Anti-money laundering and OFAC compliance for multinational financial institutions: implementing a risk-based approach



AML laws date back to 1970, when Congress passed the Currency and Foreign Transactions Reporting Act (commonly known as the Bank Secrecy Act or the BSA), which requires that banks and many other financial institutions file currency reports with the United States and identify people engaged in financial transactions. These laws have been expanded several times, most importantly by the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act). The Patriot Act criminalised the financing of terrorism and augmented AML laws by, inter alia, requiring strengthened customer identification procedures, prohibiting interactions with foreign shell banks, requiring enhanced due diligence procedures, and increasing penalties for violations. The end result is a web of broad-based controls that reach a wide variety of financial institutions.

Also complicating compliance for financial institutions involved in international transactions is the role of OFAC, which administers sanctions against transactions or investments in sanctioned countries or with sanctioned entities. OFAC maintains specific restrictions on financial institutions, which must take actions to reject or (more commonly) block prohibited transactions involving sanctioned persons or governments. There is a natural interaction of AML and OFAC requirements, as both require the identification of suspicious financial transactions and their reporting to the US government. Indeed, in recent years it has been common for the US government to bring enforcement actions that involve both OFAC and AML violations, as most notably occurred with regard to the $8.9bn BNP Paribas enforcement action. For this reason, many financial institutions implement AML and OFAC responsibilities together.

Evaluating and mitigating risk

AML risk assessment. AML compliance requires close knowledge of the risk profile of the company. This requires a careful review of the financial institution’s business and product lines, its types of customers, and its activities and operations, to determine where problems are most likely to arise.

At most financial institutions, the following products and services tend to be higher risk: account openings; electronic fund payments, including electronic cash, fund transfers (especially if international), payments made upon proper identification (PUPID transactions), and Automated Teller Machine (ATM) transactions; private banking (especially if international); trust and management services; foreign correspondent accounts; trade finance (such as letters of credit); lending activities, especially if secured by cash collateral or marketable securities; wire transfers initiated by customers who are paying with cash, especially if the amount is greater than $3000 (which implicates BSA guidelines) or if the customer is new to the bank; international private banking; transactions involving overseas branches or subsidiaries; and transactions involving negotiable instruments.

Similarly, the following entities tend to be higher risk: nonresidents, foreign customers, or accounts for the benefit of people outside the country; foreign financial institutions, including not just banks but also other sources of foreign money, such as foreign money services providers or foreign currency exchangers; non-bank financial institutions, such as money service businesses, casinos, and dealers in precious metals and jewels; senior foreign political figures, their immediate family members, and close associates; foreign corporations; cash-intensive businesses; entities and individuals in countries subject to OFAC sanctions or identified by the US government as supporting international terrorism; entities or individuals identified as being of primary money-laundering concern by the Secretary of the Treasury or identified by the US Department of State as being major money-laundering countries as part of its annual International Narcotics Control Strategy Report; companies operating in offshore financial centres; and any other types of customers identified as high-risk based upon the prior personal experience of the financial institution.

AML compliance implementation

The first step when implementing an AML compliance system is to create a set of internal controls. There are a number of important compliance best practices to consider when creating internal controls:

Create a formal risk profile that identifies the products, services, customers and geographic factors that have been identified as creating higher risk to facilitate the creation of a compliance program tailored to address these risks.

Establish a control structure for the proper implementation of an AML compliance program that includes a single person or committee in charge of implementing the program, monitoring its effectiveness, and notifying directors and senior management of issues that arise, including those that might require the filing of Suspicious Activity Reports (SARs).

Put in place a mechanism to identify suspicious activity and to determine when it must be reported.

Identify all reportable transactions, including currency transaction reports and other regulatory reports.

Create training programs for employees that handle currency transactions, engage in overseeing and handling high-risk activities, or for other reasons need detailed knowledge of AML requirements.

Establish a program that meets all required recordkeeping requirements.

Incorporate AML compliance into performance evaluations.

All financial institutions must satisfy know-your-customer guidelines. These have two components: a Customer Identification Program (CIP) and Customer Due Diligence (CDD) procedures.

CIP requirements vary depending upon the size and type of business. At a minimum, the CIP should specify account opening procedures, including what type of information should be sought for opening different types of accounts or other activity that results in a person or entity becoming a customer of the financial institution. Required information for individuals includes the name, date of birth, address and identification, such as an unexpired, government-issued form of identification. The identification should provide evidence of the customer’s nationality or residence, bear a photograph, or in some other fashion allow the financial institution to form a reasonable belief as to the customer’s true identity. For entities, the financial institution should request information showing the legal existence of the entity, such as certified articles of incorporation, an unexpired business licence, or a partnership agreement. While banks are not required to use non-documentary methods of customer identification, for higher-risk transactions, financial institutions often will contact customers, independently verify the customer’s identity using internet resources, or obtain financial statements.

CDD policies and procedures are another key aspect of AML compliance, particularly for activities identified as high risk in the financial institution’s risk assessment. At account opening, the financial institution should obtain sufficient information to have a good understanding of the expected and normal activities for a customer. Much of the required information can be obtained through information-reporting agencies; for larger accounts, it is common to check banking references or internet resources, or to follow up with written correspondence and telephone conversations with the customer or visits to the prospective customer’s place of business.

For high-risk activities, additional information should be sought, including information regarding the purpose of the account, the customer’s source of funds, financial statements and banking references. It is appropriate to enquire into all individuals with ownership or control over the account, including beneficial owners, signatories and guarantors. The financial institution must understand the customer’s primary business areas, the anticipated volume of currency and total deposits, the level of revenues of the customer, and its primary customers and suppliers. It also is appropriate to enquire into the expected level and type of high-risk transactions, including the types of international transactions expected. Compliance procedures should be set to monitor activity on a more frequent basis so that changes in account activity are detected quickly and brought to the attention of appropriate compliance personnel.

The third key compliance area relates to the identification and reporting of suspicious activities. Financial institutions must file a variety of reports, and suspicious activity reporting forms the core of the reporting obligations. Banks and credit unions must ensure that they have in place compliance procedures that will ensure the reporting of SARs for the following situations: (i) known or suspected criminal violations involving insider activity in any amount; (ii) known or suspected criminal violations totalling $5000 or more when a suspect can be identified; (iii) known or suspected criminal violations totalling $25,000 or more, regardless of potential suspect; or (iv) suspicious transactions of $5000 or more that involve potential AML violations. The compliance program should designate a person in charge of following up on all SARs and ensuring they are filed on time (within 30 days of detection where a subject is known and 60 days otherwise).

Common international issues

Certain scenarios, by their nature, are of special concern to financial institutions engaged in international transactions. In some of these cases, AML regulations require enhanced due diligence or other special procedures. Even when that is not true, prudence often will dictate the same result. International transactions that fall within this category include:

Foreign branches and offices of US banks. The BSA and its implementing regulations do not encompass foreign offices of US banks. Nonetheless, the expectation is that banks will have policies and procedures in branches, whether at home or abroad, to prevent money laundering and terrorist financing. US regulators well know that foreign branches and offices of US financial institutions present special compliance issues, especially when located in high-risk geographic locations.

Electronic banking. Electronic banking in all forms (ATM transactions, online account opening, internet banking transactions and telephone banking) raises AML concerns due to its anonymity and ease of use. This is especially true for international e-banking or securities trading, which can allow customers in locations not traditionally served by a bank to conduct instantaneous transactions with little oversight. For these high-risk international transactions, financial institutions should consider special procedures for detecting unusual activity, including notations of changes to internet log-ins (internet protocol address changes), enhanced procedures to authenticate a customer’s identity when opening accounts online, and policies for which situations require a customer to open an account in person. Where it is anticipated that most banking will occur electronically, there needs to be a good understanding of the anticipated volume and type of business activity, so procedures can be put in place to have compliance systems automatically flag unusual transactions before they are completed.

Foreign correspondent accounts. Correspondent accounts are accounts established to receive payments or disbursements for a foreign bank or to handle other financial transactions from the foreign bank. Section 103.176(a) requires that banks apply risk-based and, where appropriate, enhanced policies and procedures to detect money-laundering activity conducted using a correspondent account. To meet this requirement, a bank’s compliance program should gather information regarding: (i) the nature of the foreign financial institution’s business; (ii) the anticipated activity of the foreign correspondent account; (iii) AML requirements of the foreign jurisdiction that licenses the foreign financial institution; and (iv) any information reasonably accessible regarding the foreign financial institution’s AML record. 31 C.F.R. § 103.176(b) requires further enhanced due diligence for correspondent accounts with foreign institutions operating under an offshore banking licence, a banking licence from a foreign country designated as non-cooperative with international AML principles, or designated as warranting special measures due to money-laundering concerns. Where section 103.176(b) applies, banks must implement enhanced due diligence policies and procedures to ensure reasonable steps are taken to: (i) determine the identity of the owners of the foreign bank (if not publicly traded); (ii) establish enhanced scrutiny of the account to identify suspicious transactions; and (iii) determine whether the foreign bank maintains correspondent accounts for other foreign banks and, if so, take reasonable steps to obtain information necessary to evaluate whether these relationships raise additional risks.

Non-resident aliens/foreign individuals. Both non-resident aliens (non-US citizens only sporadically residing in the United States) and foreign individuals are considered higher risk because of their potential ties to foreign countries that might either have lower AML requirements or have reputations as taking actions inimical to US foreign policy. The risks of dealing with these individuals can be amplified because of difficulty of implementing CIP and CDD procedures. There also can be issues arising from secrecy laws of foreign countries, which can inhibit satisfying these procedures. Financial institutions should put in place procedures to determine when they will decline business from these individuals because it is too risky, whether because of the geographic location involved, the products or services requested, or because of concerns regarding the identification of the source of wealth and funds. This is especially true for private banking accounts for non-US persons, which potentially could implicate rules regarding senior political figures.

Private banking accounts for senior foreign political figures. Senior foreign political figures are defined pursuant to 103.175(r) as current or former senior officials in the executive, legislative, or judicial branches (whether elected or not), or administrative or military officials, senior officials of a major foreign political party, senior executives of a foreign-government-owned commercial enterprise, immediate family members, and people who are publicly known to be close associates of such an individual (31 C.F.R. § 103.175(r)). Banks providing private banking services for these senior foreign political figures need to collect additional information when the relationship is being established, including direct information from the foreign official to help establish his governmental status, information regarding his family members or close associates having transaction authority over the account, and the purpose of the account and its expected activity. It is reasonable for the financial institution to take additional and reasonable due diligence steps regarding such an account, such as increased reference inquiries and obtaining additional background information. Enhanced scrutiny can include such steps as consulting internet resources and other public information regarding the conditions in the home country of the client, information about the political environment of the country and the senior official’s role in the government, and seeking additional information regarding the client’s employment history and sources of income. After the account is established, the financial institution should put in place enhanced due diligence procedures that provide extra scrutiny to ensure that the deposits are not the proceeds of foreign corruption. Regarding OFAC considerations, the financial institution should make checks regarding whether there are any prohibitions on the individual, including by checking OFAC lists of designated entities.

Trade financing/letters of credit. Letters of credit (a type of commercial loan used to finance the purchase of goods or services) can raise special problems. Typical trade finance involves short-term financing to facilitate the import and export of goods. Often, payment is set up to occur automatically once certain conditions are met (such as with a letter of credit) or if a primary party defaults (such as with standby letters of credit or guarantees). International trade financing raises special issues because it is heavily document based (which raises issues of document fraud), there are multiple parties who may not be well known to the financial institution, and there often are issues of potential trade sanctions.

For international trade financing, banks need enhanced CDD procedures to understand the parties to a transaction. To the extent possible, financial institutions (generally banks) need to review the documentation associated with the transaction to look for unusual fact patterns or red flags. Documents to review include import and export documentation sent to customs, shipping documentation, insurance documentation, and any SWIFT (Society for Worldwide Interbank Financial Telecommunications) message. Discrepancies in documentation can indicate a suspicious pattern.

Regarding OFAC requirements, before an institution issues, or even advises, on a letter of credit, it should check all OFAC lists carefully not only for the account party, but also for the beneficiary and issuing bank. As with general AML compliance, review of documents related to the transaction, such as bills of lading, certificates of origin, and relevant invoices and contracts, is important. Although cumbersome, this is the only way to check that the letter of credit is not intended to facilitate a barred transaction.


The compliance procedures discussed in this article are necessarily generic. Compliance, particularly for multinational institutions, needs to occur based upon a careful assessment of the risks posed by the way in which the financial institution conducts its business around the world. Nonetheless, careful consideration of the compliance best practices listed above will likely yield significant compliance dividends at most international financial institutions that need to pay close attention to the AML and OFAC regulatory requirements imposed by US regulators.


Gregory Husisian is a partner at Foley & Lardner LLP. He can be contacted on +1 (202) 945 6149 or by email:

© Financier Worldwide

