March 10, 2006

Assistant Director of Records
Office of Foreign Assets Control
Department of the Treasury
1500 Pennsylvania Avenue, N.W.
Washington D.C. 20220

Attention: Request for Comments (Enforcement Procedures)

Re: Economic Sanctions Enforcement Procedures for Banking Institutions
71 FR 1971 (January 12, 2006)

Dear Madam or Sir:

America’s Community Bankers (ACB) appreciates the opportunity to comment on the interim final rule issued by the Office of Foreign Assets Control (OFAC) that sets forth economic sanctions enforcement procedures for federally regulated depository institutions. Significantly, the rule modernizes OFAC’s enforcement procedures to reflect the necessity of risk-based compliance systems. The revised procedures also clarify that the federal banking agencies will examine depository institutions for compliance and will refer any apparent violations to OFAC for further investigation and possible enforcement action. OFAC will consider a list of sixteen factors in determining whether or what kind of enforcement action is warranted.

ACB Position

Community bankers recognize that OFAC compliance helps ensure that terrorists and international narcotics traffickers do not gain access to the United States financial system. However, perfect compliance with OFAC economic sanctions requirements is not possible due to the volume of financial transactions that are processed each day. Therefore, we strongly endorse OFAC’s departure from a strict liability standard for OFAC compliance. We believe it is appropriate for OFAC to apply the sixteen factors enumerated in the interim final rule when determining what kind of enforcement action is warranted in a particular case.
While we appreciate the important changes set forth in the interim final rule, we request OFAC to clarify that:
1) A separate, formal OFAC program is not a regulatory requirement; and
2) Institutions may incorporate OFAC policies, procedures, and controls into the overall anti-money laundering (AML) program.
3) OFAC is working to balance compliance requirements with the size and capacity of the depository institution.

While OFAC’s new risk-based approach is appropriate for insured depositories, we do not believe this standard is appropriate for financial service providers that are not as regularly and vigorously examined for Bank Secrecy Act (BSA) and OFAC compliance.

Risk-Based Compliance

ACB strongly supports OFAC’s new emphasis on risk management. Allowing insured depositories to tailor their policies and procedures to actual OFAC risk balances foreign policy objectives of the United States with the regulatory compliance burden placed on depository institutions. For the reasons described below, the new enforcement procedures will provide a more realistic and more efficient means of ensuring compliance with OFAC sanctions.

Risk Management Experience. Community banks must assess and manage risk. Every day, community bankers identify, analyze, and control risks associated with extending credit to new customers, introducing a new product into the marketplace, and making investments. Depository institutions also apply risk management techniques to the compliance function. For example, community banks continually evaluate their AML risk and adjust their compliance programs accordingly. In exchange for the ongoing monitoring and testing of these programs, institutions do not expect to be cited by their regulator when one or even a few transactions are processed improperly. Rather, the institution will be cited when the compliance system has not been implemented, is inappropriate, or when there is a systemic breakdown in internal processes and/or controls. Institutions will also be cited for AML violations that have not been corrected.

ACB strongly believes that this same approach should be applied to OFAC compliance. An institution should not be presented with an enforcement action or a civil penalty for failing to identify or block a single transaction as required by the OFAC sanctions program. Rather, OFAC should focus on whether institutions have implemented policies, procedures, and internal controls that are commensurate for the OFAC risk posed to that particular institution. To do otherwise would impose a disproportionate burden in exchange for compliance.

Realistic Compliance. Due to the daily transaction volume that is processed through the U.S. payments system, it is possible that an institution with stringent OFAC controls could inadvertently process a prohibited transaction. As a result, we believe that the quality of the institution’s OFAC program and history of OFAC compliance should be taken into account as OFAC determines what, if any, administrative action is appropriate. It is not feasible or economical to compare all parties in every banking transaction to persons and entities on the OFAC list. For example, it would be impracticable and costly to screen the drawer and payee of every check to determine whether the transaction involves a prohibited person or entity.

Bank Examination Process. The focus on risk management is appropriate because depository institutions are subject to a regular, vigorous examination process by the federal banking agencies. The banking regulators understand the business of banking and industry best practices. They are in the best position to evaluate an institution’s OFAC risks and controls and recommend appropriate corrections where necessary. The banking agencies already examine for BSA compliance and examination for OFAC compliance is a natural extension of the BSA examination function. ACB believes that a banking regulator’s assessment of an institution’s compliance program and history of OFAC compliance record should be a significant factor in any contemplated OFAC penalty action, but it should not be determinative.

Risk Matrix. With information from OFAC about what constitutes high-risk activities, persons, accounts, and geographic location, depository institutions can develop policies, procedures, and internal controls that devote OFAC compliance resources to areas within the institution where they are most needed and would be the most effective. We believe the OFAC Risk Matrix in Appendix A to the new enforcement procedures is helpful in this regard. As OFAC identifies additional risks in the future, we request OFAC to communicate this information to the financial services industry and update the Risk Matrix accordingly. We also request that OFAC work with the regulators to ensure that Appendix M in the BSA/AML Examination Manual is kept current.

Adoption of Formal OFAC Program

Appendices A and B and the preamble to the interim final rule suggest that all insured depositories must implement a formal, written, board approved OFAC compliance program. It is implied that all institutions will be expected to designate an OFAC officer, conduct special OFAC training for employees, and separately audit the institution’s OFAC program.

ACB understands that implementing policies and procedures based on OFAC risk is a predicate for eliminating the strict liability for improperly processing an OFAC transaction. However, no law or regulation requires institutions to adopt a formal OFAC program. Some community banks have adopted a separate OFAC program and others have incorporated OFAC procedures into the institution’s broader AML program. This decision is mostly determined by the size of an institution and the number of its employees. A community bank’s OFAC officer is likely to be the institution’s BSA officer; OFAC training is often conducted simultaneously with BSA training; and independent testing of the OFAC program is conducted concurrently with independent testing of the BSA/AML program.

As written, we are concerned that OFAC’s enforcement procedures may give bank management the impression that the development of a separate, formal OFAC program is mandatory. For some small banks and thrifts, this would not be possible. In addition, banking agency staff often are compelled to follow guidance, citing violations of the guidance in examination reports. We are concerned that this tendency may also occur with OFAC’s Appendices A and B. Banking agencies have tremendous discretion, which may vary from examiner to examiner and region to region in the interpretation and application of this material. Therefore, ACB requests that OFAC clarify that:
1) A separate, formal OFAC program is not a regulatory requirement.
2) Institutions may incorporate OFAC policies, procedures, and controls into the overall AML program.
3) OFAC is looking to balance compliance requirements with the size and capacity of the depository institution.

Other Financial Service Providers

All financial institutions have a responsibility to prevent the U.S. financial system from being used by money launderers and terrorists. However, we continue to be concerned about the level of OFAC compliance oversight for other financial sector entities. Unlike insured depository institutions, insurance companies, finance companies, and mortgage brokers are not vigorously examined for BSA/AML or OFAC compliance. Therefore, OFAC should not apply the same enforcement procedures or give the same weight to the compliance programs of these less regulated financial service providers.

Conclusion

ACB reiterates its support for OFAC’s modified enforcement procedures for depository institutions. We appreciate OFAC’s acknowledgement that perfect compliance with sanctions requirements is not possible, but that implementing risk-appropriate policies and procedures can control the risk of processing an OFAC transaction.

Thank you for the opportunity to comment on this matter. Should you have any questions, please contact the undersigned at 202-857-3121 or [email protected] or Krista Shonk at 202-857-3187 or [email protected].

Sincerely,

Patricia Milon
Chief Legal Officer and
Senior Vice President,
Regulatory Affairs