Legal (Compliance) Risk

Legal/compliance risk arises from an institution's failure to enact appropriate policies, procedures, or controls to ensure it conforms to laws, regulations, contractual arrangements, and other legally binding agreements and requirements. In particular, legal risks can result if a financial institution does not provide adequate attention to the operating circulars, procedures and rules of the payment and settlement systems in which it participates. Similarly, an institution's contractual relationships with customers, counterparties, and vendors must be sound and appropriate to the relevant legal framework(s) such as payment and bankruptcy frameworks. Contracts among financial institutions, their customers, and counterparties are also important to allocate risk-sharing responsibilities applicable to payments. Finally, an institution must ensure it is in compliance with all applicable Federal and State laws and regulations governing payments activity, including the Bank Secrecy Act, the USA PATRIOT Act, and laws regarding economic sanctions. Appendix D provides details on the general legal framework for payments and securities settlement systems.

Office of Foreign Assets Control (OFAC)

The Office of Foreign Assets Control (OFAC), an agency of the U.S. Treasury, administers a series of laws imposing economic sanctions against targeted hostile foreign countries to further U.S. foreign policy and national security objectives. The U.S. government exercises economic sanctions through trade embargoes, blocked assets controls, travel bans, and other commercial and financial restrictions. The economic sanctions programs of the U.S. government are powerful foreign policy tools. Their success requires active participation and support of every financial institution. The Secretary of the Treasury manages the sanctions for the U.S. The U.S. Government mandates that all financial institutions located in the U.S., overseas branches of U.S. financial institutions, and, in certain instances, overseas subsidiaries of U.S. financial institutions, comply with economic sanctions and embargo programs administered under regulations issued by OFAC. In general, the regulations:

  • Block accounts and other assets of countries identified as being a threat to national security by the President of the United States (this always involves accounts and assets of the sanctioned countries' governments; it may also involve nationals of the sanctioned countries). In addition, OFAC also blocks the accounts of individuals on OFAC's Specially Designated Nationals (SDN) listing who may not be associated with a sanctioned country.
  • Prohibit unlicensed trade and financial transactions with such countries. U.S. law requires that assets and accounts be blocked when such property is located in the U.S., is held by U.S. individuals or entities, or comes into the possession or control of U.S. individuals or entities. The definition of assets and property is very broad and covers direct, indirect, present, future, and contingent interests. Certain individuals and entities located around the world that are acting on behalf of sanctioned country governments have been identified by the U.S. Treasury and must be treated as if they are part of the sanctioned governments. U.S. banks must block funds transfers that are remitted:
    - By, or on behalf of a blocked individual or entity;
    - To, or through a blocked entity; or 
    - In connection with a transaction in which a blocked individual or entity has an interest.

Financial institutions receiving instructions to make a payment that falls into one of these categories are required to execute the payment order and place the funds into a blocked account. Customers cannot cancel or amend a payment order after the U.S. bank has received it. Once assets or funds are blocked, they may be released only by specific authorization from the U.S. Treasury. If OFAC compliance issues are found during an examination, the examiner should follow up with the bank regulatory agency's compliance area to determine whether the financial institution needs to acquire subject matter expert support. For a complete discussion of legal requirements, consult 31 CFR Part 500 et seq.

Bank Secrecy Act (BSA)

Financial institutions should develop and provide for the continued administration of a program reasonably designed to ensure and monitor compliance with the record keeping and reporting requirements set forth in subchapter II of the Bank Secrecy Act. (Chapter 53 of title 31, United States Code, the Bank Secrecy Act, and the implementing regulations promulgated by the Department of Treasury at 31 CFR part 103.) The BSA requires a written compliance program that is approved by the board of directors. The board must note the approval in the board minutes. The compliance program must include, at a minimum:

  • Provision for a system of internal controls to ensure ongoing compliance;
  • Provision for independent testing for compliance to be conducted by institution personnel or by an outside party;
  • Designation of an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and
  • Provision for training for appropriate personnel.



On October 26, 2001, the President signed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act. The USA PATRIOT Act contains strong measures to prevent, detect, and prosecute terrorism and international money laundering. The provisions of the USA PATRIOT Act that most affect financial institutions are those contained in Title III. Among other things, Title III amends the Bank Secrecy Act and provides the Treasury Department and federal agencies with enhanced authority to combat international money laundering and block terrorist access to the U.S. financial system.

The Act is far-reaching in scope, covering a broad range of financial activities and institutions. One such provision is section 312 - Due Diligence for Correspondent and Private Banking Accounts. Section 312 requires a U.S. financial institution that maintains a correspondent account or private banking account for a non-U.S. person to establish appropriate and, if necessary, enhanced due diligence procedures to detect and report instances of money laundering. Section 312 also describes specific enhanced due diligence standards for U.S. financial institutions that enter into correspondent banking relationships with foreign banks operating under offshore banking licenses or under banking licenses issued by countries that have been:

  • Designated as non-cooperative with international anti-money laundering principles by an international body (such as the Financial Action Task Force) with the concurrence of the U.S. representative to that body, or
  • The subject of special measures imposed by the Secretary of the Treasury under section 311 of the USA PATRIOT Act.

In addition, section 312 describes minimum anti-money laundering due diligence standards for the maintenance of private banking accounts by U.S. financial institutions for non-U.S. persons. The Treasury Department (Treasury) is authorized to issue regulations implementing section 312. The Act provides that the provisions of section 312 became effective July 23, 2002, whether or not final regulations were in place. Because of the complexity of the issues raised by the proposed rule, Treasury did not promulgate a final rule by July 23, 2002, but rather issued an interim final rule that was effective immediately. The interim final rule requires that insured depository institutions, U.S. branches and agencies of foreign banks, and Edge and Agreement corporations comply with the statutory requirements of section 312.

The interim final rule also provides compliance guidance to financial institutions. This guidance, which is set forth in supplementary information and not as a regulation, indicates what Treasury would consider as "reasonable" due diligence policies and procedures pending the issuance of a final rule. According to Treasury's guidance, these policies and procedures include (1) focusing on accounts that pose the highest risk of money laundering, (2) according priority to those accounts opened on or after July 23, 2002, and (3) complying with existing best practice standards for banks, such as those issued by the Wolfsberg Group in May 2002, the Clearing House in March 2002, and the Bank for International Settlements in October 2001. Treasury noted that it would be reasonable for an institution not to apply every best practice standard if it has a justifiable basis for not adopting a particular practice.

Until Treasury issues a final rule implementing section 312, examiners should make certain covered banking organizations are aware of the specific provisions of the law and have reasonable policies and procedures in place to assure and monitor compliance. Also, in accordance with existing practices concerning anti-money laundering related matters, examiners should ensure that a banking organization is in compliance with the terms of section 312.

