OFAC Compliance: What Counts as Due Diligence?

“We’re from the Government, and we’re here to help.”

OFAC supports U.S. financial institutions in their list-screening operations in several ways.  It provides:

And yet…

OFAC policies make it clear that “due diligence” is required when matching names of potential parties against their lists, and that the SLSA tool by itself is not necessarily adequate to achieve minimal compliance.

Let me repeat: According to OFAC, using the SLSA tool they provide is not sufficient for minimal compliance.

So, what counts as “minimally compliant” and “due diligence””?  OFAC doesn’t really say (but don’t worry, they will know it when they see it).  Instead, OFAC helpfully recommends a complex winnowing process which begins with the name and moves on to successive stages of analysis, including analysis of non-name data fields.  This advice, while helpful for weeding out the “false positives” that can chew up staff time and increase the risk of offending valuable clients, does little to drive out the uncertainty around what counts as good enough, especially for large-scale operations clearing millions of names in the course of a single work-day.

One problem, many solutions

The broad array of commercial products and technologies now in use for OFAC list-screening gives compelling evidence of the wide range of opinions among financial institutions as to the correct way to achieve the “due diligence” that OFAC requires. Why can’t this be simpler?

The OFAC website seems to be of two minds on this issue. One one hand, it takes pains to point out that list-screening need not involve the purchase of “expensive software.” On the other hand, its own SLSA tool is described as insufficient for the task. Even more ominously, OFAC says using the SLSA tool does not shield the user from subsequent civil or criminal liability. Does that sound just a bit to you like “Do as I say, and not as I do?”

Part of the answer, of course, is that name-matching is a deceptively difficult undertaking. If I learned nothing else in more than twenty years spent matching names for a living, at least I learned that. But I also believe that a fair piece of the blame must be placed on OFAC.

Surely, OFAC officials understand that there are practical and operational limitations inherent in preventing financial crimes this way. Publishing a list of entities and telling US institutions not to do business with any of them is an easy mandate to lay down, but exceedingly difficult to accomplish, especially without a clear definition of the exact terms for achieving “due diligence.”

Part of the problem, IMHO, is that OFAC has a case of cultural myopia when it comes to its name-lists. The assumption that names on the OFAC lists will behave like names do in everyday US usage is shot through the OFAC policies, decision-making guidance and even the SLSA tool’s code. I’ll point out a few of the more evident and impactful of these in following posts and suggest strategies for overcoming these limitations in order to reduce risk.

Leave a Reply

Your email address will not be published. Required fields are marked *