Author: Debra Geister*
Date: March 24, 2016
For many banks, and indeed for other business organizations, undertaking a sanctions compliance program seems at first like a straightforward, relatively easy endeavor. After all, how difficult can matching names be?
It is true that of the operational areas a bank has to confront in anti-money laundering (AML) compliance, economic sanctions is one of the less complex ones. However, it is not as easy as it looks. As many financial institutions will acknowledge, managing sanctions compliance can be confusing and challenging and always high-risk.
Lack of a single solution makes field challenging, complicated
What makes it so challenging and complicated to manage? The primary reason is that as in many compliance functions, no single solution fits every business. Each program must be specifically tailored to the particular type of business and operation. If the business operates in multiple countries, there can be overlap and conflict. In addition, sanctions lists are intrinsically challenging because many names are common and come with limited additional information to ascertain true matches.
For example, a person named Charles Taylor is under review. He may be on a Politically Exposed Person list, meaning he is a public official or close associate of the official in another country. In most such cases, date of birth, street address and other information is limited or unavailable. Charles Taylor is not an uncommon name in the US so a “hit” may generate many false positives that require review. With little information to disqualify the false positives at the start, the hits would create an operational burden for the operations team. Combine this “common name problem” with the fact that a Charles Taylor is on the OFAC list. The complicating factors that arise become clear, constituting the factors and challenges that make sanctions compliance anything but simple and straightforward.
Constructing a sanctions compliance program includes several factors. They include the type of business conducted, location of the business, whether it exports goods and services across borders and, of course, what the organization’s appetite for risk is. For businesses located in the United States, the sanctions compliance program can be fairly clear. Compliance with the regulations of the Office of Foreign Assets Control (OFAC) is mandatory and, without exception, a program must be constructed and implemented. OFAC requirements apply to everyone in the United States in all kinds of businesses.
Risk-based approach to compliance is the best route
In addition to OFAC’s list of “Specially Designated Nationals” (SDNs), lists maintained or derived from the requirements of other government agencies must also be considered, including lists of Politically Exposed Persons and other enforcement lists of various agencies. The Arms Expo Control Act (AECA) and the “Debarred” lists of the US State Department are examples. The U.S. Departments of State, Commerce and Treasury determine that entries on their respective lists are a potential threat to domestic export control requirements and “Denied Persons” list of the U.S. Commerce Department’s Bureau of Industry and Security(BIS). BIS targets companies that export goods from the US. Its lists must be reviewed to see if they apply to a business. For a financial services institution, OFAC compliance in large measure depends on the geographic scope and nature of the business customer and who its customers are. As with many areas of financial and business regulation, the answer is usually found in a risk-based approach.
For businesses outside the financial services arena, pinpointing the lists that merit priority can be difficult, but a risk assessment based on factors such as geography, export activity, type of products and customers usually leads to the right compliance decision. Several best practices, guides and questions should be kept in mind:
Key questions that test sufficiency of compliance program
1: Are the operational, risk and legal teams synchronized and collaborating?
- Sanctions program decisions should be a joint effort. None of the teams in an organization can effectively perform its job or make decisions without considering what the other team is doing.
- Give due weight to the significant risk faced by the organization if operational procedures are not aligned with the overriding policies.
- It may be easy to write a policy, but putting it into operation is often difficult, especially if there are conflicting views or a lack of good communication among the teams.
- Controls, such as the settings of the filtering software and false positive rules, should be consistent with the policy standards. Are the standards reflected in the procedures? Do they clearly reflect the risk-based approach of the organization?
- The risk and legal teams must sufficiently understand the operational process so they make informed decisions and provide proper guidance. The effects on the organization of a policy decision must be considered before, not after, a program is implemented.
- If, for example, the legal team decides the Australian National Security’s terrorist organization list must be screened, it should provide direction on how to handle a match beforet list implementation begins. Must a match be reported to a regulatory agency? Are there reporting timeframes? Should the organization end its relationship with the matching party or only conduct “enhanced monitoring”? Is enhanced monitoring defined? What is the escalation process for final decisions? Collaboration is critical in making operational decisions that support the objectives specified in the organization’s policies.
2: What identifying information is available to determine matches?
- A financial institution likely has four data points of its Customer Identification Program or CIP: name, address, date of birth (DOB) and identification number. All of them help to prove or disprove name matches, but that is only part of the task.
- If additional data points are not gathered, can the organization start gathering them for future screening? Aside from name, DOB or age is by far the most valuable information to help with OFAC and other alert clearing. It is no accident that the great investigative agencies, such as the Federal Bureau of Investigation, New Scotland Yard and IRS Criminal Investigation, consider date of birth one of the crucial facts in pinpointing a person’s identity. Depending on circumstances, adding a date of birth filter can reduce false positive reviews by 50 to 90%.
3: Has proper attention been given to the research tools that help with alert clearing?
- The less information that exists about a party, the more likely it is that an outside information source is required. Free open sources, such as Google or Personlookup.com, may provide missing data about a party. Otherwise, the organization should consider purchasing research tools from existing providers.
- Each list against which screening is conducted may require a different research source and distinct operational procedures.
It is crucial to understand internal risk, strategy
There are no easy answers to the questions the organization, including the legal team, may have. There is no help hotline for questions about the requirements of lists that jurisdictions publish. Much time may be required to find necessary information. Often, vendors will suggest that multiple new lists should be maintained. More lists are not necessarily the answer. Instead, a good understanding of the organization’s risk and strategy and a determination of how, or if, additional lists are consistent with the risk and strategy are key first steps.
The organization should understand the operational impact and risk of adding sanctions lists. The approach that “more lists are better” is a fallacy. If more lists bring resource constraints and the organization is not prepared to handle them, risk can increase. Taking on new operational burdens can be more detrimental than not including a list in the program. In addition to analyzing the impact, the new lists should be reviewed for risk and strategic fit. By understanding the impact of these factors, the organization’s oversight and operations teams can plan a successful launch of added sanctions lists and remember that:
- Difficulties arise in navigating and understanding sanctions lists and their regulatory applicability when websites are in a foreign language, as is often the case,
- Vendors offer watch lists to their corporate customers without providing details of the entities on the lists or of the source of the lists,
- Guidance provided at compliance forums is often very limited. For example, the ACAMS forum posts inquiries from compliance officers who ask for global sanctions guidance, but the responses are slim.
Risk versus cost should be weighed when considering additional lists.
- It may sound like a simple solution to take a risk-averse approach and screen all sanctions and enforcement lists, but remember that the organization’s costs rise with each list, especially global lists. Building a process to handle each type of alert and match is not quick, easy or inexpensive.
- In the U.S., it takes an analyst up to five times as long to clear an alert for a non-U.S. party than for a U.S. party, depending on the operational plan and availability of data.
- It can be onerous to stay abreast of regulatory changes in U.S. sanctions programs. Consider the maintenance required to screen for the sanctions programs of multiple countries. Is it advisable to review list applicability and changes in regulatory direction annually or to try to stay abreast of updates throughout the year?
- Many sanctions lists contain the same entities. Determining match risk mitigation strategies addresses this possibility. The testing process should highlight this crossover and the impact on operations.
Compliance is a major mission and failure leads to risks, possible calamities
There are many operational facets of sanctions compliance management. Sanctions compliance is a major undertaking and failures can lead to compliance, legal, reputational, criminal and operational risks and calamities. Inadequate sanctions compliance can lead to civil money penalties, criminal prosecution and regulatory consequences. U.S. regulators are the most active of all global agencies in levying money penalties and pursuing actions against entities worldwide. U.S. sanctions agencies, such as OFAC, have levied billions of dollars in penalties against organizations, as in these examples:
- 20, 2015 – Crédit Agricole Corporate and Investment Bank was penalized by OFAC for more than $1 billion, mainly for sanction violations. https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20151020_cacib.pdf
- March 12, 2015 – Commerzbank AG suffered OFAC money penalties and forfeiture of $1.45 billion. The penalty was part of a global settlement among Commerzbank, OFAC, the U.S. Department of Justice, the New York County District Attorney’s Office, the Federal Reserve Board of Governors, and the New York Department of Financial Services. Sanctions violations came from 1,596 transactions with SDNs and with U.S.-sanctioned nations, Burma, Cuba, Iran, and Sudan. https://www.treasury.gov/resource-center/sanctions/CivPen/Documents/20150312_commerzbank.pdf
- The U.S. sanctions-related laws and regulations are by far the most actively enforced and create the highest standards for sanctions compliance and enforcement. Anyone that does business in the U.S. should be diligent about their sanctions compliance program.
Sanctions laws and regulations have wide applicability and impact all businesses. Global sanctions apply not only to banks but to any company that does business abroad. Thus, the need for global sanctions compliance is expansive. In view of this great impact, a thorough sanctions program can help a business avoid regulatory, legal and reputational problems.
Businesses must have a clear and consistent risk assessment program to determine the sanctions risks. They should apply risk assessments comprehensively. The operations team should create policy-driven procedures that address all global risks and operations. Adding more lists to a program is not always a sound path. Following these steps may ensure the existence of a good sanctions program.
* Debra Geister, Founder and CEO of Navigator Consulting Group, LLC, New London, MN, is a career compliance professional and member of the SanctionsAlert.com Advisory Board. She works with institutions and organizations of all size and scale assisting them with sanctions, anti-money laundering and risk mitigation programs. She has served as a BSA and OFAC Officer and led banks out of regulatory orders. She has been an Advisory Board Member for the American Bankers Association and a faculty for the ABA, ACAMS and ACFCS.