these factors are operational in nature and reflect the institution’s inability or unwillingness to comply with basic regulations and good risk management practices. Examples include the institution’s failure to implement and maintain a board-approved, appropriately staffed OFAC compliance program starting with a comprehensive OFAC risk assessment. For the purposes of this paper, we assume the reader is interested and willing to create an accurate OFAC risk assessment and maintain a compliant OFAC compliance program.
So, the foreign component of OFAC risk is obvious. Of course, you understand the importance of including (or having your OFAC vendor include) country-based Financial Sanctions and sanctions against non-US persons.
To create and explain your risk-based OFAC compliance program, though, it is helpful (we think critical) to go beyond country-based sanctions, document those PSCO that regulators have identified, and explain how your OFAC compliance program takes account of them. To do that, you need to compare a list of all high-risk PSCO against your PSCO.
It’s not as hard as it sounds, and we can help. If you’ll contact us at info@beregsmart.com, we’ll send you our comprehensive list of products, services, customers (by NAICS code), and operations that meet the criteria of the regulations (CFRs), FFIEC Overview, and OFAC Risk Matrix. We hope you’ll use that list to create a compliant OFAC risk assessment or make the good one you already have great!
About the Author
Mark Stetler is CEO of RegSmart. He has a BBA in Finance from Baylor University (cum laude, 1985) and a law degree from the University of Texas (with honors, 1988). Mark has worked in the financial services industry for 30 years as an attorney and entrepreneur. Mark previously co-owned one of the nation’s largest firms specializing in forensic financial audits. He is a Certified Anti-Money Laundering Specialist and a chief architect of RegSmart’s anti-money laundering risk assessment and audit SaaS.