<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

3 Lessons Learned from a $250,000 OFAC Fine

3 min read
Aug 30, 2022

The Office of Foreign Asset Control (OFAC) recently fined Banco Popular de Puerto Rico $250,000 for violating the Venezuela Government sanctions program. The bank processed $850,000 in transactions on behalf of two low-level Venezuelan government employees over a 14-month period. The bank was aware of the new OFAC sanction but took over a year to make the appropriate changes to their compliance program.

While the fine may seem like a drop in the bucket for a $66 billion institution, it could have been much worse. Banco Popular self-disclosed the violation to OFAC, which saved them big. Based on OFAC’s guidelines, the fine could have been as high as $105 million.

Part of OFAC’s leniency was that Banco Popular was able to demonstrate its internal control environment was sufficient to catch and report the issue, and that it had bolstered its internal control environment since identifying the issue. 

As this case proves, sanctions compliance is a real issue for financial institutions, especially in the wake of round after round of economic sanctions levied by the U.S. against Russia over the war on Ukraine.

As your institution navigates evolving OFAC requirements, keep these three lessons in mind to avoid these kinds of compliance oversights.  

Managing regulatory change isn’t just about information—it’s also about speed. 
  1. Managing regulatory change isn’t just about information—it’s also about speed.

OFAC sanctions require a quick response. They don’t come with far-off implementation dates like some regulations. They require immediacy.

In the case of Venezuelan government sanctions, a year was far too long to wait to make the update.

To avoid this mistake, your financial institution should ask: 

  • How are we sourcing information on new and changed regulations, such as new additions to the OFAC sanctions list? 
  • How are we being alerted when a new or changed regulation affects our institution? 
  • Are we engaging with all key players in the change management process, such as line of business management and frontline personnel, and if so, how? 

Answering these questions can help ensure that regulatory changes are implemented in a timely manner.

2. Internal controls must be effective.

Internal controls must be effective. 

Internal controls aren’t something that can be set up and forgotten. When internal controls aren’t functioning properly, it increases risk. In this case it was the risk that OFAC sanctions aren’t updated and implemented in a timely manner.

To avoid this problem, the internal control environment at a financial institution must be monitored and improved on an ongoing basis. 

Your financial institution must ask: 

  • How are we testing the effectiveness of our internal control environment?  
  • Does this data flow back to our risk management or internal audit systems? 

There must be a process for remediating any flaw or breakdown in your institution’s control environment, as well as oversight for the remediation process. Your financial institution should also ensure that the remediation process is quick and efficient to address any issues as soon as they arise. Findings management is a must.

Internal audits are extremely valuable. 

3. Internal audits are extremely valuable.

If Banco Popular had a robust internal audit function, the entire issue might have surfaced sooner, enabling risk managers to remediate it long before it became an issue and resulted in a fine.

Questions your financial institution should consider include:  

  • How are we currently conducting internal audits? 
  • And again, is the data flowing from our risk assessment to the audit process, so that auditors can properly scope audits based on perceived risks? 

You should also look at how you are sourcing compliance-related information to build out audit and compliance testing programs.

Additionally, you must ensure that audit management is an efficient process so there are no delays in getting key risk data to the people within your institution who can make changes, if any are warranted. 

If your financial institution has not evaluated its compliance, risk, and audit programs recently, now may be a good time to do so. Otherwise, you could find yourself in Banco Popular’s position.

Worried about the pace of regulatory change? 
Register for our webinar, Are You Ready for It? How to Manage Regulatory Change 
for insights into upcoming regulatory change and how to prepare.


Subscribe to the Nsight Blog