Managing Risk Under OFAC’s Cyber-Related Sanctions Program

Written by Shari R. Pogach, NAFCU Regulatory Paralegal

Yesterday, members of the Federal Financial Institutions Examination Council (FFIEC) (including the National Credit Union Administration and the Bureau of Consumer Financial Protection) released a joint statement on actions taken by Treasury’s Office of Foreign Assets Control (OFAC) under its Cyber-Related Sanctions Program. The statement notes these sanctions might impact a financial institution’s information technology and other operations, including the use of services of a sanctioned entity.

OFAC’s program was implemented on April 1, 2015, due to the threat to the U.S. national security, foreign policy and economy from malicious cyber-related activities originated or directed by parties outside of the U.S. Since its inception, OFAC has issued sanctions against a number of entities either involved in or responsible for malicious cyber-enabled activities by providing material and technological support to parties targeting U.S. organizations. Some of these sanctioned entities claim they are U.S. based and offer services to financial institutions. If an institution continues to use products or services from a sanctioned entity, whether directly or indirectly through a service provider, it risks increased operational and OFAC compliance risk that may result in violations of law, civil money penalties, enforcement actions, and reputational damage.

In order to mitigate its risk, a financial institution should ensure its OFAC compliance and risk management processes can identify, assess and mitigate any risks resulting from possible interactions with a sanctioned entity. OFAC compliance, fraud, security, IT, third-party risk management and risk functions within the institution should collaborate to assess any potential risk. An institution’s sanctions screening system should be updated and its processes and procedures should be in place in order to comply with these sanctions.

According to the joint statement, prohibited transactions include trade or financial transactions and other dealings, which may be broadly interpreted to include technical transactions such as downloading a software patch from a sanctioned entity. Continued use of software and technical services from a sanctioned entity may also increase cybersecurity risk for an institution. An institution’s third-party service provider may have used, or continue to use, products and services of a sanctioned entity on its behalf. In some cases, the sanctioned entity might be providing a critical service or control that cannot be immediately discontinued. In such instances, an institution should identify and implement an alternative solution as quickly as possible.

Due to the complexities of some third-party relationships and transactions relative to the sanctions or for any operational issues presented by the sanctions deadlines, impacted financial institutions are encouraged to contact OFAC, their legal counsel and/or their security offices for additional guidance. A financial institution may contact OFAC on its telephone hotline at 1-800-540-6322 or by email at ofac_feedback@treasury.gov.

The following additional resources are also available:

***

I vacationed in Porto, Portugal, last month, here are a few snaps that don’t do justice to the light and the gorgeous weather. And, roasted chestnuts from a street vendor along with a port wine tasting makes a lovely way to while away the time...............