If you are a vendor manager at a bank or credit union, you may be familiar with checking OFAC, but have you ever paused to ask why? Who exactly is "OFAC?" Is checking vendors a best practice or is it a regulatory requirement? How frequently should you check your vendors?

While you should communicate with your regulator to best understand their OFAC compliance expectations, this article answers these questions and aims to unravel some of the mystery surrounding OFAC for vendor managers.

Who is OFAC?

OFAC is the "Office of Foreign Assets Control." It is an office in the U.S. Department of the Treasury. Its primary goal is to put economic and trade sanctions into effect against malicious actors in the name of national security, foreign policy, and the economy of the United States. For a more detailed description of OFAC, visit the U.S. Department of the Treasury website.

Why should I check OFAC?

OFAC maintains sanctions lists on its website, designed to inform the public of people, organizations, and other entities that are connected to illegal or illicit activities like terrorism, drug trafficking, weapons distribution, and more. As a vendor manager, it is important to know that your service providers are not using your financial institution's funds to support these types of activities.

Is checking vendors against the OFAC lists a best practice or regulatory requirement?

When it comes to checking vendors against the OFAC lists, per the OFAC Sanctions Compliance FAQ, "OFAC itself is not a bank regulator." As such, they do not examine financial institutions and their compliance programs. However, OFAC does administer trade sanctions and works with the U.S. Department of Justice to enforce them.

That said, financial institutions are prohibited from performing transactions with sanctioned entities. (For more information, see the Office of Foreign Assets Control section of the FFIEC's BSA/AML Manual.)

Additionally, according to a 2018 Federal Financial Institutions Examination Council (FFIEC) joint statement on OFAC Cyber-Related Sanctions Program Risk Management, "continued use of products or services from a sanctioned entity […] could result in violations of law, civil money penalties, enforcement actions, and damage to the financial institution's reputation."

Lastly, the 2023 Interagency Guidance on Third-Party Relationships: Risk Management by the FDIC, FRB, and OCC states:

"A review of any legal and regulatory compliance considerations associated with engaging a third party allows a banking organization to evaluate whether it can appropriately mitigate risks associated with the third-party relationship. This may include [...] determining whether the third party itself or any owners are subject to sanctions by the Office of Foreign Assets Control."

In other words, checking vendors against the OFAC sanctions list is not a direct regulatory requirement. However, paying entities on the OFAC sanctions list is a violation of the law. Because of this, checking vendors against the OFAC sanctions lists has become an industry-accepted best practice.

Furthermore, not doing so may lead to scrutiny of your third-party risk management program by your federal banking regulator and could result in significant consequences if your financial institution is found to be in business with a sanctioned entity.

How can I check the OFAC lists?

You can check your vendors against the OFAC sanctions lists in a variety of ways:

  • OFAC Website: The OFAC website offers a Sanctions List Search, which can be used to determine if your vendors or vendor contacts are associated with a sanctioned entity.
  • Existing Internal Processes: Financial institutions are required to ensure their customers/members are not, and do not transfer funds to, sanctioned entities. As such, you may be able to work within your organization's existing framework to check your vendors.
  • Third-Party Service Providers: Certain third parties offer products and services to help organizations locate and report on sanctioned entities. While these services can be costly, depending on the number and complexity of vendor relationships involved with your organization, use of an additional third party may improve your OFAC checking processes.

How often should I check my vendors?

As there is not an explicit requirement for checking vendors against the OFAC sanctions lists, the OFAC Sanctions Compliance FAQ simply states the checking frequency "must be guided by your organization's internal policies and procedures."

One option could be to check your vendors during the selection process and then again prior to future payments. You could also check your vendors on an established frequency (e.g., monthly, quarterly, or annually), based on factors such as the vendor's location or the operational and reputational risk associated with the vendor relationship. Ultimately, the decision should come down to what is best for your organization and your regulators' expectations.

What should I do if one of my vendors is on an OFAC sanctions list?

If you are involved with a sanctioned entity, the FFIEC's joint statement recommends you contact OFAC as soon as possible through their telephone hotline (800-540-6322) or by email (ofac_feedback@treasury.gov).

Does Tandem have anything that can help with this?

Yes, Tandem Vendor Management can assist with the implementation of a full third-party risk management program for banks and credit unions. The Vendor Management product features compliance categories, including an "OFAC" category designed to help users document whether or not the organization has checked the vendor against the OFAC sanctions lists. Users may also schedule recurring tasks on a per-vendor basis, reminding vendor managers to confirm the vendor is not on the OFAC sanctions lists. Learn more about how Tandem can help you manage your third-party risk.