OFAC compliance issues
Contributed by Eric A Sohn, CAMS, Senior Engagement Manager, Accuity (https://accuity.com). Contributed articles do not necessarily reflect the viewpoint of ÆGIS.
Did Credit Suisse’s $536 million fine by the Treasury Department’s Office of Foreign Assets Control (OFAC) get your attention? Other than by not doing what they are alleged to have done, what should you be doing to comply with OFAC’s regulatory sanctions programs?
First, it is critical to understand what OFAC wants and what is required. This can be accomplished by reading the details of each sanctions program posted on their website (https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions-programs-and-information). You’ll notice that it’s not as simple as merely looking for the names on the OFAC Specially Designated Nationals (SDN) list published on their site. If you’re going to rely on a commercial data vendor to cover everything you actually need to screen your data against, make sure they understand this too: ask them specifically whether they enhance the SDN list and, if so, how those enhancements are made.
Next, accept the reality that the overwhelming majority of the items that look like matches will, in fact, not be true matches. BNP Paribas did an internal study that showed that, when matching listed names exactly (as opposed to using ‘fuzzy logic’ or phonetic matching), they received 1,000 of these “false positive” matches for every legitimate match. This could be due to a number of factors, including the fact that many of the terrorists and drug traffickers on the SDN list (two of the largest categories of listed individuals) have common names. Also, since nothing requires a person to supply their full or legal name when conducting business (look at your credit cards and driver’s license to see what I mean), OFAC screening entails matching incomplete list data against incomplete customer data, a fact that will naturally inflate match rates and the corresponding false hits.
Now, it’s time to design your program and process. What information are you screening? And why and how are you screening the data selected? You could screen your customer database, your employees, your contractors, your vendors… and/or every business transaction you’re involved in. Is that necessary? It depends on your business. If you only deal with known counterparties, such as existing customers and vendors, you may potentially be able to skip some or all transaction screening. When will you screen? Best practice is to screen when you establish a relationship and when you conduct transactions, as well as re-screening your static data whenever the OFAC SDN list changes. However, if the nature of your business makes it less likely that you will run into entities on the list, you may be able to perform periodic screenings of certain data rather than screening on a more timely basis, such as at the moment each transaction is processed.
Who will review matches (resulting from the screening process), and who will be empowered to make decisions about vetting such matches? That’s not such a cut-and-dried question. For example, you might allow front-line staff to perform triage, weeding out obvious false positives, but require them to escalate anything requiring greater scrutiny to compliance or legal staff (or a call to OFAC to get insight as to how to proceed). If front-line staff will perform triage, you should review their work on a periodic basis; you just need to figure out how often, by whom and how you will accomplish it. Additionally, you’ll have to decide how you will document every decision made by staff, as well as how and when upper management should get involved. And please, please, please document all of this, since it will help you greatly if there is ever an investigation into violations your firm was involved in.
Lastly, let’s go back to our second point about costs. There are ways to reduce the size of your “data haystack” in your daily search for the needles. When selecting a screening solution vendor, you should inquire into the nature of their false positive reduction tools and how they are used. Using them, of course, raises a host of other internal process questions, including: How are new system changes intended to reduce matches tested, and by whom? How are changes to the rules or processes in use proposed and approved, and by whom? And, since not all false positive reduction changes are without risk, what sorts of risks are acceptable in order to reduce your match rate (and your costs)?
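To make the exact-versus-fuzzy matching trade-off and the false positive reduction rules discussed above concrete, here is an added example (not from the article or any vendor product) of a minimal screening pass. The watchlist entries, names and dates of birth are constructed and fictitious; a real program would load the OFAC SDN list (plus any vendor enhancements) and tune the threshold and closure rules under documented, approved change control.

```python
"""Minimal sanctions-screening pass: exact and fuzzy name matching plus one
false positive reduction rule (date-of-birth conflict). Added example with a
constructed, fictitious watchlist; not real SDN data."""
import difflib
import re
import unicodedata

# Constructed watchlist: fictitious names, dates and country codes.
WATCHLIST = [
    {"uid": "W-0001", "name": "Doe, John Quincy", "dob": "1970-01-15", "country": "XX"},
    {"uid": "W-0002", "name": "Smith, Alexander", "dob": None, "country": "YY"},
]


def normalize(name: str) -> str:
    """Fold accents, case, punctuation and token order so that
    'Dóe, John Quincy' and 'john quincy doe' compare as equal strings."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z ]", " ", folded.lower()).split()
    return " ".join(sorted(tokens))


def screen(record: dict, watchlist=WATCHLIST, fuzzy_threshold: float = 0.85) -> list:
    """Screen one customer record against the watchlist.

    An exact normalized match scores 1.0; otherwise a difflib similarity ratio
    is used and anything at or above fuzzy_threshold is a hit (this is where
    the false positive volume comes from). A hit whose listed DOB conflicts
    with a known customer DOB is auto-closed as a false positive; every other
    hit is escalated for human review, and the disposition is recorded so the
    decision trail can be audited.
    """
    hits = []
    cust = normalize(record["name"])
    for entry in watchlist:
        listed = normalize(entry["name"])
        if cust == listed:
            score = 1.0
        else:
            score = difflib.SequenceMatcher(None, cust, listed).ratio()
        if score < fuzzy_threshold:
            continue
        if entry["dob"] and record.get("dob") and entry["dob"] != record["dob"]:
            disposition = "closed: DOB mismatch"
        else:
            disposition = "escalate"
        hits.append({"uid": entry["uid"], "score": round(score, 2), "disposition": disposition})
    return hits
```

Lowering `fuzzy_threshold` catches more spelling variants (such as the "Smyth" hit above) at the cost of more false positives, which is exactly the risk-versus-match-rate decision the article says must be made and documented deliberately.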