How often does an institution need to scan their customer database against the OFAC list?
The frequency of running an OFAC scan must be guided by your internal bank policy and procedures. Keep in mind, however, that if your bank fails to identify and block a target account (of a terrorist, for example), there could be “real world” consequences such as a transfer of funds or other valuable property to an SDN, an enforcement action against your bank, and negative publicity. OFAC agrees that financial institutions should take a risk-based approach when considering the likelihood that they may encounter OFAC issues. The functional regulators examine financial institutions to determine the adequacy of each institution’s OFAC program and the effectiveness of its risk management. To assist banks with building a risk-based program, OFAC has provided a matrix to assist in identification of low, moderate and high areas (OFAC Risk Matrix: http://www.treas.gov/offices/enforcement/ofac/faq/matrix.
