areas of the world are worth the expense of a potential investigation and fines. Strategic Considerations for Bankers As banks prepare for the potential implementation of the new record-keeping rule, there are several strategic considerations that bankers should keep in mind: 1. Proactive Planning Banks should begin reviewing their current data retention policies and systems to assess their ability to comply with the proposed rule. Engaging with legal advisors, technology vendors and compliance consultants early in the process can help banks identify potential gaps and develop a framework for compliance. 2. Investment in Technology Investing in advanced data management and compliance technologies will be critical to meeting the new requirements efficiently. Complying with the rule will require a data mapping exercise to identify any systems that may have transactional records subject to the retention requirement and ensure such systems are being maintained and backed up. A 10-year retention rule is outside of the normal lifespan for computers or operating systems, which is typically three (3) years to five (5) years for laptops and desktops. Thus, banks should consider preservation options that are readily transferable between 1. https://www.federalregister.gov/d/2024-20674 2. https://www.ecfr.gov/current/title-31/section-501.601 3. 50 U.S.C. 4301 et seq., https://www.govinfo.gov/content/pkg/USCODE-2023-title50/pdf/USCODE-2023-title50-chap53-sec4301.pdf 4. https://www.govinfo.gov/content/pkg/FR-2024-09-13/pdf/2024-20674.pdf, pg. 2 5. See: https://www.justice.gov/opa/pr/bnp-paribas-agrees-plead-guilty-and-pay-89-billion-illegally-processing-financial; https://www.justice.gov/opa/pr/standardchartered-bank-admits-illegally-processing-transactions-violation-iranian-sanctions; https://ofac.treasury.gov/system/files/2023-11/20231121_binance.pdf; and, https://www.justice.gov/opa/pr/bnp-paribas-agrees-plead-guilty-and-pay-89-billion-illegally-processing-financial. operating systems and hardware, such as an agnostic cloud-based data bucket. 3. Collaboration Across Departments Compliance is not the sole responsibility of the compliance department. Banks should foster collaboration between compliance, IT, legal and operational teams to ensure that all aspects of the record-keeping rule are addressed. 4. Employee Training As regulations evolve, so too must employee training programs. Banks should invest in continuous education for their staff, ensuring that they are aware of the latest sanctions lists, OFAC requirements and best practices for identifying and reporting suspicious transactions. Conclusion: A Compliance Extension The proposed 10-year record-keeping requirement from OFAC marks a significant change in regulations for banks. The rule presents increased compliance burdens, data management challenges, complexities and costs. Fines for OFAC violations can reach millions (and sometimes billions5) of dollars, and the reputational damage associated with sanctions breaches can have extensive effects. As such, while the upfront costs of complying with the 10-year rule may be significant, they are likely to be outweighed by the potential costs of failing to adhere to OFAC’s record-keeping requirements. By taking proactive steps to prepare for the new requirement, banks can position themselves not only to comply with the regulation but also to lead the industry in best practices for sanctions compliance and data security. Compliance will be key to maintaining trust with regulators, customers and the broader financial community. Robert L. Kardell (Bob) is an attorney whose practice focuses on cyber-breach incident response, legal and technology-based risk management solutions, technology and cyber-defense policy and protections, intrusion remediation, and fraud prevention and investigation. Bob has more than 22 years of experience working for the Federal Bureau of Investigation as a special agent and supervisory special agent, as well as a program coordinator for Public Corruption, Complex Financial Crime, Healthcare Fraud and Domestic Terrorism. The change in the statute of limitations is largely motivated by the increasing complexity and longevity of sanctions investigations. 20 NEBRASKA BANKER
RkJQdWJsaXNoZXIy ODQxMjUw