Skip to main content

Foodman CPAs and Advisors

Six Months In. Seven Questions for an Institution's Mid-Year Compliance Review.

Six Months In. Seven Questions for an Institution’s Mid-Year Compliance Review.

OFAC enforcement activity in 2025 signaled a clear shift in expectations. The focus moved from the outcome of a decision to the process behind it and whether institutions could demonstrate the substance of their transactions exceeds the mere form of the related legal formalities.

That enforcement environment shapes where many institutions now find themselves at mid-year. Months of compliance decisions have already been made. Sanctions guidance has continued evolving alongside geopolitical developments. Attention is shifting to how those decisions will be reviewed as the circumstances surrounding them continue to change. 

For institutions managing cross-border exposure, the pressure is not limited to any single corridor. The same decisions may be reviewed under different standards, at different points in time, across multiple jurisdictions simultaneously. A decision that appeared aligned when it was made may later be assessed differently when guidance evolves, enforcement priorities shift, or another jurisdiction applies a different framework to the same underlying facts. 

The practical question is whether the record allows the reasoning behind those decisions to be followed. That question is becoming increasingly important across sanctions compliance, politically exposed person classification, correspondent banking, customer due diligence, and governance processes that depend on consistent documentation across jurisdictions. 

1. Can the reasoning behind sanctions-related decisions made in the first half of the year be clearly reconstructed from the record? 

Sanctions-related decisions made earlier in the year do not remain fixed in the environment in which they were made. They may later be reviewed after new designations, new guidance, geopolitical developments, or enforcement actions have changed the way similar facts are understood. 

OFAC has repeatedly emphasized the importance of understanding the underlying economic reality of a relationship rather than relying solely on formal ownership structures or legal arrangements. That expectation extends to decisions already made earlier in the year. 

For institutions, this places significant importance on the record supporting the decision. The issue is not limited to whether the institution reached a particular outcome. The record should allow anyone reviewing the decision, internally or under examination, to understand what information was available, how it was evaluated, and why the institution reached the conclusion it did at that point in time. 

2. Where guidance evolved during the year, does the record show how that evolution was tracked and applied at the time? 

Sanctions guidance rarely evolves in isolation. It often moves alongside geopolitical developments, public designations, enforcement actions, advisories, and changes in regulatory expectations. Institutions managing exposure across Latin America, Russia, Iran, Venezuela, and other higher-risk corridors frequently have to assess relationships while the surrounding context continues to change. 

Recent OFAC designations connected to political leadership and government-linked networks in Latin America have altered how existing relationships are assessed after the fact. For institutions managing exposure in those corridors, the record needs to show what information was available when decisions were made and how evolving guidance was incorporated into the review process. 

This becomes particularly important when a decision is later reviewed by a regulator, auditor, correspondent bank, or internal governance committee. The relevant question becomes whether the institution can show how the evolution in guidance was identified, escalated, interpreted, and applied to specific relationships or transactions. 

3. Do documentation standards hold up when the same decision is reviewed across different jurisdictions simultaneously? 

A decision that appears aligned under one standard may later be assessed differently under another. The record needs to allow the reasoning behind the decision to be followed across all applicable standards, including those applied later through examination or cross-border review. 

This issue becomes more visible for institutions operating across corridors where U.S., EU, local, and international expectations intersect. A relationship may be reviewed through a sanctions lens in one jurisdiction, a customer due diligence lens in another, and a correspondent banking risk lens elsewhere. The underlying facts may remain the same, but the regulatory interpretation may differ. 

Documentation has to support that level of review. It should make clear which standards were considered, which risks were identified, how competing considerations were weighed, and how the institution reached a consistent position across the frameworks that applied. 

4. Are PEP classifications documented in a way that can be followed under EU, FATF, and U.S. standards at the same time? 

PEP classification remains one of the clearest examples of how the same relationship can be interpreted differently across regulatory frameworks. The EU AML framework has expanded PEP categories. FATF Recommendation 12 continues establishing the global baseline. U.S. requirements apply a different model. 

For institutions operating across these standards, the question is not whether one framework applies in isolation. The question is how the institution documented the relationship in a way that allows each applicable framework to be followed. 

That includes the information used to classify the customer or related party, the rationale for the classification, the due diligence performed, any enhanced review applied, and the basis for ongoing monitoring. When a relationship crosses jurisdictions, the documentation should allow the institution to explain how the same facts were assessed under different standards without creating inconsistency in the record. 

5. Where sanctions guidance and geopolitical developments moved simultaneously, does the record show how both were incorporated into specific decisions? 

Sanctions programs in 2026 continue evolving across Russia, Iran, Venezuela, and the Western Hemisphere corridor. Questions increasingly raised under examination focus on how institutions tracked those developments and incorporated them into decisions as conditions evolved. 

This requires more than identifying that a new designation, advisory, or enforcement action occurred. Institutions also need to show how the development affected existing exposure, whether it changed the risk assessment, and whether it required additional review, escalation, restriction, or monitoring. 

The challenge becomes more complex when the geopolitical context changes faster than formal guidance. Institutions may have to make decisions before interpretive clarity fully develops. In those circumstances, the record becomes essential because it shows how the institution understood the risk at the time and how it applied the information available. 

6. Does the record show how regulatory, compliance, and operational considerations were weighed in decisions made under uncertainty? 

Decisions made under uncertainty rarely belong to one function. Regulatory teams may assess the applicable sanctions framework. Compliance may evaluate customer or transaction risk. Operations may identify the practical implications of restricting, delaying, or processing activity. Senior management may need to determine whether the institution’s risk appetite supports the relationship or transaction. 

Examiners increasingly focus on whether the reasoning behind a decision can be followed through the record and how regulatory, compliance, and operational considerations were weighed at the time. 

For institutions, this means documenting not only the outcome but the process. The record should show who participated, what information was considered, what issues were escalated, how competing considerations were resolved, and whether the decision was reviewed or updated as new information became available. 

7. Has the institution assessed consistency across jurisdictions, business lines, and governance structures? 

The same requirements may be applied differently across different parts of an institution even when teams are working from the same underlying obligations. Those inconsistencies often surface later through examination, enforcement review, or cross-border scrutiny. 

This can occur when business lines use different systems, when regional teams apply standards differently, or when governance committees document similar decisions in different ways. The variation may not be intentional. It may reflect how regulatory concepts were translated into internal processes, data fields, escalation criteria, or review workflows. 

At mid-year, institutions have an opportunity to assess whether similar decisions are being documented consistently across jurisdictions and business lines. That review can help identify whether the institution’s record supports a coherent explanation when decisions are later examined across multiple standards. 

What the second half of the year requires 

The second half of the year places increasing pressure on institutions to maintain consistency policies and procedures reliability as standards, enforcement priorities, and geopolitical developments continue evolving simultaneously. 

Questions around how decisions were reached, what information supported them, and how evolving guidance was applied become increasingly important once those decisions are revisited under examination, enforcement review, or cross-border scrutiny. 

Institutions across jurisdictions and business lines are grappling with these questions. While the answers may differ, one expectation remains consistent: decisions must be able to withstand review under every applicable standard. 

These are the types of questions institutions are working through with us across jurisdictions and business lines. 

For institutions managing cross-border exposure, the mid-year review should therefore focus on more than whether policies were updated. It should examine whether the record behind key decisions can be followed across frameworks, jurisdictions, and time. That record may determine how the institution’s decisions are understood long after the original circumstances have changed.