OFFICIAL PUBLICATION OF THE NEBRASKA BANKERS ASSOCIATION

Pub. 19 2024-2025 Issue 2

Counselor’s Corner: Understanding the Proposed OFAC 10-Year Record-Keeping Requirement for Banks

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) tracks, monitors and enforces economic and trade sanctions. To comply with an extension to the statute of limitations recently signed into law, OFAC has proposed a significant update to its regulatory framework, introducing a requirement for banks and other financial institutions to maintain records for up to 10 years.[1] For bankers, this rule will require changes to existing compliance efforts and preservation policies, and may require investing in additional record-keeping systems to stay ahead of evolving regulatory demands.

The Role of OFAC

OFAC is responsible for administering and enforcing U.S. sanctions programs against countries, entities and individuals that pose a threat to national security, foreign policy or the economy. Sanctions often involve preventing transfers of money or property to or from countries such as Iran, Russia, Syria or North Korea. Sanctions programs are an essential tool in combating terrorism, narcotics trafficking, human rights violations and other illicit activities. Banks, as key players in the global financial system, are on the front lines of sanctions compliance.

Sanctions programs are often complex, and banks must ensure they do not engage in prohibited transactions with sanctioned entities or individuals. Non-compliance can result in significant fines, legal ramifications and reputational damage. For years, banks have been required to maintain complete and accurate records of transactions and implement robust sanctions screening programs. However, the new proposed regulation is set to raise the bar by increasing the record-keeping requirements.

The New 10-Year Record-Keeping Proposal

Under the current regulatory framework, OFAC requires financial institutions to retain records for five (5) years[2] from the date of a transaction. The proposed rule, however, extends this period to 10 years, doubling the existing requirement. While this may seem like a straightforward extension, the implications for banks, particularly those with global operations and complex transaction volumes, are far-reaching.

Why the Change?

OFAC’s decision to propose this 10-year requirement stems from a change in the statute of limitations for civil and criminal violations under the International Emergency Economic Powers Act[3] (IEEPA), which President Biden signed into law on April 24, 2024. The act, titled the 21st Century Peace through Strength Act, extended the statute of limitations from five (5) years to 10 years. The act applies to any “violation that was not time-barred at the time of its enactment.”[4]

The change in the statute of limitations is largely motivated by the increasing complexity and longevity of sanctions investigations. As the financial landscape grows more intricate, tracking cross-border transactions and identifying potential sanctions violations often takes longer than in the past. In many cases, the evidence needed to establish non-compliance may not surface until several years after the fact, prompting the need for a longer retention period. A longer record-keeping period ensures that OFAC and other regulatory bodies have access to historical transaction data, which can be critical in uncovering long-term or sophisticated sanctions evasion schemes.

Impact on Banks: Compliance, Costs and Operational Challenges

For banks, the extension of the record-keeping requirement presents both challenges and opportunities in terms of operational changes, technology investments and risk management:

  1. Increased Compliance Burden
    The 10-year record-keeping requirement will add to the existing compliance workload for banks. Compliance officers will need to ensure that data storage systems are capable of securely retaining transaction records for a full decade. This includes not just basic transaction data but also customer due diligence records, sanctions screening logs and any other documentation related to sanctions compliance.

    Additionally, the extended timeframe could result in more requests from regulators and more audits and/or reviews of historical transfer records to ensure ongoing compliance with OFAC regulations.

  2. Data Management and Technology Upgrades
    The proposed rule may very well require significant upgrades to a bank’s data management policies and potentially their infrastructure. Current systems are designed to store and manage records for five (5) years to seven (7) years and may not be equipped to handle this requirement. The sheer volume of data that must be stored securely for an additional five (5) years may strain existing systems, requiring new investments in cloud storage solutions, data encryption technologies and cybersecurity measures.

  3. Cost Considerations
    The costs associated with extending the record-keeping period will likely vary depending on the size and complexity of the bank. Banks should weigh the following:
    • Expenses related to data storage, technology upgrades and increased compliance efforts could be substantial.
    • In addition to the direct costs of upgrading technology and hiring additional compliance staff, banks must also consider the potential cost of non-compliance.

  4. Risk Management and Legal Considerations
    The increase in the statute of limitations will expose banks to additional risks of investigations and audits, and potentially civil and criminal penalties. Banks will most likely need to consider whether transfers to risky areas of the world are worth the expense of a potential investigation and fines.

Strategic Considerations for Bankers

As banks prepare for the potential implementation of the new record-keeping rule, there are several strategic considerations that bankers should keep in mind:

  1. Proactive Planning
    Banks should begin reviewing their current data retention policies and systems to assess their ability to comply with the proposed rule. Engaging with legal advisors, technology vendors and compliance consultants early in the process can help banks identify potential gaps and develop a framework for compliance.
  2. Investment in Technology
    Investing in advanced data management and compliance technologies will be critical to meeting the new requirements efficiently. Complying with the rule will require a data mapping exercise to identify any systems that may have transactional records subject to the retention requirement and ensure such systems are being maintained and backed up. A 10-year retention rule is outside of the normal lifespan for computers or operating systems, which is typically three (3) years to five (5) years for laptops and desktops. Thus, banks should consider preservation options that are readily transferable between operating systems and hardware, such as an agnostic cloud-based data bucket.
  3. Collaboration Across Departments
    Compliance is not the sole responsibility of the compliance department. Banks should foster collaboration between compliance, IT, legal and operational teams to ensure that all aspects of the record-keeping rule are addressed.
  4. Employee Training
    As regulations evolve, so too must employee training programs. Banks should invest in continuous education for their staff, ensuring that they are aware of the latest sanctions lists, OFAC requirements and best practices for identifying and reporting suspicious transactions.

Conclusion: A Compliance Extension

The proposed 10-year record-keeping requirement from OFAC marks a significant change in regulations for banks. The rule presents increased compliance burdens, data management challenges, complexities and costs.

Fines for OFAC violations can reach millions (and sometimes billions[5]) of dollars, and the reputational damage associated with sanctions breaches can have extensive effects. As such, while the upfront costs of complying with the 10-year rule may be significant, they are likely to be outweighed by the potential costs of failing to adhere to OFAC’s record-keeping requirements.

By taking proactive steps to prepare for the new requirement, banks can position themselves not only to comply with the regulation but also to lead the industry in best practices for sanctions compliance and data security. Compliance will be key to maintaining trust with regulators, customers and the broader financial community.

Robert L. Kardell (Bob) is an attorney whose practice focuses on cyber-breach incident response, legal and technology-based risk management solutions, technology and cyber-defense policy and protections, intrusion remediation, and fraud prevention and investigation. Bob has more than 22 years of experience working for the Federal Bureau of Investigation as a special agent and supervisory special agent, as well as a program coordinator for Public Corruption, Complex Financial Crime, Healthcare Fraud and Domestic Terrorism.
