What happens when your Sanctions Screening Filter Times-Out? How does a screening time-out affect the on-boarding process for new customers? How does the time-out affect existing customers? Below I cover OFAC guidance, Industry Norms, & Best Practices.

 

Has OFAC provided guidance on this in the past? Has OFAC mentioned screening “time outs” in any of its Settlement Letters? Yes! 

OFAC FAQ #43 does provide applicable guidance. In 2020, OFAC also touched on the subject of screening time-outs in its Settlement with American Express Travel Related Services (Amex). Link to Amex SL: https://home.treasury.gov/system/files/126/20200430_amex.pdf

OFAC FAQ #43 asks (summarized): Must you screen a new customer immediately upon account opening or can you wait 24 hours?

OFAC FAQ #43 states (summarized): 

  • “There is no legal or regulatory requirement to use software or to scan.” 
  • “There is a requirement, however, not to violate the law by doing business with a target or failing to block property.”
  • “The important thing is not to conclude transactions before the analysis is completed.”

Thus, you must have reviewed the new customer/user for sanctions risk and compliance purposes prior to concluding transactions on their behalf.

For those meeting these requirements with a screening tool, the screening and any subsequent alerts (i.e. potential matches) must be reviewed and closed before any transaction is concluded on the customer's behalf. 

But, what if your filter “times out” during the customer/user approval process? 

In the 2020 OFAC Settlement with American Express Travel Related Services (Amex), OFAC determined the following to be 1 of 3 Aggravating Factors:

  • “Amex’s automatic approval of applications in instances where the risk engine led to a system timeout was a critical shortcoming of its compliance program.” 

In the Mitigating Factors of this SL, OFAC included:

  • “OFAC has no information to indicate that Amex knew it maintained a card for an SDN, or that its system could be overridden.”
  • “Amex remediated, making it less likely similar violations will recur.”

LESSONS LEARNED:

  • Users should not be able to override the sanctions system or trigger a time-out. 
  • A system time-out should not lead to the automatic approval of a new user/customer account, enabling their account activity.
  • Filter testing should include scenarios aimed at generating an unexpected time-out, to identify the resulting risks and address them accordingly. 

What If Screening Times Out While Processing Transactions for Existing Approved Customers?

Although this specific topic has not yet been covered in OFAC’s settlement letters, below I will share the common industry practices I have seen throughout my career and the controls applied to support those practices.

Among other factors, given the ramifications of pausing all payments (for existing approved customers/users) in response to an unexpected time-out (e.g. during a natural disaster, a vendor time-out, an outage of some sort, etc.), it is not uncommon for companies to continue processing in-flight payments for these approved/vetted customers during the time-out, to prevent financial harm to their clients and to meet their user agreement / service levels. Once the outage has passed and the system is up and running again, retroactive screening is performed for the transactions processed during the time-out. 

If your program approaches in-flight transactions (for approved customers/users) similarly during time-outs, consider the below controls:

  • Having that decision documented and rationalized within your program documentation and/or risk appetite statement. Ensure the decision has been circulated and approved by all relevant and responsible parties.
  • Ensure there are sufficient monitoring controls, in-line with your risk, to detect screening time-outs.
  • Ensure there are sufficient governance protocols in place aimed at ensuring those controls are effectively working as expected.
  • If using a hosted screening solution, know your vendor’s contractual responsibilities, such as: “up-time”, transparency around time-out communications to clients, service level agreements with respect to response/repair time, & how retroactive screening is handled.
  • Have an Issue Management Resolution program to document such time-outs, their Root Cause Analyses (RCA), & subsequent repairs (short term tactical, as well as long term systemic repairs). The RCA, tactical stop gap, and long term systemic repair are all requirements of OFAC’s Framework for Compliance Commitments. Link: https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf
  • Lastly, if sanctioned activity occurred during a time-out, freeze/block the customer's account(s) as needed, complete the RCA, quickly take remedial action(s), and perform a Voluntary Self Disclosure. Each of these steps has been considered favorably in past OFAC settlements.
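The two time-out behaviours this post describes, sketched as code: an application that is held (never auto-approved) when screening times out during onboarding, per the Lessons Learned above, and an in-flight payment for an already-vetted customer that is processed, logged, and queued for retroactive screening, per the controls just listed. This is an added illustration written for this page, not code from the post, from Amex, or from any screening vendor; the filter stand-in, the `Monitor` sink, the subject IDs and the backlog queue are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Set

class Outcome(Enum):
    CLEAR = "clear"
    POTENTIAL_MATCH = "potential_match"   # an alert that must be reviewed and closed
    TIMEOUT = "timeout"                   # the filter did not answer within its time budget

class ScreeningTimeout(Exception):
    """Raised by the (hypothetical) filter when it does not answer in time."""

@dataclass
class Decision:
    subject_id: str
    stage: str                   # "onboarding" or "in_flight"
    outcome: Outcome
    approved: bool               # may the account / payment proceed right now?
    needs_retro_screen: bool = False

@dataclass
class Monitor:
    """Minimal monitoring sink: counts time-outs and holds the retro-screening backlog."""
    timeouts: int = 0
    retro_queue: List[str] = field(default_factory=list)
    events: List[str] = field(default_factory=list)

    def record_timeout(self, stage: str, subject_id: str) -> None:
        self.timeouts += 1
        self.events.append(f"SCREENING_TIMEOUT stage={stage} subject={subject_id}")

def screen(subject_id: str, screen_fn: Callable[[str], Outcome]) -> Outcome:
    """Call the filter; a time-out becomes an explicit outcome the caller must branch on."""
    try:
        return screen_fn(subject_id)
    except ScreeningTimeout:
        return Outcome.TIMEOUT

def onboard(subject_id: str, screen_fn: Callable[[str], Outcome], monitor: Monitor) -> Decision:
    """New customer: a time-out is never an approval; the application is held and re-screened."""
    outcome = screen(subject_id, screen_fn)
    if outcome is Outcome.TIMEOUT:
        monitor.record_timeout("onboarding", subject_id)
        monitor.retro_queue.append(subject_id)
        return Decision(subject_id, "onboarding", outcome, approved=False, needs_retro_screen=True)
    if outcome is Outcome.POTENTIAL_MATCH:
        return Decision(subject_id, "onboarding", outcome, approved=False)  # alert must close first
    return Decision(subject_id, "onboarding", outcome, approved=True)

def process_in_flight(subject_id: str, screen_fn: Callable[[str], Outcome], monitor: Monitor) -> Decision:
    """Payment for an already-vetted customer: on a time-out the payment proceeds, the
    time-out is recorded for monitoring, and the subject is queued for retroactive screening."""
    outcome = screen(subject_id, screen_fn)
    if outcome is Outcome.TIMEOUT:
        monitor.record_timeout("in_flight", subject_id)
        monitor.retro_queue.append(subject_id)
        return Decision(subject_id, "in_flight", outcome, approved=True, needs_retro_screen=True)
    if outcome is Outcome.POTENTIAL_MATCH:
        return Decision(subject_id, "in_flight", outcome, approved=False)
    return Decision(subject_id, "in_flight", outcome, approved=True)

def retro_screen(monitor: Monitor, screen_fn: Callable[[str], Outcome]) -> List[str]:
    """Once the filter is back, re-screen the backlog. Returns the subject IDs that now alert
    and must be frozen/escalated (RCA, remediation, VSD). Cleared subjects drop off the
    backlog; anything that still times out stays queued."""
    to_block, still_pending = [], []
    for subject_id in monitor.retro_queue:
        outcome = screen(subject_id, screen_fn)
        if outcome is Outcome.TIMEOUT:
            still_pending.append(subject_id)
        elif outcome is Outcome.POTENTIAL_MATCH:
            to_block.append(subject_id)
    monitor.retro_queue = still_pending
    return to_block

def make_filter(hits: Set[str], down: bool) -> Callable[[str], Outcome]:
    """Constructed stand-in for a screening filter: subjects in `hits` alert; down=True simulates an outage."""
    def _screen(subject_id: str) -> Outcome:
        if down:
            raise ScreeningTimeout(subject_id)
        return Outcome.POTENTIAL_MATCH if subject_id in hits else Outcome.CLEAR
    return _screen

def demo():
    """Constructed scenario: an outage spans one new application and one payment, then clears."""
    monitor = Monitor()
    hits = {"cust-0002"}                                    # constructed: this customer would alert
    outage = make_filter(hits, down=True)
    held = onboard("app-0001", outage, monitor)             # held, not auto-approved
    paid = process_in_flight("cust-0002", outage, monitor)  # processed, queued for retro-screening
    blocked = retro_screen(monitor, make_filter(hits, down=False))
    return held, paid, blocked, monitor
```

The shape matters more than the details: a time-out is a named outcome the calling code has to branch on, so there is no default path on which an unanswered screen silently becomes an approval, and every time-out lands in both a monitoring event and a retro-screening backlog that someone has to drain.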

If you found this helpful, please Like and Share on LinkedIn!!  

Noe Compliance is available to:

  • review sanctions filters, sanctions controls, and geo-fencing / geo-blocking controls,
  • lead efforts to identify, implement, and/or enhance your screening tools, &
  • design and execute your regulatory remediation plan. 

Call Us Today! 1-202-417-7978

Published by

Crystal Noe, M.S.

Sanctions Validation, Remediation, & Training Consultant | Specializing in Sanctions Filters, Tech, & Training for Sanctions Screening Managers, Engineers, Data Scientists, Analysts, & Vendors | Ex-Citi | Ex-Facebook
What happens if your sanctions screening filter suffers an unexpected time-out? An OFAC Settlement touches on this very topic. How well do you know your screening program? What happens if the time-out occurs during your nightly batch screening of new customers? What happens if the time-out occurs during your business day, while processing in-flight transactions for existing/approved customers? Below, I have provided a summary of the OFAC settlement, industry norms, and best practices. Link to settlement: 

https://lnkd.in/e2Gkv6MK

As you define your 2022 goals and testing (e.g. audit scope, DRP/BCP testing, etc.) and/or update program documentation, consider expanding your scope / testing / documentation updates to include time-out error handling for the various steps of your customer's life cycle (i.e. onboarding, active customer, dormant customer, etc.). Hope you enjoyed the video! I am trying different styles to gauge my audience's preferences. Let me know! Please like and follow!!

 
