FFIEC Releases Statement on OFAC Cyber-Related Sanctions

The Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement alerting financial institutions to recent actions taken by the Department of Treasury’s Office of Foreign Asset Control (OFAC) under their Cyber-Related Sanctions Program and to the potential impact it may have on financial institutions’ risk-management programs.

The statement describes the issues a financial institution should consider regarding the effect of sanctions on the operations of the financial institution and the implications of the continued use of products or services provided by a sanctioned entity.

Since the program’s inception, OFAC has issued sanctions against entities that are responsible for, are complicit in, or that have engaged in, certain malicious cyber-enabled activities, and providing material and technological support to malicious cyber actors that have targeted U.S. organizations. Some sanctioned entities (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) may offer services to financial institutions that operate in the United States. As a result of OFAC’s sanctions, all property and interests in property of the designated persons subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.

Financial institutions should refer to OFAC resources or the FFIEC’s Information Technology Examination Handbook (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) for information on requirements and expectations regarding OFAC-related compliance and operational risk management.

Attachment: Joint Statement (opens new window)