FDIC’s Supervision of Financial Institutions’ OFAC Compliance Programs December 2006 Report No. 07-001 AUDIT REPORT Background and Purpose of Audit The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is responsible for promulgating, developing, and administering economic and trade sanctions such as trade embargoes, blocked assets controls, and other commercial and financial restrictions under the provisions of various laws. In general, OFAC regulations prohibit financial institutions from engaging in transactions with the governments of, or individuals or entities associated with, foreign countries against which federal law imposes economic sanctions. Sanctions also can be used against dangerous groups and individuals, such as international narcotics traffickers, terrorists, and foreign terrorist organizations, regardless of national affiliation. As part of its enforcement efforts, OFAC publishes a list of individuals and companies controlled by, or acting for or on behalf of, targeted countries. The list also includes individuals and entities such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and entities are called Specially Designated Nationals and Blocked Persons (SDN). The objective of this audit was to determine whether the FDIC’s Division of Supervision and Consumer Protection (DSC) provides effective supervision of compliance with OFAC regulations by FDIC-supervised institutions. Results of Audit The FDIC’s supervisory approach to OFAC compliance includes examinations of controls established and implemented by FDIC-supervised financial institutions to ensure compliance with OFAC regulations. For the examinations we reviewed, FDIC examiners generally followed interagency guidelines in assessing the appropriateness of implemented controls and whether those controls were commensurate with the financial institutions’ specific product lines, customer base, nature of transactions, and identification of high-risk areas. In addition, the FDIC has taken important steps to address institutions’ OFAC compliance, such as participating in developing and issuing interagency guidance for examiners and banking organizations, including notifications on updates to OFAC’s SDN list; conducting OFAC-related training and outreach activities for examiners and the banking industry; issuing Bank Secrecy Act-related cease and desist orders that included OFAC-related provisions; and signing an interagency Memorandum of Understanding, which governs information-sharing between the Federal Banking Agencies and OFAC. The FDIC, however, could enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions. In addition, examiner work paper documentation and reports of examination could be improved with respect to examination planning and contact with OFAC, completing core examination procedures, and concluding on the adequacy of OFAC compliance programs and interdiction systems used by financial institutions. These measures could assist the FDIC and OFAC in addressing the risks associated with financial institution noncompliance with OFAC regulations. We also identified a matter for congressional consideration regarding examination and enforcement authorities associated with institution compliance with OFAC regulations. Specifically, a more comprehensive statutory and regulatory framework exists for the examination and enforcement of Bank Secrecy Act (BSA) compliance and the establishment of BSA compliance programs than for OFAC compliance, although both BSA and OFAC requirements address national security and law enforcement concerns. Recommendations and Management Response The report makes four recommendations for DSC to enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions; and issuing additional guidance to examiners to ensure consistent and comprehensive documentation of OFAC compliance to better assist the FDIC and subsequent examination teams in ensuring financial institution compliance with OFAC laws and regulations. DSC management concurred with two of the recommendations and agreed with the intent of the remaining two recommendations. Completed and planned actions are responsive to all recommendations. TABLE OF CONTENTS BACKGROUND RESULTS OF AUDIT DSC’S SUPERVISORY APPROACH TO OFAC COMPLIANCE Evaluation of OFAC Compliance Supervisory Monitoring Conclusion Recommendation Corporation Comments and OIG Evaluation DOCUMENTATION OF DSC’S EXAMINATION COVERAGE OF FINANCIAL INSTITUTION OFAC COMPLIANCE Recommendations Corporation Comments and OIG Evaluation MATTER FOR CONGRESSIONAL CONSIDERATION – AUTHORITIES FOR SUPERVISION OF OFAC COMPLIANCE Examination and Enforcement Authority for BSA Compliance Examination and Enforcement Authority for OFAC Compliance Conclusion APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY APPENDIX II: REGULATORY AUTHORITY AND OVERSIGHT FOR OFAC AND BSA COMPLIANCE APPENDIX III: CORPORATION COMMENTS APPENDIX IV: MANAGEMENT RESPONSE TO RECOMMENDATIONS ACRONYMS AML Anti-Money Laundering BSA Bank Secrecy Act C&D Cease and Desist Order C.F.R. Code of Federal Regulations DSC Division of Supervision and Consumer Protection ED Examination Documentation FBA Federal Banking Agency FDI Federal Deposit Insurance FFIEC Federal Financial Institutions Examination Council FIL Financial Institution Letter FinCEN Financial Crimes Enforcement Network FRB Federal Reserve Board GAO Government Accountability Office MOU Memorandum of Understanding NCUA National Credit Union Administration OCC Office of the Comptroller of the Currency OFAC Office of Foreign Assets Control OIG Office of Inspector General OTS Office of Thrift Supervision RFPA Right to Financial Privacy Act SDN Specially Designated Nationals and Blocked Persons TEOAF Treasury Executive Office for Asset Forfeiture TFI Office of Terrorism and Financial Intelligence U.S.C. United States Code ViSION Virtual Supervisory Information on the Net

DATE:	December 14, 2006
MEMORANDUM TO:	Sandra L. Thompson, Director
	Division of Supervision and Consumer Protection
FROM:	Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
	Assistant Inspector General for Audits
SUBJECT:	FDIC’s Supervision of Financial Institutions’ OFAC Compliance Programs (Report No. 07-001)

This report presents the results of the subject FDIC Office of Inspector General (OIG) audit. The audit objective was to determine whether the FDIC’s Division of Supervision and Consumer Protection (DSC) provides effective supervision of compliance with Office of Foreign Assets Control (OFAC) regulations by FDIC-supervised institutions. All U.S. persons and entities, including U.S. banks, holding companies, and non-bank subsidiaries, must comply with OFAC regulations.^{[ 1 ]}

To address our audit objective, we (1) assessed the FDIC’s statutory and regulatory authorities for ensuring OFAC compliance by the institutions it supervises, (2) reviewed DSC’s supervisory and examination processes for OFAC compliance, and (3) reviewed DSC’s OFAC examination coverage at 16 sampled financial institutions. Our observations on statutory and regulatory authorities may apply equally to the other Federal Banking Agencies (FBA),^{[ 2 ]}which also examine financial institutions for OFAC compliance. Appendix I of this report discusses our objective, scope, and methodology in detail.

BACKGROUND

Within the U.S. Department of the Treasury (Treasury Department), the Office of Terrorism and Financial Intelligence (TFI) marshals the department's intelligence and enforcement functions for the purposes of safeguarding the nation’s financial system against illicit use and combating terrorist facilitators, money launderers, drug kingpins, and various national security threats. TFI is composed of several offices, including OFAC, the Financial Crimes Enforcement Network (FinCEN), and the Treasury Executive Office for Asset Forfeiture (TEOAF).

OFAC is responsible for developing, promulgating, and administering sanctions for the Secretary of the Treasury under various laws, including, but not limited to, the Trading With the Enemy Act and the International Emergency Economic Powers Act. In general, OFAC regulations prohibit financial institutions from engaging in transactions with the governments of, or individuals or entities associated with, foreign countries against which federal law imposes trade or economic sanctions. Sanctions can be used against dangerous groups and individuals, such as international narcotics traffickers, terrorists, and foreign terrorist organizations, regardless of national affiliation. Many of the sanctions are based on United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied governments. The U.S. Government has used economic sanctions as a tool against international terrorist organizations since 1995, marking a significant departure from the traditional use of sanctions against hostile countries or regimes. Following the terrorist attacks on September 11, 2001, Executive Order 13224 entitled, Blocking Property and Prohibiting Transactions With Persons Who Commit, Threaten to Commit, or Support Terrorism, was signed, significantly expanding the scope of U.S. sanctions against international terrorists and terrorist organizations.

As part of its enforcement efforts, OFAC publishes a list of individuals and companies controlled by, or acting for or on behalf of, targeted countries. The list also includes individuals and entities such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and entities are called Specially Designated Nationals and Blocked Persons (SDN).

OFAC regulations require financial institutions to block or reject accounts and transactions^{[ 3 ]} that involve any persons, entities, or countries that are included on the SDN list. Specifically, financial institutions must block transactions that are:

• by or on behalf of a blocked individual or entity,
• to or through a blocked entity, or
• in connection with a transaction in which a blocked individual or entity has an interest.

Further, financial institutions must file (1) initial reports within 10 days for accounts and transactions that are blocked and/or rejected and (2) annual comprehensive reports on all blocked property^{[ 4 ]} (held as of June 30) no later than September 30. An OFAC publication entitled, Foreign Assets Control Regulations for the Financial Community, dated November 23, 2005, provides guidance to financial institutions on monitoring financial transactions to ensure that SDNs, narcotics traffickers, and terrorists do not benefit from access to our nation’s financial system.

Violations of OFAC sanctions occur when a financial institution processes a transaction, with or for an SDN, that should have been blocked or rejected.^{[ 5 ]} OFAC can impose civil money penalties for violations of established sanctions. In addition, Title 18 United States Code (U.S.C.) §1001 provides for criminal penalties associated with OFAC noncompliance.

FDIC safety and soundness examinations of FDIC-supervised financial institutions include an assessment of financial institution compliance with Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) requirements.^{[ 6 ]} As part of the BSA/AML examinations, the FDIC assesses financial institutions’ OFAC compliance programs. Interagency guidance^{[ 7 ]} entitled, Bank Secrecy Act/Anti-Money Laundering Examination Manual,^{[ 8 ]} issued in June 2005 by the FFIEC provides examination procedures related to BSA, AML, and OFAC examinations. OFAC assisted in the development of the manual sections that relate to OFAC reviews. Further, in January 2006, OFAC published guidelines entitled, Economic Sanctions Enforcement Procedures for Banking Institutions,^{[ 9 ]} in the Federal Register that complement and expand upon examination guidance for OFAC examinations.

RESULTS OF AUDIT

The FDIC’s supervisory approach to OFAC compliance includes examinations of controls established and implemented by FDIC-supervised financial institutions to ensure compliance with OFAC regulations. For the examinations we reviewed, FDIC examiners generally followed interagency guidelines in assessing the appropriateness of controls implemented and whether those controls were commensurate with the financial institutions’ specific product lines, customer base, nature of transactions, and identification of high-risk areas. In addition, the FDIC has taken important steps to address institutions’ OFAC compliance at FDIC-supervised financial institutions.

The FDIC, however, could enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions (DSC’s Supervisory Approach to OFAC Compliance).

Further, examiner workpaper documentation and reports of examination could be improved with respect to examination planning and contact with OFAC, completing core examination procedures, and concluding on the adequacy of OFAC compliance programs and interdiction systems^{[ 10 ]} used by FDIC-supervised financial institutions (Documentation of DSC’s OFAC Reviews).

We also identified a matter for congressional consideration regarding examination and enforcement authorities associated with institution compliance with OFAC regulations. Specifically, a more comprehensive statutory and regulatory framework exists for the examination and enforcement of BSA compliance and the establishment of BSA compliance programs than for OFAC compliance and a related program, although both BSA and OFAC requirements address national security and law enforcement concerns (Matter for Congressional Consideration – Authorities for Supervision of OFAC Compliance).

DSC’S SUPERVISORY APPROACH TO OFAC COMPLIANCE

DSC’s supervisory approach to OFAC compliance includes examinations of controls established and implemented by FDIC-supervised financial institutions to ensure compliance with OFAC regulations. For the examinations we reviewed, FDIC examiners generally followed interagency guidelines in assessing the appropriateness of controls implemented and whether those controls were commensurate with financial institutions’ OFAC risk assessments. In addition, DSC has taken the following steps to address institutions’ OFAC compliance:

• participated in developing and issuing interagency guidance for examiners and banking organizations, including notifications on updates to OFAC’s SDN list;
• conducted OFAC-related training and outreach activities for examiners and the banking industry;
• issued BSA-related Cease & Desist (C&D) Orders that include OFAC-related provisions; and
• signed an interagency Memorandum of Understanding (MOU), which governs information-sharing between the FBAs and OFAC.

DSC could, however, enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions. These steps could assist the FDIC and OFAC in better addressing the risks associated with financial institution noncompliance with OFAC regulations and sanctions.

Evaluation of OFAC Compliance

DSC has implemented interagency guidelines for evaluating institutions’ OFAC compliance and taken additional steps in support of OFAC regulations. According to the FFIEC BSA/AML Examination Manual, to facilitate an examiner’s understanding of the financial institution’s risk profile and to adequately scope an OFAC examination, an examiner should review the financial institution’s:

• OFAC risk assessment that considers types of products, services, customers, transactions, and geographic locations;
• independent testing of its OFAC program;
• correspondence received from OFAC and, as needed, OFAC’s Web site to determine whether the institution has received any warning letters, fines, or penalties imposed by OFAC since the most recent examination; and
• correspondence related to periodic reporting of prohibited transactions and, if applicable, annual reports on blocked property.

The manual states that it is not the FBAs’ primary role to identify OFAC violations. Rather, the examination procedures are designed to help examiners determine whether financial institutions have policies, procedures, and processes in place for compliance with OFAC laws and regulations commensurate with an institution’s OFAC risk profile. DSC officials stated that if examiners identify significant issues with OFAC compliance during examinations, examiners may conduct additional transactional testing related to those issues.

Additional steps taken by the FDIC in support of OFAC regulations and sanctions are described below.

Interagency Guidance. DSC participated in the development of the FFIEC BSA/AML Examination Manual, issued in June 2005, and an updated version issued in July 2006. The project was a collaborative effort by the FBAs, OFAC, and FinCEN to ensure consistency in the application of the BSA/AML and OFAC regulations. With respect to OFAC compliance, the manual provides:

• expectations on OFAC compliance program elements;
• information on financial institutions’ responsibilities to report blocked and rejected accounts or transactions to OFAC;
• core procedures related to OFAC examinations; and
• an OFAC risk matrix, which examiners should use, as appropriate, when assessing a financial institution’s risk of encountering OFAC issues.

The manual is available to the banking industry as a reference guide for OFAC-related issues. In addition, DSC has issued financial institution letters (FIL) to announce new regulations and policies, including updates to OFAC’s SDN list.

Examiner Training and Outreach Activities. DSC has conducted and/or participated in a number of activities to familiarize examiners and financial institutions with guidance in the FFIEC BSA/AML Examination Manual. These events included:

• a training Webcast in July 2005 for approximately 1,200 federal and state bank examiners to discuss the BSA/AML manual;
• a series of teleconferences in August 2005 for bankers that included an overview of the BSA/AML manual and a question-and-answer session;
• banker outreach and examiner training events in August 2005 in 5 major U.S. cities; and
• nationwide BSA/AML conference calls for the examination staff and financial institutions in September 2006 to discuss the July 2006 changes to the FFIEC BSA/AML Examination Manual. More than 1,500 examiners and 10,650 bankers and industry representatives participated.

In addition, according to the FFIEC Annual Report 2005, the FFIEC has conducted extensive outreach activities with federal and state examiners and the banking industry on the FFIEC BSA/AML Examination Manual and regulatory expectations, reaching more than 23,000 bankers and examiners.

OFAC-Related Enforcement Actions. The FDIC has included OFAC-related provisions in BSA-related C&Ds. We reviewed the FDIC Enforcement Decisions and Orders Web site to identify C&Ds that included OFAC provisions for the period January 2004 through August 11, 2006. Although we did not identify any OFAC-specific C&Ds, we identified 10 cases in which the FDIC had included OFAC provisions in BSA-related C&Ds. Those OFAC provisions primarily related to financial institutions that had not implemented an adequate OFAC compliance program and/or institutions that had not implemented policies and procedures to ensure account databases were adequately compared against the OFAC SDN list.

Information Sharing With OFAC. To increase the level and extent of information sharing, the FBAs signed an MOU with OFAC in April 2006. In accordance with the MOU, the FBAs and OFAC can share information regarding OFAC’s administration and enforcement of economic sanctions, compliance with OFAC regulations by financial institutions, and financial institutions’ violations of OFAC sanctions. Specifically, the FBAs are to notify OFAC of:

• apparent, unreported sanctions violations identified during examinations of financial institutions;
• significant deficiencies^{[ 11 ]} in a banking organization’s policies, procedures, and processes for ensuring compliance with OFAC regulations.

In turn, OFAC will notify the respective FBA of enforcement actions OFAC takes against a financial institution. In August 2006, DSC issued a memorandum to its regional offices to formally communicate the information-sharing provisions of the MOU and establish a process for the exchange of information with OFAC.

Supervisory Monitoring

DSC has not established a comprehensive process for monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, or OFAC-related enforcement actions. DSC field staff review OFAC-related concerns on an examination-by-examination basis. Further, DSC does not consolidate this information to identify institution, regional, or national trends or patterns of noncompliance or program deficiencies. Specifically, we found that OFAC compliance information for FDIC-supervised institutions was not available on the following items:

• the number of violations of OFAC regulations,
• specific financial institutions that had not implemented the expected OFAC compliance program elements,
• FDIC enforcement actions that include provisions related to OFAC noncompliance,
• OFAC enforcement actions against FDIC-supervised financial institutions for apparent violations of trade or economic sanctions, or
• historical examination results related to OFAC compliance.

In a prior audit report issued in March 2004, we reported that the FDIC tracked supervisory actions related to BSA violations.^{[ 12 ]} Similarly, in another prior report issued in September 2006, we noted that the FDIC also tracks supervisory actions related to a range of other regulatory compliance requirements.^{[ 13 ]}

In the absence of monitoring data from DSC, we contacted OFAC for information on FDIC-supervised institutions. OFAC identified nine instances during 2004 and 2005 in which FDIC-supervised financial institutions may have violated sanctions by failing to block transactions as far back as 2001. The FDIC was aware of some, but not all, of the nine instances. At the time that we contacted OFAC, only two of those nine instances had been resolved by OFAC.

Conclusion

DSC has implemented interagency guidelines for evaluating institutions’ OFAC compliance and taken additional steps in support of OFAC regulations. However, DSC has not implemented certain supervisory controls for OFAC compliance, such as a system or process to monitor and track OFAC program deficiencies, institutions that may have violated OFAC sanctions, and enforcement actions taken by the FDIC and/or OFAC. As a result, the level of focus placed on OFAC compliance may not be sufficient to ensure that financial institutions implement the necessary controls to comply with OFAC regulations and take necessary actions to correct identified deficiencies and prevent future deficiencies or violations.

DSC could enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution violations of OFAC sanctions, compliance program deficiencies, and OFAC-related enforcement actions. A monitoring and tracking process would assist the FDIC in identifying those financial institutions that may have a history of not implementing effective controls to ensure compliance with OFAC regulations and, subsequently, may require further supervisory and/or enforcement consideration.

Recommendation

We recommend that the Director, DSC:

1. Implement a process to monitor and track OFAC sanctions violations, deficient OFAC compliance programs, and OFAC-related enforcement actions to assist in monitoring OFAC compliance.

Corporation Comments and OIG Evaluation

The Director, DSC, provided a written response to a draft of this report on December 8, 2006. DSC’s response is presented in its entirety in Appendix III of this report. DSC concurred with recommendation 1 and implemented a process in November 2006 to track and monitor OFAC sanctions violations and program compliance deficiencies. This process will help support DSC’s coordination with OFAC, such as on the seven unresolved instances OFAC identified in 2004-2005 in which FDIC-supervised institutions may have violated OFAC sanctions. DSC’s action for recommendation 1 is responsive, and we consider the recommendation resolved. However, the recommendation will remain open until we have determined that this action has been completed and is effective. Appendix IV presents a summary of DSC’s responses to our recommendations.

DOCUMENTATION OF DSC’S EXAMINATION COVERAGE OF FINANCIAL INSTITUTION OFAC COMPLIANCE

As instructed by the FFIEC BSA/AML Examination Manual OFAC core examination procedures, examiners generally (1) relied on the financial institutions’ risk assessments and the results of the institutions’ internal or external audits and (2) included documentation in the examination workpapers on financial institutions’ OFAC compliance programs, including OFAC-related policies and procedures, a designated compliance officer, internal controls, training, and independent testing. However, examiner workpaper documentation and reports of examination could be improved with respect to examination planning and contact with OFAC, completing core examination procedures, and concluding on the adequacy of OFAC compliance programs and interdiction systems used by the institutions. More complete documentation would ensure that examiner conclusions regarding financial institutions’ controls established and implemented for OFAC compliance are adequately documented, supported, and reported.

DSC’s Regional Directors Memorandum entitled, Guidelines for Examination Workpapers and Discretionary Use of Examination Documentation Modules (Transmittal 2001-039, dated September 25, 2001), defines standards for examination workpaper documentation. According to the guidelines, examination documentation should (1) demonstrate a clear trail of decisions and supporting logic and (2) provide written support for examination and verification procedures performed and conclusions reached and support the assertions of fact or opinion in reports of examination. Although the use of Examination Documentation (ED) Modules^{[ 14 ]} is discretionary, the guidelines recommend that examiners use the ED Modules for the BSA examinations, which include reviews of OFAC policies and procedures. DSC updated the ED Modules in July 2006 by incorporating the BSA/AML examination procedures, which include procedures for OFAC compliance.

We reviewed examination documentation on OFAC reviews conducted by 2 DSC regional offices for 16 financial institutions and made the following observations.

• Examination pre-planning documentation explicitly addressed OFAC compliance as a factor in determining the scope of examinations for 6 of the 16 institutions, while the pre-planning documentation for the other examinations did not specifically mention OFAC compliance. In some of these cases, examiners addressed BSA compliance in the examination pre-planning documentation, but it was not clear whether OFAC compliance had been considered. According to DSC guidance, examiners are to limit information in the pre-examination planning memoranda to an “exception only” basis for areas considered higher or lower-than-normal risk. Examiners are not required to comment on areas subject to regular examination procedures. Thus, we could not determine whether examiners had not considered OFAC compliance or there was “normal” risk that did not warrant mention in the pre-planning documentation.
• Although examiners reviewed OFAC correspondence that the financial institution maintained, there was no indication whether examiners had contacted their regional office, DSC headquarters, or OFAC before, during, or after the examination to determine whether those institutions have had any OFAC compliance civil money penalties or warning/cautionary letters or whether OFAC was conducting investigations or audits related to the financial institution being examined.
• Examination documentation of the extent of work completed was inconsistent for the OFAC-related core examination procedures provided in the FFIEC BSA/AML Examination Manual. For 5 of the 16 examinations, the core procedures had not been completed. Additionally, in four cases, examiners used check marks or symbols for some of the procedures without providing explanations of the symbols. However, in cases where the core procedures had not been completed, the workpapers contained evidence of documentation for some of the procedure steps. On the other hand, in seven cases, examiners provided detailed responses for each core procedure question.
• Examination workpapers and reports of examination did not usually include an overall conclusion on the sufficiency of the financial institution’s OFAC compliance program or the effectiveness of the financial institution’s interdiction system used to compare the institution’s accounts and transactions to the OFAC SDN list. Specifically, for 5 of the 16 examinations, the examination results did not include the examiner’s conclusion on the sufficiency of the bank’s OFAC compliance program. Documentation for only 2 of the 16 examinations presented conclusions on the adequacy of the financial institution’s interdiction system.

Additionally, we found it was difficult to identify information on the results of OFAC reviews because such information is embedded within the BSA/AML examination comments when BSA/AML deficiencies are identified. The FFIEC BSA/AML Examination Manual states that BSA and OFAC regulations are distinct and separate. However, financial institutions generally incorporate procedures related to OFAC compliance programs into BSA programs. For example, a financial institution’s OFAC officer is likely to be the institution’s BSA compliance officer, OFAC training is often conducted simultaneously with BSA training, independent testing of the OFAC program may be conducted concurrently with independent testing of the BSA program, and OFAC policies and procedures may be included in the financial institution’s overall BSA policies and procedures. One DSC official stated that all BSA/AML examinations should include a review of a bank’s OFAC compliance; however, we found that examiners were not consistent in including OFAC-related issues in examination comments.

Consistent and comprehensive documentation and reporting of OFAC compliance would better assist the FDIC and subsequent examination teams in ensuring financial institution compliance with OFAC laws and regulations. Additional examination guidance could help ensure that OFAC concerns are clearly identified apart from BSA-related observations.

Recommendations

We recommend that the Director, DSC:

2. Issue examination guidance to clarify the nature and extent of documentation expected for OFAC examination coverage, including documentation related to the planned scope of OFAC compliance coverage, OFAC actions related to the institution, the completion of core examination procedures, examination results and conclusions, and the effectiveness of the institution’s interdiction system.
3. Issue examination guidance on including the scope of work performed and conclusions on OFAC compliance in reports of examination.
4. Issue examination guidance to ensure that OFAC concerns at financial institutions are clearly identified apart from BSA-related observations for monitoring and tracking purposes.

Corporation Comments and OIG Evaluation

The Director, DSC, provided a written response to a draft of this report on December 8, 2006. DSC’s response is presented in its entirety in Appendix III of this report. DSC concurred with recommendation 2 and agreed with the intent of recommendations 3 and 4.

The FDIC and the other FBAs issued the Revised Bank Secrecy Act/Anti-Money Laundering Examination Manual in July 2006, which provides additional OFAC examination guidance and addresses aspects of recommendations 2 and 3. For recommendations 2 and 4, DSC agreed to review its examination guidance and by September 30, 2007, issue revised guidance or reminders to examiners, where necessary, to clarify the nature and extent of documentation expected for OFAC examination coverage. With respect to recommendation 3, DSC issued examination guidance on December 1, 2006, addressing the presentation of the scope of examination work and conclusions on OFAC compliance in reports of examination. The guidance adequately addresses our concerns. Therefore, we consider recommendation 3 to be resolved and closed.

DSC’s completed and planned actions for recommendations 2 and 4 are responsive to the recommendations, and we consider these recommendations resolved. However, these recommendations will remain open until we have determined that agreed-to corrective actions have been completed and are effective. Appendix IV presents a summary of DSC’s responses to our recommendations.

MATTER FOR CONGRESSIONAL CONSIDERATION – AUTHORITIES FOR SUPERVISION OF OFAC COMPLIANCE

As shown in detail in Appendix II, a more comprehensive statutory and regulatory framework exists for ensuring compliance with the BSA than for OFAC compliance, although both laws address national security and law enforcement concerns. The following sections summarize our analysis of the differences and their potential implications.

Examination and Enforcement Authority for BSA Compliance

Under Sections 8 and 10 of the Federal Deposit Insurance (FDI) Act, the FDIC has plenary authority to examine banks and enforce compliance with laws and regulations. Nevertheless, the Treasury Department has overall authority for BSA enforcement and compliance and has delegated examination authority to the FBAs for institution compliance with BSA record-keeping and reporting requirements. Further, of particular note:

• Section 8 of the FDI Act provides direct authority to the FBAs for BSA examination and enforcement.
• The FDI Act requires each FBA to (1) prescribe regulations requiring insured depository institutions to establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA, (2) review such procedures during examinations, (3) enforce compliance with the BSA monetary transaction recordkeeping and reporting requirements, and (4) issue C&Ds when deemed appropriate.
• The FDI Act authorizes the FBAs to impose civil money penalties for violations of C&D provisions.

Additionally, the FDIC Rules and Regulations, section 326.8, Bank Secrecy Act Compliance, outlines the compliance program elements that FDIC-supervised banks must establish and maintain to assure and monitor their compliance with BSA recordkeeping and reporting provisions.

Failure by an FDIC-supervised financial institution to comply with the BSA requirements can result in regulatory actions by the Treasury Department and/or the FDIC. The BSA and its underlying regulations give the Treasury Department authority to assess civil money penalties for violations and to refer cases to the Department of Justice for possible criminal prosecution. The FDIC is required to report all identified BSA violations to the Treasury Department and to refer violations that warrant penalties. Such referrals, however, do not preclude the FDIC from taking regulatory action when BSA violations are identified.

Examination and Enforcement Authority for OFAC Compliance

The statutory and regulatory framework for OFAC compliance is generally limited to OFAC-specific oversight and enforcement activities and focuses on transaction and account-level requirements and penalties. Specifically, as discussed earlier, OFAC has overall responsibility for developing, promulgating, and administering sanctions for the Treasury Department. In addition:

• OFAC can review an institution’s compliance with OFAC-administered economic sanctions programs and take enforcement action through delegations of authority from the Secretary of the Treasury. However, these authorities have not been delegated to the FBAs that routinely perform OFAC compliance reviews as part of BSA/AML examinations. Additionally, the Government Accountability Office (GAO) and Treasury Department OIG have concluded that OFAC is limited in its ability to monitor financial institution compliance with foreign sanction requirements and does not have the authority to conduct examinations or proactively monitor financial institutions for compliance.^{[ 15 ]}
• Executive Order 13224 expanded the scope of U.S. sanctions against international terrorists and terrorist organizations and OFAC’s authority related to such activities. However, the Executive Order was not accompanied by comparable changes in the statutory framework for OFAC compliance. Additionally, the Executive Order did not address the FBAs’ authority in this area.
• Although financial institutions must comply with OFAC regulations and sanctions, there are no laws or regulations requiring institutions to have an OFAC compliance program. Therefore, the FBAs and OFAC must rely on financial institutions to implement appropriate controls to ensure compliance with OFAC-related laws and regulations as a matter of sound banking practice, not as a requirement. DSC officials have stated that (1) FDIC-supervised financial institutions are complying, to a great extent, with OFAC requirements and that (2) the lack of a statutory or regulatory requirement has not limited the extent of the FDIC’s oversight and supervision of OFAC compliance programs.
• The FBAs lack specific statutory and regulatory authority for taking enforcement actions associated with institution noncompliance with OFAC regulations. Instead, U.S.C. Title 12 authorizes the FBAs to take certain enforcement actions if they determine that an institution is engaging in unsafe and unsound practices or has violated any applicable law or regulation. The FBAs have interpreted this authority to allow them to take formal enforcement actions aimed at addressing violations of OFAC regulations. However, we did not identify any instances in which the FDIC had taken enforcement actions solely related to OFAC sanctions violations or program deficiencies. Rather, some supervisory actions that addressed BSA violations and deficiencies also addressed OFAC deficiencies.

The FDIC and OFAC have provided guidance to financial institutions that outline controls that financial institutions are expected to implement to ensure compliance with OFAC requirements. The guidance states that financial institutions should establish and implement controls similar to those required for BSA compliance programs. According to the FFIEC BSA/AML Examination Manual, as a matter of sound banking practice and in order to ensure compliance with OFAC regulations, financial institutions should establish and maintain an effective, written OFAC compliance program commensurate with their specific product lines, customer base, nature of transactions, and identification of high-risk areas for OFAC transactions. Recognizing high-risk areas, an institution should include in its compliance program appropriate internal controls necessary to meet established expectations and ensure compliance. Those controls should include:

• a risk assessment based on product lines, customer base, nature of transactions, and identification of high-risk areas for OFAC transactions;
• policies and procedures;
• a designated compliance officer;
• a system of internal controls;
• training; and
• independent testing.

In addition, OFAC’s guidance entitled, Foreign Assets Control Regulations for the Financial Community, dated November 23, 2005,^{[ 16 ]} outlines the type of controls that could be implemented to ensure that financial institutions properly identify and block or reject prohibited transactions and report these transactions to OFAC. The guidance, however, does not constitute a legally-enforceable requirement for a compliance program.

Conclusion

Although Executive Order 13224 expanded the scope of U.S. sanctions against international terrorists and terrorist organizations, and OFAC’s authority related to such, there was no statutory change to recognize OFAC’s expanded authority. Additionally, the Order did not address the FBAs’ authorities related to OFAC examination coverage or enforcement. Whether additional and specific authority is needed to better ensure compliance with OFAC regulations and sanctions is a matter for congressional consideration. In that regard, we are providing this information to assist the Congress in considering whether more specific statutory authorities, particularly as they relate to OFAC compliance programs and enforcement action, would heighten the extent of institution and regulatory attention to this area and help mitigate the increased risk associated with terrorist and other criminal activities using the Nation’s financial system.

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of this audit was to determine whether DSC provides effective supervision of compliance with OFAC regulations by FDIC-supervised institutions. To address our audit objective, we (1) assessed the FDIC’s statutory and regulatory authorities for ensuring OFAC compliance by the institutions it supervises, (2) reviewed DSC’s supervisory and examination processes for OFAC compliance, and (3) reviewed 16 sampled examinations for DSC coverage of OFAC compliance.

This report discusses statutory and regulatory issues that have a bearing on the FDIC’s oversight of financial institutions’ OFAC compliance programs. These issues may apply equally to the other FBAs, which also examine financial institutions for OFAC compliance. In addition, this report includes observations from our review of OFAC examination coverage by DSC at sampled financial institutions. We performed our audit from March through August 2006 in accordance with generally accepted government auditing standards.

Scope and Methodology

We performed the following steps to address the audit objective.

• Interviewed FDIC officials at DSC headquarters in Washington, D.C., and the Atlanta and New York Regional Offices.
• Identified applicable laws, regulations, criteria, and other guidance on OFAC and BSA compliance as follows:

• OFAC regulations, C.F.R. Title 31, Money and Finance Treasury Part V-Foreign Assets Control Regulations, (31 C.F.R., Chapter V).
• OFAC guidance, entitled, Foreign Assets Control Regulations for the Financial Community, dated November 23, 2005.
• OFAC guidance in the Federal Register entitled, Economic Sanctions Enforcement Procedures for Banking Institutions, dated January 12, 2006 (Interim final rule 31 C.F.R. Part 501).
• Bank Secrecy Act of 1970, Public Law 91-508, codified to 31 U.S.C. Section 5311 et seq., also known as the Currency and Foreign Transactions Reporting Act.
• 31 C.F.R. Part 103, Financial Recordkeeping and Reporting of Currency and Foreign Transactions, the BSA’s implementing regulation.
• FDIC Rules and Regulations:

• Section 326.8, codified to 12 C.F.R. Section 326.8,
• Section 337.12, codified to 12.C.F.R. Section 337.12, and
• Section 353, codified to 12 C.F.R. Section 353.

• Section 8 and Section 10(b) of the FDI Act.
• DSC’s examination policies and procedures, including:

• Risk Management Manual of Examination Policies, Section 8.1, Bank Secrecy Act, Anti-Money Laundering and Office of Foreign Assets Control.
• FFIEC BSA/AML Examination Manual, issued June 30, 2005 and updated July 28, 2006.

• FILs announcing the issuance of the FFIEC BSA/AML Examination Manual and updates to the OFAC SDN list.

• Reviewed DSC’s Regional Directors Memoranda entitled, Guidelines for Examination Workpapers and Discretionary Use of Examination Documentation Modules, Transmittal 2001-039; Monitoring and Tracking of BSA Problem Institutions, Transmittal 2004-025; and Compliance with Office of Foreign Assets Control Memorandum of Understanding, Transmittal 2006-024.
• Reviewed the Right to Financial Privacy Act (RFPA) of 1978 (12 U.S.C. Section 3401), which governs the sharing of financial information held by financial institutions.
• Met with OFAC officials and reviewed the Treasury Department’s OIG and Government Accountability Office (GAO) reports on OFAC compliance.
• Identified applicable laws and regulations related to DSC’s examination and enforcement authority for BSA/AML and OFAC.
• Reviewed a judgmental sample of 16 financial institution BSA/AML examinations started on or after September 1, 2005 and ended on or before April 10, 2006 to determine the extent of examination coverage for OFAC compliance. We reviewed reports of examination and examination workpapers that included preplanning documentation, financial institution BSA/AML and OFAC risk assessments, core examination procedures, correspondence files, documentation supporting OFAC training, independent testing, policies and procedures, updates to the SDN list, and designations of an OFAC compliance officer.
• Reviewed information on possible FDIC-supervised financial institutions’ failures to comply with OFAC regulations.
• Reviewed the FDIC’s Web site for information on C&Ds issued for BSA and/or OFAC noncompliance for January 1, 2004 through August 11, 2006.

In addition, we coordinated with the FDIC Ombudsman’s Office to determine whether that office had (1) received general concerns, comments, or complaints related to OFAC compliance or (2) generated any related trend information or bankers’ perspectives. The Ombudsman’s Office responded that it did not have a sufficient basis on which to identify trends regarding OFAC nor would such data address our audit’s goal of determining the effectiveness of the FDIC’s supervision of state non-member banks’ compliance with OFAC regulations.

In addition, we coordinated with the OIGs for Treasury, FRB, and NCUA regarding previous or ongoing audit work related to OFAC compliance.

Evaluation of Internal Controls

We gained an understanding of the internal control activities relevant to the FDIC’s examination process for OFAC compliance by identifying and reviewing applicable policies and procedures related to the FDIC’s examination of financial institution examination for OFAC compliance, including guidance provided to FDIC examiners (FFIEC BSA/AML Examination Manual, DSC Risk Management of Examination Policies, FILs, OFAC regulations, and OFAC guidance issued January 12, 2006). Additionally, we interviewed DSC officials responsible for BSA/AML and OFAC examinations in DSC headquarters and selected regional and field offices.

Our assessment of internal controls determined that the FDIC has implemented some internal controls and interagency guidance related to examinations of financial institution compliance with OFAC regulations. However, controls related to the implementation of OFAC compliance programs need improvement, as indicated in our Results of Audit.

Reliance on Computer-based Data

We used computer-based data and reports from the Virtual Supervisory Information on the Net (ViSION) system to identify the universe of examinations conducted from September 1, 2005 through April 10, 2006. However, we did not test the reliability of computer-based data extracted from ViSION because the data were not significant to our conclusions or recommendations.

Compliance With Laws and Regulations

We reviewed applicable laws and regulations on OFAC compliance. We determined that there are no laws or regulations that apply to or require the FDIC’s examination of financial institutions for OFAC compliance, except those that relate, in general, to the FDIC’s overall examination authority (Section 10(b) of the FDI Act, and Section 337.12 of the FDIC Rules and Regulations). In addition, we determined that the FDIC does not have specific authority to enforce OFAC compliance. In the absence of such specific authority, the FDIC relies on its general authority to impose enforcement actions under Section 8 of the FDI Act to take action for OFAC compliance as it relates to operating a financial institution in an unsafe and unsound manner or noncompliance with laws and regulations.

Although financial institutions must comply with OFAC regulations and sanctions, no laws or regulations require financial institutions to have an OFAC compliance program. According to the FDIC Risk Management Manual of Examination Policies, there are no regulatory program requirements for institutions’ OFAC compliance. Additionally, DSC officials stated that there are no express statutory or regulatory provisions for financial institutions to have programs that comply with OFAC-administered laws or to check OFAC’s SDN list before processing a transaction or opening an account. However, DSC officials also indicated that failure to have an adequate OFAC compliance program could be an unsafe and unsound practice. This report identifies actions that DSC could take to improve management controls over the supervision of OFAC compliance.

Government Performance and Results Act

We reviewed DSC’s performance measures under the Government Performance and Results Act, Public Law 103-62. We reviewed the FDIC’s 2005-2010 Strategic Plan and 2006 Corporate Annual Performance Plan to determine whether the FDIC has established goals related to OFAC compliance. Neither plan includes goals, objectives, or indicators specifically related to OFAC compliance. Those documents, however, include information related to BSA examinations and compliance and reference OFAC in a discussion on BSA/AML training.

Fraud and Illegal Acts

The nature of the audit objective did not require that we assess the possibility for fraud and illegal acts. However, we were alert to the possibility of fraud and illegal acts, and none came to our attention during this audit.

Summary of Prior Audit Coverage

The FDIC OIG has not previously performed an audit specifically focused on OFAC examination coverage. However, on March 31, 2004, the FDIC OIG issued Audit Report No. 04-017 entitled, Supervisory Actions Taken for Bank Secrecy Act Violations. That audit addressed FDIC BSA/AML examinations, which included coverage of OFAC compliance.

We reviewed audit reports related to OFAC compliance issued by the Treasury Department OIG and the GAO. The Treasury Department’s OIG issued a report entitled, Foreign Assets Control: OFAC’s Ability To Monitor Financial Institution Compliance Is Limited Due To Legislative Impairments (OIG-02-082, dated April 26, 2002), which concluded that OFAC is limited in its ability to monitor financial institution compliance with foreign sanctions. The report recommended that the Treasury Department inform the Congress that:

• OFAC lacks sufficient authority to ensure financial institution compliance with foreign sanctions, and
• OFAC’s ability to ensure financial institution compliance with foreign sanctions would be enhanced through a legislative change that would enable bank regulators to share information about their compliance examinations with OFAC.

The report concluded that information sharing could be accomplished by amending the RFPA to include OFAC in the definition of “bank regulator.” In response, OFAC agreed that its current legislative authority could be improved in terms of the information shared by bank regulators but stated that, despite statutory limitations, OFAC and the financial regulators have created an adequate compliance system. In February 2004, OFAC’s Director informed the Senate Finance Committee that OFAC had engaged in discussions with the Treasury Department about the desirability of adopting the recommendation for legislative change for information sharing and that the Treasury Department was reviewing whether certain changes in the technical definitions of the RFPA would further enhance OFAC’s ability to ensure compliance. The FBAs signed an MOU with OFAC in April 2006 that governs information sharing between the FBAs and OFAC and addresses some of the limits on sharing individual financial account information by relying on financial institutions to provide this information directly to OFAC, when needed.

GAO issued a report entitled, Foreign Regimes’ Assets: The United States Faces Challenges in Recovering Assets, but Has Mechanisms That Could Guide Future Efforts (GAO-04-1006, dated September 14, 2004). GAO reported the following:

• The primary way OFAC learns about violations of its regulations is through its review of mandatory reports filed by financial institutions.
• In every instance in which a U.S. bank has acted inappropriately, OFAC has sent information regarding the transaction to the appropriate financial regulator.
• In a limited number of instances, OFAC learns about violations of its regulations through “self-disclosure” by financial institutions or when a second institution involved in a transaction subsequent to the first institution blocks a transaction and notifies OFAC, thus also informing OFAC of the first institution’s involvement in the transaction.

GAO also reported that OFAC’s ability to monitor financial institutions’ compliance with its regulations is hampered because the varied legislation under which OFAC operates does not provide it with the authority to proactively monitor financial institution compliance with foreign sanctions. GAO further stated that OFAC’s ability is limited because it does not have supervisory authority over financial institutions and, thus, relies on the financial institutions’ regulators to monitor institutions’ OFAC compliance programs. GAO recommended, among other things, that the Treasury Department seek legislative authority to allow financial regulators to share complete information from examinations. The Treasury Department responded that it was working on this issue and was uncertain whether a legislative change was needed to allow OFAC access to information from financial regulators’ examinations. In addition, the Treasury Department stated that it was working with the financial regulators for comprehensive arrangements for information sharing. Our current audit addressed the information-sharing MOU signed by OFAC and the FBAs.

[ D ]

[ D ]

[ D ]

	Rec. Number		Corrective Action: Taken or Planned/Status		Expected Completion Date		Monetary Benefits		Resolved: [ a ] Yes or No		Open or Closed [ b ]
	1		DSC has implemented a centralized process to track violations of OFAC sanctions and institutions with compliance program deficiencies. Records for all enforcement actions, including those with OFAC provisions, are stored in ViSION’s Formal and Informal Actions Tracking module.		November 30, 2006		$0		Resolved		Open
	2		DSC will review examination guidance for opportunities to provide additional clarification. On July 28, 2006, DSC issued a Regional Directors Memorandum entitled, Revised Bank Secrecy Act/Anti-Money Laundering Examination Manual, which provides guidance on the review of a financial institution’s risk assessment and audit. In addition, on December 9, 2005, DSC issued a Regional Directors Memorandum entitled, Formal and Informal Actions Procedures Manual, which provides guidance on administrative procedures for formal and informal corrective actions.		September 30, 2007		$0		Resolved		Open
	3		DSC agreed with the intent of this recommendation. On December 1, 2006, DSC issued examination guidance addressing the presentation of the scope of examination work and conclusions on OFAC compliance in reports of examination.		December 1, 2006		$0		Resolved		Closed
	4		DSC agreed with the intent of this recommendation. As stated in response to recommendation 1, DSC has implemented a centralized system to track violations of OFAC sanctions and institutions with compliance program deficiencies. In addition, DSC will review existing guidance and, as necessary, issue revised guidance or reminders to examiners.		September 30, 2007		$0		Resolved		Open