
SDN Lookups: What do I need to do?

This is another installment in a series of articles meant to keep members from making the same mistakes that have proven costly to their competitors. This article will deal primarily with SDN lookups and everything that entails.

The Office of Foreign Assets Control, or OFAC, is a financial intelligence and enforcement agency of the Treasury Department. It identifies individuals, entities, and vessels across the world that US citizens are not to provide assistance to for whatever reason. A myriad of lists have been generated over the last many years, and collectively the names of the individuals, entities, and vessels included therein are referred to as Specially Designated Nationals, or SDNs for short. The SDN list at any given time has 15,000 or more names on it, and it has been updated or changed at least 120 times in each of the last two years. That is roughly once every 3 days.

The idea is that you are not allowed to give money to anyone who appears on the list. Period. It doesn’t matter how much money we are talking about. How does one know if someone is on the list? Well, you have to check! How? First of all, that depends on which software company you hitched your wagon to. If they can provide the search, then you are halfway there. If they can’t, then you have a problem. Most can, and most do, but there are nuances.

Most of the major software providers in the market today provide the SDN lookup as part of their package with the exception of one. Several not only include it in the package at no extra cost, they actually turn the function on so it is useful. Sadly, several do not understand the importance of keeping you compliant, so they push that way to the bottom of the priority list.

For you to have full confidence in your software, you will need the following things:

  1. A query is done by the software of the OFAC SDN list on a regular basis (remember it changes on average every three days). The updated version is then either:
    1. Downloaded and installed by a staff member in a timely fashion, OR
    1. Automatically updated by the software (invisible)
  2. Entering a customer’s name in your system will then trigger one of the following:
    1. Nothing, which means your customer is not on the list, OR
    1. Flagging the account because your customer could be a “potential match.”
  3. Flagged accounts will need to be either cleared by a staff person (99.99% of the time) or they will require further direction, at which point you will likely not be doing business with that customer.
  4. A report should be run routinely that identifies the potential matches that were done in the period you query. The report should include:
    1. The date of the potential match
    1. The name of your customer
    1. The name of the SDN in question
    1. The status (cleared or not)

Effectively, you need to prove that you have a system that works. The report is the single most important piece, and few software providers offer an option. A few let you know on a daily closeout. That is great, but what if an IRS examiner asks you to prove that your system is working? You would then have to go through countless daily reports to find the last actual potential match you had. Hardly efficient. In light of the fact that you may be asked, “How many SDN hits do you get in a year?” it would be helpful to have a report to hand someone immediately instead of spending the next twenty to thirty minutes frantically looking for data. Let’s get right to it. If the system can flag the account, then it can track the event. If it can track the event, then it can run a report. Easy peasy.

Two more things. Assuming your system does include the SDN lookup feature, and assuming it is always turned on, how do you know it is working if you never get any ‘hits’? You need to ask your software company what the minimum name score is set to. The industry standard is 85%. The higher the number, the more closely the name must match the list. I have found software set at 100% match in the last year. It is highly unlikely that you would ever get a potential match with your score set at 100%. At 85% you will get hits. This proves that your system is working.
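The flag-and-report workflow in the list above, and the effect of the minimum name score, can be seen in a short sketch. This is an added example, not any vendor's code: the list entries, customer names and dates are constructed placeholders, and Python's `difflib` similarity ratio is an assumed stand-in for whatever scoring method your software uses.

```python
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher

# Constructed placeholder entries, NOT real SDN data.
SAMPLE_SDN = ["Ivan Petrovich Example", "Maria Delgado Sample", "MV Placeholder Star"]

@dataclass
class PotentialMatch:
    when: date
    customer: str
    sdn_name: str
    score: int
    status: str = "not cleared"

def name_score(a: str, b: str) -> int:
    """0-100 similarity; difflib is an assumed stand-in for a vendor's scorer."""
    norm = lambda s: " ".join(s.lower().replace(",", " ").split())
    return round(100 * SequenceMatcher(None, norm(a), norm(b)).ratio())

def screen(customer, sdn_list, min_score=85, when=None):
    """Front-end check: return every list entry scoring at or above min_score."""
    when = when or date.today()
    hits = []
    for entry in sdn_list:
        score = name_score(customer, entry)
        if score >= min_score:
            hits.append(PotentialMatch(when, customer, entry, score))
    return hits

def report(log, start, end):
    """Rows for the period: date, customer, SDN name, status."""
    return [(m.when.isoformat(), m.customer, m.sdn_name, m.status)
            for m in log if start <= m.when <= end]

if __name__ == "__main__":
    log = []
    day = date(2024, 3, 4)  # constructed date
    for name in ["John Q Customer", "Ivan Petrovic Example"]:
        log += screen(name, SAMPLE_SDN, 85, day)
    log[0].status = "cleared"  # staff reviewed the flag and cleared it
    for row in report(log, date(2024, 1, 1), date(2024, 12, 31)):
        print(row)
    # The same near-miss name at a 100% minimum score produces no flag at all.
    print(screen("Ivan Petrovic Example", SAMPLE_SDN, 100, day))
```

The customer name with one letter missing is flagged at 85 but passes silently at 100, which is why a system set to 100% never appears to produce hits.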

If your system is working, and you know this because you are getting potential matches, but it won’t give you reports, then print out any potential matches and keep them in a file. In this series we have talked about the importance of creating an illusion. By printing out your potential matches, you will cover two items. One is that you will identify the frequency (or lack thereof) of potential matches. The other is that you have proven that your system is working. Both bases need to be covered for the regulator asking the question. If you only have a couple a year, that shows you are a low risk, and it is well worth printing two sheets of paper a year to prove that point to someone who thinks, first of all, that you don’t even do this stuff, and second, that you probably do 100s of these things. Data doesn’t lie.

If your software does not provide the option to do a free automatic SDN lookup, ask them why not. After you decide whether you are staying with them, you will then have to look at the probability of manually checking all your new customers against the SDN list on the OFAC website. This is not as onerous as it sounds, but is an extra step that will add 30 seconds to your loan process. In this instance, you really should print all of these and retain them for a month or so and then start systematically shredding them, being careful to retain any potential matches for a year. Again, this shows you have a system in place, and it shows the frequency of the potential matches. This is the goal.

The law requires that you not give money to anyone on the SDN list. If you perform a proper ‘front-end’ check, you will have complied. If you electronically report to CAPSS, you will find that they may or may not check the list, but it is irrelevant since that is what is referred to as a ‘back-end’ check. You already gave the money out and now you are tattling on yourself.

Bottom line here is that you need to identify your risk tolerance and act accordingly. The chance of a potential match is not that good. The chance of getting an actual match is astronomical. The chance of getting a Title 31 audit where they ask you questions about your system? Pretty darned good.
