OFAC Compliance 101

Do you know what an SDN is? More important, do you know if you are doing business with one of them?

If you're a governance, risk management, and compliance (GRC) professional at a company that conducts any sort of international business, you ought to.

An SDN is a "specially designated national" or person, which means you should take special care to avoid doing business with a person who has this designation -- or risk running afoul of the Office of Foreign Assets Control (OFAC).

OFAC is the U.S. Department of the Treasury agency that "administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States."

OFAC maintains an SDN list, which is available here. In addition to individuals, countries, such as North Korea, Iran ,and Cuba also appear on the list. (Buying Cuban cigars violates OFAC rules).

"OFAC is a concern for a growing number of U.S. companies," notes Gene Truono, managing director, BDO Consulting, which is a division of BDO Seidman, LLP.

Truono ought to know: he oversees his firm's financial institution consulting practice, which includes a hefty emphasis on regulatory compliance initiatives, including anti-money laundering work. Earlier in his career, Truono served as vice president of compliance and ethics and chief compliance officer at American Express Bank Limited.

OFAC compliance can be tricky because:

1. Companies with newly global operations may not be well-versed in the requirements;
2. OFAC rules, along with the names on the SDN list, change periodically (for example, as of last month Western Union can now send wire transfers with fewer limits to Cuba);
3. Compliance can be tricky (Hewlett-Packard recently received scrutiny after news broke that one of its resellers distributes HP products in Iran).

Large, U.S. corporations with extensive global operations and sophisticated risk and compliance programs typically include OFAC compliance in their normal due diligence (of vendors and customers) and internal auditing processes. Smaller companies just venturing outside the U.S. may not have sufficient steps in place.