We do not believe that you would be held responsible for OFAC violations related to the credit card accounts issued by or transactions conducted through your third party credit card vendor, but it would be advisable to confirm this practice with your primary regulator.

Of course, the scope of transactions covered by OFAC regulations is very broad — as stated in FDIC guidance, OFAC regulations cover every transaction “by or through” a financial institution. However, because the credit card applications are sent directly to the third party vendor, and all account transactions are processed through the third party vendor, we do not believe it would be necessary, or possible, for your institution to block individuals or transactions involving the credit cards.

However, we recommend confirming that your contract with the third party vendor addresses OFAC compliance. The OCC’s third party risk management guidance applies to all business arrangements between a bank and another entity — which would include your relationship with the third party credit card vendor — and it recommends reviewing third party contracts for OFAC compliance, among other compliance responsibilities. In addition, you should take into account possible reputation risks in this arrangement, since you are referring customers to the third party vendor, and their credit cards do carry your institution’s logo.

For resources related to our guidance, please see below:

• OCC Bulletin 2013-29 — Third-Party Relationships: Risk Management Guidance

• FDIC Risk Management Manual of Examination Policies — BSA, AML and OFAC (“Each financial institution is responsible for every transaction occurring by or through its systems.”)