FAQ: Risk Matrix
OFAC agrees that financial institutions should take a risk-based approach when
considering the likelihood that they may encounter OFAC issues. The functional
regulators examine financial institutions to determine the adequacy of each institution's
OFAC program and the effectiveness of its risk management. The following provide
areas to consider as you review your OFAC procedures:
Section A (corresponds to a matrix provided in the FFIEC Bank Secrecy Act Anti-Money Laundering Examination Manual published in 2005, Appendix M ["Quantity of Risk Matrix--OFAC Procedures"]):

Customer base
Low: Stable, well-known customer base in a localized environment.
Moderate: Customer base changing due to branching, merger or acquisition in the domestic market.
High: A large, fluctuating client base in an international environment.

High-risk customers
Low: Few high-risk customers; these may include nonresident aliens, foreign customers (including accounts with U.S. powers of attorney) and foreign commercial customers.
Moderate: A moderate number of high-risk customers.
High: A large number of high-risk customers.

Overseas branches and correspondent accounts
Low: No overseas branches and no correspondent accounts with foreign banks.
Moderate: Overseas branches or correspondent accounts with foreign banks.
High: Overseas branches or multiple correspondent accounts with foreign banks.

Electronic banking
Low: No electronic banking (e-banking) services offered, or products available are purely informational or non-transactional.
Moderate: The bank offers limited e-banking products and services.
High: The bank offers a wide array of e-banking products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet).

Funds transfers
Low: Limited number of funds transfers for customers and non-customers, limited third-party transactions, and no international funds transfers.
Moderate: A moderate number of funds transfers, mostly for customers. Possibly, a few international funds transfers from personal or business accounts.
High: A high number of customer and non-customer funds transfers, including international funds transfers.

Other international transactions
Low: No other types of international transactions, such as trade finance, cross-border ACH, and management of sovereign debt.
Moderate: Limited other types of international transactions.
High: A high number of other types of international transactions.

History of OFAC actions
Low: No history of OFAC actions. No evidence of apparent violation or circumstances that might lead to a violation.
Moderate: A small number of recent actions (i.e., actions within the last five years) by OFAC, including notice letters, or civil money penalties, with evidence that the bank addressed the issues and is not at risk of similar violations in the future.
High: Multiple recent actions by OFAC, where the bank has not addressed the issues, thus leading to an increased risk of the bank undertaking similar violations in the future.
Section B (Additional factors that you might consider):

Management understanding and commitment
Low: Management has fully assessed the bank’s level of risk based on its customer base and product lines. This understanding of risk and strong commitment to OFAC compliance is satisfactorily communicated throughout the organization.
Moderate: Management exhibits a reasonable understanding of the key aspects of OFAC compliance and its commitment is generally clear and satisfactorily communicated throughout the organization, but it may lack a program appropriately tailored to risk.
High: Management does not understand, or has chosen to ignore, key aspects of OFAC compliance risk. The importance of compliance is not emphasized or communicated throughout the organization.

Board-approved compliance program
Low: The board of directors, or board committee, has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate, and consistent with the bank’s OFAC risk profile.
Moderate: The board has approved an OFAC compliance program that includes most of the appropriate policies, procedures, controls, and information systems necessary to ensure compliance, but some weaknesses are noted.
High: The board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient.

Staffing
Low: Staffing levels appear adequate to properly execute the OFAC compliance program.
Moderate: Staffing levels appear generally adequate, but some deficiencies are noted.
High: Management has failed to provide appropriate staffing levels to handle workload.

Authority and accountability
Low: Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer.
Moderate: Authority and accountability are defined, but some refinements are needed. A qualified OFAC officer has been designated.
High: Authority and accountability for compliance have not been clearly established. No OFAC compliance officer, or an unqualified one, has been appointed. The role of the OFAC officer is unclear.

Training
Low: Training is appropriate and effective based on the bank’s risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance.
Moderate: Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program.
High: Training is sporadic and does not cover important regulatory and risk areas.

Quality control
Low: The institution employs strong quality control methods.
Moderate: The institution employs limited quality control methods.
High: The institution does not employ quality control methods.

Compliance considerations in products and areas
Low: Compliance considerations are incorporated into all products and areas of the organization.
Moderate: Compliance considerations were overlooked, but not in high-risk areas, and management promised corrective action when deficiencies were identified.
High: Compliance considerations are not incorporated into numerous areas of the organization, or do not adequately cover high-risk areas.

Screening policies
Low: Effective policies for screening transactions and new accounts for Specially Designated Nationals and Blocked Persons (SDNs) and sanctioned countries are in place. These policies take into account the level of risk of the type of transaction being screened.
Moderate: Policies for screening transactions and new accounts exist but are not properly aligned with the bank’s level of risk.
High: Policies for screening transactions and new accounts do not exist.

Identification and reporting of potential violations
Low: Compliance systems and controls effectively identify and appropriately report potential OFAC violations. Compliance systems are commensurate with risk. Records are retained that document such reporting.
Moderate: Compliance systems and controls generally identify potential OFAC violations, but the systems are not comprehensive based on risk or have some weaknesses that allow inaccurate reporting.
High: Compliance systems and controls are ineffective in identifying and reporting OFAC violations and are not commensurate with the bank’s level of risk.

Review of existing accounts
Low: On a periodic basis, determined by the bank’s level of risk, all existing accounts are checked to ensure that problem accounts are properly blocked or restricted, depending on the requirements of the relevant sanctions program.
Moderate: Accounts are periodically checked to ensure that problem accounts are properly blocked or restricted, but this does not occur often enough based on the bank’s level of risk.
High: Existing accounts are not reviewed to ensure that problem accounts are properly blocked or restricted.

Adapting to SDN list and country program changes
Low: Compliance systems and controls quickly adapt to changes in the OFAC SDN list and country programs, regardless of how frequently or infrequently those changes occur.
Moderate: Compliance systems and controls are generally adequate and adapt to changes in the OFAC SDN list and country programs.
High: Compliance systems and controls are not current and are inadequate to comply with and adapt to changes to the OFAC SDN list and country programs.

Independent testing
Low: Independent testing of a compliance program’s effectiveness is in place. An independent audit function tests OFAC compliance with regard to systems, training and use.
Moderate: Overall, independent testing is in place and effective, but some weaknesses are noted.
High: Independent testing is not in place or is ineffective. Testing performed is not considered independent.

Problem identification and corrective action
Low: Problems and potential problems are quickly identified, and management promptly implements meaningful corrective action.
Moderate: Problems are generally corrected in the normal course of business without significant investment of money or management attention. Management is reasonably responsive when deficiencies are identified.
High: Errors and weaknesses are not self-identified. Management is dependent on regulatory findings or responds only when violations are cited or penalties assessed.

Overall compliance controls and systems
Low: Overall, appropriate compliance controls and systems have been implemented to identify compliance problems and assess performance.
Moderate: In general, no significant shortcomings are evident in compliance controls or systems.
High: Significant problems are evident. The likelihood of continued compliance violations or noncompliance is high because a corrective action program does not exist, or extended time is needed to implement such a program.