Sanctions screening refers to controls employed within companies that are designed to detect, prevent or otherwise manage sanctions-related risks by identifying sanctioned individuals and/or organizations, as well as illegal activity to which these institutions may be inadvertently exposed. Sanctions screening forms part of an effective FCC (Financial Crime Compliance) program and assists organizations with making judicious and compliant risk decisions. International sanctions regulations are continually expanding and growing in complexity.
What are Sanctions and Sanction Screening?
Financial sanctions are implemented by governments around the globe to restrict or prohibit trade with foreign targets involved in illegal or undesired activities. Sanctions may be leveled against territories, individuals, or entities, as well as against any countries, individuals, or entities acting on behalf of others that are engaged in criminal activities. Sanctions are often backed by civil and criminal penalties.
Sanctions screening is a control designed to disrupt financial crime and sanctions risk by comparing data sourced from an organization's operations, including customer or other business partner records and transactional records, against global sanctions lists containing names and other indicators of sanctioned parties or locations. The comparison detects similarities in order to determine whether a possible match exists.
Organizations will typically utilize two main screening controls to achieve their risk reduction objectives:
a) transactional screening that seeks to identify transactions that involve targeted individuals, organizations, or entities;
b) customer/name screening to identify targeted individuals, organizations, or entities during the onboarding or other crucial stages of the customer relationship.
Sanctions screening has its limitations and should form part of a larger AML (Anti-money laundering) or FCC program within any organization.
The Complex Landscape of Sanctions
Sanctions screening may sound deceptively simple, but in reality, determining a “true match” is complex and deals with multiple variables, including international languages, cultures, spelling, acronyms, aliases, and technological limitations including varying algorithms, match rules, and workflows. Accuracy is influenced by the type and availability of data, the inherent sanctions risks to which the organization and their products/services/customers may be exposed, and the third-party sanctions screening solution deployed.
The nature of sanctions also adds to the complexity. Unlike economic embargoes, which prohibit all activity and transactions involving a specific country, list-based or smart sanctions target particular persons, entities, and organizations rather than a specific regime. Secondary sanctions target third-party actors doing business with specific regimes, organizations, persons, or entities. (A good example of secondary sanctions includes many Ukraine-related programs, which target Russia’s financial and energy sectors specifically). This means that customers who are not on a sanctions list but have a relationship with a sanctioned entity could present a potential risk for the organization in question.
Other factors to consider:
- There is a push particularly in Western nations to consider sanctions for a wider range of concerns, including human rights violations and cyber-attacks;
- Sanctions regimes may include sectoral or national embargoes;
- Sanctions evasion techniques such as the use of Virtual Assets are becoming more sophisticated;
- A rapidly changing geopolitical environment makes it harder for organizations to meet their sanctions obligations;
- Many legacy screening platforms are still in use, which are both cumbersome and prone to large numbers of false positives.
Organizations need reliable partners utilizing up-to-date technology to navigate and manage these and other complexities.
Who needs to comply and screen against Sanctions Lists?
Enforcement actions are stricter and more prominent in the financial services and fintech industries, but all businesses in all sectors need to comply with sanctions screening requirements and may be subject to fines. In the UK, for example, the Office of Financial Sanctions Implementation has published guidance for charities and non-governmental entities. Non-compliance can be costly. In the United States alone, OFAC’s enforcement penalties hit a high of $1.2 billion in 2019.
Bear in mind that fines are levied not only for sanctions violations but also when an organization fails to implement adequate controls.
How to determine relevant sanctioning bodies for your Business?
Businesses need to consider the relevant sanctioning bodies active in the countries they operate in, the territories in which they and their partnerships and alliances trade, and the currencies they are operating in.
- The HM Treasury Sanctions List applies to all individuals and legal entities within or who undertake activities within the United Kingdom, as well as all UK nationals and legal entities established under UK law. It’s enforced and overseen by OFSI (the Office for Financial Sanctions Implementation).
- The EU Consolidated List of Sanctions applies to all EU citizens or corporate entities constituted in a member state and is overseen by the EU Council.
- The OFAC Sanctions List applies to all US citizens and corporate entities constituted in the US, as well as any entity that either trades in US dollars, US goods, or US components or that has a US parent or affiliate. Its regulatory body is the US Office of Foreign Assets Control (OFAC).
- The UN Sanctions list applies to all UN Nation-states and is overseen by the UN Council.
How to set up an effective Sanctions Screening Process
Every business needs a comprehensive AML / FCC program in place that includes sanctions screening to mitigate the risks associated with sanctioned parties and non-compliance.
This process includes:
Determining where the risks lie
It’s important that the business understands which sanctions risks they need to prevent or detect during the course of their operations. A global company may institute policies that prohibit dealing with any party sanctioned by the United States, United Nations, or European Union, as well as those sanctioned within their home country or the countries where they operate. A small company operating within a single country may limit its policies to the country where they are based.
It’s also important to consider risks that are posed by an organization’s products, services, and relationships, e.g., cross-border payments where account holders are required to be compliant with their country’s sanction requirements.
Cleaning up and streamlining data
A lack of data quality, integrity, or completeness is often the reason sanctions screening systems fail or perform poorly. Companies need to compile and clean their KYC / Know Your Customer information to avoid producing a large number of false positives and to avoid the possibility of failing to detect sanctioned entities during the screening process.
Data sources may be distributed across IT systems and must be mapped and identified to obtain a more holistic view of the customer base. If possible, all data sources should be linked and integrated and be subject to the same quality standards by extracting, enriching, and loading the information to a single platform.
Determining relevant attributes for screening
Not all data elements within a company’s records may be relevant for screening against specific sanctions risks. Names of individuals/entities with whom the organization has a relationship can be screened against name-based sanctions lists, but not geographic lists, for example.
Sanctions Data/Screening setup
Institutions should determine which lists are relevant for screening, depending on the nature of their clients, the products they offer, and the nature of their business. This is usually done through a risk-based assessment. Some customers or entities may be present on more than one list, leading to multiple matches; some organizations may want to implement a list management system to clean and parse the data to reduce these false positives.
Companies must ensure that lists are kept up to date, and that data is enhanced with additional information (either internal or external) where required. They may also wish to whitelist certain data points, including past false positives, and to define the geographic scope of the list.
Sanctions screening should be repeated at defined intervals through an automated process as determined by internal policies. It’s recommended that screening takes place when establishing new relationships (to ensure the permissibility of the relationship), followed by regular screening either upon trigger events (such as regulatory or listing information changes) or at predetermined intervals. Transaction screening should be performed at such a time that a transaction may be stopped and before a violation occurs. It’s important to pay close attention to any moments in time within the transactional process where information may be altered or removed in a way that may undermine screening controls.
It’s important to note that an alert generated during screening, indicating a match between a customer or business partner and a sanctions list, is not necessarily an indication of a sanctions risk. It needs to be verified, confirmed or discounted using additional information to determine whether the match is true or a false positive.
Manually review all of the client identity information you hold against the information within the sanctions list. You may also wish to approach your client for additional information. If the individual or entity matches all of the information on the list, it is likely a positive match and needs to be reported to your internal compliance or reporting officer. All transactions should be suspended.
If you are confident that the match is a false positive, you may wish to whitelist the client’s name to avoid future matches.
General Challenges during your Sanctions Screening Process
While sanctions screening is an effective control, it also comes with unique challenges and limitations, which include:
- Evasive behaviors of Politically Exposed Persons or persons related to PEPs. Individuals under scrutiny may avoid detection by opening shell companies in offshore jurisdictions instead of using their own names.
- More than one sanctions list may be required for screening, posing consolidation and data corruption risks.
- Poor internal data management, including failure to complete, verify or maintain information about shareholders, beneficial owners, suppliers, or other relationships.
- Different writing systems or naming conventions, including screening names written in Chinese, Cyrillic, or Arabic alphabets.
- Manual data entries during onboarding increase the risks of human error during data capture.
- Isolated internal systems, including non-integrated data between branches or subsidiaries during an acquisition or merger.
Every business must have a sanctions screening strategy in place that is documented and reviewed regularly. The accuracy and depth of internal data is the key to an effective sanctions screening process, while technology remains an important part of identifying financial crime risks accurately and timeously.
This must include policies and procedures that determine what information must be screened and how frequently, how alerts must be resolved, and which data attributes must be screened against based on a thorough risk assessment.