At this week's International Compliance Association conference in London, sponsored by Compliance Matters, Rachel Nagle from the dreaded US Office of Foreign Assets Control explained her organisation's attitude to foreign institutions.

Nagel thought that "the long arm of OFAC seems to be growing longer as the years go on." OFAC, she said, imposes primary sanctions (transactions/people in the US) and secondary sanctions, which it can impose on a non-US institution (by restricting access to US correspondent accounts or the US financial system) for knowingly facilitating significant transactions or financial services for specifically targeted individuals.

Compliance Matters asked her whether non-US private banks and asset management firms could fall foul of this rule if they merely operated systems that they knew would be of help to blacklisted entities without having any in mind, or whether they could only be liable if they engaged in actual 'message-stripping' or some other activity that can only happen if they know or are in actual contact with the people they are helping. The OFAC woman replied that her organisation only counted the second activity (in which the facilitator knows the identity of the beneficiary) as 'facilitating,' which may come as something of a relief to banks that deal with Russian and Middle Eastern customers.

Five objectives for your compliance department

While issuing novel and slightly perplexing phrases such as "dialoguing with your clients" and "dispositioning that transaction" and with the timbre of her voice shooting unaccountably upwards at the end of almost every sentence, Nagle called on the world's financial firms to do many onerous jobs on America's behalf. She wanted their compliance people to pursue five strategies.

* Making sure that they have strong lines of communication. If these are to work, she said, they must go internally from the top down, the bottom up and sideways. External dialogues between banks and their clients are important also, as 'customer due diligence' files have to be kept up-to-date and customers have to know what their banks can and cannot do. Communication lines with correspondents, vendors (who have to know the banks' expectations) and peer institutions (for 'benchmarking') are important as well.

* Obtaining the commitment of 'senior leaders' (perhaps meaning members of a main board) to the compliance infrastructure. Nagle said: "This is critical. I can't stress this enough." She thought that one way to pull off this very rare stunt was to "enrol the management team in your vision" by offering to build a "best in class compliance team." Readers are invited to write in with tales of any senior managers they know who have fallen under the spell of such an offer.

* Making 'programmes' (one can only assume that this unexplained word meant "things that the company does") dynamic and acquiring resources that are 'appropriate'.

* Enforcing OFAC-compliant policies rigorously and backing them up with accountability for everything. Nagel proclaimed herself a great believer in 'incentivising' compliance.

* Making cross-training effective so that everybody understands how his own training fits into the greater context of compliance. This can happen between process experts (compliance people) and product experts (everybody else). Nagle also urged firms to "separate the 'what' from the 'why.'" She said: "People want to believe in what they're doing and why they're doing what they're doing, so at every level in a compliance organisation, ensuring that people truly understand why they're filling [sic] that function can sometimes increase their commitment to performing their function in a complete and thorough way. Enrol them in your vision of where you want your compliance organisation to be and they will be more committed to what they do on a daily basis."

On this last point, evidence from many emails suggests that the German staff at Commerzbank, which has just signed a humiliating forfeiture agreement with OFAC for non-compliance, thought that OFAC's rules merely represented the capricious whims of the world's most powerful rogue state rather than something they could or should believe in. Nagle had no strategy for 'enrolling' non-US people such as these in the 'vision' of OFAC compliance.

Reassurance from on high

On 13th August 2014 OFAC released a document that said "any entity owned in the aggregate, directly or indirectly, 50% or more by one or more blocked persons is itself considered to be a blocked person." Just this one illiterate little phrase threw many non-US compliance offices into turmoil.

One East European delegate asked: "In KPMG we spend a lot of time to identify these kind of entities and I know how much manpower and money it takes to produce something like that, so what is your expectation towards smaller companies that don't have so much money or manpower to actually recognise these entities?"
 
This question is of interest to all private banks, insurers and asset-management firms that are not as large as KPMG. Nagle's attempt to say something reassuring had the opposite effect.

"This is where, I think, risk-based compliance comes into play. OFAC tries - I'm not sure we fully accomplish this goal - but we do try to be a reasonable agency. When it comes to an enforcement context, so for example, a small, less sophisticated organisation did process a transaction in violation of that 50% concept, what we would be looking at is what controls the company attempted to put into place to address that need. And so as long as they did something, we would be looking at whether that was commensurate with the risk that they identified and whether it was feasible with their resource level and so it's something that...we're not in the business of putting banks or other companies out of business. We understand that compliance is a lot more expensive than it used to be and so we do have a system in place to evaluate different institutions and what they were capable of."