FDICís Supervision of Financial Institutionsí OFAC Compliance Programs

December 2006
Report No. 07-001

AUDIT REPORT

FDIC OIG, Office of Audits

Background and Purpose of Audit


The U.S. Department of the Treasuryís Office of Foreign Assets Control (OFAC) is responsible for promulgating, developing, and administering economic and trade sanctions such as trade embargoes, blocked assets controls, and other commercial and financial restrictions under the provisions of various laws. In general, OFAC regulations prohibit financial institutions from engaging in transactions with the governments of, or individuals or entities associated with, foreign countries against which federal law imposes economic sanctions. Sanctions also can be used against dangerous groups and individuals, such as international narcotics traffickers, terrorists, and foreign terrorist organizations, regardless of national affiliation.

As part of its enforcement efforts, OFAC publishes a list of individuals and companies controlled by, or acting for or on behalf of, targeted countries. The list also includes individuals and entities such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and entities are called Specially Designated Nationals and Blocked Persons (SDN).

The objective of this audit was to determine whether the FDICís Division of Supervision and Consumer Protection (DSC) provides effective supervision of compliance with OFAC regulations by FDIC-supervised institutions.

FDIC, Federal Deposit Insurance Corporation


Results of Audit


The FDICís supervisory approach to OFAC compliance includes examinations of controls established and implemented by FDIC-supervised financial institutions to ensure compliance with OFAC regulations. For the examinations we reviewed, FDIC examiners generally followed interagency guidelines in assessing the appropriateness of implemented controls and whether those controls were commensurate with the financial institutionsí specific product lines, customer base, nature of transactions, and identification of high-risk areas. In addition, the FDIC has taken important steps to address institutionsí OFAC compliance, such as participating in developing and issuing interagency guidance for examiners and banking organizations, including notifications on updates to OFACís SDN list; conducting OFAC-related training and outreach activities for examiners and the banking industry; issuing Bank Secrecy Act-related cease and desist orders that included OFAC-related provisions; and signing an interagency Memorandum of Understanding, which governs information-sharing between the Federal Banking Agencies and OFAC.

The FDIC, however, could enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions. In addition, examiner work paper documentation and reports of examination could be improved with respect to examination planning and contact with OFAC, completing core examination procedures, and concluding on the adequacy of OFAC compliance programs and interdiction systems used by financial institutions. These measures could assist the FDIC and OFAC in addressing the risks associated with financial institution noncompliance with OFAC regulations.

We also identified a matter for congressional consideration regarding examination and enforcement authorities associated with institution compliance with OFAC regulations. Specifically, a more comprehensive statutory and regulatory framework exists for the examination and enforcement of Bank Secrecy Act (BSA) compliance and the establishment of BSA compliance programs than for OFAC compliance, although both BSA and OFAC requirements address national security and law enforcement concerns.

Recommendations and Management Response

The report makes four recommendations for DSC to enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions; and issuing additional guidance to examiners to ensure consistent and comprehensive documentation of OFAC compliance to better assist the FDIC and subsequent examination teams in ensuring financial institution compliance with OFAC laws and regulations. DSC management concurred with two of the recommendations and agreed with the intent of the remaining two recommendations. Completed and planned actions are responsive to all recommendations.


TABLE OF CONTENTS

BACKGROUND
RESULTS OF AUDIT
DSCíS SUPERVISORY APPROACH TO OFAC COMPLIANCE

Evaluation of OFAC Compliance

Supervisory Monitoring

Conclusion

Recommendation

Corporation Comments and OIG Evaluation

DOCUMENTATION OF DSCíS EXAMINATION COVERAGE OF FINANCIAL INSTITUTION OFAC COMPLIANCE

Recommendations

Corporation Comments and OIG Evaluation

MATTER FOR CONGRESSIONAL CONSIDERATION Ė AUTHORITIES FOR SUPERVISION OF OFAC COMPLIANCE

Examination and Enforcement Authority for BSA Compliance

Examination and Enforcement Authority for OFAC Compliance

Conclusion

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: REGULATORY AUTHORITY AND OVERSIGHT FOR OFAC AND BSA
COMPLIANCE
APPENDIX III: CORPORATION COMMENTS
APPENDIX IV: MANAGEMENT RESPONSE TO RECOMMENDATIONS


ACRONYMS

AML Anti-Money Laundering
BSA Bank Secrecy Act
C&D Cease and Desist Order
C.F.R. Code of Federal Regulations
DSC Division of Supervision and Consumer Protection
ED Examination Documentation
FBA Federal Banking Agency
FDI Federal Deposit Insurance
FFIEC Federal Financial Institutions Examination Council
FIL Financial Institution Letter
FinCEN Financial Crimes Enforcement Network
FRB Federal Reserve Board
GAO Government Accountability Office
MOU Memorandum of Understanding
NCUA National Credit Union Administration
OCC Office of the Comptroller of the Currency
OFAC Office of Foreign Assets Control
OIG Office of Inspector General
OTS Office of Thrift Supervision
RFPA Right to Financial Privacy Act
SDN Specially Designated Nationals and Blocked Persons
TEOAF Treasury Executive Office for Asset Forfeiture
TFI Office of Terrorism and Financial Intelligence
U.S.C. United States Code
ViSION Virtual Supervisory Information on the Net


FDIC, Federal Deposit Insurance Corporation, Office of Inspector General, 3501 Fairfax Drive, Arlington, VA 22226
DATE: December 14, 2006
 
MEMORANDUM TO:Sandra L. Thompson, Director
Division of Supervision and Consumer Protection
 
FROM:Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
Assistant Inspector General for Audits
 
SUBJECT:FDICís Supervision of Financial Institutionsí
OFAC Compliance Programs (Report No. 07-001)
 

This report presents the results of the subject FDIC Office of Inspector General (OIG) audit. The audit objective was to determine whether the FDICís Division of Supervision and Consumer Protection (DSC) provides effective supervision of compliance with Office of Foreign Assets Control (OFAC) regulations by FDIC-supervised institutions. All U.S. persons and entities, including U.S. banks, holding companies, and non-bank subsidiaries, must comply with OFAC regulations.[ 1 ]

To address our audit objective, we (1) assessed the FDICís statutory and regulatory authorities for ensuring OFAC compliance by the institutions it supervises, (2) reviewed DSCís supervisory and examination processes for OFAC compliance, and (3) reviewed DSCís OFAC examination coverage at 16 sampled financial institutions. Our observations on statutory and regulatory authorities may apply equally to the other Federal Banking Agencies (FBA),[ 2 ]which also examine financial institutions for OFAC compliance. Appendix I of this report discusses our objective, scope, and methodology in detail.

BACKGROUND

Within the U.S. Department of the Treasury (Treasury Department), the Office of Terrorism and Financial Intelligence (TFI) marshals the department's intelligence and enforcement functions for the purposes of safeguarding the nationís financial system against illicit use and combating terrorist facilitators, money launderers, drug kingpins, and various national security threats. TFI is composed of several offices, including OFAC, the Financial Crimes Enforcement Network (FinCEN), and the Treasury Executive Office for Asset Forfeiture (TEOAF).

OFAC is responsible for developing, promulgating, and administering sanctions for the Secretary of the Treasury under various laws, including, but not limited to, the Trading With the Enemy Act and the International Emergency Economic Powers Act. In general, OFAC regulations prohibit financial institutions from engaging in transactions with the governments of, or individuals or entities associated with, foreign countries against which federal law imposes trade or economic sanctions. Sanctions can be used against dangerous groups and individuals, such as international narcotics traffickers, terrorists, and foreign terrorist organizations, regardless of national affiliation. Many of the sanctions are based on United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied governments. The U.S. Government has used economic sanctions as a tool against international terrorist organizations since 1995, marking a significant departure from the traditional use of sanctions against hostile countries or regimes. Following the terrorist attacks on September 11, 2001, Executive Order 13224 entitled, Blocking Property and Prohibiting Transactions With Persons Who Commit, Threaten to Commit, or Support Terrorism, was signed, significantly expanding the scope of U.S. sanctions against international terrorists and terrorist organizations.

As part of its enforcement efforts, OFAC publishes a list of individuals and companies controlled by, or acting for or on behalf of, targeted countries. The list also includes individuals and entities such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and entities are called Specially Designated Nationals and Blocked Persons (SDN).

OFAC regulations require financial institutions to block or reject accounts and transactions[ 3 ] that involve any persons, entities, or countries that are included on the SDN list. Specifically, financial institutions must block transactions that are:

  • by or on behalf of a blocked individual or entity,
  • to or through a blocked entity, or
  • in connection with a transaction in which a blocked individual or entity has an interest.

Further, financial institutions must file (1) initial reports within 10 days for accounts and transactions that are blocked and/or rejected and (2) annual comprehensive reports on all blocked property[ 4 ] (held as of June 30) no later than September 30. An OFAC publication entitled, Foreign Assets Control Regulations for the Financial Community, dated November 23, 2005, provides guidance to financial institutions on monitoring financial transactions to ensure that SDNs, narcotics traffickers, and terrorists do not benefit from access to our nationís financial system.

Violations of OFAC sanctions occur when a financial institution processes a transaction, with or for an SDN, that should have been blocked or rejected.[ 5 ] OFAC can impose civil money penalties for violations of established sanctions. In addition, Title 18 United States Code (U.S.C.) ß1001 provides for criminal penalties associated with OFAC noncompliance.

FDIC safety and soundness examinations of FDIC-supervised financial institutions include an assessment of financial institution compliance with Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) requirements.[ 6 ] As part of the BSA/AML examinations, the FDIC assesses financial institutionsí OFAC compliance programs. Interagency guidance[ 7 ] entitled, Bank Secrecy Act/Anti-Money Laundering Examination Manual,[ 8 ] issued in June 2005 by the FFIEC provides examination procedures related to BSA, AML, and OFAC examinations. OFAC assisted in the development of the manual sections that relate to OFAC reviews. Further, in January 2006, OFAC published guidelines entitled, Economic Sanctions Enforcement Procedures for Banking Institutions,[ 9 ] in the Federal Register that complement and expand upon examination guidance for OFAC examinations.

RESULTS OF AUDIT

The FDICís supervisory approach to OFAC compliance includes examinations of controls established and implemented by FDIC-supervised financial institutions to ensure compliance with OFAC regulations. For the examinations we reviewed, FDIC examiners generally followed interagency guidelines in assessing the appropriateness of controls implemented and whether those controls were commensurate with the financial institutionsí specific product lines, customer base, nature of transactions, and identification of high-risk areas. In addition, the FDIC has taken important steps to address institutionsí OFAC compliance at FDIC-supervised financial institutions.

The FDIC, however, could enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions (DSCís Supervisory Approach to OFAC Compliance).

Further, examiner workpaper documentation and reports of examination could be improved with respect to examination planning and contact with OFAC, completing core examination procedures, and concluding on the adequacy of OFAC compliance programs and interdiction systems[ 10 ] used by FDIC-supervised financial institutions (Documentation of DSCís OFAC Reviews).

We also identified a matter for congressional consideration regarding examination and enforcement authorities associated with institution compliance with OFAC regulations. Specifically, a more comprehensive statutory and regulatory framework exists for the examination and enforcement of BSA compliance and the establishment of BSA compliance programs than for OFAC compliance and a related program, although both BSA and OFAC requirements address national security and law enforcement concerns (Matter for Congressional Consideration Ė Authorities for Supervision of OFAC Compliance).

DSCíS SUPERVISORY APPROACH TO OFAC COMPLIANCE

DSCís supervisory approach to OFAC compliance includes examinations of controls established and implemented by FDIC-supervised financial institutions to ensure compliance with OFAC regulations. For the examinations we reviewed, FDIC examiners generally followed interagency guidelines in assessing the appropriateness of controls implemented and whether those controls were commensurate with financial institutionsí OFAC risk assessments. In addition, DSC has taken the following steps to address institutionsí OFAC compliance:

  • participated in developing and issuing interagency guidance for examiners and banking organizations, including notifications on updates to OFACís SDN list;
  • conducted OFAC-related training and outreach activities for examiners and the banking industry;
  • issued BSA-related Cease & Desist (C&D) Orders that include OFAC-related provisions; and
  • signed an interagency Memorandum of Understanding (MOU), which governs information-sharing between the FBAs and OFAC.

DSC could, however, enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, and OFAC-related enforcement actions. These steps could assist the FDIC and OFAC in better addressing the risks associated with financial institution noncompliance with OFAC regulations and sanctions.

Evaluation of OFAC Compliance

DSC has implemented interagency guidelines for evaluating institutionsí OFAC compliance and taken additional steps in support of OFAC regulations. According to the FFIEC BSA/AML Examination Manual, to facilitate an examinerís understanding of the financial institutionís risk profile and to adequately scope an OFAC examination, an examiner should review the financial institutionís:

  • OFAC risk assessment that considers types of products, services, customers, transactions, and geographic locations;
  • independent testing of its OFAC program;
  • correspondence received from OFAC and, as needed, OFACís Web site to determine whether the institution has received any warning letters, fines, or penalties imposed by OFAC since the most recent examination; and
  • correspondence related to periodic reporting of prohibited transactions and, if applicable, annual reports on blocked property.

The manual states that it is not the FBAsí primary role to identify OFAC violations. Rather, the examination procedures are designed to help examiners determine whether financial institutions have policies, procedures, and processes in place for compliance with OFAC laws and regulations commensurate with an institutionís OFAC risk profile. DSC officials stated that if examiners identify significant issues with OFAC compliance during examinations, examiners may conduct additional transactional testing related to those issues.

Additional steps taken by the FDIC in support of OFAC regulations and sanctions are described below.

Interagency Guidance. DSC participated in the development of the FFIEC BSA/AML Examination Manual, issued in June 2005, and an updated version issued in July 2006. The project was a collaborative effort by the FBAs, OFAC, and FinCEN to ensure consistency in the application of the BSA/AML and OFAC regulations. With respect to OFAC compliance, the manual provides:

  • expectations on OFAC compliance program elements;
  • information on financial institutionsí responsibilities to report blocked and rejected accounts or transactions to OFAC;
  • core procedures related to OFAC examinations; and
  • an OFAC risk matrix, which examiners should use, as appropriate, when assessing a financial institutionís risk of encountering OFAC issues.

The manual is available to the banking industry as a reference guide for OFAC-related issues. In addition, DSC has issued financial institution letters (FIL) to announce new regulations and policies, including updates to OFACís SDN list.

Examiner Training and Outreach Activities. DSC has conducted and/or participated in a number of activities to familiarize examiners and financial institutions with guidance in the FFIEC BSA/AML Examination Manual. These events included:

  • a training Webcast in July 2005 for approximately 1,200 federal and state bank examiners to discuss the BSA/AML manual;
  • a series of teleconferences in August 2005 for bankers that included an overview of the BSA/AML manual and a question-and-answer session;
  • banker outreach and examiner training events in August 2005 in 5 major U.S. cities; and
  • nationwide BSA/AML conference calls for the examination staff and financial institutions in September 2006 to discuss the July 2006 changes to the FFIEC BSA/AML Examination Manual. More than 1,500 examiners and 10,650 bankers and industry representatives participated.

In addition, according to the FFIEC Annual Report 2005, the FFIEC has conducted extensive outreach activities with federal and state examiners and the banking industry on the FFIEC BSA/AML Examination Manual and regulatory expectations, reaching more than 23,000 bankers and examiners.

OFAC-Related Enforcement Actions. The FDIC has included OFAC-related provisions in BSA-related C&Ds. We reviewed the FDIC Enforcement Decisions and Orders Web site to identify C&Ds that included OFAC provisions for the period January 2004 through August 11, 2006. Although we did not identify any OFAC-specific C&Ds, we identified 10 cases in which the FDIC had included OFAC provisions in BSA-related C&Ds. Those OFAC provisions primarily related to financial institutions that had not implemented an adequate OFAC compliance program and/or institutions that had not implemented policies and procedures to ensure account databases were adequately compared against the OFAC SDN list.

Information Sharing With OFAC. To increase the level and extent of information sharing, the FBAs signed an MOU with OFAC in April 2006. In accordance with the MOU, the FBAs and OFAC can share information regarding OFACís administration and enforcement of economic sanctions, compliance with OFAC regulations by financial institutions, and financial institutionsí violations of OFAC sanctions. Specifically, the FBAs are to notify OFAC of:

  • apparent, unreported sanctions violations identified during examinations of financial institutions;
  • significant deficiencies[ 11 ] in a banking organizationís policies, procedures, and processes for ensuring compliance with OFAC regulations.

In turn, OFAC will notify the respective FBA of enforcement actions OFAC takes against a financial institution. In August 2006, DSC issued a memorandum to its regional offices to formally communicate the information-sharing provisions of the MOU and establish a process for the exchange of information with OFAC.

Supervisory Monitoring

DSC has not established a comprehensive process for monitoring and tracking financial institution OFAC sanctions violations, compliance program deficiencies, or OFAC-related enforcement actions. DSC field staff review OFAC-related concerns on an examination-by-examination basis. Further, DSC does not consolidate this information to identify institution, regional, or national trends or patterns of noncompliance or program deficiencies. Specifically, we found that OFAC compliance information for FDIC-supervised institutions was not available on the following items:

  • the number of violations of OFAC regulations,
  • specific financial institutions that had not implemented the expected OFAC compliance program elements,
  • FDIC enforcement actions that include provisions related to OFAC noncompliance,
  • OFAC enforcement actions against FDIC-supervised financial institutions for apparent violations of trade or economic sanctions, or
  • historical examination results related to OFAC compliance.

In a prior audit report issued in March 2004, we reported that the FDIC tracked supervisory actions related to BSA violations.[ 12 ] Similarly, in another prior report issued in September 2006, we noted that the FDIC also tracks supervisory actions related to a range of other regulatory compliance requirements.[ 13 ]

In the absence of monitoring data from DSC, we contacted OFAC for information on FDIC-supervised institutions. OFAC identified nine instances during 2004 and 2005 in which FDIC-supervised financial institutions may have violated sanctions by failing to block transactions as far back as 2001. The FDIC was aware of some, but not all, of the nine instances. At the time that we contacted OFAC, only two of those nine instances had been resolved by OFAC.

Conclusion

DSC has implemented interagency guidelines for evaluating institutionsí OFAC compliance and taken additional steps in support of OFAC regulations. However, DSC has not implemented certain supervisory controls for OFAC compliance, such as a system or process to monitor and track OFAC program deficiencies, institutions that may have violated OFAC sanctions, and enforcement actions taken by the FDIC and/or OFAC. As a result, the level of focus placed on OFAC compliance may not be sufficient to ensure that financial institutions implement the necessary controls to comply with OFAC regulations and take necessary actions to correct identified deficiencies and prevent future deficiencies or violations.

DSC could enhance its supervisory approach to OFAC compliance by monitoring and tracking financial institution violations of OFAC sanctions, compliance program deficiencies, and OFAC-related enforcement actions. A monitoring and tracking process would assist the FDIC in identifying those financial institutions that may have a history of not implementing effective controls to ensure compliance with OFAC regulations and, subsequently, may require further supervisory and/or enforcement consideration.

Recommendation

We recommend that the Director, DSC:

  1. Implement a process to monitor and track OFAC sanctions violations, deficient OFAC compliance programs, and OFAC-related enforcement actions to assist in monitoring OFAC compliance.

Corporation Comments and OIG Evaluation

The Director, DSC, provided a written response to a draft of this report on December 8, 2006. DSCís response is presented in its entirety in Appendix III of this report. DSC concurred with recommendation 1 and implemented a process in November 2006 to track and monitor OFAC sanctions violations and program compliance deficiencies. This process will help support DSCís coordination with OFAC, such as on the seven unresolved instances OFAC identified in 2004-2005 in which FDIC-supervised institutions may have violated OFAC sanctions. DSCís action for recommendation 1 is responsive, and we consider the recommendation resolved. However, the recommendation will remain open until we have determined that this action has been completed and is effective. Appendix IV presents a summary of DSCís responses to our recommendations.

DOCUMENTATION OF DSCíS EXAMINATION COVERAGE OF FINANCIAL INSTITUTION OFAC COMPLIANCE

As instructed by the FFIEC BSA/AML Examination Manual OFAC core examination procedures, examiners generally (1) relied on the financial institutionsí risk assessments and the results of the institutionsí internal or external audits and (2) included documentation in the examination workpapers on financial institutionsí OFAC compliance programs, including OFAC-related policies and procedures, a designated compliance officer, internal controls, training, and independent testing. However, examiner workpaper documentation and reports of examination could be improved with respect to examination planning and contact with OFAC, completing core examination procedures, and concluding on the adequacy of OFAC compliance programs and interdiction systems used by the institutions. More complete documentation would ensure that examiner conclusions regarding financial institutionsí controls established and implemented for OFAC compliance are adequately documented, supported, and reported.

DSCís Regional Directors Memorandum entitled, Guidelines for Examination Workpapers and Discretionary Use of Examination Documentation Modules (Transmittal 2001-039, dated September 25, 2001), defines standards for examination workpaper documentation. According to the guidelines, examination documentation should (1) demonstrate a clear trail of decisions and supporting logic and (2) provide written support for examination and verification procedures performed and conclusions reached and support the assertions of fact or opinion in reports of examination. Although the use of Examination Documentation (ED) Modules[ 14 ] is discretionary, the guidelines recommend that examiners use the ED Modules for the BSA examinations, which include reviews of OFAC policies and procedures. DSC updated the ED Modules in July 2006 by incorporating the BSA/AML examination procedures, which include procedures for OFAC compliance.

We reviewed examination documentation on OFAC reviews conducted by 2 DSC regional offices for 16 financial institutions and made the following observations.

  • Examination pre-planning documentation explicitly addressed OFAC compliance as a factor in determining the scope of examinations for 6 of the 16 institutions, while the pre-planning documentation for the other examinations did not specifically mention OFAC compliance. In some of these cases, examiners addressed BSA compliance in the examination pre-planning documentation, but it was not clear whether OFAC compliance had been considered. According to DSC guidance, examiners are to limit information in the pre-examination planning memoranda to an ďexception onlyĒ basis for areas considered higher or lower-than-normal risk. Examiners are not required to comment on areas subject to regular examination procedures. Thus, we could not determine whether examiners had not considered OFAC compliance or there was ďnormalĒ risk that did not warrant mention in the pre-planning documentation.
  • Although examiners reviewed OFAC correspondence that the financial institution maintained, there was no indication whether examiners had contacted their regional office, DSC headquarters, or OFAC before, during, or after the examination to determine whether those institutions have had any OFAC compliance civil money penalties or warning/cautionary letters or whether OFAC was conducting investigations or audits related to the financial institution being examined.
  • Examination documentation of the extent of work completed was inconsistent for the OFAC-related core examination procedures provided in the FFIEC BSA/AML Examination Manual. For 5 of the 16 examinations, the core procedures had not been completed. Additionally, in four cases, examiners used check marks or symbols for some of the procedures without providing explanations of the symbols. However, in cases where the core procedures had not been completed, the workpapers contained evidence of documentation for some of the procedure steps. On the other hand, in seven cases, examiners provided detailed responses for each core procedure question.
  • Examination workpapers and reports of examination did not usually include an overall conclusion on the sufficiency of the financial institutionís OFAC compliance program or the effectiveness of the financial institutionís interdiction system used to compare the institutionís accounts and transactions to the OFAC SDN list. Specifically, for 5 of the 16 examinations, the examination results did not include the examinerís conclusion on the sufficiency of the bankís OFAC compliance program. Documentation for only 2 of the 16 examinations presented conclusions on the adequacy of the financial institutionís interdiction system.

Additionally, we found it was difficult to identify information on the results of OFAC reviews because such information is embedded within the BSA/AML examination comments when BSA/AML deficiencies are identified. The FFIEC BSA/AML Examination Manual states that BSA and OFAC regulations are distinct and separate. However, financial institutions generally incorporate procedures related to OFAC compliance programs into BSA programs. For example, a financial institutionís OFAC officer is likely to be the institutionís BSA compliance officer, OFAC training is often conducted simultaneously with BSA training, independent testing of the OFAC program may be conducted concurrently with independent testing of the BSA program, and OFAC policies and procedures may be included in the financial institutionís overall BSA policies and procedures. One DSC official stated that all BSA/AML examinations should include a review of a bankís OFAC compliance; however, we found that examiners were not consistent in including OFAC-related issues in examination comments.

Consistent and comprehensive documentation and reporting of OFAC compliance would better assist the FDIC and subsequent examination teams in ensuring financial institution compliance with OFAC laws and regulations. Additional examination guidance could help ensure that OFAC concerns are clearly identified apart from BSA-related observations.

Recommendations

We recommend that the Director, DSC:

  1. Issue examination guidance to clarify the nature and extent of documentation expected for OFAC examination coverage, including documentation related to the planned scope of OFAC compliance coverage, OFAC actions related to the institution, the completion of core examination procedures, examination results and conclusions, and the effectiveness of the institutionís interdiction system.
  2. Issue examination guidance on including the scope of work performed and conclusions on OFAC compliance in reports of examination.
  3. Issue examination guidance to ensure that OFAC concerns at financial institutions are clearly identified apart from BSA-related observations for monitoring and tracking purposes.

Corporation Comments and OIG Evaluation

The Director, DSC, provided a written response to a draft of this report on December 8, 2006. DSCís response is presented in its entirety in Appendix III of this report. DSC concurred with recommendation 2 and agreed with the intent of recommendations 3 and 4.

The FDIC and the other FBAs issued the Revised Bank Secrecy Act/Anti-Money Laundering Examination Manual in July 2006, which provides additional OFAC examination guidance and addresses aspects of recommendations 2 and 3. For recommendations 2 and 4, DSC agreed to review its examination guidance and by September 30, 2007, issue revised guidance or reminders to examiners, where necessary, to clarify the nature and extent of documentation expected for OFAC examination coverage. With respect to recommendation 3, DSC issued examination guidance on December 1, 2006, addressing the presentation of the scope of examination work and conclusions on OFAC compliance in reports of examination. The guidance adequately addresses our concerns. Therefore, we consider recommendation 3 to be resolved and closed.

DSCís completed and planned actions for recommendations 2 and 4 are responsive to the recommendations, and we consider these recommendations resolved. However, these recommendations will remain open until we have determined that agreed-to corrective actions have been completed and are effective. Appendix IV presents a summary of DSCís responses to our recommendations.

MATTER FOR CONGRESSIONAL CONSIDERATION Ė AUTHORITIES FOR SUPERVISION OF OFAC COMPLIANCE

As shown in detail in Appendix II, a more comprehensive statutory and regulatory framework exists for ensuring compliance with the BSA than for OFAC compliance, although both laws address national security and law enforcement concerns. The following sections summarize our analysis of the differences and their potential implications.

Examination and Enforcement Authority for BSA Compliance

Under Sections 8 and 10 of the Federal Deposit Insurance (FDI) Act, the FDIC has plenary authority to examine banks and enforce compliance with laws and regulations. Nevertheless, the Treasury Department has overall authority for BSA enforcement and compliance and has delegated examination authority to the FBAs for institution compliance with BSA record-keeping and reporting requirements. Further, of particular note:

  • Section 8 of the FDI Act provides direct authority to the FBAs for BSA examination and enforcement.
  • The FDI Act requires each FBA to (1) prescribe regulations requiring insured depository institutions to establish and maintain procedures reasonably designed to ensure and monitor compliance with the BSA, (2) review such procedures during examinations, (3) enforce compliance with the BSA monetary transaction recordkeeping and reporting requirements, and (4) issue C&Ds when deemed appropriate.
  • The FDI Act authorizes the FBAs to impose civil money penalties for violations of C&D provisions.

Additionally, the FDIC Rules and Regulations, section 326.8, Bank Secrecy Act Compliance, outlines the compliance program elements that FDIC-supervised banks must establish and maintain to assure and monitor their compliance with BSA recordkeeping and reporting provisions.

Failure by an FDIC-supervised financial institution to comply with the BSA requirements can result in regulatory actions by the Treasury Department and/or the FDIC. The BSA and its underlying regulations give the Treasury Department authority to assess civil money penalties for violations and to refer cases to the Department of Justice for possible criminal prosecution. The FDIC is required to report all identified BSA violations to the Treasury Department and to refer violations that warrant penalties. Such referrals, however, do not preclude the FDIC from taking regulatory action when BSA violations are identified.

Examination and Enforcement Authority for OFAC Compliance

The statutory and regulatory framework for OFAC compliance is generally limited to OFAC-specific oversight and enforcement activities and focuses on transaction and account-level requirements and penalties. Specifically, as discussed earlier, OFAC has overall responsibility for developing, promulgating, and administering sanctions for the Treasury Department. In addition:

  • OFAC can review an institutionís compliance with OFAC-administered economic sanctions programs and take enforcement action through delegations of authority from the Secretary of the Treasury. However, these authorities have not been delegated to the FBAs that routinely perform OFAC compliance reviews as part of BSA/AML examinations. Additionally, the Government Accountability Office (GAO) and Treasury Department OIG have concluded that OFAC is limited in its ability to monitor financial institution compliance with foreign sanction requirements and does not have the authority to conduct examinations or proactively monitor financial institutions for compliance.[ 15 ]
  • Executive Order 13224 expanded the scope of U.S. sanctions against international terrorists and terrorist organizations and OFACís authority related to such activities. However, the Executive Order was not accompanied by comparable changes in the statutory framework for OFAC compliance. Additionally, the Executive Order did not address the FBAsí authority in this area.
  • Although financial institutions must comply with OFAC regulations and sanctions, there are no laws or regulations requiring institutions to have an OFAC compliance program. Therefore, the FBAs and OFAC must rely on financial institutions to implement appropriate controls to ensure compliance with OFAC-related laws and regulations as a matter of sound banking practice, not as a requirement. DSC officials have stated that (1) FDIC-supervised financial institutions are complying, to a great extent, with OFAC requirements and that (2) the lack of a statutory or regulatory requirement has not limited the extent of the FDICís oversight and supervision of OFAC compliance programs.
  • The FBAs lack specific statutory and regulatory authority for taking enforcement actions associated with institution noncompliance with OFAC regulations. Instead, U.S.C. Title 12 authorizes the FBAs to take certain enforcement actions if they determine that an institution is engaging in unsafe and unsound practices or has violated any applicable law or regulation. The FBAs have interpreted this authority to allow them to take formal enforcement actions aimed at addressing violations of OFAC regulations. However, we did not identify any instances in which the FDIC had taken enforcement actions solely related to OFAC sanctions violations or program deficiencies. Rather, some supervisory actions that addressed BSA violations and deficiencies also addressed OFAC deficiencies.

The FDIC and OFAC have provided guidance to financial institutions that outline controls that financial institutions are expected to implement to ensure compliance with OFAC requirements. The guidance states that financial institutions should establish and implement controls similar to those required for BSA compliance programs. According to the FFIEC BSA/AML Examination Manual, as a matter of sound banking practice and in order to ensure compliance with OFAC regulations, financial institutions should establish and maintain an effective, written OFAC compliance program commensurate with their specific product lines, customer base, nature of transactions, and identification of high-risk areas for OFAC transactions. Recognizing high-risk areas, an institution should include in its compliance program appropriate internal controls necessary to meet established expectations and ensure compliance. Those controls should include:

  • a risk assessment based on product lines, customer base, nature of transactions, and identification of high-risk areas for OFAC transactions;
  • policies and procedures;
  • a designated compliance officer;
  • a system of internal controls;
  • training; and
  • independent testing.

In addition, OFACís guidance entitled, Foreign Assets Control Regulations for the Financial Community, dated November 23, 2005,[ 16 ] outlines the type of controls that could be implemented to ensure that financial institutions properly identify and block or reject prohibited transactions and report these transactions to OFAC. The guidance, however, does not constitute a legally-enforceable requirement for a compliance program.

Conclusion

Although Executive Order 13224 expanded the scope of U.S. sanctions against international terrorists and terrorist organizations, and OFACís authority related to such, there was no statutory change to recognize OFACís expanded authority. Additionally, the Order did not address the FBAsí authorities related to OFAC examination coverage or enforcement. Whether additional and specific authority is needed to better ensure compliance with OFAC regulations and sanctions is a matter for congressional consideration. In that regard, we are providing this information to assist the Congress in considering whether more specific statutory authorities, particularly as they relate to OFAC compliance programs and enforcement action, would heighten the extent of institution and regulatory attention to this area and help mitigate the increased risk associated with terrorist and other criminal activities using the Nationís financial system.



APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of this audit was to determine whether DSC provides effective supervision of compliance with OFAC regulations by FDIC-supervised institutions. To address our audit objective, we (1) assessed the FDICís statutory and regulatory authorities for ensuring OFAC compliance by the institutions it supervises, (2) reviewed DSCís supervisory and examination processes for OFAC compliance, and (3) reviewed 16 sampled examinations for DSC coverage of OFAC compliance.

This report discusses statutory and regulatory issues that have a bearing on the FDICís oversight of financial institutionsí OFAC compliance programs. These issues may apply equally to the other FBAs, which also examine financial institutions for OFAC compliance. In addition, this report includes observations from our review of OFAC examination coverage by DSC at sampled financial institutions. We performed our audit from March through August 2006 in accordance with generally accepted government auditing standards.

Scope and Methodology

We performed the following steps to address the audit objective.

  • Interviewed FDIC officials at DSC headquarters in Washington, D.C., and the Atlanta and New York Regional Offices.
  • Identified applicable laws, regulations, criteria, and other guidance on OFAC and BSA compliance as follows:

  • OFAC regulations, C.F.R. Title 31, Money and Finance Treasury Part V-Foreign Assets Control Regulations, (31 C.F.R., Chapter V).
  • OFAC guidance, entitled, Foreign Assets Control Regulations for the Financial Community, dated November 23, 2005.
  • OFAC guidance in the Federal Register entitled, Economic Sanctions Enforcement Procedures for Banking Institutions, dated January 12, 2006 (Interim final rule 31 C.F.R. Part 501).
  • Bank Secrecy Act of 1970, Public Law 91-508, codified to 31 U.S.C. Section 5311 et seq., also known as the Currency and Foreign Transactions Reporting Act.
  • 31 C.F.R. Part 103, Financial Recordkeeping and Reporting of Currency and Foreign Transactions, the BSAís implementing regulation.
  • FDIC Rules and Regulations:
  • Section 326.8, codified to 12 C.F.R. Section 326.8,
  • Section 337.12, codified to 12.C.F.R. Section 337.12, and
  • Section 353, codified to 12 C.F.R. Section 353.

  • Section 8 and Section 10(b) of the FDI Act.
  • DSCís examination policies and procedures, including:

  • Risk Management Manual of Examination Policies, Section 8.1, Bank Secrecy Act, Anti-Money Laundering and Office of Foreign Assets Control.
  • FFIEC BSA/AML Examination Manual, issued June 30, 2005 and updated July 28, 2006.

  • FILs announcing the issuance of the FFIEC BSA/AML Examination Manual and updates to the OFAC SDN list.

  • Reviewed DSCís Regional Directors Memoranda entitled, Guidelines for Examination Workpapers and Discretionary Use of Examination Documentation Modules, Transmittal 2001-039; Monitoring and Tracking of BSA Problem Institutions, Transmittal 2004-025; and Compliance with Office of Foreign Assets Control Memorandum of Understanding, Transmittal 2006-024.
  • Reviewed the Right to Financial Privacy Act (RFPA) of 1978 (12 U.S.C. Section 3401), which governs the sharing of financial information held by financial institutions.
  • Met with OFAC officials and reviewed the Treasury Departmentís OIG and Government Accountability Office (GAO) reports on OFAC compliance.
  • Identified applicable laws and regulations related to DSCís examination and enforcement authority for BSA/AML and OFAC.
  • Reviewed a judgmental sample of 16 financial institution BSA/AML examinations started on or after September 1, 2005 and ended on or before April 10, 2006 to determine the extent of examination coverage for OFAC compliance. We reviewed reports of examination and examination workpapers that included preplanning documentation, financial institution BSA/AML and OFAC risk assessments, core examination procedures, correspondence files, documentation supporting OFAC training, independent testing, policies and procedures, updates to the SDN list, and designations of an OFAC compliance officer.
  • Reviewed information on possible FDIC-supervised financial institutionsí failures to comply with OFAC regulations.
  • Reviewed the FDICís Web site for information on C&Ds issued for BSA and/or OFAC noncompliance for January 1, 2004 through August 11, 2006.

In addition, we coordinated with the FDIC Ombudsmanís Office to determine whether that office had (1) received general concerns, comments, or complaints related to OFAC compliance or (2) generated any related trend information or bankersí perspectives. The Ombudsmanís Office responded that it did not have a sufficient basis on which to identify trends regarding OFAC nor would such data address our auditís goal of determining the effectiveness of the FDICís supervision of state non-member banksí compliance with OFAC regulations.

In addition, we coordinated with the OIGs for Treasury, FRB, and NCUA regarding previous or ongoing audit work related to OFAC compliance.

Evaluation of Internal Controls

We gained an understanding of the internal control activities relevant to the FDICís examination process for OFAC compliance by identifying and reviewing applicable policies and procedures related to the FDICís examination of financial institution examination for OFAC compliance, including guidance provided to FDIC examiners (FFIEC BSA/AML Examination Manual, DSC Risk Management of Examination Policies, FILs, OFAC regulations, and OFAC guidance issued January 12, 2006). Additionally, we interviewed DSC officials responsible for BSA/AML and OFAC examinations in DSC headquarters and selected regional and field offices.

Our assessment of internal controls determined that the FDIC has implemented some internal controls and interagency guidance related to examinations of financial institution compliance with OFAC regulations. However, controls related to the implementation of OFAC compliance programs need improvement, as indicated in our Results of Audit.

Reliance on Computer-based Data

We used computer-based data and reports from the Virtual Supervisory Information on the Net (ViSION) system to identify the universe of examinations conducted from September 1, 2005 through April 10, 2006. However, we did not test the reliability of computer-based data extracted from ViSION because the data were not significant to our conclusions or recommendations.

Compliance With Laws and Regulations

We reviewed applicable laws and regulations on OFAC compliance. We determined that there are no laws or regulations that apply to or require the FDICís examination of financial institutions for OFAC compliance, except those that relate, in general, to the FDICís overall examination authority (Section 10(b) of the FDI Act, and Section 337.12 of the FDIC Rules and Regulations). In addition, we determined that the FDIC does not have specific authority to enforce OFAC compliance. In the absence of such specific authority, the FDIC relies on its general authority to impose enforcement actions under Section 8 of the FDI Act to take action for OFAC compliance as it relates to operating a financial institution in an unsafe and unsound manner or noncompliance with laws and regulations.

Although financial institutions must comply with OFAC regulations and sanctions, no laws or regulations require financial institutions to have an OFAC compliance program. According to the FDIC Risk Management Manual of Examination Policies, there are no regulatory program requirements for institutionsí OFAC compliance. Additionally, DSC officials stated that there are no express statutory or regulatory provisions for financial institutions to have programs that comply with OFAC-administered laws or to check OFACís SDN list before processing a transaction or opening an account. However, DSC officials also indicated that failure to have an adequate OFAC compliance program could be an unsafe and unsound practice. This report identifies actions that DSC could take to improve management controls over the supervision of OFAC compliance.

Government Performance and Results Act

We reviewed DSCís performance measures under the Government Performance and Results Act, Public Law 103-62. We reviewed the FDICís 2005-2010 Strategic Plan and 2006 Corporate Annual Performance Plan to determine whether the FDIC has established goals related to OFAC compliance. Neither plan includes goals, objectives, or indicators specifically related to OFAC compliance. Those documents, however, include information related to BSA examinations and compliance and reference OFAC in a discussion on BSA/AML training.

Fraud and Illegal Acts

The nature of the audit objective did not require that we assess the possibility for fraud and illegal acts. However, we were alert to the possibility of fraud and illegal acts, and none came to our attention during this audit.

Summary of Prior Audit Coverage

The FDIC OIG has not previously performed an audit specifically focused on OFAC examination coverage. However, on March 31, 2004, the FDIC OIG issued Audit Report No. 04-017 entitled, Supervisory Actions Taken for Bank Secrecy Act Violations. That audit addressed FDIC BSA/AML examinations, which included coverage of OFAC compliance.

We reviewed audit reports related to OFAC compliance issued by the Treasury Department OIG and the GAO. The Treasury Departmentís OIG issued a report entitled, Foreign Assets Control: OFACís Ability To Monitor Financial Institution Compliance Is Limited Due To Legislative Impairments (OIG-02-082, dated April 26, 2002), which concluded that OFAC is limited in its ability to monitor financial institution compliance with foreign sanctions. The report recommended that the Treasury Department inform the Congress that:

  • OFAC lacks sufficient authority to ensure financial institution compliance with foreign sanctions, and
  • OFACís ability to ensure financial institution compliance with foreign sanctions would be enhanced through a legislative change that would enable bank regulators to share information about their compliance examinations with OFAC.

The report concluded that information sharing could be accomplished by amending the RFPA to include OFAC in the definition of ďbank regulator.Ē In response, OFAC agreed that its current legislative authority could be improved in terms of the information shared by bank regulators but stated that, despite statutory limitations, OFAC and the financial regulators have created an adequate compliance system. In February 2004, OFACís Director informed the Senate Finance Committee that OFAC had engaged in discussions with the Treasury Department about the desirability of adopting the recommendation for legislative change for information sharing and that the Treasury Department was reviewing whether certain changes in the technical definitions of the RFPA would further enhance OFACís ability to ensure compliance. The FBAs signed an MOU with OFAC in April 2006 that governs information sharing between the FBAs and OFAC and addresses some of the limits on sharing individual financial account information by relying on financial institutions to provide this information directly to OFAC, when needed.

GAO issued a report entitled, Foreign Regimesí Assets: The United States Faces Challenges in Recovering Assets, but Has Mechanisms That Could Guide Future Efforts (GAO-04-1006, dated September 14, 2004). GAO reported the following:

  • The primary way OFAC learns about violations of its regulations is through its review of mandatory reports filed by financial institutions.
  • In every instance in which a U.S. bank has acted inappropriately, OFAC has sent information regarding the transaction to the appropriate financial regulator.
  • In a limited number of instances, OFAC learns about violations of its regulations through ďself-disclosureĒ by financial institutions or when a second institution involved in a transaction subsequent to the first institution blocks a transaction and notifies OFAC, thus also informing OFAC of the first institutionís involvement in the transaction.

GAO also reported that OFACís ability to monitor financial institutionsí compliance with its regulations is hampered because the varied legislation under which OFAC operates does not provide it with the authority to proactively monitor financial institution compliance with foreign sanctions. GAO further stated that OFACís ability is limited because it does not have supervisory authority over financial institutions and, thus, relies on the financial institutionsí regulators to monitor institutionsí OFAC compliance programs. GAO recommended, among other things, that the Treasury Department seek legislative authority to allow financial regulators to share complete information from examinations. The Treasury Department responded that it was working on this issue and was uncertain whether a legislative change was needed to allow OFAC access to information from financial regulatorsí examinations. In addition, the Treasury Department stated that it was working with the financial regulators for comprehensive arrangements for information sharing. Our current audit addressed the information-sharing MOU signed by OFAC and the FBAs.



APPENDIX II

REGULATORY AUTHORITY AND OVERSIGHT FOR OFAC AND BSA COMPLIANCE

ELEMENT OFAC BSA REGULATORY AUTHORITY AND OVERSIGHT
REGULATIONS AND DELEGATED AUTHORITY
Compliance Program Required No Yes OFAC Regulations (31 C.F.R. Part V) require financial institutions to comply with sanctions; but there is no specific requirement for financial institutions to implement an OFAC compliance program. FDIC Rules and Regulations, Section 326.8 requires financial institutions to implement a compliance program for BSA.
FDIC Rules and Regulations No Yes FDIC Rules and Regulations, Section 326.8 applies to BSA.
Specific Delegated Authority No Yes The Treasury Departmentís FinCEN and FDI Act, Section 8 provide delegated authority for BSA.
COMPLIANCE PROGRAM
Written Board- Approved Policies and Procedures Yes Yes OFAC Regulations (31 C.F.R. Part V), FFIEC BSA/AML Examination Manual; FDIC Section 326.8 for BSA; and Section 8(s) of the FDI Act.
Internal Controls Yes Yes
Independent Testing Yes Yes
Compliance Officer Yes Yes
Training Yes Yes
Legal Requirement No Yes  
EXAMINATION AND ENFORCEMENT AUTHORITY
General Examination Authority Yes Yes FDI Act Section 10(b) examination authority and FDIC Rules and Regulations, Section 337.12.
Specific Examination Authority No Yes FDI Act Section 8 examination authority.
General Enforcement Authority Yes Yes FDI Act Section 8, which addresses the FDICís authority to impose formal enforcement actions for unsafe and unsound practices and noncompliance with laws and regulations.
Specific Enforcement Authority No Yes FDI Act Section 8(s) and Section 8(i); FDIC Rules and Regulations Section 326.8 and Part 353, and Treasury Departmentís 31 C.F.R. Part 103 recordkeeping and reporting requirements for BSA.
Other Entity Authorized to Enforce Compliance Yes Yes Treasury Departmentís OFAC for OFAC and Treasury Departmentís FinCEN for BSA.
SUPERVISORY MONITORING
Cite and Track Violations No Yes Based on cited violations in accordance with FDIC Rules and Regulations Section 326.8 and Part 353, and Treasuryís 31 C.F.R. Part 103 recordkeeping and reporting requirements.
Automated Monitoring System or Process No Yes FDICís manual case-by-case review of ViSION data for OFAC issues. FDICís automated system (ViSION) for BSA.
Monitoring and Tracking of Problem Institutions No Yes Regional Directors Memorandum, Monitoring and Tracking of BSA Problem Institutions.
EXAMINATION GUIDANCE
Risk-Focused Examinations Yes Yes FFIEC BSA/AML Examination Manual.
Risk Matrix Yes Yes
Core Procedures Yes Yes
Expanded Procedures No Yes
Source: OIG review of the FFIEC BSA/AML Examination Manual, FDIC examination guidance, FDIC Rules and Regulations,
    Treasury Departmentís BSA reporting and recordkeeping requirements and OFAC regulations, and the FDI Act.


APPENDIX III

CORPORATION COMMENTS

Corporation Comments from the Division of Supervision and Consumer Protection, page 1
[ D ]
Corporation Comments from the Division of Supervision and Consumer Protection, page 2
[ D ]
Corporation Comments from the Division of Supervision and Consumer Protection, page 3
[ D ]


APPENDIX IV

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.

Rec.
Number
Corrective Action: Taken or Planned/Status Expected
Completion Date
Monetary Benefits Resolved: [ a ] Yes or No
Open or Closed [ b ]

1

DSC has implemented a centralized process to track violations of OFAC sanctions and institutions with compliance program deficiencies. Records for all enforcement actions, including those with OFAC provisions, are stored in ViSIONís Formal and Informal Actions Tracking module.

  November 30, 2006   $0   Resolved   Open

2

DSC will review examination guidance for opportunities to provide additional clarification. On July 28, 2006, DSC issued a Regional Directors Memorandum entitled, Revised Bank Secrecy Act/Anti-Money Laundering Examination Manual, which provides guidance on the review of a financial institutionís risk assessment and audit. In addition, on December 9, 2005, DSC issued a Regional Directors Memorandum entitled, Formal and Informal Actions Procedures Manual, which provides guidance on administrative procedures for formal and informal corrective actions.

  September 30, 2007   $0   Resolved   Open

3

DSC agreed with the intent of this recommendation. On December 1, 2006, DSC issued examination guidance addressing the presentation of the scope of examination work and conclusions on OFAC compliance in reports of examination.

  December 1, 2006   $0   Resolved   Closed

4

DSC agreed with the intent of this recommendation. As stated in response to recommendation 1, DSC has implemented a centralized system to track violations of OFAC sanctions and institutions with compliance program deficiencies. In addition, DSC will review existing guidance and, as necessary, issue revised guidance or reminders to examiners.

  September 30, 2007   $0   Resolved   Open
a  Resolved Ė (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
b  Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.

Last updated 01/05/2007