Skip to main content

Looking for Valuant? You are in the right place!

Valuant is now Abrigo, giving you a single source to Manage Risk and Drive Growth

Make yourself at home – we hope you enjoy your new web experience.

Looking for DiCOM? You are in the right place!

DiCOM Software is now part of Abrigo, giving you a single source to Manage Risk and Drive Growth. Make yourself at home – we hope you enjoy your new web experience.

Key components of a strong sanctions compliance program

Terri Luttrell, CAMS-Audit, CFCS
March 2, 2022
Read Time: 0 min

Create an effective sanctions program

Considering the current economic and political environment, it is crucial that financial institutions maintain a strong sanctions compliance program (SCP).

Would you like others articles like this in your inbox?

Sanctions compliance has always been an integral part of a strong Bank Secrecy Act (BSA) program, but now more than ever financial institutions must be diligent and understand all sanctions relating to the Russian/Ukraine conflict. The risk to a financial institutions for missing a sanctioned transaction is not only financial, but the reputational aspect relating to Russian sanctions cannot be overlooked.

The Office of Foreign Assets Control (OFAC) of the U.S. Treasury Department has long administered and enforced economic and trade sanctions against foreign countries, regimes, terrorists, international narcotics traffickers, and transnational organized crime. What once may have been as simple as an “are they on the list or not,” OFAC compliance has increased in complexity and clarity with guidance released within the past few years. Compliance professionals clearly understand the stakes of sanctions violations. The civil monetary penalties and reputational risk underscore the need for financial institutions to employ seasoned sanctions officers and automated scanning solutions.

Considering the current economic and political environment, both globally and domestically, it is crucial that financial institutions maintain a strong sanctions compliance program (SCP). The release of the FinCEN Files in 2020 detailed the extraordinary amount of illicit funds flowing through our financial institutions from kleptocrats, international money launderers, and terrorists. Greater regulatory scrutiny has been placed on transactions to and from sanctioned countries, individuals, and entities, and it is expected to continue as a hot topic for examiners, especially as the situation with Russia escalates. In 2019, OFAC issued new guidance on the essential components of a strong OFAC compliance program. Now more than ever, the guidance is an important tool in creating an effective SCP.

Stay OFAC-compliant while providing efficiency and integrity to your BSA program.

learn more
OFAC guidance

Five key components to effective OFAC sanctions compliance

A financial institution’s sanctions compliance program should be risk-based and unique to each financial institution. Each institution's SCP will vary depending on its size and complexity, products and services, customers and counter-parties, and geographic locations. In the guidelines, OFAC identifies five key components for OFAC compliance that are not unlike the BSA program requirements that financial institutions have been implementing for years.

1. Management commitment

As with any compliance program, one of the most important aspects of a strong SCP is a “culture of compliance,” from the top, to the middle, to the front line. As seldom seen from the regulatory authorities, the Guidelines generally defines management as senior leadership, executives, or the board of directors. In addition to promoting a culture of compliance, effective senior management is expected to:

  • Review and approve the institution’s sanctions compliance program
  • Deploy policies and procedures with direct reporting lines between the SCP function and senior management to include periodic meetings between the two groups
  • Allocate adequate resources (human capital, expertise, information technology, and other resources), including a dedicated OFAC sanctions compliance officer with appropriate experience, qualifications, and position within the organization
  • Report sanctions misconduct without fear of reprisal and to have SCP oversight of actions concerning OFAC sanctions
  • Recognize sanctions compliance deficiencies and implement necessary measures to reduce future violations through addressing root causes and applying systemic solutions

2. Risk assessment

OFAC recommends that financial institutions take a risk-based approach to sanctions compliance. To determine potential risks in sanctions, institutions should conduct a routine and ongoing sanctions risk assessment. While there is no one-size-fits-all, the guidance states that a holistic top to bottom review is necessary to identify areas where to use valuable resources to mitigate those risks. The guidance outlines expectations of a sanctions risk assessment including:

  • Frequency that adequately accounts for potential risks posed by customers, products, services, supply chain, intermediaries, counter-parties, transaction, and geographic locations
  • Updates to account for any root causes or systemic deficiencies of sanctions violations
  • Due diligence efforts such as on-boarding and mergers and acquisitions

3. Internal controls

The guidance is clear that an effective sanctions compliance program should include internal controls. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the institution’s risk assessments. General aspects of internal controls should include:

  • Policies and procedures outlining the SCP, which should be enforced
  • Controls that adequately address the OFAC risk assessment
  • Recordkeeping that adequately accounts for pursuant to the requirements of OFAC
  • Remediation of root causes of weaknesses identified
  • Clear communication of SCP policies and procedures to all relevant staff
  • Personnel to integrate SCP’s policies and procedures into daily operations

4. Testing and auditing

A comprehensive, independent, and objective testing or audit function within an SCP ensures that an organization identifies program weaknesses and deficiencies. It is the organization’s responsibility to enhance its program, including all program-related software, systems, and other technology. The SCP program should include:

  • Controls to ensure the testing or audit function is accountable to senior management and is independent of the functional structure
  • Testing or audit procedures appropriate to the risk-based SCP
  • Controls around identified weaknesses until the root cause can be determined and remediated

5. Training

The training program should be provided to all appropriate employees and personnel on a periodic basis, at a minimum annually. Effective SCP training should be:

  • Job-specific and based and should be tailored all stakeholders
  • Applicable for the products and services offered, customers and geographic regions
  • Conducted at a frequency based on the institution’s OFAC risk assessment
  • Enhanced and conducted upon a confirmed deficiency concerning relevant personnel
  • Easily accessible resources and materials

Within the guidance, OFAC further points out several common root causes for SCP deficiencies. Being proactive and thorough with your SCP will help ensure your institution does not fall into unknown weaknesses. Common root causes include:

  • Lack of a formal OFAC SCP
  • Misinterpretation or failure to understand OFAC regulations
  • Facilitating transactions by non-U.S. persons
  • Exporting or re-exporting U.S.-origin goods, technology, or services to OFAC sanctioned persons or countries
  • Utilizing the U.S. financial system, or processing payments to or through U.S. financial institutions, for commercial transactions involving OFAC-sanctioned persons or countries
  • Sanctions screening software or filter faults
  • Improper due diligence on customers
  • De-centralized compliance functions and inconsistent application of an SCP
  • Utilizing non-standard payment or commercial practices
  • Individual liability, particularly in supervisory, managerial, or executive-level positions

Moving forward

The guidance is similar to the BSA program requirements that financial institutions have been implementing for years. The guidance describes the same components for an institution’s SCP, and the requirements now mirror the sanctions section of the FFIEC BSA/AML Manual. Now is the time to shore up your AML and SCPs. Nothing dictates how a financial institution should accomplish this. In fact, the guidance stresses the importance of a risk-focused, unique approach. Should an institution include the SPC as part of the overall BSA/AML program? It is up to each institution, but since the guidance is specific to an SPC, it may be prudent to separate the two to ensure each is comprehensive and dynamic. For further information on OFAC or the recommendations for a SCP, visit the OFAC website or OFAC Frequently Asked Questions.

About the Author

Terri Luttrell, CAMS-Audit, CFCS

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.