Threats to businesses abound, and given that accounts payable issues payments, it is a prime target for criminal perpetrators of all kinds.
In addition to preventing myriad fraud schemes, AP must also ensure information protection and avoid unwitting payments to sanctioned entities. This, of course, involves compliance with the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC). OFAC keeps track of and enforces U.S. sanctions on countries, entities and persons — including drug traffickers, WMD (weapons of mass destruction) dealers, dirty diamond traders, organized crime syndicates, and, of course, terrorist organizations. Sanctions aim to enforce U.S. policy, prevent criminal activity and combat terrorism. (It’s a real thing—see An OFAC Case Study and Avoiding the Men in Black.)
The Complexity of Compliance
You’re familiar with OFAC’s SDN and other lists. And you’re compliant, right? Or do you just think you are? How are you managing your compliance? It’s not enough to run your list against OFAC’s SDN list once in a while, or even (you thought of this) to check each of your new vendors against the list. Of course, those need to be checked, and you’re doing that.
Here’s the challenge. OFAC updates the SDN list and the country sanction programs all the time too. If you’re only comparing your new vendors, going to the Treasury and saying, “How does this guy look,” one or two a day, you’re missing the possibility that a new entry to the SDN list matches a name that is already on your list!
In other words, every time either you or OFAC updates your respective lists, you need to crosscheck. OFAC’s list changes are unpredictable, so the only safe method is to check every day.
Now here’s where it gets complicated. First, look at the numbers involved. Consider a check of your list of 10,000 vendors against OFAC’s SDN list of 18,000. Each one of your 10,000 names must be compared with each one of the SDN’s 18,000 names. And to find a match, the algorithm has to look at each word or name in a phrase or multi-word name. That by itself is a time-intensive proposition for a computer.
Second, we’re not talking about exact matches here. That would be too easy. All those names—including international names—are not consistently spelled. Nor can you be sure they were entered correctly. A name may be spelled in different ways (Smith or Smyth, Osama or Usama). Furthermore, they might include typos.
A matching program must also use algorithms that include Soundex, which in essence does a near-match on phonetic sound rather than precise spelling. The program also applies Jaro-Winkler scoring (a string metric that measures the “edit distance” between letter sequences) to uncover transpositions or other errors that an exact match would miss. Depending on the list size, computers require hours of processing time to complete the comparison of two lists—not something you want to do every day.
What you need to do every day is check your new additions against the OFAC list and check the new OFAC additions against your entire list. That is much more efficient than running the two complete lists against one another. You have to check both lists’ new entries.
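The daily delta check and the two matching techniques named above can be shown together in Python. This is an added example, not code from the original article or from any screening product; the function names, the 0.85 threshold, the word-by-word matching rule and all sample names are assumptions made for illustration.

```python
import os

CODES = {c: str(d) for d, cs in enumerate(("bfpv", "cgjkqsxz", "dt", "l", "mn", "r"), 1) for c in cs}

def soundex(word):
    """American Soundex: first letter plus three digits (Smith and Smyth -> S530)."""
    word = "".join(c for c in word.lower() if c.isalpha())
    if not word:
        return ""
    out, prev = word[0].upper(), CODES.get(word[0])
    for c in word[1:]:
        d = CODES.get(c)
        if d and d != prev:
            out += d
        if c not in "hw":  # h and w do not separate letters that share a code
            prev = d
    return (out + "000")[:4]

def jaro_winkler(a, b, p=0.1):
    """Jaro similarity, boosted for a shared prefix of up to four characters."""
    window = max(max(len(a), len(b)) // 2 - 1, 0)
    used, am = [False] * len(b), []
    for i, ch in enumerate(a):
        for j in range(max(0, i - window), min(len(b), i + window + 1)):
            if not used[j] and b[j] == ch:
                used[j] = True
                am.append(ch)
                break
    if not am:
        return 0.0
    bm = [ch for ch, u in zip(b, used) if u]
    m, t = len(am), sum(x != y for x, y in zip(am, bm)) / 2  # t: transpositions
    jaro = (m / len(a) + m / len(b) + (m - t) / m) / 3
    prefix = len(os.path.commonprefix([a[:4], b[:4]]))
    return jaro + prefix * p * (1 - jaro)

def names_match(a, b, threshold=0.85):
    """Every word of the shorter name must sound like, or nearly spell, a word of the other."""
    short, long_ = sorted((a.lower().split(), b.lower().split()), key=len)
    return bool(short) and all(any(soundex(x) == soundex(y) != "" or
               jaro_winkler(x, y) >= threshold for y in long_) for x in short)

def delta_screen(vendors, new_vendors, sdn, new_sdn):
    """Daily pass: new vendors vs. the whole SDN list, new SDN entries vs. all vendors."""
    hits = {(v, s) for v in new_vendors for s in sdn + new_sdn if names_match(v, s)}
    return hits | {(v, s) for v in vendors for s in new_sdn if names_match(v, s)}

VENDORS, NEW_VENDORS = ["Jon Smyth Trading", "Acme Paper Supply"], ["Ulric Vandermeer"]  # constructed
SDN, NEW_SDN = ["Olric Vandermeer", "Global Diamond Export"], ["John Smith Trading"]  # constructed
print(sorted(delta_screen(VENDORS, NEW_VENDORS, SDN, NEW_SDN)))
```

The existing vendor "Jon Smyth Trading" is flagged only because the new SDN entries are run against the whole vendor list; a check limited to new vendors reports just the "Ulric Vandermeer" pair, which Soundex alone misses because the first letters differ.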
If you’ve done a whole list check at a point in time, and you think you are in good shape going forward just by reviewing your new vendors — you’re half right. But in compliance, half right is all wrong. And being wrong can be expensive. You must be wholly right to be all right.