Standard Chartered Bank and UniCredit have recently agreed to pay around $1bn each in settlements to US and UK authorities for financial crime related failures, including the processing of transactions on behalf of persons or countries subject to sanctions.
Penalties for sanctions breaches have become more sporadic in recent years compared to the wave of cases which surfaced 10 years ago, perhaps suggesting that the attitude of institutions with regard to sanctions compliance has improved. Deliberate evasion appears less prevalent, with controls to detect out-of-appetite customers and transactions largely in place across the industry. However, many firms remain exposed to inadvertent breaches due to a failure to maintain the effectiveness of these controls. Three challenges in maintaining control effectiveness are technology, data and managing sanctions risk appetite – each of these should be addressed in order to ensure that controls are tailored to the unique profile of your organisation.
For most organisations, sanctions compliance is reliant on customer and payment screening. This often involves simplistic text matching to identify whether customer or payment details match those of a sanctions target, which may be an individual, a business or a country. A popular approach when choosing a technology solution is to opt for an off-the-shelf product, offering a range of matching techniques, with ongoing support provided by the vendor. However, implementing such a tool without tailoring it to a firm’s geography, products, risk appetite etc. is unlikely to adequately mitigate specific sanctions risks. Effectiveness testing using synthetic data with known sanctions targets and variations thereof is an important step in building trust in the effectiveness of a screening solution. This testing is a valuable exercise when tuning thresholds to ensure the right alerts are generated whilst avoiding excessive false positives.
That said, even simplistic name matching depends upon complete and accurate data feeds. It is critical to gain confidence that all relevant customer records, related parties (e.g. beneficial owners) and payment information are included in screening. Additionally, ensuring that the breadth of information held on these parties is of sufficient completeness and quality is essential to avoid missing sanctions targets. If such data is not present, valid matches may be too weak to generate an alert, falling below thresholds. Where customer data is of poor quality, potentially interesting matches may not meet the criteria to generate an alert – for example, holding a default date of birth for a customer (e.g. 01/01/2001) could prevent an alert by failing to match the customer’s actual date of birth.
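The effectiveness testing and the default date of birth problem described above can be shown together in a small harness. This is an added example, not code from the article or from any screening product; the names, the 0.7/0.3 weighting, the thresholds and the set of placeholder dates are all assumptions made for illustration.

```python
from difflib import SequenceMatcher

# Assumed placeholder values a source system might store when the DOB is unknown.
PLACEHOLDER_DOBS = {"", "2001-01-01", "1900-01-01"}

# Constructed list entry and synthetic customer records (not real sanctions data).
TARGET = {"name": "Pyotr Ivanov", "dob": "1970-06-15"}
CASES = [  # (case id, customer name, customer DOB, should alert?)
    ("exact",           "Pyotr Ivanov",  "1970-06-15", True),
    ("reordered",       "IVANOV, Pyotr", "1970-06-15", True),
    ("typo",            "Pyotr Ivanof",  "1970-06-15", True),
    ("placeholder_dob", "Pyotr Ivanov",  "2001-01-01", True),
    ("unrelated",       "Maria Keller",  "1985-03-12", False),
]

def normalise(name):
    """Lower-case, drop commas and sort tokens so name order does not matter."""
    return " ".join(sorted(name.lower().replace(",", " ").split()))

def score(name, dob, target, dob_aware):
    """Weighted name/DOB score in [0, 1]; the weights are illustrative."""
    name_sim = SequenceMatcher(None, normalise(name), normalise(target["name"])).ratio()
    if dob_aware and dob in PLACEHOLDER_DOBS:
        return name_sim  # DOB carries no information, so score on the name alone
    dob_sim = 1.0 if dob == target["dob"] else 0.0
    return 0.7 * name_sim + 0.3 * dob_sim

def evaluate(threshold, dob_aware):
    """Return (missed true matches, false positives) over the synthetic cases."""
    missed, false_pos = [], []
    for case_id, name, dob, expected in CASES:
        alerted = score(name, dob, TARGET, dob_aware) >= threshold
        if expected and not alerted:
            missed.append(case_id)
        elif alerted and not expected:
            false_pos.append(case_id)
    return missed, false_pos

if __name__ == "__main__":
    for threshold in (0.85, 0.95):
        for dob_aware in (False, True):
            print(threshold, dob_aware, evaluate(threshold, dob_aware))
```

Scoring placeholder dates on the name alone recovers the missed match but will also raise more alerts on common names, so the same harness should be rerun with a larger set of non-target records before changing a production threshold.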
Fluidity of sanctions
Lastly, given the complex and ever-changing nature of international sanctions regimes, firms should monitor and interpret how developments relate to their own risk appetite, ensuring the right lists of targets are being screened against. Omitting a relevant list can result in mistakenly onboarding, or processing a payment on behalf of, a sanctioned individual or entity. Similarly, screening entries which do not relate to sanctions will increase false positives, wasting effort on unnecessary alerts.
The consequences of sanctions breaches are now well understood by the majority of firms, with fewer egregious cases of evasion hitting the headlines. That said, mitigating the risk of such deliberate behaviour should not lead to undue confidence that the risk of breaching through other control weaknesses is being managed. The tools which are intended to keep banks compliant are of little value when neglected and it is worth investing the time and effort to maximise the effectiveness of controls to ensure that unwanted relationships are identified and managed.