The Office of Foreign Assets Control Releases Framework for Compliance Commitments


The Treasury’s Office of Foreign Assets Control published a Framework for OFAC Compliance Commitments to provide credit unions with a guideline on the essential components of a sanctions compliance program, or SCP. The document also outlines how OFAC may incorporate these components into its evaluation of apparent violations and resolution of investigations resulting in settlements. An appendix offers a brief analysis of the root causes of apparent violations of U.S. economic and trade programs OFAC has identified during its investigative process. 

The essential SCP components include management commitment, risk assessment, internal controls, testing and auditing, and training. 

Management Commitment 

Senior management’s commitment to, and support of, a credit union’s risk-based SCP is one of the most important factors in determining its success. This support is essential in ensuring the SCP receives adequate resources and is fully integrated into daily operations. It also helps legitimize the program, empower its personnel, and foster a culture of compliance throughout. 

Risk Assessment 

Risks in sanctions compliance are potential threats or vulnerabilities that, if ignored or not properly handled, can lead to violations of OFAC’s regulations and negatively affect reputation and business. OFAC recommends that credit unions take a risk-based approach when designing or updating an SCP. One of the central tenets of this approach is for credit unions to conduct a routine, and if appropriate, ongoing “risk assessment” for the purposes of identifying potential OFAC issues they are likely to encounter. As described in detail below, the results of a risk assessment are integral in informing the SCP’s policies, procedures, internal controls, and training in order to mitigate such risks.  

While there is no “one-size-fits-all” risk assessment, the exercise should generally consist of a holistic review of the credit union from top to bottom, and assess its touchpoints to the outside world. 

Internal Controls 

An effective SCP should include internal controls, including policies and procedures, in order to identify, interdict, escalate, report (as appropriate), and keep records pertaining to activity that may be prohibited by the regulations and laws administered by OFAC. The purpose of internal controls is to outline clear expectations, define procedures and processes pertaining to OFAC compliance (including reporting and escalation chains), and minimize the risks identified by the credit union’s risk assessments. Policies and procedures should be enforced, weaknesses should be identified (including through root cause analysis of any compliance breaches) and remediated, and internal and/or external audits and assessments of the program should be conducted on a periodic basis.  

Given the dynamic nature of U.S. economic and trade sanctions, a successful and effective SCP should be capable of adjusting rapidly to changes published by OFAC. These include the following: (i) updates to OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”), the Sectoral Sanctions Identification List (“SSI List”), and other sanctions-related lists; (ii) new, amended, or updated sanctions programs or prohibitions imposed on targeted foreign countries, governments, regions, or persons, through the enactment of new legislation, the issuance of new executive orders, regulations, or published OFAC guidance or other OFAC actions; and (iii) the issuance of general licenses. 

Testing and Auditing 

Audits assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations. A comprehensive and objective testing or audit function within an SCP ensures that a credit union identifies program weaknesses and deficiencies, and it is the credit union’s responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps. Such enhancements might include updating, improving, or recalibrating SCP elements to account for a changing risk assessment or sanctions environment. Testing and auditing can be conducted on a specific element of an SCP or at the enterprise-wide level. 


Training 

An effective training program is an integral component of a successful SCP. The training program should be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually) and generally should accomplish the following: (i) provide job-specific knowledge based on need; (ii) communicate the sanctions compliance responsibilities for each employee; and (iii) hold employees accountable for sanctions compliance training through assessments. 

Question of the Week 

Q: How do we know which disclosures and posters we are required to post in the credit union?      

A: Credit unions are required to post many different disclosures and posters to fulfill regulatory requirements and state employment requirements. For a list of the requirements and regulatory citations, please click here 

Legal Briefs 

National Credit Union Administration (NCUA) 

NCUA highlighted its online resources to help older adults manage money and protect against fraud and exploitation. 

Consumer Financial Protection Bureau (CFPB) 

CFPB issued proposed rule changes to the Fair Debt Collection Practices Act. 

CFPB released a report on convening communities to build elder fraud prevention and response networks. 

CFPB announced a plan to review rules under the Regulatory Flexibility Act. 

CFPB is reviewing the Regulation E overdraft fee rule on one-time debit and ATM transactions. 

U.S. Equal Employment Opportunity Commission (EEOC) 

EEOC announced on its website the immediate reinstatement of the revised EEO-1, which will require EEO-1 filers to collect and submit pay data for calendar years 2017 and 2018. 

Financial Crimes Enforcement Network (FinCEN) 

FinCEN released FIN-2019-G001, which provided guidance on the application of FinCEN’s regulations to certain business models involving convertible virtual currencies. 

FinCEN released Advisory FIN-2019-A003 on illicit activity involving convertible virtual currency. 

Office of Foreign Assets Control (OFAC) 

OFAC has updated the SDN List as of May 10, 2019. The last update prior to this was May 7, 2019. 

Questions? Contact the Compliance Hotline: 1.800.546.4465.
