Your OFAC policy should include several of the same elements as your Bank Secrecy Act policy — a risk assessment, internal controls, independent testing, training, a dedicated compliance officer, and reporting. For this reason, many credit unions have combined their OFAC and BSA policies into a single Anti-Money Laundering or AML policy.

CU PolicyPro has both a combined AML policy (#2110) and a separate OFAC policy (#2145) for you to work with, as well as a model procedure on Politically Exposed Persons (#2110.10).

One common question is whether it is acceptable to set a dollar threshold for OFAC transactions if your credit union determines you are fairly low risk during your assessment. Unfortunately, the answer is no. There is no minimum or maximum amount subject to the regulation. Despite a low-risk or more simplistic program, compliance is expected. Iif the transaction involves the movement of money, it is subject to OFAC regulations.

An important OFAC-related resource in this time of cybersecurity threats is the Cyber-Related Sanctions section of their website. There you can find recent advisories, a brochure overview of Cyber-related Sanctions, Frequently Asked Questions, and Interpretive Guidance.

OFAC itself was the target of Chinese hackers, as reported by CISA in early January. Their first-hand experience may lead to additional guidance soon.

Before contacting them, OFAC recommends you take the following steps to determine if your credit union has a valid OFAC match:

1) Is the hit against OFAC's SDN list or "hitting" for some other reason? If your potential match is hitting against one of the lists, continue to #2. If it is hitting for some other reason, contact the keeper of the list (i.e. the FBI if on the FBI Most Wanted list) or your software provider. 

2) Compare the name in your transaction with the name on the SDN list. Is the name in your transaction an individual, while the name on the SDN list is a vessel, organization, or company? If yes, you do not have a valid match; if no, continue to #3.

3) How much of the SDN's name matches that of your account holder? Is it just one of two or more names (i.e. just the last name)? If yes, you do not have a valid match; if no, continue to #4.

4) Compare other information you have (like an address, nationality, date of birth, former names, etc.) Are you missing a lot of this information for the name of your account holder? If yes, go back, get more information, and then compare; if no, continue to #5.

5) Are there several similarities or exact matches? If yes, contact the OFAC Compliance Hotline or call 1-800-540-6322 for guidance. If no, you don't have a valid match and can just log the details of your process and move on.

Broad Screening



According to the FFIEC BSA/AML Exam Manual on OFAC, new accounts should be compared with OFAC lists either before or shortly after being opened. However, "the extent to which the [credit union] includes account parties other than accountholders (e.g., beneficiaries, guarantors, principals, beneficial owners, signatories, and powers of attorney) in the initial OFAC review during the account opening process, and during subsequent database reviews of existing accounts, will depend on the [credit union's] risk profile and available technology."

Based on your OFAC risk profile for each area and available technology, your credit union should establish policies, procedures, and processes for reviewing transactions and parties.

Recent Actions

If you are interested in recent actions OFAC has taken, their website has a comprehensive list.

A November 2024 penalty of over $1 million was issued against a U.S. person for 75 violations of sanctions on Iran that were transacted through a Canadian money service business. OFAC determined the violations were "egregious and were not voluntarily self-disclosed." The penalty was one of the first against an individual. You can read more about it here.

Prohibited Countries

It is common to request or look for a list of countries on the OFAC list. Some credit unions may want to include it in their policy or procedures, but it is not that simple. 

According to OFAC, "U.S. sanctions programs vary in scope. Some are broad-based and oriented geographically (i.e. Cuba, Iran). Others are "targeted" (i.e. counter-terrorism, counter-narcotics) and focus on specific individuals and entities. These programs may encompass broad prohibitions at the country level as well as targeted sanctions." Due to the diversity among sanctions, OFAC advises using the Sanctions Programs and Country Information page for information on a specific program.

For additional information on OFAC Compliance, visit the InfoSight OFAC page or our Compliance Training Tools website. Contact me if you have any problems or need access.

Donya Parrish, VP Risk Management | donya@mcun.coop | 406.324.7374