Question 1

How long does OFAC require schools to retain screening records?

Accepted Answer

31 CFR § 501.601 requires U.S. persons to retain records of transactions subject to sanctions regulations for at least 5 years. Many schools adopt a 7-to-10-year retention policy to align with standard institutional record-retention guidance and potential statute-of-limitations exposure. SecurePoint Education retains the screening audit log for 10 years by default.

Question 2

What specific records should we retain?

Accepted Answer

At minimum: the screening event (who was screened, when, against what list), the match result (clear or match), the adjudication decision with reviewer identity and rationale (for any match), the licensing workflow outputs (assessment, application, license documentation) if applicable, and the transaction outcome (processed, held, rejected, or authorized under license). The evidence pack bundles all of these per-case.

Question 3

Is the evidence pack self-contained — will it work years later?

Accepted Answer

Yes. The evidence pack is a self-contained PDF + CSV bundle that does not depend on the live tenant. The screening result, decision, reviewer, rationale, matched list snapshot, and regulatory citation are all captured inside the pack. If you export a pack in 2026, an auditor can read it in 2033 without access to your SecurePoint tenant.

Question 4

What if we need to provide historical records to OFAC directly?

Accepted Answer

OFAC may request records in the course of an investigation or as part of a voluntary self-disclosure. SecurePoint's audit log is filterable by date range, party, campus, list, and decision — so producing a targeted record set is a search, not a reconstruction. Enterprise institutions can forward the audit log to a SIEM or data lake for long-term archival.

Question 5

What about ID images and other sensitive fields?

Accepted Answer

ID-image retention is configurable by policy and plan. Evidence packs automatically redact or exclude sensitive fields per your retention configuration, while the immutable audit log continues to reference the event. This matches standard privacy-first recordkeeping practice.

Question 6

How does this hold up in a formal OFAC audit?

Accepted Answer

An OFAC examiner is looking for three things: (1) did you have a program, (2) was it documented, and (3) were decisions captured with rationale. The SecurePoint evidence pack and 10-year audit log are specifically structured to answer all three. In a "reckless disregard" posture, a documented program changes the settlement conversation materially.

OFAC audit and recordkeeping for schools

5 years required. 10 years defensible. SecurePoint retains 10.

Six categories of record, one integrated trail

Screening events

Match records

Adjudication decisions

Licensing workflow

Evidence packs

Long-term archive

What an auditor actually asks for

What to read next

Evidence Packs

Sample Evidence Pack

OFAC Compliance Checklist

How to Clear a Screening Alert

Flagged Payor Workflow

OFAC Licensing

Education Launch

For Compliance Leads

For Business Offices

Education White Paper

Audit and recordkeeping — FAQ

Book a school compliance review