Banking and Finance Law Daily
Tuesday, November 6, 2018

OFAC cyber-sanctions program could increase risks for banks, FFIEC warns

By Richard A. Roth, J.D.

The Federal Financial Institutions Examination Council is warning financial institutions not to enter into transactions with entities on the Office of Foreign Assets Control’s cyber-related sanctions list. According to the FFIEC, some of these entities claim to be based in the United States and to offer financial services to financial institutions. Using the products or services of a sanctioned company, whether directly or through a third-party service provider, increases a financial institution’s operational and compliance risk, the agency says.

OFAC created its Cyber-Related Sanctions Program in 2015 in response to threats to the United States from "malicious cyber-related activities" of entities located outside of the country, the FFIEC joint statement says. As part of the program, set out in 31 CFR Part 578, OFAC has sanctioned entities that it concludes have supported malicious entities that have attacked U.S. organizations. Once a foreign entity is sanctioned, U.S. companies may not engage in transactions with it, and any property interests the foreign entity has that are subject to U.S. jurisdiction are blocked.

Increased risk. According to the FFIEC statement, addressing the risks from possible transactions with sanctioned entities "requires a high degree of collaboration across a financial institution’s OFAC compliance, fraud, security, IT, third-party risk management, and risk functions." Simply downloading a software patch from a sanctioned entity could constitute a prohibited transaction, the FFIEC is warning. Not only would this violate OFAC’s sanctions rule, it could increase a financial institution’s cybersecurity and operational risk.

The joint statement notes that some financial institutions may be obtaining a critical service from a sanctioned entity that cannot be instantly replaced. If such a service is deemed to be vital or necessary, it should be replaced "at the earliest possible time."

The FFIEC comprises the Federal Reserve Board, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, National Credit Union Administration, and State Liaison Committee.
