OFAC, Cyber Risk & Third-Party Vendors: What You Need to Know
Bankers know they should not do business with parties sanctioned by the Office of Foreign Assets Control (OFAC). That means more than refusing them as customers: institutions also need to make sure they are not using the products or services of a sanctioned entity, i.e. a sanctioned third-party vendor, as OFAC reminded the industry in its most recent statement on sanctions and risk management.
Using a product or service from a sanctioned entity, whether directly or indirectly, can lead to “violations of law, civil money penalties, enforcement actions, and damage to the financial institution’s reputation.” This matters operationally as well as legally: software and technical products often have access to an institution’s sensitive data, so a sanctioned vendor in the technology stack is a cyber risk, not just a compliance one.
Avoiding this problem is not as simple as it sounds. “Identifying, assessing, and mitigating any risks associated with these sanctions requires a high degree of collaboration across a financial institution’s OFAC compliance, fraud, security, IT, third-party risk management, and risk functions to assess any potential risk,” the agency said in its statement, which introduces no new regulation or requirements.
What can you do to minimize risk from a vendor management standpoint? Make sure your vendor management program addresses these three key areas:
1. Contract Management
Review contracts to ensure that appropriate provisions are in place:
1. Prior notice from the third party of any outsourcing of any aspect of the products/services it provides
2. Termination provisions, including the right to terminate the contract should the third party decide to outsource to a fourth party
3. OFAC compliance measures in place at the third party (with emphasis on outsourcing to fourth parties). This program should include:
- Screening of fourth-party relationships against all OFAC lists
- Identification of ownership, with any party holding 50% or more screened against OFAC lists
- An OFAC screening process that addresses potential matches and how they are cleared
- Communication of potential OFAC matches to the institution, including the decisioning used to clear “false positives”
2. Vendor Management
Review technology service provider relationships to identify their ownership structure. Any ownership stake at or above 50% should be included in OFAC screening.
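As an added example (not part of the original article), the screening steps above, applied to a constructed ownership graph and a constructed stand-in for OFAC’s lists: normalize names, screen owners and fourth parties against the list, flag near matches for human clearing, and apply OFAC’s 50 percent rule across multi-level ownership. The aggregation follows OFAC’s published guidance, which the page only alludes to: stakes held by blocked persons and by entities already blocked under the rule are summed, while stakes held through a non-blocked intermediary do not count. All names, percentages and the fuzzy-match threshold are assumptions for illustration.

```python
"""Added example (not from the original article): OFAC-style screening of a
technology service provider and its ownership chain. All names and ownership
figures below are constructed for illustration; the lists are not the SDN list."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed stand-in for OFAC's sanctions lists (fictitious names).
BLOCKED_PERSONS = ["ACME Holdings Ltd.", "Ivan Example"]

# Constructed ownership records: (owner, owned entity, percent owned).
OWNERSHIP = [
    ("Ivan Example", "Northwind Capital", 30.0),
    ("ACME Holdings Ltd.", "Northwind Capital", 25.0),
    ("Public Float", "Northwind Capital", 45.0),
    ("Northwind Capital", "CloudVendor Inc", 50.0),
    ("Founder Jane", "CloudVendor Inc", 50.0),
    ("Ivan Example", "Contoso Software", 40.0),
    ("Contoso Software", "DataPipe LLC", 100.0),
]

BLOCKING_THRESHOLD = 50.0   # OFAC's 50 percent rule
FUZZY_THRESHOLD = 0.85      # assumed cut-off for "potential match" review


def normalize(name: str) -> str:
    """Fold case, accents and punctuation so 'ACME Holdings Ltd.' == 'acme holdings ltd'."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = re.sub(r"[^\w\s]", " ", s.lower())
    return " ".join(s.split())


def blocked_ownership(ownership, blocked_names):
    """Apply the 50 percent rule across an ownership graph.

    Returns (totals, derived): totals maps each owned entity to the aggregate
    percentage held by listed persons or by entities already derived as blocked;
    derived is the set of entities that cross the threshold. A stake held
    through a non-blocked intermediary does not count. Fixed-point iteration
    handles multi-level chains and terminates because the blocked set only grows."""
    listed = {normalize(n) for n in blocked_names}
    blocked = set(listed)
    entities = {normalize(owned) for _, owned, _ in ownership}
    while True:
        totals = {e: 0.0 for e in entities}
        for owner, owned, pct in ownership:
            if normalize(owner) in blocked:
                totals[normalize(owned)] += pct
        newly = {e for e, t in totals.items() if t >= BLOCKING_THRESHOLD} - blocked
        if not newly:
            return totals, blocked - listed
        blocked |= newly


def potential_matches(name, blocked_names, threshold=FUZZY_THRESHOLD):
    """Near matches that need human clearing (the 'false positive' decisioning step)."""
    target = normalize(name)
    hits = []
    for candidate in blocked_names:
        score = SequenceMatcher(None, target, normalize(candidate)).ratio()
        if score >= threshold:
            hits.append((normalize(candidate), round(score, 3)))
    return sorted(hits, key=lambda h: -h[1])


def screen_vendor(name, ownership=OWNERSHIP, blocked_names=BLOCKED_PERSONS):
    """Classify a vendor as LISTED, BLOCKED_BY_OWNERSHIP, POTENTIAL_MATCH or CLEAR."""
    key = normalize(name)
    listed = {normalize(n) for n in blocked_names}
    totals, derived = blocked_ownership(ownership, blocked_names)
    if key in listed:
        return {"vendor": key, "status": "LISTED", "blocked_pct": None}
    if key in derived:
        return {"vendor": key, "status": "BLOCKED_BY_OWNERSHIP", "blocked_pct": totals[key]}
    near = potential_matches(name, blocked_names)
    if near:
        return {"vendor": key, "status": "POTENTIAL_MATCH",
                "blocked_pct": totals.get(key, 0.0), "candidates": near}
    # CLEAR still reports the blocked share so a 40% stake is visible to the reviewer.
    return {"vendor": key, "status": "CLEAR", "blocked_pct": totals.get(key, 0.0)}


if __name__ == "__main__":
    for vendor in ["CloudVendor Inc", "DataPipe LLC", "Acme Holding Ltd", "Contoso Software"]:
        print(screen_vendor(vendor))
```

In the constructed data, Northwind Capital is blocked because two listed persons together hold 55%, which makes Northwind’s 50% of CloudVendor Inc count in full; DataPipe LLC stays clear even though it is wholly owned by Contoso Software, because Contoso (40% blocked) is not itself blocked. The CLEAR result still carries the blocked share, so the 40% case surfaces for the reviewer rather than vanishing below the threshold.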
3. Risk Assessment
Review current risk assessments addressing OFAC, cybersecurity, and vendor management. Ensure your inherent risk related to products and services offered by technology service providers (TSPs) considers:
a. Impact of OFAC violations (1)
b. Probability, updated to reflect recent enforcement actions (as applicable)
Maintain your risk assessments on an ongoing basis by measuring control effectiveness. Controls worth including in ongoing control assessments include:
c. SOC reports whose scope covers the TSP’s OFAC program
d. All TSP contracts reviewed prior to initial signing and prior to renewal, with the review recorded in a manner that shows the appropriate provisions were checked and their content found acceptable
With these policies and procedures in place, you position your institution to comply with OFAC regulations and to protect it from a risk that is as much about data access as about sanctions.
(1) See Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, app. A. Civil monetary penalties of up to the greater of $250,000 ($289,238 as of January 15, 2017 for violations occurring after November 2, 2015) or twice the amount of the underlying transaction may be imposed administratively against any person who violates, attempts to violate, conspires to violate, or causes a violation of any license, order, regulation or prohibition issued under IEEPA. Upon conviction, criminal penalties of up to $1,000,000, imprisonment for up to 20 years, or both, may be imposed on any person who willfully commits, willfully attempts to commit, or willfully conspires to commit, or aids or abets in the commission of a violation of any license, order, regulation, or prohibition issued under IEEPA.