Dos and don’ts of sanction screening
Recently, Standard Chartered Bank (SCB) was ordered to pay $1.1 billion for conspiring to violate the International Emergency Economic Powers Act (IEEPA) and other international money laundering controls. It included a criminal conspiracy involving some 9,500 transactions worth a quarter of a billion dollars to the benefit of sanctioned Iranian entities.
More than half of the transactions were the result of deficiencies in SCB’s compliance program which allowed customers to request U.S. dollar transactions from within sanctioned countries.
Less than two weeks later, U.S. officials fined one of Europe’s largest banks, UniCredit Bank AG (UCB AG), more than $1.3 billion for processing nearly $400 million for sanctioned entities and countries, including Iran, Libya and Cuba.
UCB AG not only did business with sanctioned entities, they even altered their screening to strip sanctioned countries from transaction information in a conspiracy run by compliance staffers.
Prosecutors said the bank “engaged in this criminal conduct through a scheme, formalised in its own bank policies, designed to conceal from U.S. regulators the involvement of sanctioned entities in certain transactions.” In one instance, the bank actually used its sanctions screening software to find and release illegal transactions to blacklisted regimes.
These and other financial institutions (FIs) have been scrutinised as regulators seek to send a strong message that FIs will be heavily fined if they drop the ball on sanctions screening. At the same time, U.S. regulators are warning individuals they may also be held responsible for letting dirty money get through the system. In my opinion, this is a clear wakeup call for anyone in the financial industry.
‘You’ll pay a steep price’
In the words of Assistant Attorney General Benczkowski on the Standard Chartered case: “Today’s resolution sends a clear message to financial institutions and their employees: if you circumvent U.S. sanctions against rogue states like Iran – or assist those who do – you will pay a steep price.”
He went on to warn financial institutions that doing business with the U.S. means carefully screening customers and transactions.
“When a global bank processes transactions through the U.S. financial system, its compliance program must be up to the task of detecting and preventing sanctions violations—and when it is not, banks have an obligation to identify, report, and remediate any shortcomings.”
In recent years, Manhattan District Attorney investigations alone have resulted in 11 banks being fined or forfeiting more than $14 billion U.S. in settlements.
The resulting legal cases have been costly in terms of financial penalties and, perhaps more important, the reputations of these major banking corporations.
Meanwhile, the banks are responding by working to develop their own frameworks and guides to ensure they have comprehensive compliance programs.
The Wolfsberg Group, an association of 13 global banks, issued its own guidance for sanctions screening earlier this year. They wrote that sanctions screening is a key control in the prevention of financial crime risk to which FIs may otherwise be exposed, urging companies to include it as part of a wider set of financial crime fighting measures.
Guidance for developing an effective Sanctions Screening program
According to the Wolfsberg Group, the fundamental pillars of a Financial Crime Compliance (FCC) program should include:
- Policies and procedures – defining requirements for what must be screened and how alerts should be handled and judged.
- Responsible person – ensuring appropriate skills and experience in understanding sanctions requirements and how these might influence screening outcomes and decisions.
- Risk assessment – applying risk based decisions to determine what to screen, when to screen, what lists to use and how exact or “fuzzy” to set the screening filter.
- Internal controls – FIs are expected to document how their screening systems are configured and demonstrate that they are reasonably expected to detect and manage the specific sanctions risks.
- Testing – validate that the screening system is performing as expected and assess its effectiveness in managing specific risks.
The Wolfsberg report points out that a risk-based approach means understanding that sanctions screening can never detect every possible risk. That means the effectiveness of screening will vary among FIs, even when they are using the same screening protocols and solutions.
While designing and configuring the screening process, Wolfsberg recommends the following:
- Articulate the specific sanctions risk that the FI is trying to prevent or detect.
- Identify and evaluate potential exposure to sanctions risks through an FI’s products and services and its relationships with customers.
- Ensure the screening tool includes a well-documented understanding of the risks and how they are managed.
Regulators issue their own best practice guide
While the Wolfsberg Group have developed these guidelines for sanctions screening, regulators have also issued their own best practice guides that should help FIs enhance their processes and procedures.
In May, the U.S. Office of Foreign Assets Control (OFAC) broke with tradition by issuing a new framework to help financial institutions develop a comprehensive risk-based sanctions compliance program (SCP).
“OFAC will consider using its enforcement not only against the violating entities, but against the individuals as well,” the framework concludes.
Legal analysts also point to another quote as a possible shift in OFAC’s standard: “OFAC may, in appropriate cases, consider the existence of an effective SCP at the time of an apparent violation as a factor in its analysis as to whether a case is deemed ‘egregious.’”
Erich Ferrari, an attorney for Ferrari & Associates, P.C. who specialises in OFAC matters, wrote about the OFAC framework in a blog, spelling out its common causes for sanctions violations in easy-to-understand dos and don’ts:
Dos and Don’ts to avoid sanctions
Do: Have an OFAC sanctions compliance program.
Do: Consult legal counsel or OFAC sanctions expertise to understand the scope and applicability of OFAC-administered regulations.
Don’t: Refer business opportunities to, or otherwise approve or facilitate those opportunities of, your company’s foreign based operations and subsidiaries.
Don’t: As a non-U.S. person, re-export U.S.-origin goods, services, or technology to sanctioned jurisdictions or sanctioned persons, particularly if you have signed a contract or received other documentation that has informed you that you cannot do so.
Don’t: As a non-U.S. person, cause U.S. dollar payments to be remitted through the U.S. or by U.S. persons for transactions that in any way involve sanctioned persons or jurisdictions, and definitely do not in any way try to hide that a cross border U.S. Dollar payment is related in some way to a sanctioned person or jurisdiction.
Do: Make sure that your sanctions screening software and filters are adequate, continuously tested, and calibrated to ensure that sanctions risk is being appropriately mitigated.
Do: Good due diligence. Don’t slack on the quality of your due diligence, and if you don’t have the knowledge or resources to do it appropriately, outsource it until you can devote adequate resources and processes to conduct it. Account for ultimate beneficial ownership, geographic risk, and all counter-parties. Also, conduct transactional due diligence and monitoring.
Do: Follow OFAC’s Framework and ensure that your sanctions compliance program is addressing sanctions-risk globally and is consistently applied and tested across operations and business lines.
Don’t: Engage in strange payment practices. This is particularly true when it comes to receipt or remittance of payments from or to third parties. If the manner of payment requested by a counter-party appears unusual or novel, ensure that the payment can be made through normal channels.
Don’t: Be the person at your company that comes up with a novel way to “get around” the sanctions. If you’re looking for loopholes, you’re looking for trouble. OFAC and other law enforcement agencies are becoming bullish on going after individuals for facilitating sanctions violations of the companies they work for. Don’t get the horns – promote compliance before OFAC promotes enforcement.
“OFAC’s Framework is a welcome development for many in the sanctions compliance world,” Ferrari wrote.
But he cautions that the clarity from the regulator means more responsibility for FIs.
“That said, it does signal that expectations are being elevated and that organisations need to make sure they have their compliance practices in order now that OFAC has made clear what good practices look like.”
Expectations and realities of screening technology
Screening goes well beyond a simple name matching process and requires examining data from widely disparate technologies and sanctions lists. This often means using matching algorithms and risk-based alert creation rules to ensure FIs comply with regulators.
Depending on the size of the FI, screening programs will require the use of technology to generate alerts, provide metrics and reporting, protect the data and allow for independent testing and validation.
Such programs require all departments from IT to Operations and Financial Crime Compliance (FCC) to work together to ensure quality alerts by including screening lists for relevant data, ensuring exclusions are maintained through suppression rules or “Good Guys” lists and the removal of reference data from the screening process once it is determined not to be a risk.
Successfully implementing a sanctions screening application requires a financial institution either to build a screening application on its own or to source a solution from a vendor. Factors such as an FI’s size, global business footprint and its own technology environment need to be included in the decision making.
Wolfsberg suggests analyzing sanction risks and functional requirements, including the availability of screening rules to ensure alert creation or suppression; the ability to manually screen in one-off situations; the ability to configure workflows; and the availability of metrics and reporting.
“The big objective is to prevent your institution doing transactions with any sanctioned organisation or individual. You also want to be able to undertake some enhanced due diligence on high risk customers and third parties,” said Simpson, whose company developed its Alessa software to combat financial crimes.
“You need to understand what your sanction risks are, where there are risks and how are you managing those risks. In any compliance program in any financial institution or corporation, everything has to be pivoted on having strong controls,” Simpson said.
Cast a wide net
Screening must cast a wide net, meaning a wide range of lists, companies and individuals must be included to reduce the risk for an FI to an acceptable level. These may include screening against the following lists:
- [US] OFAC SDN
- [US] OFAC Non-SDN
- [US] Non-OFAC sanctions
- [EU] European Union sanctions
- [UK] HM Treasury United Kingdom sanctions
- [UN] United Nations sanctions
- [AUSSANC] Australia’s Department of Foreign Affairs & Trade sanctions
- [CANS] Canadian sanctions
- [HKSANC] Hong Kong Gazette & Hong Kong Monetary Authority sanctions
- [SECO] Switzerland’s State Secretariat for Economic Affairs sanctions
- U.S. SAM, which includes entities that are either restricted or prohibited from doing business with the U.S. government
- Country Risk Ranking data
- IHS Maritime Vessel data
- Adverse media data
- Internal intelligence lists
Depending on your organisation’s risk appetite, it is important to remember that screening for OFAC alone doesn’t get the job done.
By Andrae Duhaney, CAMS, product owner, CaseWare RCM.
This article is also featured in the summer July/August 2019 issue of the Banking Technology magazine.