OFAC Risk Matrix: How High Risk is Your Business?

Customer Location

Low Risk
Stable, well-known customer base in a localized environment.

Medium Risk
Customer base changing due to branching, merger or acquisition in the domestic market.

High Risk
A large, fluctuating client base in an international environment.

Number of High Risk Customers

Low Risk
Few high-risk customers; these may include nonresident aliens, foreign customers (including accounts with U.S. powers of attorney) and foreign commercial customers.

Medium Risk
A moderate number of high-risk customers.

High Risk
A large number of high-risk customers.

Correspondent Accounts

Low Risk
No overseas branches and no correspondent accounts with foreign banks.

Medium Risk
Overseas branches or correspondent accounts with foreign banks.

High Risk
Overseas branches or multiple correspondent accounts with foreign banks.

Electronic Banking

Low Risk
No electronic banking (e-banking) services offered, or products available are purely informational or non-transactional.

Medium Risk
The bank offers limited e-banking products and services.

High Risk
The bank offers a wide array of e-banking products and services (i.e., account transfers, e-bill payment, or accounts opened via the Internet).

Composition and Velocity of Transfers

Low Risk
Limited number of funds transfers for customers and non- customers, limited third-party transactions, and no international funds transfers.

Medium Risk
A moderate number of funds transfers, mostly for customers. Possibly, a few international funds transfers from personal or business accounts.

High Risk
A high number of customer and non-customer funds transfers, including international funds transfers.

Types of International Transactions

Low Risk
No other types of international transactions, such as trade finance, cross-border ACH, and management of sovereign debt.

Medium Risk
Limited other types of international transactions.

High Risk
A high number of other types of international transactions.

OFAC History

Low Risk
No history of OFAC actions. No evidence of apparent violation or circumstances that might lead to a violation.

Medium Risk
A small number of recent actions (i.e., actions within the last five years) by OFAC, including notice letters, or civil money penalties, with evidence that the bank addressed the issues and is not at risk of similar violations in the future.

High Risk
Multiple recent actions by OFAC, where the bank has not addressed the issues, thus leading to an increased risk of the bank undertaking similar violations in the future.

Management Consideration

Low Risk
Management has fully assessed the bank’s level of risk based on its customer base and product lines. This understanding of risk and strong commitment to OFAC compliance is satisfactorily communicated throughout the organization.

Medium Risk
Management exhibits a reasonable understanding of the key aspects of OFAC compliance and its commitment is generally clear and satisfactorily communicated throughout the organization, but it may lack a program appropriately tailored to risk.

High Risk
Management does not understand, or has chosen to ignore, key aspects of OFAC compliance risk. The importance of compliance is not emphasized or communicated throughout the organization.

Board of Directors Approval

Low Risk
The board of directors, or board committee, has approved an OFAC compliance program that includes policies, procedures, controls, and information systems that are adequate, and consistent with the bank’s OFAC risk profile.

Medium Risk
The board has approved an OFAC compliance program that includes most of the appropriate policies, procedures, controls, and information systems necessary to ensure compliance, but some weaknesses are noted.

High Risk
The board has not approved an OFAC compliance program, or policies, procedures, controls, and information systems are significantly deficient.

Staffing Levels

Low Risk
Staffing levels appear adequate to properly execute the OFAC compliance program.

Medium Risk
Staffing levels appear generally adequate, but some deficiencies are noted.

High Risk
Management has failed to provide appropriate staffing levels to handle workload.

Authority and Accountability

Low Risk
Authority and accountability for OFAC compliance are clearly defined and enforced, including the designation of a qualified OFAC officer.

Medium Risk
Authority and accountability are defined, but some refinements are needed. A qualified OFAC officer has been designated.

High Risk
Authority and accountability for compliance have not been clearly established. No OFAC compliance officer, or an unqualified one, has been appointed. The role of the OFAC officer is unclear.

Staff Training

Low Risk
Training is appropriate and effective based on the bank’s risk profile, covers applicable personnel, and provides necessary up-to-date information and resources to ensure compliance.

Medium Risk
Training is conducted and management provides adequate resources given the risk profile of the organization; however, some areas are not covered within the training program.

High Risk
Training is sporadic and does not cover important regulatory and risk areas.

Internal Quality Control

Low Risk
The institution employs strong quality control methods.

Medium Risk
The institution employs limited quality control methods.

High Risk
The institution does not employ quality control methods.

Compliance Culture

Low Risk
Compliance considerations are incorporated into all products and areas of the organization.

Medium Risk
Compliance considerations were overlooked, but not in high-risk areas, and management promised corrective action when deficiencies were identified.

High Risk
Compliance considerations are not incorporated into numerous areas of the organization, or do not adequately cover high-risk areas.

Effective Policies

Low Risk
Effective policies for screening transactions and new accounts for Specially Designated Nationals and Blocked Persons (SDNs) and sanctioned countries is in place. These policies take into account the level of risk of the type of transaction being screened.

Medium Risk
Policies for screening transactions and new accounts exist but are not properly aligned with the bank’s level of risk.

High Risk
Policies for screening transactions and new accounts do not exist.

Reporting and Audit Trails

Low Risk
Compliance systems and controls effectively identify and appropriately report potential OFAC violations. Compliance systems are commensurate with risk. Records are retained that document such reporting.

Medium Risk
Compliance systems and controls generally identify potential OFAC violations, but the systems are not comprehensive based on risk or have some weaknesses that allow inaccurate reporting.

High Risk
Compliance systems and controls are ineffective in identifying and reporting OFAC violations and are not commensurate with the bank’s level of risk.

Ongoing Monitoring and Re-scans

Low Risk
On a periodic basis, determined by the bank’s level of risk, all existing accounts are checked to ensure that problem accounts are properly blocked or restricted, depending on the requirements of the relevant sanctions program.

Medium Risk
Accounts are periodically checked to ensure that problem accounts are properly blocked or restricted, but this does not occur often enough based on the bank’s level of risk.

High Risk
Existing accounts are not reviewed to ensure that problem accounts are properly blocked or restricted.

Adaptation Speed and Data Updates

Low Risk
Compliance systems and controls quickly adapt to changes in the OFAC SDN list and country programs, regardless of how frequently or infrequently those changes occur.

Medium Risk
Compliance systems and controls are generally adequate and adapt to changes in the OFAC SDN list and country programs.

High Risk
Compliance systems and controls are not current and are inadequate to comply with and adapt to changes to the OFAC SDN list and country programs.

Independent Audits

Low Risk
Independent testing of a compliance program’s effectiveness is in place. An independent audit function tests OFAC compliance with regard to systems, training and use.

Medium Risk
Overall, independent testing is in place and effective, but some weaknesses are noted.

High Risk
Independent testing is not in place or is ineffective. Testing performed is not considered independent.

Remediation Efforts

Low Risk
Problems and potential problems are quickly identified, and management promptly implements meaningful corrective action.

Medium Risk
Problems are generally corrected in the normal course of business without significant investment of money or management attention. Management is reasonably responsive when deficiencies are identified.

High Risk
Errors and weaknesses are not self-identified. Management is dependent on regulatory findings or responds only when violations are cited or penalties assessed.

Overall Compliance

Low Risk
Overall, appropriate compliance controls and systems have been implemented to identify compliance problems and assess performance.

Medium Risk
In general, no significant shortcomings are evident in compliance controls or systems.

High Risk
Significant problems are evident. The likelihood of continued compliance violations or noncompliance is high because a corrective action program does not exist, or extended time is needed to implement such a program.