Money Laundering, Terrorism and Financial Institutions - USA Patriot Act Monitor

News Releases

3/03/2006 OFAC Describes Best Practices
The Office of Foreign Assets Control has provided best practice guidelines for banking institutions in fulfilling their OFAC-related responsibilities.  Included in the release are two risk matrices, one from Appendix M of the FFIEC Exam Manual released last year (the Manual was discussed in the November and December Monitors), and a second listing six additional factors to help determine a bank’s risk level. OFAC, like FinCEN, has begun to emphasize staffing levels of compliance departments, looking beyond the fact that someone is designated with compliance responsibility to determine that the designated individual or individuals have time to do the job.  (See the discussion of the Oppenheimer fine in the forthcoming March Monitor.)  Matrix B (materials in addition to the FFIEC Manual) is reproduced below:

Matrix B    
Management has fully assessed the bank’s level of risk based on its customer base and product lines. This understanding of risk and strong commitment to OFAC compliance is satisfactorily communicated throughout the organization. Management exhibits a reasonable understanding of the key aspects of OFAC compliance and its commitment is generally clear and satisfactorily communicated throughout the organization, but it may lack a program appropriately tailored to risk. Management does not understand, or has chosen to ignore, key aspects of OFAC compliance risk. The importance of compliance
is not emphasized or communicated throughout the organization.
The board of directors, or board committee, has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate, and consistent with the bank’s OFAC risk profile. The board has approved an OFAC compliance program that includes most of the appropriate policies, procedures, controls, and information systems necessary to ensure compliance, but some weaknesses are noted. The board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient.
Staffing levels appear adequate to properly execute the OFAC compliance program Staffing levels appear generally adequate, but some deficiencies are noted. Management has failed to provide appropriate staffing levels to handle workload.
Authority and accountability for OFAC compliance are clearly defined and enforced, including the designations of a qualified OFAC officer. Authority and accountability are defined, but some refinements are needed.  A qualified OFAC officer has been designated. Authority and accountability for compliance have not been clearly established. No OFAC compliance officer, or an unqualified one, has been appointed. The role of the OFAC officer is unclear.
Training is appropriate and effective based on the bank’s risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance. Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program. Training is sporadic and does not cover important regulatory and risk areas.
The institution employs strong quality control methods. The institution employs limited quality control methods The institution does not employ quality control methods.


USA PATRIOT ACT MONITOR is published by Civic Research Institute, Inc., 4478 U.S. Route 27, P.O. Box 585, Kingston, NJ 08528, 609-683-4450,, as an update service for Money Laundering, Terrorism and Financial Institutions: Law · Regulation · Compliance · USA PATRIOT Act Monitor © 2004 Civic Research Institute, Inc. All rights reserved. Unauthorized copying expressly prohibited. The information in this publication is not intended to replace the services of a trained legal professional. Neither the editors, nor the contributors, nor Civic Research Institute, Inc. are by this publication engaged in rendering legal, accounting, or other professional services. The editors, contributors, and Civic Research Institute, Inc., specifically disclaim any liability, loss, or risk, personal or otherwise, which is incurred as a consequence, directly or indirectly, of the use or application of the contents of this publication.

<< News Releases Main Page