Group of professionals discuss finance

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Banking and Finance Law Daily, November 6, 2018

OFAC cyber-sanctions program could increase risks for banks, FFIEC warns

By Richard A. Roth, J.D.

The Federal Financial Institutions Examination Council is warning financial institutions not to enter into transactions with entities on the Office of Foreign Assets Control’s cyber-related sanctions list. According to the FFIEC, some of these entities claim to be based in the United States and to offer financial services to financial institutions. Using the products or services of a sanctioned company, whether directly or through a third-party service provider, increases a financial institution’s operational and compliance risk, the agency says.

OFAC created its Cyber-Related Sanctions Program in 2015 in response to threats to the United States from "malicious cyber-related activities" of entities located outside of the country, the FFIEC joint statement says. As part of the program, set out in 31 CFR Part 578, OFAC has sanctioned entities that it concludes have supported malicious entities that have attacked U.S. organizations. Once a foreign entity is sanctioned, U.S. companies may not engage in transactions with them, and any property interests the foreign entity has that is subject to U.S. jurisdiction is blocked.

Increased risk. According to the FFIEC statement, addressing the risks from possible transactions with sanctioned entities "requires a high degree of collaboration across a financial institution’s OFAC compliance, fraud, security, IT, third-party risk management, and risk functions." Simply downloading a software patch from a sanctioned entity could constitute a prohibited transaction, the FFIEC is warning. Not only would this violate OFAC’s sanctions rule, it could increase a financial institution’s cybersecurity and operational risk.

The joint statement notes that some financial institutions may be obtaining a critical service from a sanctioned entity that cannot be instantly replaced. If such a service is deemed to be vital or necessary, it should be replaced "at the earliest possible time."

The FFIEC comprises the Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, National Credit Union Administration, and State Liaison Committee.

MainStory: TopStory BankingFinance BankSecrecyAct FederalReserveSystem FedTracker FinTech

Back to Top

Banking and Finance Law Daily

Introducing Wolters Kluwer Banking and Finance Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.

A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.