Anti-Money Laundering (AML), and specifically OFAC, concerns are increasingly becoming a greater issue for third parties who engage with financial institutions in the payments space. Banking regulators are closely scrutinizing the financial institutions to determine that their relationships with third parties are not exposing the financial institutions to AML and OFAC issues. What does this mean for third parties, including ACH Third-Party Senders (TPS)? Should a TPS have an OFAC/AML Policy? If so, how should that policy be constructed? Let’s talk about it.
OFAC is the Office of Foreign Assets Control and is a division of the U.S. Department of the Treasury. OFAC administers and enforces economic and trade sanctions against targeted foreign countries and regimes, terrorists and other individuals based on U.S. foreign policy and national security concerns. Among other things, OFAC imposes controls on financial transactions and assets of such designated parties under U.S. jurisdiction. While many OFAC policies and efforts focus on the financial banking industry, its powers are not limited to financial institutions. In fact, U.S. citizens, companies located in the U.S., overseas branches of U.S. companies and, in some cases, overseas subsidiaries of U.S. companies all fall under OFAC jurisdiction.
While there is no specific requirement for a TPS to have an AML/OFAC Policy, it is a recommendation often made by EPCOR. A large percentage of the third parties with whom we engage have created such a policy, and doing so exhibits the TPS's commitment to compliance with U.S. law for both domestic and international payment transactions. If you review any active ACH Origination Agreements, you should find a stipulation where a TPS has agreed to comply with all U.S. laws, of which OFAC would be a part. A thorough policy is an ideal place for a TPS to start to demonstrate their organization’s awareness of and commitment to the regulation.
It is recommended that the TPS’s AML/OFAC Policy address five essential components:
Management strategy – The organization’s overall direction for AML/OFAC compliance including allocation of resources, delegation of an AML/OFAC Officer, assignment of duties, establishment of measurement parameters and required reporting.
Risk assessment – Identifying AML/OFAC risks within the TPS activities (not just ACH) and operations. This would entail a thorough understanding of the organization’s clients, products and services, types of payments being facilitated and the geographic parameters of funds movement. The risk assessment should also seek to identify weaknesses and exposure to specific AML/OFAC risks.
Internal Control – Establishing a framework for the development and implementation of specific internal controls based on the risk assessments already performed.
Testing/Auditing – Internal controls, policies and procedures must be reviewed and tested periodically, and reporting of that testing should be described in the AML/OFAC policy.
Training – The policy should provide guidelines for a sufficient AML/OFAC training program for the organization and key employees.
In addition to the five components listed above, reporting and record-keeping of AML/OFAC concerns is another important topic to address in the policy. TPSs need to be aware of their responsibilities and their obligations related to OFAC compliance, especially as it concerns possible restrictions of client activities, reporting to regulatory agencies and potentially freezing funds of which the TPS may have possession. TPSs must ensure they do not process or facilitate transactions for parties targeted by OFAC and that proper action is taken when such transactions are presented. A policy that drives compliance with these responsibilities is paramount.
Finally, the policy should establish a process to periodically scan the TPS clients against the Specially Designated Nationals (SDN) list. The SDN list is a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. The list is updated frequently, and therefore, the client base should be compared to it at appropriate intervals.
While there is no formal requirement for a TPS to have an AML/OFAC policy, hopefully the value in creating one has become clear. If you’re a TPS, your ODFI should be able to provide more guidance on AML/OFAC considerations and how your policy should be tailored to your specific ACH activities. However, if you have more questions about AML/OFAC and how these regulations can affect your overall payment processing activities, contact EPCOR.
Republished with permission from EPCOR.