A robust sanctions compliance program is a key part of financial crimes compliance programs for financial institutions as well as businesses engaged in global commerce. Failure to establish or effectively implement such a program can have serious consequences, including millions of dollars in fines and serious reputational damage.
According to regulatory and enforcement agencies such as the Office of Foreign Assets Control (OFAC), an effective list management, filtering, and sanctions screening process is essential to an institution’s sanctions compliance program. Maintaining such a process is challenging and requires frequent, consistent review and assessment, but there are steps organizations can take to make it more manageable.
Sanctions Screening and List Management
Many organizations screen their customers, supply chain, intermediaries, counterparties, documents, and transactions to identify OFAC-prohibited locations, companies, or dealings. Problems arise, however, when organizations fail to update their screening software with changes to the relevant sanctions lists; omit pertinent identifiers for designated, blocked, or sanctioned financial institutions; or do not account for alternative spellings of sanctioned countries or parties. To be effective, the lists screened against must be accurate, reliable, up to date, refreshed frequently, and relevant to the institution.
Fully understanding list management terminology and execution can be challenging, but there are ways to make this complex process more digestible.
- Break the list management process into smaller steps, and review each step against the applicable regulatory guidance and the institution’s own policies and procedures. This makes the process easier to follow and to audit.
- Simplify the technical terms and lay out a clear statement of the big-picture goals. This matters most for nontechnical teams who are subject-matter experts on the screening requirements but are often excluded from contributing because of the technical nature of the process. Collaboration between technical and nontechnical teams (such as investigations, alert management, and sanctions advisory teams) should be encouraged.
- Add an oversight layer, such as continuous compliance monitoring or a QA process over the list management process itself, including the list management provider, on top of the ongoing monitoring of the screening platforms and list management systems. This helps identify the gap between the controls currently in place and those that need to be in place, and ensures the process is backed by the proper supporting controls.
Maintaining a Comprehensive Compliance Framework
Following the initial setup of a comprehensive sanctions compliance framework, a company should give thought to how it will ensure the program remains robust.
- Select additional lists for screening. In addition to OFAC’s prohibited listings, including its comprehensive country programs and the Specially Designated Nationals and Blocked Persons List (SDN List), there are other sanctions lists that financial institutions should consider based on their location (e.g., EU, HM Treasury), risk appetite (e.g., the FBI’s “Most Wanted” list), screening coverage (e.g., FinCEN 311 and 314(a)), and their own internal interdiction lists. The institution’s sanctions advisory team should be the final decision maker on which vendor-provided lists are comprehensive and relevant.
- Scrutinize the screening structure and transaction types. The list management process must adapt to how the institution’s screening is organized. Institutions with a centralized screening platform may perform all of these duties centrally; those with decentralized screening need additional controls and oversight to support the procedural steps, such as confirming that updated lists are applied on every platform, that the same configurations are applied at every location, and that the relevant additional lists are applied where decentralized locations sit in different jurisdictions. The institution should also clearly define the differences between real-time transaction screening (such as live fund transfers and trade settlements) and referential data or batch screening (such as customer and securities databases). For instance, depending on how the institution’s internal systems are set up, does it make sense to route ACH batch payments through the real-time screening platform rather than through batch screening?
- Understand filtering solutions. Financial institutions rely on vendor-provided filtering solutions to support their screening. A filtering model starts with the vendor’s proprietary fuzzy matching logic, which determines how closely a screened name must resemble a list entry before an alert fires; this is what allows an alert to be generated even when a letter is missing or part of a name or word is incomplete. On top of that sit configurable algorithm settings and severity modes, which can be tuned to the institution’s risk appetite, and the ability to create rules and exceptions according to internal guidelines. Tuning is performed internally by support teams within IT, compliance, or operations and aims to reduce “noise” (alerts that are obvious false positives) as far as possible, so the alert review team can stay focused on resolving meaningful alerts. Every suppression rule or threshold increase trades false positives for potential false negatives, so tuning changes should be tested against known true hits before they go live. Overall, thorough familiarity with the institution’s filtering solution is crucial to being able to request enhancements, functionality, or additional features that may improve the alert review process.
- Support model validation. Filtering platforms are treated as models subject to periodic model validation, typically performed by the institution’s compliance, technology, or risk department. These exercises, while technical and time-consuming, are vital to confirming the validity of the filtering systems in use and surfacing defects or limitations and their potential impact. It remains essential that the team(s) conducting the validation are appropriately staffed, that models are validated at the appropriate frequency with the appropriate tests, and that testing is clearly documented and communicated. One best practice is to validate periodically against a recent internal sample of clients and transactions, including known true hits, to check the accuracy and functionality of the model. These exercises should be comprehensive and run against the configurations actually in use.
- Add controls to daily list management processes. Large institutions that consume external vendor lists typically automate the daily load; smaller institutions may apply their lists manually each day. The loaded content should include external and internal watchlists as well as optimizations, rules, and exceptions. A common misstep is reapplying the same list as the prior update, so that screening runs against stale rather than current data. To mitigate this, organizations should have daily controls confirming that each new list update has actually been incorporated into the lists screened against, whether technical controls (for example, comparing a checksum or record count of the loaded list against the publisher’s release) or four-eyes reconciliation of the changes. Alerts or notifications on list changes add a further layer of assurance that the most up-to-date information is in use.
- Enhance periodic controls based on internal reviews. Additional periodic controls, such as weekly, monthly, or quarterly reviews of the supporting tasks, complement the daily controls. These reviews may cover good-guy/exception entries and rules created to suppress false positives, internal interdiction list entries, and the timing and accuracy of list loads. Acting on recommendations from internal reviews (audit, quality testing, and risk assessments) drives these enhancements.
- Treat this as a collaborative effort between the institution’s technical and nontechnical teams. Technical teams that periodically review the terms generating the highest alert volumes for tuning should seek input from the nontechnical teams, and nontechnical teams should be encouraged to escalate optimization requests. Technical teams should also keep nontechnical teams informed of upcoming model updates and how these may change the alert population.
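The following is an added example, not code from the article or from any vendor’s screening product, showing in miniature the three mechanics the bullets above describe: fuzzy matching with a tunable threshold and good-guy exceptions, a validation run over a sample of known-hit and known-clean names, and a daily list-load control that catches the “same list as yesterday” misstep. Every name, list identifier and list entry is constructed sample data; `difflib` similarity stands in for a vendor’s proprietary matching logic, and the publisher’s digest of today’s release is assumed to be available out of band.

```python
"""Toy sanctions screening filter with a daily list-load control.

Added example, not from the article or any vendor. All names, list ids and
entries are constructed; difflib's ratio is a stand-in for proprietary
fuzzy matching; the publisher digest is assumed to be obtained out of band."""
from __future__ import annotations

import hashlib
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher


def normalize(name: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", folded.lower()).split())


def similarity(a: str, b: str) -> float:
    """0.0 .. 1.0 on the normalized strings; 1.0 is an exact match."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


@dataclass
class Screener:
    watchlist: dict[str, str]                          # listed name -> list id (constructed)
    threshold: float = 0.85                            # "severity": lower means more alerts
    good_guys: set[str] = field(default_factory=set)   # normalized names cleared by review

    def screen(self, candidate: str) -> list[tuple[str, str, float]]:
        """All (listed_name, list_id, score) at or above threshold, best first.
        A name on the good-guy list returns no alert regardless of score."""
        if normalize(candidate) in self.good_guys:
            return []
        hits = [(listed, lid, round(similarity(candidate, listed), 3))
                for listed, lid in self.watchlist.items()]
        return sorted([h for h in hits if h[2] >= self.threshold], key=lambda h: -h[2])


def validate(screener: Screener, cases: dict[str, bool]) -> dict[str, list[str]]:
    """Model-validation style run: `cases` maps a sample name to whether it
    must alert. Returns the names the filter got wrong, by failure type."""
    missed = [n for n, must in cases.items() if must and not screener.screen(n)]
    noise = [n for n, must in cases.items() if not must and screener.screen(n)]
    return {"missed_true_hits": missed, "false_positives": noise}


def list_digest(entries) -> str:
    """Order- and case-independent SHA-256 over the normalized entries."""
    h = hashlib.sha256()
    for entry in sorted(normalize(e) for e in entries):
        h.update(entry.encode() + b"\n")
    return h.hexdigest()


def check_list_load(loaded, previous_digest: str, published_digest: str) -> dict:
    """Daily load control. previous_digest was recorded after yesterday's load;
    published_digest is what the publisher says today's file hashes to."""
    digest = list_digest(loaded)
    update_expected = published_digest != previous_digest
    return {
        "digest": digest,
        "stale_reapply": update_expected and digest == previous_digest,
        "matches_publisher": digest == published_digest,
        "ok": digest == published_digest,
    }


# Constructed sample data (not real designations).
YESTERDAY = ["Ivan Petrovich Sidorov", "Acme Trading Limited"]
TODAY = YESTERDAY + ["Juan Carlos Martinez"]
WATCHLIST = {name: f"SDN-TEST-{i}" for i, name in enumerate(TODAY, 1)}


if __name__ == "__main__":
    s = Screener(WATCHLIST)
    print(s.screen("Ivan Petrovch Sidorov"))                               # missing letter still alerts
    print(Screener(WATCHLIST, threshold=0.90).screen("ACME Trading Ltd."))  # tuned away at 0.90
    print(validate(s, {"Ivan Sidorov": True}))                              # dropped middle name is missed
    print(check_list_load(YESTERDAY, list_digest(YESTERDAY), list_digest(TODAY)))  # stale re-apply flagged
```

Two things worth noting from running it. Raising the threshold from 0.85 to 0.90 silences the “Ltd.” versus “Limited” alert, which is exactly the false-positive/false-negative trade the tuning discussion above refers to, and a candidate that simply drops a middle name falls well below either threshold, which is the kind of limitation a validation sample built from known true hits is meant to surface. The load control flags the stale case only when the publisher actually shipped a change, so a day with no new release does not raise a false alarm.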
A successful sanctions list management and screening framework needs cooperation, insight, and expertise from senior management as well as the model validation, technical, and subject-matter expert teams. Publicly available regulatory guidance, such as the Wolfsberg Guidance on Sanctions Screening, OFAC’s Framework for OFAC Compliance Commitments, and resources for the annual certification under NYDFS Part 504, may also be leveraged to better understand regulatory expectations and best practices. Finally, financial institutions and businesses looking to strengthen or build an effective and sustainable framework may engage third-party consultants with the expertise, industry knowledge, and technical know-how to evaluate the existing screening framework and recommend products, enhancements, upgrades, and effective controls.
By establishing best practices to support a strong framework, financial institutions can stay ahead of risks and keep their controls up to date in an ever-evolving environment.