If you have ever sent money directly through your bank account, then you’ve interacted with the Automated Clearing House (ACH) Network. This network, which exists solely in the United States but operates similarly to other money transfer networks worldwide, is governed by the Office of Foreign Assets Control (OFAC).
Every time that money is sent as a bank-to-bank transaction, there are several measures in place that protect that money against ACH fraud or negligence.
If you are sending money with a bank-to-bank transaction through the ACH Network (a process different from a wire transfer), then OFAC will also be involved as a security measure.
This article provides the information you need to understand the ACH Network and OFAC.
The ACH Network is an interconnected financial network that is comprised of private banks, credit unions, other financial institutions, the Automated Clearing House, and the Federal Reserve.
Banks and financial institutions must be approved to operate within this network. Once approved, you are known as an ACH Operator. Usually, banks are approved as an Originating Depository Financial Institution (ODFI) and a Receiving Depository Financial Institution (RDFI).
To ensure that a transaction is compliant with a broad number of regulations, checks are stationed throughout the money transfer process. The Automated Clearing House itself processes the transaction and checks for erroneous or fraudulent activity. In addition, each ODFI and RDFI that comes in contact with the money has checks in place.
OFAC is one of these checks. The biggest difference with OFAC is that it does not always check every single money transfer. This is because that type of check usually takes longer to process, which would further delay an ACH payment.
Instead, banks rely on their risk mitigation and risk assessment policies in order to weed out those accounts that would be more or less susceptible to violating an OFAC regulatory requirement.
Maintaining compliance with both OFAC and NACHA is required because it protects the financial institution, its constituents, and the US from acts of terrorism or other illegal activities. According to the US Treasury Department, “The Office of Foreign Assets Control administers and enforces economic sanctions programs primarily against countries and groups of individuals, such as terrorists and narcotics traffickers.”
While screening for compliance is not required under OFAC regulations, the regulations do require that the bank conduct an OFAC risk assessment. The risk assessment will determine how often OFAC screening should be conducted, and this will differ from bank to bank.
There is a major distinction between maintaining compliance with NACHA and maintaining compliance through OFAC. While NACHA has regulations and restrictions in place to limit ACH fraud and errors in submitting an ACH transfer request, OFAC lists a set of prohibited transactions in order to protect US persons from unauthorized foreign transactions.
Every transaction sent via ACH can be subjected to an OFAC screening, so maintaining compliance is crucial. All US persons must comply with OFAC regulations, including US citizens and permanent resident aliens anywhere in the world.
Additionally, all persons in the US and incorporated entities in the US (including their foreign entities) must follow OFAC regulations, and fines for not following them can be substantial. Civil and criminal penalties in the millions of dollars can be applied, but the penalty amount will depend on the severity of the transgression.
The FFIEC (the Federal Financial Institutions Examination Council) recommends that, due to the necessity for OFAC reviews, the ODFI and RDFI have a proper Know Your Customer (KYC) or Customer Due Diligence (CDD) program set up when processing any ACH payment in order to reduce the level of OFAC risk.
It is up to the ODFI to ensure that the Originator is not a blocked party, and the ODFI needs to “make a good faith effort” to ensure that blocked funds are not being transmitted. Similarly, the RDFI is responsible for verifying that the Receiver is not a blocked party. Either the ODFI or the RDFI allowing these transmissions could risk the integrity of the financial institution, the Receiver/Originating party, the ACH Network, and the US financial system.
ACH Network standards that are in place to ensure compliance under OFAC might fall under regulations for an IAT, or an International ACH Transaction. The key difference, though, is that the IAT regulates international ACH transactions, and the ACH Network largely processes domestic ACH transactions. Therefore, ACH regulations do not necessarily change along with changes to the IAT regulations. Instead, IAT regulations with the ACH Network are updated and regularly reassessed where needed.
For the most part, OFAC compliance is automatically written into the standards of the ACH Network regardless of the IAT regulations because ODFIs and RDFIs are required to abide by Regulation E of the Electronic Fund Transfer Act (EFTA). EFTA is a federal law that protects consumers who send money electronically via debit, credit card, ATM, or through automated withdrawals (ACH debit).
Services that are protected under EFTA include:
This act requires that the fiscal service (either the financial institution or third party involved) disclose to the users their liability in sending an unauthorized transaction, details of the transfer (including the contact information of the other party), a summary of rights, summary of institution’s liability, and other necessary information.
Any ACH transaction request could be submitted for OFAC screening. This means that every ACH transaction either needs to go through this process automatically, with the time for this screening accounted for, or the bank needs to take into consideration OFAC and EFTA regulations for each client.
Since the risk falls solely on the ODFI and RDFI, it is up to that bank or financial institution to ensure that compliance is met and that KYC and CDD programs are accurate. It is also important for the ODFI and RDFI to maintain a reliable ACH file of all the transactions issued in case of an OFAC screening.
Many of the resources for following the OFAC guidelines can be found through the OFAC website, the NACHA Operating Rules, or by reviewing the EFTA itself. Other resources can be accessed through the Treasury’s website.
When navigating the OFAC regulations, OFAC has provided a single page dedicated to common FAQs, so be sure to access this if you are unsure of any of the regulations. Know that the bank can receive a general license that authorizes the performance of certain transactions. These are known as prohibitions, and OFAC issues them on a case-by-case basis and under certain conditions. Guidance on how to request a specific license is found below and at 31 C.F.R. 501.801. You can apply for a license here.
Every ACH transaction must be compliant under the OFAC rules, NACHA Operating Rules, and the EFTA guidelines. And while OFAC screenings aren’t required, the OFAC regulations require that each individual bank conduct an appropriate risk assessment and request OFAC screenings regularly based on this assessment.
Much of OFAC compliance is unique to international ACH transactions. It is up to the financial institution (i.e., ODFI, RDFI, bank, credit union, or a third party) to ensure compliance through OFAC. Luckily, this level of compliance is already incorporated into the regulations from NACHA and the EFTA.