In wake of re-imposed sanctions on Iranian entities, exam council warns FIs about risks of doing continued business

Continued use of products or services from an entity sanctioned for malicious cyber-enabled activities may increase both operational risk and risk related to compliance with federal law, a joint statement from federal financial institution regulators warned Monday following re-imposition of sanctions by the U.S. government on entities related to Iran.

The statement issued by the Federal Financial Institutions Examination Council (FFIEC) is intended to alert financial institutions to recent cyber security-related sanctions and the impact those may have on a financial institution’s risk management program. It followed an earlier announcement Monday by the Treasury’s Office of Foreign Assets Control (OFAC) announcing what it called the “largest ever single-day action targeting the Iranian regime.”

The OFAC actions were taken under that office’s Cyber-Related Sanctions Program; the FFIEC statement pointed to the potential impact sanctions may have on financial institutions’ operations, including the use of services of a sanctioned entity.

In its own, separate release, OFAC said that it has sanctioned more than 700 individuals, entities, aircraft, and vessels in or related to the government of Iran. “This action is a critical part of the re-imposition of the remaining U.S. nuclear-related sanctions that were lifted or waived in connection with the Joint Comprehensive Plan of Action (JCPOA),” the OFAC release states (earlier this year, President Donald Trump rescinded U.S. engagement in the JCPOA).

“OFAC’s action is designed to disrupt the Iranian regime’s ability to fund its broad range of malign activities, and places unprecedented financial pressure on the Iranian regime to negotiate a comprehensive deal that will permanently prevent Iran from acquiring a nuclear weapon, cease Iran’s development of ballistic missiles, and end Iran’s broad range of malign activities,” the agency said.

The FFIEC statement underscored that financial institutions should ensure that their OFAC compliance and risk management processes address the challenges arising from possible interactions with a sanctioned entity. “Identifying, assessing, and mitigating any risks associated with these sanctions requires a high degree of collaboration across a financial institution’s OFAC compliance, fraud, security, IT, third-party risk management, and risk functions to assess any potential risk.”

The FFIEC statement notes that OFAC has long issued sanctions against entities which are “responsible for, are complicit in, or that have engaged in, certain malicious cyber-enabled activities, including by providing material and technological support to malicious cyber actors that have targeted U.S. organizations.”

The statement notes that some sanctioned entities claim that they are U.S.-based and offer services to financial institutions. “U.S. persons are generally prohibited from engaging in transactions with sanctioned entities and all property and interests in property of the sanctioned entities subject to U.S. jurisdiction are blocked (i.e., frozen),” the statement asserts.

The FFIEC statement also warned:

  • In addition to the violation of an OFAC sanction, continued use of software and technical services from a sanctioned entity may increase cybersecurity risk for a financial institution. “Security software often operates within sensitive areas of an organization’s infrastructure to identify vulnerabilities, ensure data is protected, or block malware,” the exam council said. “Because of the nature of the claims under OFAC’s Cyber-Related Sanctions Program, a financial institution should assess the risk of having or continuing to use software and services from a sanctioned entity, and take appropriate corrective action.“
  • Third-party service providers also may have used, or continue to use, products and services of a sanctioned entity on behalf of a financial institution. “Accordingly, a financial institution should understand how its third-party service providers ensure compliance with the OFAC requirements,” the exam council stated.
  • In some cases, a sanctioned entity may be providing a critical service or control that cannot be discontinued instantly. “If the products or services of a sanctioned entity provide a vital or necessary control, a financial institution should identify and implement an alternative solution at the earliest possible time. Financial institutions should contact OFAC for additional guidance as soon as possible if they encounter any operational issues related to sanctions deadlines.”

FFIEC Joint Statement – Office of Foreign Assets Control Cyber-Related Sanctions Program Risk Management (PDF)

U.S. Government Fully Re-Imposes Sanctions on the Iranian Regime As Part of Unprecedented U.S. Economic Pressure Campaign