On November 5, 2018, the members of the Federal Financial Institutions Examination Council (FFIEC), which is comprised of the federal bank regulatory agencies, National Credit Union Administration, Bureau of Consumer Financial Protection, and State Liaison Committee, released a Joint Statement alerting financial institutions to recent actions taken by the Treasury Department's Office of Foreign Assets Control (OFAC) and the potential impact those sanctions may have on a financial institution's operations.1 Specifically, the Joint Statement identifies the potential for OFAC violations when financial institutions engage in prohibited transactions with entities sanctioned under the Cyber-Related Sanctions Program,2 as well as associated operational and cyber risks that may result from engaging directly or indirectly with sanctioned entities.

Overview of Sanctions Program and Related Risks

In April 2015, OFAC implemented the Cyber-Related Sanctions Program pursuant to an Executive Order calling for a sanctions framework to target perpetrators of cyber attacks posing a "significant threat to the national security, foreign policy, or economic health or financial stability of the United States."3 The Executive Order granted OFAC broad authority to designate persons determined to have engaged in certain malicious cyber activities. Under the Cyber-Related Sanctions Program, transactions by "US persons," which include US financial institutions, are prohibited if they involve transferring, paying, exporting, withdrawing, or otherwise dealing in the property or interests in property of an entity or individual sanctioned under the program.4 In the Joint Statement, the FFIEC is alerting financial institutions of the potential OFAC, operational and cyber risks created by interacting with sanctioned entities, directly or indirectly, through a third-party service provider.

With respect to OFAC risk, the Joint Statement reminds financial institutions that continued use of products or services of a sanctioned entity could cause an institution to violate OFAC regulations, and that prohibited transactions may include even technical transactions, such as downloading a software patch from a sanctioned entity, in addition to traditional trade or financial transactions. With respect to operational and cyber risk, the Joint Statement identifies that the continued use of software and technical services from a sanctioned entity may expose an institution to increased risk and that, unbeknownst to the institution, its third-party service providers may be using products or services of a sanctioned entity on behalf of the institution. If an institution relies on a sanctioned entity for critical services or controls, the Joint Statement suggests that it should find alternative solutions as soon as possible.

What It Means for Your Institution

Financial institutions should take steps to assure that they are not exposed to unknown OFAC, operational or cyber risk as a result of the recent OFAC designations. For example, the Joint Statement suggests that institutions should assess their OFAC compliance risks in light of recent designations, identify potentially impacted relationships and transactions, and ensure their screening systems are up to date. From an operational perspective, financial institutions should assure they are conducting in-depth due diligence and ongoing monitoring of each of their third-party service providers. Depending on the level of risk posed by each third-party service provider, which should in part be evaluated based on the level of access to an institution's infrastructure, institutions should consider specific information requests or questionnaires soliciting information on vendors' OFAC compliance and controls.

Institutions interested in assistance evaluating third-party relationships and transactions relative to the Cyber-Related Sanctions Program, or developing plans to unwind existing vendor relationships, are encouraged to contact any of this Advisory's authors or their usual Arnold & Porter contact. The firm's Financial Services team would be pleased to assist with any questions about the Joint Statement or OFAC compliance more broadly.

Footnotes

1 Office of Foreign Assets Control Cyber-Related Sanctions Program Risk Management, Joint Statement, FFIEC (Jun. 5, 2018).

2 31 CFR Part 578.

3 Executive Order 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (Apr. 1, 2015).

4 Overview of Sanctions: Cyber-Related Sanctions Program, OFAC (Jul. 3, 2017).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.