For financial institutions, inadequate sanctions screening can be risky
For financial institutions, screening customers for sanctions violations has become an increasingly important component of standard anti-money-laundering (AML) protocols and know-your-customer (KYC) due diligence. Yet many institutions do not regularly review their sanctions screening processes and fewer still take active steps to improve and strengthen their compliance procedures.
They have their reasons. Almost all compliance teams face the twin pressures of bandwidth and budget, after all, and while most entities want to do the right thing, it can be difficult to assess when safeguards are sufficient and when they are not.
Unfortunately, the consequences for inadequate sanctions screening have never been more punitive. Regulatory scrutiny surrounding sanctions is stricter than ever and penalties for noncompliance can cost companies millions of dollars. Furthermore, a new presidential administration means U.S. sanctions are currently in a period of flux — a period, that is, when the possibility of an inadvertent sanctions violation is at its highest.
Sanctions under Biden
In the U.S., the Office of Foreign Assets Control (OFAC) administers and enforces sanctions against countries or groups of individuals (such as terrorists or human traffickers) whom the government has deemed a threat to national security or the international order. Every presidential administration exercises its sanctions power differently, however, and the Biden administration is no exception.
Whereas the Trump administration sought to undo many Obama-era policies involving such countries as Cuba, Iran, and North Korea, the Biden administration is taking a much more measured approach to sanctions. According to Adam Frey, senior managing director of K2 Integrity, a risk-management consulting firm that specializes in financial integrity, the Biden administration has lifted some sanctions and issued new ones and the decisions to do so are often based on emerging political realities on the ground. For example, recent events in Russia, Hong Kong, and Myanmar have prompted several sanctions-based diplomatic responses.
“In response to China’s activities in Hong Kong, the Biden administration recently issued several new sanctions and issued an official advisory to U.S. businesses operating in Hong Kong, in addition to an advisory related to Xinjiang that could impact supply chains,” Frey says. Frey also noted that while the Biden administration has lifted the Trump-era bans on TikTok and WeChat, the administration actually expanded the list of banned Chinese military and surveillance companies to 59, up from 44 during the Trump administration.
Russia, too, has been the recipient of additional sanctions intended to curb what Treasury Secretary Janet Yellen calls Russia’s “malign behavior” in several areas. The new sanctions include a prohibition against U.S. companies participating in the Russia bond market and a trade ban involving six Russian tech companies. Several Russian Intelligence Services agencies have also been sanctioned for “malicious cyber activity,” including the late 2020 SolarWinds cyberattack and Russia’s ongoing disinformation campaign to disrupt American democracy.
Challenges to sanctions compliance
Historically, Iran, Syria, Cuba, and Venezuela are the countries most likely to involve U.S. companies in a sanctions violation but there are hundreds, if not thousands, of other sanctioned individuals and entities of varying types that could trip a company up — and that, says Frey, is the biggest problem facing financial institutions seeking to remain compliant.
“Regarding sanctions, the biggest challenge facing financial institutions is the sheer complexity and variety of sanctions out there,” Frey explains. “Some sanctions are targeted at countries and some at individuals. Some are very broadly based and some are extremely nuanced. Then there are sanctions involving arms embargoes and human rights violations, and they are all constantly changing, sometimes by the day. Not everyone can be a sanctions expert and no one person can keep up with it all, which is why it is so important for financial institutions to have an effective sanctions compliance program in place.”
When it comes to sanctions, however, compliance is a squishy concept — one made somewhat squishier by the fact that OFAC does not specifically require companies to have a sanctions compliance program; it simply encourages one. If a company without a compliance program is caught in a sanctions violation, however, OFAC’s penalty will likely be harsher and the company will often be required to create a compliance program as a condition of its settlement with OFAC.
OFAC’s gray territory
For companies to avoid such a fate, OFAC “strongly encourages” companies to use its “framework” for effective sanctions compliance programs. OFAC’s framework includes management commitment, risk assessment, internal controls, testing, auditing, and training. But OFAC does not provide specific guidelines about how to implement or maintain such a program, preferring instead to allow organizations to develop programs based on their own individual risk appetites and other needs.
This lack of specificity on OFAC’s part leaves a great deal of gray territory, says Irene Kenyon, director of risk intelligence for FiveBy Solutions — territory that, if ignored, can greatly increase the possibility of a sanctions violation and consequent penalties.
“Too many companies just do the bare minimum to avoid a penalty, not what they should be doing to build an effective compliance program,” Kenyon says. “What we see is companies that say they have a compliance program but are failing to effectively use screening tools that already exist or that they already have.”
For example, Kenyon says, most sanctions compliance programs rely on some sort of software screening tool that allows financial institutions to determine if a potential client is on any of OFAC’s official sanctions lists, including its Specially Designated Nationals and Blocked Persons (SDN) lists. Unfortunately, says Kenyon, simply checking to see if a company or person shows up on a list is only the first step in effective sanctions compliance. In fact, she says, relying too heavily on an automated screening tool can lull companies into believing they have done their due diligence when they really haven’t — a false sense of confidence that can be costly.
“The problem comes when bad actors use evasion methodologies and technologies to avoid detection,” says Kenyon. “For example, one company may not be on the sanctions list but can be more than 50% owned or controlled by a company or someone that is. Automated screening can also miss shell and shelf companies created specifically for sanctions evasion and whose ownership is not clear.”
Searching for names in foreign countries can be problematic as well, says Kenyon, because different countries use different languages and alphabets. “One typo can result in a missed screening,” says Kenyon, who is fluent in Russian. “Last year, Amazon was penalized by OFAC for, among other things, failing to screen for common Russian spellings of Crimea, such as ‘Krimea,’” Kenyon notes. OFAC’s report also cited “hundreds of instances” when “Amazon’s sanctions screening processes failed to flag the correctly spelled names and addresses of persons on OFAC’s SDN list.”
Tools and training are key
To avoid such situations, both K2 Integrity’s Adam Frey and FiveBy’s Irene Kenyon agree that financial institutions need comprehensive compliance programs that pair the most technologically advanced screening tools available with professionals who are adequately trained to use them.
“Every good compliance program needs that human element and training is key,” says Frey. “Furthermore, the training needs to be ongoing and continuous at all levels. Banks and other financial institutions need to make sure people on the front lines know what they’re looking for.” And when something suspicious is flagged, Frey says, “there needs to be layers of accountability, where a ‘hit’ by the screening system gets escalated to a further level of review. At the end of the day, compliance can’t be all people or all technology, but combining the two is always a balancing act.”
Best practices for proactive sanctions compliance
At a minimum, financial institutions that want to be proactive about sanctions compliance should incorporate these elements into their compliance programs, say Frey and Kenyon:
- Make sure there is management buy-in at the top for maintaining a comprehensive, risk-based program that goes beyond OFAC’s guidelines.
- Assess the best screening tools available based on the financial institution’s risk profile and make sure people on the front lines are trained to use them correctly.
- Annually test and validate the performance and setup of the screening tool.
- Understand the organization’s risk profile and where its business interests intersect with potentially sanctioned countries, companies, or individuals.
- Be proactive about gathering beneficial ownership information and identifying entities that may be owned by sanctioned individuals but that don’t necessarily appear on OFAC’s lists.
- Expand sanctions-based KYC protocols to include denied-party screening, negative news monitoring, known criminal associations searches, and other types of information that OFAC does not cover.
- When dealing with foreign entities, engage experts who know the language and business culture of the region to avoid errors of misunderstanding and ignorance.