Compliance Blog

I'd be curious to know how many credit unions use dollar thresholds in their OFAC compliance program.  Dollar thresholds seem to be a logical way to build risk-based internal controls that control OFAC-related risk. 

For example, if a member wants to get a cashier's check for $1, would you check the name of a non-member payee against the OFAC SDN list?   What if the check was for $10?  Or $100?  or $1,000?  If I am allowed to build risk-based policies and procedures, it might seem reasonable to limit SDN reviews to items above a certain threshold.  And the 2007 BSA/AML Examiner's Manual indicates that it is every credit union's duty to build risk-based policies and procedures, based on their risk profile.   Here's the Manual's OFAC Chapter.  That being said, I am not aware that any regulator has publicly blessed the threshold system.

And OFAC is quick to point out that their requirements apply to every transaction, regardless of dollar amount. Here's their Q and A that addresses this issue.  And just to add to the puzzle, in 2006, OFAC released these enforcement guidelines. (Note that OFAC retains enforcement authority for its regulatory regime.) The guidelines seem to imply that should OFAC see a violation of its rules, it will review the strength of the institution's compliance program before it decides whether to start an enforcement action.

One more thought: does one want to risk their reputation by showing up in an OFAC enforcement action? 

At the end of the day, compliance officers are left in the middle.  When they look to the right, they see the strict liability of OFAC requirements.  When they look to the left, they see their ability to craft risk-based policies and procedures.  It isn't a fun place to be.

I wish I had an easy answer on this one.  Feel free to weigh in.