OFAC consistently states there’s no “one size fits all” approach to screening accounts and transactions for potential sanctions violations. However, the Finding of Violation (FOV) recently issued to MidFirst Bank calls that position into question. OFAC issued the FOV because MidFirst maintained and processed 34 transactions in accounts for individuals added to OFAC’s SDN List. MidFirst Bank used a third-party vendor to handle its sanction screenings. The transactions took place within the first 14 days – after the individuals were added to the SDN List. The FOV stated that an “aggravating factor” was that MidFirst “should’ve known” their vendor screened existing customers every 30 days. As OFAC updates the sanction lists on a daily basis, it concluded that “by allowing the accounts to operate for two weeks post-designation, there was … potential for significant harm.”
Accordingly, the FOV can clearly be interpreted to require daily sanction screening by US financial institutions that maintain accounts for persons or entities who can use their accounts to transfer funds. Which, in effect, has substituted OFAC’s often-stated “risk-based approach” for one that imposes daily compliance obligations.
Why this is important. First, it’s a clear signal that daily sanction screening of existing account holders is required. At least, if the account holder has the ability to transfer funds from their account. Second, the outsourcing of burdensome compliance tasks to third party vendors has become common practice. However, it’s essential that the financial institution clearly understand what the vendor is – and is not – delivering. If a vendor offering is incomplete or falls short of regulatory expectations, it has the potential to create massive risks and liabilities for the financial institution.