Domestic ACH Transactions: To OFAC or Not to OFAC, That is the Question; Programming Note
Wade Gustafson is sending a domestic ACH to Jean Lundegaard through your credit union. Should an Office of Foreign Assets Control (OFAC) check be run on both Mr. Gustafson (originating party) and Ms. Lundegaard (the recipient)? And, should this be performed in real-time to allow for the transaction to be stopped?
The conundrum here is that there isn’t a specific regulatory requirement that will tell you which transactions to run against OFAC. If a credit union facilitates a prohibited transaction, there is an OFAC violation. So, each credit union has to come up with an OFAC compliance program designed to ensure compliance based on the institution’s own risk. That basically means these accounts – and their related OFAC risks – should be addressed in your risk assessment, and your policy should then be designed to mitigate that risk.
The Federal Financial Institutions Examination Council's (FFIEC) Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual has a section on OFAC compliance and ACH transactions that discusses the expectations for Originating Depository Financial Institutions (ODFIs) and Receiving Depository Financial Institutions (RDFIs). It essentially appears to say that ODFIs are responsible for verifying the status of the originator and RDFIs are responsible for verifying the status of the receiver/beneficiaries. In the section (pp. 217-224) on Automated Clearing Transactions – Overview, the manual states:
"Because of the nature of ACH transactions and the reliance that ODFIs and RDFIs place on each other for OFAC reviews and other necessary due diligence information, it is essential that all parties have a strong CDD program for regular ACH customers.
With respect to domestic ACH transactions, the Originating Depository Financial Institution (ODFI) is responsible for verifying that the Originator is not a blocked party and making a good faith effort to ascertain that the Originator is not transmitting blocked funds. The Receiving Depository Financial Institution (RDFI) similarly is responsible for verifying that the Receiver is not a blocked party. In this way, the ODFI and the RDFI are relying on each other for compliance with OFAC regulations.
If an ODFI receives domestic ACH transactions that its customer has already batched, the ODFI is not responsible for unbatching those transactions to ensure that no transactions violate OFAC's regulations. If an ODFI unbatches a file originally received from the Originator in order to process "on-us" transactions, that ODFI is responsible for the OFAC compliance for the on-us transactions because it is acting as both the ODFI and the RDFI for those transactions. ODFIs acting in this capacity should already know their customers for the purposes of OFAC and other regulatory requirements. For the residual unbatched transactions in the file that are not "on-us," as well as those situations where banks deal with unbatched ACH records for reasons other than to strip out the on-us transactions, banks should determine the level of their OFAC risk and develop appropriate policies, procedures, and processes to address the associated risks. Such policies might involve screening each unbatched ACH record. Similarly, banks that have relationships with third-party service providers should assess those relationships and their related ACH transactions to ascertain the bank's level of OFAC risk and to develop appropriate policies, procedures, and processes to mitigate that risk." (Emphasis added).
The BSA/AML Examination Manual indicates noncustomer transactions should be checked against OFAC lists prior to being executed. Although the manual discusses these "responsibilities" as being separated, the duty on both financial institutions to prevent prohibited transactions from occurring is absolute. Both institutions are completely responsible for not facilitating a prohibited transaction.
If the credit union has a particular relationship with another institution (beyond mutual participation in NACHA), there could be contractually agreed processes for running OFAC checks or due diligence conducted that might justify a decision not to run checks on everyone. Still, reliance on the NACHA rules does not necessarily appear to be sufficient. NACHA issued its own OFAC compliance whitepaper, which states:
"…In terms of the ACH Network, this means that all U.S. ACH participants, including Originators, Originating Depository Financial Institutions (ODFIs), Receiving Depository Financial Institutions (RDFIs), Receivers and third-parties need to be aware that they can be held accountable for sanctions violations by the U.S. Government and must understand their compliance obligations.
Debit Entries: In the event that the ODFI inadvertently processes an unlawful ACH debit entry to a blocked account, the RDFI holding the blocked account (or an intermediary receiving point such as a correspondent or third-party processor able to identify the transaction), in compliance with OFAC policies, should return the entry in accordance with the NACHA Operating Rules using Return Reason Code R16 (Account Frozen). In this way, the proceeds do not leave the blocked account and the ODFI is informed of the reason."
The expectation is that ODFIs and RDFIs will work together to prevent OFAC violations. However, NACHA emphasizes that the ODFI also bears the responsibility to make a good faith effort to determine that the originator is not transmitting funds to a blocked party. Similarly, the RDFI is also responsible for knowing and responding properly if a transaction is made from a party subject to sanctions. Ultimately, there is not a "right" answer to this question. It is a question of risk-based decision-making for the credit union and the expectations of the credit union's examiners.
Programming Note. NAFCU will close at noon today and be closed on Monday for the holiday weekend. We will be back to blogging on Wednesday.
NAFCU's compliance attorneys are in San Diego, California, the rest of next week at the fall session of Regulatory Compliance School and the 2017 Regulatory Compliance Seminar. We appreciate your patience as your compliance questions will be answered, but our replies might be slightly delayed with the time difference.
Enjoy your weekend!