OFAC: Are You Compliant or Just Think You Are?

If your accounts payable department wants a motto, it might go with Semper Vigilo — “always vigilant.”

Threats to businesses abound and given that accounts payable issues payments, it is a prime target for criminal perpetrators of all kinds.

In addition to prevention of myriad fraud schemes, AP must also ensure information protection as well as avoid unwitting payments to sanctioned entities. This, of course, involves compliance with the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC). OFAC keeps track of and enforces U.S. sanctions on countries, entities, and persons — including drug traffickers, WMD dealers, dirty diamond traders, organized crime syndicates and, of course, terrorist organizations. Sanctions aim to enforce U.S. policy, prevent criminal activity and combat terrorism. (It’s a real thing — see one shared services director’s story in Avoiding the Men in Black.)

You’re familiar. And you’re compliant, right? Or do you just think you are? How are you managing your compliance? It’s not enough to run your list against OFAC’s SDN list once in a while, or even (you thought of this) to check your new vendors against the list. Of course, you are adding new vendors all the time. Those need to be checked and you’re doing that.

Here’s the challenge. OFAC updates the SDN list and the country sanction programs all the time too. If you’re only comparing your new vendors, going to the Treasury and saying “How does this guy look,” one or two a day, you’re missing the possibility that a new entry on the SDN list matches a name that is already on your list!

In other words, every time either you or OFAC updates your respective lists, you need to crosscheck. OFAC’s list changes are unpredictable, so the only safe method is to check every day.

Now here’s where it gets complicated. First, look at the numbers involved. Consider a check of your list, of, say 10,000, to OFAC’s SDN list of 18,000. Each one of your 10,000 names must be compared with each one of the 18,000 names on the SDN list. And the match has to look at each word or name in a phrase or multi-word name. That by itself is a time-intensive proposition for a computer.

Second, we’re not talking about exact matches here — that would be too easy. All those names — including international names — are not consistently spelled. Nor can you be sure they were entered correctly. So a name may be spelled in different ways (e.g. Smith or Smyth, Osama or Usama), and could include typos.

A matching program must also use algorithms that include Soundex, which in essence does a near-match on phonetic sound rather than precise spelling and applies Jaro Winkler scoring, a string metric that measures the “edit distance” between letter sequences, to help uncover transpositions or other errors that an exact match would miss. Depending on the list size, even computers can require hours of processing to do a complete comparison of two lists — not something you want to do every day.

What you need to do every day is check your new additions against the OFAC list, and new OFAC additions against your entire list. It’s much more efficient than running both complete lists against one another. But you have to do both.

If you’ve done a whole list check at a point in time, and you think you are in good shape going forward just by reviewing your new vendors – you’re half right. But in compliance, half right is all wrong. And being wrong can be expensive.

InvoiceInfo does OFAC/SDN list compliance checks right: both directions, every day, with all the complex matching algorithms required. Upon a simple IT-lite set-up, InvoiceInfo runs daily dual-direction checks and provides all flagged entities (matches and near-matches) back to its clients to review.

Says InvoiceInfo’s CIO Richard Burke, “We run the checks every day and you receive a checklist of any flagged names.” The suspect names may not even look alike but the Soundex flags them because they look similar and the computer scores them high. “Any matches that exceed a certain score are sent to our customer to review.”

You determine if the entity is okay. If yes: approve. If no: stop transaction and report.

“Once you check them off and say, ‘OK I’m approving these 50 names,’” Burke explains, “then tomorrow when the check is run, you will not see those 50 because they have been approved.

“The whole process saves a tremendous amount of time and is very quick,” Burke notes.

And you don’t have to worry about a new name popping up on the SDN list after you added it to your master file because InvoiceInfo’s OFAC check is looking at all of those. Every day. To keep you compliant.

Learn how an InvoiceInfo self-service solution can benefit your company; call (678) 335-5735 today or request information!