Sanctions Compliance

Boosting Sanctions Screening Performance: Insights from Yanez CEO, Jose Caldera

In this expert Q&A, learn how to enhance sanctions screening performance with actionable insights on testing, tuning, and configuration.

Editorial Team, September 6, 2024

Jose Caldera is the CEO of Yanez, a no-code AI-powered automation and investigation platform for Financial Crime Prevention Operations (FCPO).

He has over two decades of experience as a developer, marketer, and product manager, with an extensive focus on regtech and compliance technology for financial institutions and fintechs.

We invited Jose to share his insights on boosting sanctions screening performance. In our interview, he provides expert advice and highlights how Yanez's cutting-edge solutions advance sanctions compliance.

Be sure to read to the end. Even if your role doesn't involve advanced sanctions tuning, Jose also covers essential tips for all companies to enhance the efficiency of their sanctions screening process.

Importance of Testing

Why is it crucial for financial institutions to regularly test their sanctions screening systems?

It is part of the regulation in the US and strongly recommended by every regulatory framework. Both the Office of the Comptroller of the Currency (OCC) and New York Department of Financial Services (NYDFS) require banks and financial institutions that operate in New York to perform model validation and testing of sanctions screening programs. US OFAC, the most important regulatory body for sanctions, includes testing and auditing as one of the key components in its proposed framework for sanctions compliance.

Testing and auditing your sanctions screening ensures your systems adequately apply the required sanctions lists to the jurisdictions in which you and your partners operate. It furthermore ensures that your system can adequately handle name variations that sanctioned entities may use to evade detection. Periodic testing is recommended as changes to sanctions lists occur very frequently.

Identifying deficiencies in sanctions screening enables proactive actions to close unintended gaps, execute mitigation actions, self-report, and conduct proper capacity planning and risk analysis. Proactive behavior is proven to significantly reduce potential penalties imposed by regulatory bodies. Conversely, the lack of proper testing and auditing is proven to increase the penalties imposed by regulatory bodies.

What does "testing" mean in the context of sanctions screening systems, and what does it involve?

There are three key aspects when testing sanctions screening systems:

  • Are the sanctions lists kept up-to-date, and are updates applied in a timely manner? In other words, are there no significant lags in the system update?
  • Is the configuration of the system providing coverage for all sanctions lists required to comply with the applicable operating jurisdictions? (Sometimes the screening system will cover a list, but the list itself may not be applied in the configuration.)
  • Is the ability to detect name variations (e.g., fuzziness), transliteration, and translation, and its configuration adequate and commensurate to the assessed risk scenarios?

The first step is to build a library of scenarios and document the expected outcomes. These scenarios should be driven by a proper risk assessment analysis. Then the analysts will need to develop test data sets that exercise the identified scenarios and include enough false data to assess the operational impact of those scenarios.

Once the datasets are prepared, it's necessary to set up an environment that mimics the configuration of the sanctions screening system, preferably keeping testing separate from production systems. When the datasets and environment are ready, it's time to evaluate the system by "playing" the test datasets and collecting the results. These need to be evaluated and compared to the expected results. If there are gaps, these need to be addressed or justified, and the whole process needs to be properly documented.

If you are a bank in the United States, your datasets need to comply with the data sampling specifications from the Office of the Comptroller of the Currency (OCC), which specifies how you need to build your datasets (e.g., sampling) and the maximum number of errors and exceptions you may have before having to report to the OCC. Other regulatory bodies worldwide may have similar specifications, so it's better to check with your local regulators.

Sanctions Screening Tuning

Can you explain what “tuning” means in the context of sanctions screening systems?

In sanctions screening, every match to a list has to be properly evaluated by analysts. Regulatory bodies expect that every sanctions screening function is able to detect name variations that might otherwise miss a sanctioned entity. Therefore, systems need to be configured to match on name variations. However, the more variations you detect, the higher the number of false positives. Achieving a balance between name variations you should care about and the operational capacity to deal with false positives is, to say the least, tricky.

But detecting name variations isn't the only reason for tuning. In many instances, sanctions lists overlap with each other. This means that some names may appear on different lists, resulting in multiple alerts triggered by the same entity (and its variations). So it is useful to understand the list structure from the screening provider and ensure compliance with regulations while trying to minimize duplicated alerts. The most famous lists across jurisdictions are OFAC (US), UN Freeze list, and EU. There is great overlap in these lists; in fact, the consolidated EU list contains all of the entries from the UN list.

Additionally, your sanctions screening provider is likely also providing name matching against Politically Exposed Persons (PEPs), and you are probably using it for this purpose as well. PEPs lists are not published by any regulatory body, so each provider builds their own, sources their PEPs lists from third-party vendors, or uses a combination of both. Here, you truly need to do some work. There is a very high chance that PEPs are duplicated across lists, and lists overlap in many ways, so keeping those in check can be tricky.

Fortunately, the expectations from regulators when it comes to matching PEPs and sanctions are different. You can get away with a much stricter policy for matching PEPs. In other words, if your sanctions screening system allows it, you could have a different configuration for your PEPs, ensuring fewer false positives.

Another important aspect of tuning is considering your clients. If your clients are ONLY individuals, then you don't have to deal with business entities or vessels, for example. If you only do business in the US, then you can be more strict about location. There are many tuning factors that depend on the scope of your business and the risk analysis.

Sanctions Screening Configuration

What are the key factors to consider when configuring a sanctions screening system for optimal performance?

When configuring sanctions screening systems for optimal performance, there are several key factors to consider:

  • Fuzziness level/score is crucial. The system needs to detect name variations that may otherwise miss a sanctioned entity, as required by regulatory bodies. However, more variations mean higher false positives. Achieving a balance between detecting relevant name variations and managing operational capacity is tricky.
  • List overlaps are another important aspect. Sanctions lists often overlap, causing multiple alerts for the same entity. Understanding the list structure from your screening provider helps comply with regulations while minimizing duplicated alerts. Major lists like OFAC (US), UN Freeze list, and EU have significant overlap.
  • Risk-based segregation can be useful. For instance, expectations for matching Politically Exposed Persons (PEPs) and sanctions are different. If your system allows, you could have a stricter configuration for PEPs, resulting in fewer false positives.
  • Consider your client base and business scope. If your clients are only individuals, you don't need to screen for business entities or vessels. If you only operate in one country, you can be more strict about location-based screening.
  • Operational capacity is key. The system's configuration should balance detection capabilities with your team's ability to handle and investigate potential matches.

These factors are interconnected and depend on your specific business context and risk analysis. Proper tuning involves adjusting these elements to achieve optimal performance while ensuring regulatory compliance.
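The testing procedure (scenario library, expected outcomes, decoy data, replay and compare) and the fuzziness trade-off discussed above can be sketched as a small harness. This is an added example, not part of the interview and not Yanez's or any screening vendor's code; the watchlist, the names and the `difflib`-based score are constructed stand-ins for a real list and a real matching engine.

```python
from difflib import SequenceMatcher

# Constructed, fictional watchlist entries (not taken from any real sanctions list).
WATCHLIST = ["Ivan Petrovich Sokolov", "Al Noor Trading Company"]

# Scenario library: (name sent to screening, should it alert?, scenario label).
# The decoys are the "false data" used to gauge operational impact.
SCENARIOS = [
    ("Ivan Petrovich Sokolov", True, "exact"),
    ("Sokolov Ivan Petrovich", True, "token reorder"),
    ("Ivan Petrovic Sokolov", True, "spelling variation"),
    ("Iwan Petrowitsch Sokolow", True, "transliteration"),
    ("Al-Nour Trading Co", True, "abbreviation"),
    ("Ivana Sokolova", False, "decoy"),
    ("Noor Ali", False, "decoy"),
    ("Maria Gonzalez", False, "decoy"),
]

def normalize(name):
    """Lowercase, drop punctuation, sort tokens so word order does not matter."""
    cleaned = "".join(c.lower() if c.isalnum() else " " for c in name)
    return " ".join(sorted(cleaned.split()))

def score(a, b):
    """Similarity in [0, 1]; a stand-in for a vendor's fuzziness score."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(name, threshold):
    """Alert when any watchlist entry scores at or above the threshold."""
    return any(score(name, entry) >= threshold for entry in WATCHLIST)

def run_suite(threshold):
    """Play the scenarios and compare actual alerts with expected outcomes."""
    missed, false_positives = [], []
    for name, should_alert, label in SCENARIOS:
        alerted = screen(name, threshold)
        if should_alert and not alerted:
            missed.append(label)          # detection gap to fix or justify
        elif alerted and not should_alert:
            false_positives.append(name)  # analyst workload
    return {"threshold": threshold, "missed": missed,
            "false_positives": false_positives}

if __name__ == "__main__":
    # Sweep the threshold to see gaps shrink as false positives grow.
    for t in (1.0, 0.9, 0.8, 0.7, 0.6):
        print(run_suite(t))
```

Each `missed` entry is a gap to address or justify in the test documentation; each `false_positives` entry is review work the chosen threshold would generate.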

Common Challenges

What are the most common challenges compliance teams face when testing, tuning, and configuring their sanctions screening systems?

There are several issues that teams face: 1) building a dataset, 2) building a testing environment that replicates production, 3) data gathering and analysis, and 4) access to IT resources.

Building a dataset: It all starts with doing a proper risk analysis. What are the scenarios that you (your organization) care the most about and what would be the impact of failing in those scenarios? You put more effort into the highest risk scenarios and ensure that your test data set covers those scenarios in a deeper manner. You have to be mindful of the jurisdictions you operate in and the breadth of attributes available in the lists so you can ensure you are covering your bases. Then you have to consider the breadth of name variations you want to test for: where do you draw the line between being too open and being too strict? Keep in mind that auditors expect you to cover variations.

Building a test environment: You need a way to separate test results from live production results. Some screening systems allow you to have multiple configurations in the same environment, making it easier to separate results; some don't. Some systems are simply based on APIs, leaving you with the need for separating results based on the response. Some systems simply require you to have a whole separate environment. Whichever your screening system allows for, the most important thing is that it allows you to replicate the live environment and you can test mimicking it as closely as possible; and that it doesn't mix testing alerts with live alerts.

Data gathering and analysis: You've got to be able to aggregate and analyze the results to validate that the screening system and its configuration address your regulatory requirements and your risk profile. You've got to be able to document the process along with the proper results. You want to look at the data in ways that validate the whole spectrum, and also be on the lookout for anomalies that may identify gaps.

Access to IT resources: The setup of the environment, the ability to send test data against the screening system, and the collection of data for analysis, in most cases, requires access to IT resources at one level or another. Operations teams struggle to access IT resources in their organizations. The more you need them, the harder it is to get the necessary commitment from the IT leadership. Many operations teams cut corners and minimize the scope of work to reduce their dependency on IT resources. Outside the obvious risks of failing an audit, (lack of) access to IT resources generates anxiety for the compliance team, usually at a time when stress levels are already pretty high due to audits.

Yanez Overview

How is Yanez addressing and solving these challenges in testing, tuning, and configuring sanctions screening systems?

Yanez addresses and solves these challenges in testing, tuning, and configuring sanctions screening systems through the following approaches:

Off the shelf: Yanez offers an off-the-shelf solution for tuning and testing. We have designed technology that allows for generating a comprehensive set of synthetic data aimed to cover a very broad set of use cases that a client can configure based on their regulatory requirements and risk parameters. It provides integration with screening systems. All you need to do is input credentials and point to the right configuration. It records all of the results in the user interface so you can evaluate the results, and export all of the data for further analysis if necessary. It also provides reports that document the process and results to present to internal and external auditors.

No Code: Yanez testing and tuning, in general, does not need additional IT resources. In most organizations, for most teams, the operations team can perform all of the testing and tuning tasks without requiring assistance from the IT department.

Automation: The tests can be scheduled and carried out automatically and periodically. This enables looking at testing and tuning differently. Whereas today for many teams it is a painful task that is only performed because it is needed by regulation, the reality is that if you are able to test more frequently, you may validate your program more often and minimize surprises at audit time.

False Positives: The hardest operational challenge of operating sanctions screening systems is how to reduce the number of potential matches without jeopardizing your sanctions program and meeting auditors' expectations. There are many variables to consider. While Yanez can't necessarily affect all of the variables, it gives you the tools to guide you the best way possible in the process, helping to achieve a reasonable configuration of your screening system. It first guides you through examples to decide what type of name variations you find relevant to your operations. It then applies those learnings to your actual traffic, and guides you through a second round of guidance. In addition, based on the results, you may be able to spot redundant lists, lists that are out of date, or lists that shouldn't be configured, all of which will reduce the number of matches that the screening system generates and reduce the required operational cycles.

Regulation ready: Certain regulatory frameworks, like the Office of the Comptroller of the Currency (OCC), require specific techniques for sampling data. Yanez has incorporated all of these techniques and has included the required language in the reports and documentation to meet these frameworks. As new frameworks arise, it would be easy to add them to Yanez.

Can you explain how Yanez's technology improves the efficiency of audit reporting?

In order to be efficient and effective in reporting, you first need a strong methodical process, you need to gather data, and draw conclusions in a systematic manner. All of these are de facto features in Yanez.

Reporting is all about crafting what is needed for what type of audit. By default, Yanez reports contain all of the information that an auditor is looking for. In specific cases, like the aforementioned OCC framework, the user can specify to include the necessary language in the report.

All of Yanez reports also use Generative AI to ensure that the reports are correctly summarized and readable. This approach improves efficiency in several ways:

Systematic data collection and analysis: Yanez automates the process of gathering and analyzing data, ensuring consistency and reducing human error.

Customizable reporting: The ability to tailor reports for specific regulatory frameworks, such as the OCC, saves time and ensures compliance with reporting requirements.

Comprehensive information: By including all necessary information by default, Yanez reduces the risk of omitting crucial details that auditors seek.

AI-enhanced readability: The use of Generative AI to summarize and improve readability makes the reports more accessible and easier to understand, potentially reducing follow-up questions from auditors.

Time-saving: By automating much of the reporting process, Yanez significantly reduces the time and effort required to produce audit-ready reports.

Consistency across audits: The standardized approach ensures that reports maintain a consistent quality and format across different audits and time periods.

These features collectively contribute to a more efficient audit reporting process, allowing compliance teams to focus on addressing any issues rather than spending excessive time on report preparation.

Top Tips

What advice would you give to companies just starting to implement testing for their sanctions screening systems?

This is what I consider to be more important:

1. Conduct a proper risk assessment to understand what you are testing and for what purpose. This sets the foundation for your entire testing strategy.
2. Be methodical in your process. Develop a structured approach to testing that covers all relevant aspects of your sanctions screening system.
3. Document everything. Thorough documentation is crucial for both internal review and potential regulatory audits.
4. Be curious about the results. Don't just go through the motions; actively analyze and interpret your findings.
5. Proactively identify and address gaps. Being proactive in finding and fixing issues can be the difference between a front-page scandal and the survival of your organization.

And remember, effective testing is not just about compliance, it's also about protecting your organization and maintaining its integrity in the global financial system.

For companies of all sizes and across various sectors, including financial and non-financial, what basic tips do you have for sanctions screening and system configuration?

1. Treat tuning as an ongoing process. It's not a one-time setup, but a continuous effort to improve and adapt.
2. Start from a strong baseline and grow from there. Begin with a robust initial configuration and refine it over time.
3. Be mindful of duplicating lists, or rather duplicating entries across lists. This can lead to unnecessary alerts and increased workload.
4. Use as many attributes as possible. In most systems, the more attributes you add to the queries, the better the results.
5. Ensure your jurisdictions (and lists) are aligned to your business. Only screen against lists that are relevant to your operations and regulatory requirements.
6. PEPs and Sanctions are different. Have the right process and configuration for each.
7. Discriminate configurations by the characteristics of the traffic. For example, the configuration for US names may be very different from Russian or Arabic names.
8. Regularly review and update your configuration to reflect changes in your business, regulations, and the global sanctions landscape.
9. Document your configuration decisions and the reasoning behind them. This is crucial for audits and internal reviews.

Yanez is a proud strategic partner of sanctions.io. Click here to learn more about how Yanez's solutions can enhance your company's sanctions compliance process, and be sure to check out their LinkedIn page.

Editorial Team
This article was put together by the sanctions.io expert editorial team.