Q&A: Here’s a question that a Wisconsin credit union recently asked The League’s Legal Affairs team, along with our answer. Do you have a compliance question? Contact The League’s Compliance Hotline at (608) 640-4050 or email.
Q. This is related to the recent Compliance Courier titled, “OFAC record retention period increasing to 10 years in March.” In everything I am reading on this, it appears that the updated retention period for the recordkeeping requirement includes transactions or attempted transactions conducted for an actual party on the sanctions lists (even those allowed by special license). My question is, do we need to retain records for those that were determined to be a false positive?
A. To be sure we’re on the same page, I want to start by reviewing what I believe a “false positive” means.
A false positive occurs when your screening process initially identifies a party to a transaction as a possible match against one of the OFAC lists, but later investigation shows that to be wrong, and so the credit union takes no steps to block or reject the transaction.
As OFAC’s FAQs explain it:
If you have checked a name manually or by using software and find a match, you should do a little more research. Is it an exact name match, or very close? Is your customer located in the same general area as the SDN or another entry on one of OFAC’s sanctions lists? If not, it may be a “false hit.” If there are many similarities, contact OFAC’s hotline for verification.
***
In many cases, an institution may identify a “false positive,” where the name is similar to a sanctioned person’s name, but the rest of the information provided by the applicant does not match the descriptor information on OFAC’s SDN List.
The FAQs go on to list specific steps to be taken to investigate potential OFAC matches for false positive hits, and we include those steps in The League’s ii Release No. 0148.
When you have a false positive hit, the name does not actually match OFAC lists, and so the credit union is not required to take any action regarding that transaction, such as blocking it or rejecting it.
The newly revised OFAC regulations say:
Except as otherwise provided, every person engaging in any transaction subject to the provisions of this chapter shall keep a full and accurate record of each such transaction engaged in, regardless of whether such transaction is effected pursuant to license or otherwise, and such record shall be available for examination for at least 10 years after the date of such transaction. Except as otherwise provided, every person holding property blocked pursuant to the provisions of this chapter or funds transfers retained pursuant to § 596.504(b) of this chapter shall keep a full and accurate record of such property, and such record shall be available for examination for the period of time that such property is blocked and for at least 10 years after the date such property is unblocked.
In the case of a false positive, the credit union and its member are not actually “engaged in a transaction subject to the provisions of” the OFAC rules, and so the record retention requirements do not seem to apply.
Similarly, the federal regulators’ joint BSA/AML Examination Manual (which hasn’t yet been updated to reflect the 10-year retention period) says this about OFAC record retention:
Banks must keep a full and accurate record of each rejected transaction for at least five years after the date of the transaction. For blocked property (including blocked transactions), records must be maintained for the period the property is blocked and for five years after the date the property is unblocked.
Since a “false positive” wouldn’t lead to a rejected or blocked transaction, the manual helps confirm our view that the record retention requirements do not apply.
Keeping records for auditors and examiners
Independent testers and/or examiners might want to see records that reflect what steps a credit union has taken to weed out false positive OFAC hits. It would make sense to keep some records of what you’ve done, to satisfy auditors and examiners that credit union staff has taken appropriate steps. I just don’t believe that those records are subject to the strict 10-year retention period in the OFAC regulations.
What if you mistakenly blocked and reported a transaction?
If the credit union has actually blocked a transaction because of an apparent OFAC hit, but later finds out it was wrong, perhaps because of mistaken identity or a typo, then the answer is different. In those cases, you can seek to have it unblocked or ask for a “compliance release,” but it seems that you would still need to retain records of what happened for at least 10 years.
One of OFAC’s FAQs addresses blocked property, which references section 501.601 of the OFAC regulations – the record retention rule.
1196. What should I do if I blocked and reported property in error due to mistaken identity or typographical or similar errors?
If you have blocked and reported property due to mistaken identity or typographical or similar errors, you may unblock such property and file an unblocking report with OFAC consistent with the procedures described in 31 CFR 501.603(b)(3). With respect to the information described in 31 CFR 501.603(b)(3)(ii)(F), the reporting person can cite FAQ 1196 in their unblocking report to indicate that the property was released due to mistaken identity or typographical errors, rather than an OFAC authorization like a general or specific license. Please note, unblocking property in which a blocked person does in fact have an interest without authorization from OFAC could expose U.S. persons to civil penalties.
Alternatively, you may seek to have such property unblocked pursuant to the administrative procedures detailed at 31 CFR 501.806, known as a “Compliance Release.”
OFAC strongly encourages organizations subject to U.S. jurisdiction to develop risk-based sanctions compliance programs that allow for the proper evaluation and adjudication of potential name matches to blocked persons. Organizations should not use the Compliance Release process as a substitute for internal controls to mitigate the risk of transactions or dealings in blocked property.
Organizations should not request a Compliance Release in situations in which property was correctly blocked, but the status of the property has subsequently changed (e.g., a change in the portion of ownership by a blocked person). In such scenarios, organizations should apply for a specific license. The Compliance Release process is solely for cases of mistaken identity or typographical or similar error, in which there was never a blockable interest in the subject property (e.g., a name match to a blocked person that the reporting organization later determines, with reliable supporting evidence, to be a false positive). Please note neither a specific license nor a Compliance Release is required to unblock property when a person is delisted from the Specially Designated Nationals and Blocked Persons List.
The Compliance Release process is only available to the organization who blocked the property; thus, if a financial institution or other organization has blocked your property and you are requesting that the property be unblocked, you should engage directly with the financial institution or other organization that blocked your property in cases of mistaken identity or apply for a specific license.
Organizations must retain records as related to the transactions described above. See 31 CFR 501.601 and 31 CFR 501.602 of the Reporting, Procedures and Penalties Regulations for applicable recordkeeping and reporting requirements.
OFAC’s new platform
Lastly, The League published a Compliance Courier last summer, about OFAC changing its platform for handling things like queries to verify a potential hit. Credit unions can use that platform and the other links in the Courier to help find answers on OFAC issues.