OFAC, FinCEN, and the SEC's BSA-Compliance Hook
Quick Answer
Two Treasury bureaus and one SEC recordkeeping rule frame the broker-dealer's federal AML touchpoints. OFAC (Office of Foreign Assets Control) administers economic sanctions and maintains the Specially Designated Nationals (SDN) list; firms must screen customers, block matching property, file a blocking report within 10 business days, and file an annual report by September 30 for property blocked as of June 30. FinCEN (Financial Crimes Enforcement Network) administers the BSA, receives CTRs and SARs, issues law-enforcement information-sharing requests (14-day search window), and authorizes voluntary FI-to-FI information sharing among financial institutions (FIs). The SEC's BSA-compliance recordkeeping rule pulls BSA compliance into the SEC's enforcement reach.
OFAC and FinCEN are both bureaus of the U.S. Treasury, but they perform very different functions. The exam tests the distinction directly: OFAC = sanctions screening, FinCEN = BSA reporting. The SEC's BSA-compliance recordkeeping rule is the third leg of the stool that lets the SEC enforce a missed CTR or SAR alongside FinCEN.
Office of Foreign Assets Control (OFAC)
OFAC is a bureau of the U.S. Department of the Treasury that administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals. Sanctions can be:
- Country-based (comprehensive sanctions on Cuba, Iran, North Korea, Syria, Russia, and Venezuela's PDVSA, plus targeted Russia / Belarus measures)
- List-based (the SDN list; sectoral-sanctions identifications; non-SDN lists for specific programs)
- Activity-based (prohibitions on certain transactions regardless of counterparty)
OFAC sanctions apply to all U.S. persons (citizens, permanent residents, U.S. entities, anyone physically in the United States), which includes every domestic broker-dealer and every U.S. branch of a foreign broker-dealer.
The SDN List
OFAC maintains the Specially Designated Nationals and Blocked Persons List (SDN list): a public list of individuals and entities owned or controlled by, or acting for or on behalf of, sanctioned countries, plus terrorists, narcotics traffickers, weapons proliferators, and other targeted persons.
U.S. persons (including broker-dealers) are prohibited from dealing with SDNs and must:
- Block (freeze) any property of SDNs in their possession or control
- Reject transactions in which an SDN is a counterparty when no blockable interest exists
- Screen customers, beneficial owners, and counterparties against the SDN list at onboarding and on an ongoing basis
Screening is typically performed by automated software comparing customer names, addresses, and identifying numbers against OFAC's regularly updated SDN list.
Exam Tip: Gotchas
- Block versus reject is OFAC vocabulary, not BSA. A blockable interest (for example, an SDN-owned account at the firm) requires the firm to freeze the property; a rejectable transaction (for example, an SDN counterparty in a cleared trade) requires the firm to refuse it. Both must be reported to OFAC.
- Screening is at onboarding AND ongoing. A customer not on the SDN list when the account opens can be added later. Firms must rescreen periodically against the updated list.
OFAC Reporting Deadlines
| Filing | Deadline | Trigger |
|---|---|---|
| Blocking report | Within 10 business days of blocking | Property of an SDN comes into the firm's possession or control |
| Reject report | Within 10 business days of rejecting | Transaction is rejected (not blocked) due to OFAC sanctions |
| Annual report of blocked property | Filed by September 30 | Property blocked as of June 30 that year |
Exam Tip: Gotchas
- The OFAC blocking report is 10 business days; the annual report is filed by September 30 for the June 30 blocked-property snapshot. The 10-business-day window is for new blockings; the September 30 filing is the year-in-review.
Financial Crimes Enforcement Network (FinCEN)
FinCEN is a bureau of the U.S. Department of the Treasury that administers the Bank Secrecy Act. FinCEN's principal functions:
- Issues BSA regulations on behalf of the Treasury
- Receives and analyzes BSA filings: Currency Transaction Reports (CTRs), Suspicious Activity Reports (SARs), Foreign Bank Account Reports (FBARs), and Reports of Cash Payments Over $10,000 Received in a Trade or Business (Form 8300)
- Operates the BSA E-Filing System through which FIs submit reports
- Issues guidance on emerging typologies (cybercrime, ransomware, virtual currency, geographic targeting orders)
- Coordinates with law enforcement and other regulators
Exam Tip: Gotchas
- OFAC = sanctions screening (SDN list); FinCEN = BSA reporting (CTRs, SARs, law-enforcement information-sharing requests). Both are Treasury bureaus, but they serve different functions. The exam tests the distinction directly.
Law-Enforcement Information-Sharing Requests
The USA PATRIOT Act authorizes FinCEN to issue information requests to FIs on behalf of law-enforcement agencies investigating money laundering or terrorist financing. Mechanics:
- FinCEN sends the request electronically through the FinCEN Secure Information Sharing System
- The FI must search its records for the named persons of interest
- Search window: 2 weeks (14 calendar days) from the date of the request
- The FI reports back only positive matches; no match means no response is needed
- The FI must keep the request confidential from the named persons (a tipping-off prohibition similar to the SAR rule)
A law-enforcement information-sharing request is not an order to file a SAR, freeze accounts, or take any other action; it is purely a search-and-report obligation.
Exam Tip: Gotchas
- A FinCEN law-enforcement information-sharing request requires the firm to search records within 14 days and report positive matches; it does not require a SAR or any account action. The firm searches and reports back to FinCEN; it does not freeze the account or alert the customer.
- Law-enforcement information-sharing requests are government-driven; voluntary information sharing is FI-to-FI. Do not confuse the two.
Voluntary FI-to-FI Information Sharing
The USA PATRIOT Act also authorizes FIs to voluntarily share information with each other for AML / counter-terrorism financing (CFT) purposes. Mechanics:
- The FI must file an annual notice with FinCEN before sharing
- Sharing must be in good faith, with another notice-registered FI
- Information shared is protected by safe harbor from civil liability
- Permitted purpose: identifying and reporting activities that may involve possible terrorist financing or money laundering
The notice is filed once per year and renewed annually. After filing, the FI may share information freely with other notice-registered FIs without seeking permission for each instance.
Exam Tip: Gotchas
- Voluntary FI-to-FI information sharing is opt-in; it requires advance notice to FinCEN. A firm that has not filed the notice cannot lawfully share AML information with another firm. The exam may ask whether two firms can compare notes on a suspicious customer; the answer requires both firms to be notice-registered first.
- The voluntary-sharing safe harbor protects the sharing FI, not the receiving FI's downstream use. Information shared in good faith does not authorize the recipient to tip off the customer.
The SEC's BSA-Compliance Recordkeeping Hook
The SEC's BSA-compliance recordkeeping rule requires every broker-dealer subject to the BSA to comply with BSA reporting, recordkeeping, and record-retention requirements as a condition of its SEC registration. The effect is to give the SEC its own enforcement hook for BSA failures: a missed CTR or SAR is not only a FinCEN violation; it is also a securities-law violation.
This means a single missed SAR can produce parallel enforcement actions:
- FinCEN for the BSA violation (civil monetary penalties under the BSA)
- FINRA for an AML-program-requirement violation (industry sanctions)
- SEC for a recordkeeping violation (separate civil penalties and administrative remedies)
Think of it this way: the SEC's BSA-compliance recordkeeping rule is the SEC's bridge into BSA enforcement. The BSA does not give the SEC direct enforcement authority over money laundering; making BSA compliance a condition of broker-dealer registration means any BSA violation is also a securities-law violation.
Exam Tip: Gotchas
- A single missed SAR can trigger FinCEN, FINRA, and SEC enforcement. The exam will sometimes ask which authority enforces the violation. The complete answer is all three: FinCEN under the BSA, FINRA under the AML-program requirement, and the SEC under its BSA-compliance recordkeeping rule.
- The SEC's BSA-compliance recordkeeping rule is the bridge into BSA enforcement. Without it, the SEC would have to wait for FinCEN to act. With it, the SEC can charge the firm directly.