As of February 2022, there have been 11632 sanctioned individuals and 5935 entities across the US, EU, Canada and Australia. A number of influential banks have been fined for not detecting money laundering or dealing with sanctioned individuals - often because of their connections to sanctioned nations like Russia and Belarus. For example, HSBC and Credit Suisse have been among those implicated; the latter had to freeze assets of $10.6 billion in Q1 of this year.

So in this rapidly-changing socio-political environment, how can institutions reduce the impact of sanctions risk, continue to offer services to international partners, and identify these financial crime threats to avoid penalties?

What are the current challenges for sanctions risk management?

Volatility of the global sanctions landscape

Currently, the political landscape is complex, presenting many grey areas and uncertainties for financial institutions. For example, after leaving the EU, the UK no longer fell within the scope of EU regulations, and sanctions that previously applied to British institutions lost their validity. While the UK largely adopted EU sanctions regulation, differences exist between regimes, resulting in a divergence between jurisdictional sanctions lists. For example, nuances in the categorisation of financial services firms mean the UK sanctions regime includes payment and money transmission services, whereas the EU regime does not. This is just one example of the disparities that multinational firms must be aware of.

To add to the challenge, sanctions lists are updated weekly (even daily in some cases) and institutions must keep tabs on entities that are added or delisted. Such monitoring is extremely resource-heavy and can divert attention away from other sanctioned jurisdictions or high risk regions.

Definitions and contexts can also add to the difficulties of sanctions management. As sanctions are restrictive measures put in place to fulfil a range of purposes, such as supporting foreign policy or national security objectives, they can manifest themselves in many ways: from economic restrictions (such as limitations on trade) and diplomatic sanctions (reduction or removal of diplomatic ties) through to military intervention.

They are typically put in place by global organisations and unions such as the United Nations (UN) and the European Union (EU), with the Office of Foreign Assets Control (OFAC) playing a primary role in sanction administration and enforcement in the U.S.

Financial Institutions (FIs) are legally obliged to comply with sanctions requirements by preventing the facilitation of designated activity via trade embargoes, asset freezes and restrictions on access to the international financial system - but managing these obligations is demanding when contexts constantly change.

For example, firms must consider other entities affected by ownership percentage rules. Otherwise known as “sanctions by association”, the percentage rule applies to those companies that are majority owned (at least 50%) by an explicitly sanctioned individual or entity.

Moreover, institutions must also be aware of sanctions risks in supply chains, ensuring that goods or services are not sourced from a sanctioned entity or jurisdiction. 

All of these wide-ranging factors mean FIs must constantly be aware of contextual changes and update their processes accordingly. However, there are operational obstacles to doing this effectively.

Operational challenges

The validity and reliability of global sanctions lists present ongoing challenges for institutions; customer data and names are often stored in varying formats across multiple databases, and there are often insufficient sources to allow for thorough name matching. This hinders institutions' ability to identify ownership structures and link disparate data sources together for investigative purposes.

To add to this, gaps in data quality and completeness can generate a huge number of false positives. This is a particular issue within international correspondent banking transactions as an error in the name of a single bank can cause multiple false positives across the full chain of institutions. 

Unmanageable volumes of false positives can generate huge backlogs that must be manually investigated. If left unchecked, these increase regulatory risk, while inefficiencies worsen the customer experience by increasing onboarding times for legitimate entities.

Technological challenges 

Name screening is difficult enough for those using novel AI capabilities; however, many institutions still rely on legacy technology with more primitive matching logic, further increasing the likelihood of generating false positives when identifying risks. Worse still, institutions using manual methods for name screening lack the ability to check names at scale and can quickly become overwhelmed with onboarding volumes.

In what ways do current AML and KYC processes underperform?

Managing sanctions risk has historically relied on a combination of manual checks of designated lists during client onboarding or periodic reviews, such as:

Initial name screening

During the onboarding process, institutions cross-check or “screen” the names of individuals, organisations or other entities against national or global sanctions lists. Public lists are made available across many geographies, for example, the UK government publishes its UK Sanctions List which provides details of those designated under the Sanctions Act.

Ongoing monitoring

As part of ongoing customer monitoring, names are screened against sanctions lists at a frequency based on the financial crime risk that the customer poses to the firm.

Transaction screening

Payments and other transactions are also screened on a recurring basis, which requires checking the names of counter-parties and payment beneficiaries against sanctions lists.

Transaction monitoring

Transaction monitoring involves analysing customer transactions, both historical and current, to provide a clear picture of customer activity. This is a more sophisticated means of identifying patterns of behaviour associated with sanctions evasion.

If matches to sanctioned entities are identified, the client relationship must be terminated, related transactions must be stopped, relevant assets must be frozen and the incident must be reported to the relevant national authorities (e.g. OFAC, OFSI).

Considering the complexity of the current sanctions environment, existing methods of identification are not sufficient to adequately manage and mitigate sanctions risk, as there are often long delay times or a lack of data to make informed decisions on a customer or client profile. This has contributed to even the most influential banks failing to identify large financial fraud or partners connected to sanctioned countries, individuals or institutions.

While many current AML (anti-money laundering) and KYC (know your customer) processes are robust, with multiple stakeholders and verification steps, there are many manual tasks to complete before verifying and monitoring individuals and institutions, which can result in delays and inaccuracies.

When profiles and transactions are processed on legacy systems, information can go missing, and consequently an incomplete picture is formed when analysing partners or clients.

Depending on resources allocated, some institutions have better KYC, compliance and due diligence programmes than others and there is a lack of standardisation or universal source of truth from which information can be ascertained about clients and entities across markets.

How to combat these challenges: building an effective sanctions compliance programme

Understanding your sanctions risk exposure

Institutions should hold a thorough understanding of the macro-view of the sanctions landscape, monitoring current risks and where sanctions may be imposed based on geopolitical events. This may require input from other teams within an organisation such as public policy, government affairs, economics or environmental, social and governance (ESG) specialists.

Sanctions risk exposure should be monitored based on the institution's product and service offerings, customer types (particularly those in high risk business areas such as shipping and logistics), as well as the geographical locations in which they do business. A comprehensive risk-based approach to sanctions screening should also include understanding sanctions evasion schemes and the firm’s subsequent vulnerability to these.

Technology and data

Institutions should calibrate risk management, screening and monitoring tools to their associated risks. For those relying on manual processes, it should be made a priority to migrate away from these as they carry additional risks of inaccuracy and human error as well as being costly and time consuming. 

Institutions should consider using screening solutions which make use of more sophisticated techniques such as fuzzy matching (a technique that helps identify two elements of text, strings, or entries that are approximately similar but are not exactly the same), as well as entity resolution between disparate data sources.
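The fuzzy matching described above, as an added example (not Elucidate's code or any vendor's matching logic). The list entries, the legal-suffix set and the 0.85 threshold are constructed assumptions; the similarity measure is Python's standard `difflib` ratio applied to normalised, token-sorted names.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample list; these are not real designations.
SANCTIONS_LIST = ["Ivan Petrovich Sokolov", "Zarya Trading LLC", "Böhm Logistik GmbH"]

# Assumed set of legal-form suffixes that carry no identifying information.
LEGAL_SUFFIXES = {"llc", "ltd", "limited", "gmbh", "inc", "plc", "sa"}


def normalise(name):
    """Fold accents and case, drop punctuation and legal suffixes, sort tokens."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c)).lower()
    tokens = [t for t in re.findall(r"[a-z0-9]+", folded) if t not in LEGAL_SUFFIXES]
    # Sorting makes "SOKOLOV, Ivan" and "Ivan Sokolov" compare as equal.
    return " ".join(sorted(tokens))


def similarity(a, b):
    """Similarity in [0, 1] between two names after normalisation."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def exact_screen(name):
    """Legacy-style screening: only byte-for-byte identical names match."""
    return [listed for listed in SANCTIONS_LIST if listed == name]


def screen(name, threshold=0.85):
    """Return (listed_name, score) pairs at or above threshold, best first."""
    hits = [(listed, round(similarity(name, listed), 2)) for listed in SANCTIONS_LIST]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


if __name__ == "__main__":
    # Constructed customer records in the varying formats the article mentions.
    for customer in ["SOKOLOV, Ivan Petrovich", "Bohm Logistik",
                     "Zarja Trading Ltd.", "Ivana Sokolova"]:
        print(customer, "| exact:", exact_screen(customer), "| fuzzy:", screen(customer))
    # Lowering the threshold turns a non-match into an alert to investigate.
    print("threshold 0.6:", screen("Ivana Sokolova", threshold=0.6))
```

The threshold is the calibration point: set too low, it produces the false-positive backlog discussed earlier; set too high, it misses transliteration and spelling variants.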

Using multiple data sources can help to identify complex corporate ownership structures to avoid dealing with entities that may be partially owned by sanctioned firms or individuals. This facilitates the identification and subsequent removal of duplicates, as well as enabling firms to resolve gaps in data and match across different languages. 

Enhanced due diligence should also supplement sanctions screening, including techniques such as adverse media monitoring. This offers additional control in instances where individuals and entities employ sanctions evasion tactics.

In order for KYC programmes in the context of rapidly changing sanctions to work, institutions need to have a single source of truth to benchmark against - a shift in focus from simply KYC (know your customer) programmes to KYD - know your data. KYD is accompanied by an increased confidence in the information being used to inform compliance and due diligence and often includes new, innovative technologies to instil reliability into the process.

How Elucidate’s FinCrime Index (EFI) can support existing KYC and enhance sanctions management 

Introducing Elucidate’s FinCrime Index (EFI): a benchmark that leverages data analysis and machine learning to score and price risk, providing a comprehensive view of a bank’s own risk, as well as that of its counterparties.

Regulated by the Federal Financial Supervisory Authority, the EFI generates nine scores based on high quality data across a range of risk themes - including sanctions - enabling an objective and nuanced view of crime exposure, and ensuring accurate and fair evaluations can be made, along with relevant comparisons between institutions.

In accordance with the results of this index, FIs can better understand their risk exposure and prevent financial crime going unnoticed. To learn more about this solution, book a demo today with one of our team.