Matching up a name on a database to a government sanctions list is only the first line of defense against doing business with an individual or corporation or country prohibited by the US or another foreign government. Based on the $102 million in civil penalties, the US Office of Foreign Assets Control (OFAC) imposed so far in 2017 alone for violating US sanctions policies, financial firms of all sizes are apparently failing to meet their responsibilities to verify the accuracy of any names which match those on a sanctions list.
Anti-money laundering experts acknowledge that the process of sanctions compliance a tangled web and warn that it could become even more tangled this year. The Trump administration has promised to ease sanctions against Russia, but to impose stricter ones against Iran and Cuba. Every change to current policy raises the potential for errors in interpretation and enforcement. “Although we don’t have the final details and are not even certain there will be adjustments, we are forecasting a number of possible scenarios so that we can adjust our sanctions compliance program,” says the AML director of one US bank.
Financial firms have more to worry about than just OFAC. That unit of the US Treasury isn’t the only enforcer in town. Federal banking regulators, the Financial Crime Enforcement Network (FinCEN) unit of the US Treasury, and state enforcement agencies also keep a watchful eye on sanctions compliance. On March 1, the New York Department of Financial Services warned that any banks doing business in New York must attest to the effectiveness of their sanctions compliance program as part of a solid overall AML program. “If we don’t get nailed by OFAC, the DFS might be getting ready to pounce,” bemoans the AML compliance director.
Sanctions compliance is one of three critical pillars of a financial firm’s anti-money laundering program. The others are know-your customer and transactions monitoring. One way or another, a financial firm needs to make sure that no business is conducted with any country, individual or corporation on a prohibited list. Financial firms can do business with politically-exposed people as long as they rate the individuals as higher-risk and more frequently scrutinize their activities. The financial firm must also report any transactions it suspects relate to illegal activities, such as money laundering or terrorist financing, to a regulatory agency. In the case of the US that is FinCEN.
Although sanctions compliance and transactions monitoring teams typically report to the same AML director, their responsibilities differ in two important aspects: the speed at which compliance must take place and the extent of such compliance. In the case of transactions monitoring, a financial firm might have at least thirty days to investigate and file a SAR. It is likely to file even more SARs than necessary to avoid regulatory penalties. When it comes to sanctions compliance, every little bit counts and there isn’t much time to make tough calls.
Presumably, a financial firm will catch whether an individual, company or country is on a sanctions list at the time it onboards the customer. However, sanctions compliance also applies to wire payments for individuals or companies. Given that financial firms may have hundreds of wire transfers each day, the potential for missing just one sanctioned payment is high. Catching the culprit is just the start. The payment then has to be blocked and a report filed to one or more regulatory agencies, including OFAC.
“Financial firms have to quickly determine whether a wire payment is legit so it can pass through their doors or be blocked,” explains David Kwan, general manager and global vice president of AML solutions for AML technology provider Nice Actimize in Hoboken, New Jersey. “They could have anywhere from a few minutes to a few hours in which to make a decision. And allowing even a single transaction to slip through the cracks will be enough to trigger a regulatory fine.”
The OFAC list is often cited as the most comprehensive list that every financial institution will likely review before allowing a transaction to pass through its doors or an individual to sign up. As long as a payment is originated in the US, is received in the US, or passes through the US, OFAC’s rules apply regardless of where the financial firm is located. The same applies to any US person anywhere in the world as well as the foreign subsidiaries and branches of US companies. The other three must-check lists are the European Union sanctions list, the United Nations sanctions list and the UK’s sanctions list. There are several dozen more lists reflecting individual country lists.
How does a bank or other financial firm know whether its customer is legit or the wire payment is legit. There are plenty of software firms, including Nice Actimize and Accuity, which sell filtering software that matches up the name on the financial firm’s roster with the name on a sanctions list. Some data vendors, such as SIX Financial Information, also produce a single daily updated list of information on sanctioned companies and their issued securities based on consolidated data from multiple government sources.
Despite such available tools, several New York-based AML managers tell FinOps Report that false positives are more common with sanctions filtering than with transactions monitoring software. No one would specify the percentage, but AML managers insist that only a handful of annual hits are true positives. “The filtering software depends on the accuracy and depth of information on a sanctions list in the first plance and within the firm’s own databases,” cautions Natasha Taft, a former US compliance head for several foreign banks who now runs her own AML consultancy in New York. “There could be discrepancies in how names or spelled, incomplete information on names and other disparate data.”
Differences can be dramatic and the most common names will generate the most grief. “Take the first and last name Muhammed. There are several dozen variations depending on the country of the individual’s origin,” says Debra Geister, managing director of AML advisory services for financial crime consultancy Matrix-IFS in New York. “In the case of a common name such as Juan Martinez or even Charles Taylor, there even could be several hundred listings on a sanctions list.”
Given that the percentage of false positives is so high, a financial firm is left to make a tough decision. Just how much more research does it want its sanctions analyst to do to track down whether or not the individual or company is legitimate. Time is money. An analyst can take a further look into the rest of the information available. That means the individual or company’s address, the birthday of the individual or its country of residence. “If any of those match up to the information on the sanctions list the financial firm or is within a certain accepted deviation the analyst must then decide there is enough information to block the transaction and notify the regulatory agency on whose name the list appears,” says Geister. “Or the analyst can decide to do more research.”
False positives aren’t a financial firm’s only worry. “The specific name of a company or a transaction might not appear on a sanctions list, but that doesn’t mean the financial institution can accept the payment or transmit the payment,” explains Henri Balani, global head of strategic affairs for AML software provider Accuity. “OFAC and other regulatory organizations have indicated that if fifty percent of a company is owned by individuals or parent firms on sanctions lists the company itself is also persona non-gratis. So is its payment.”
Hopefully, the financial institution will have established a consistent set of data policies and comprehensive sanctions screening procedures across an organization. Likewise, a robust oversight program. Unfortunately that’s not always the case. Procedures could differ dramatically by business line or geographic region. Even worse, analysts responsible for monitoring sanctions lists are often inadequately trained. “In some cases, because of the heavy volumes of transactions and number of sanctions lists that must be reviewed, banks will hire inexperienced staffers to save a buck,” says Taft. “In other cases, they will outsource the sanctions screening process to offshore locations also to save money.”
At best even the most qualified staffers might not go the extra mile to verify the identity of the originator of the wire transfer and its beneficiary. Wire transfers which pass through the global network operated by the La Hulpe, Belgium-headquartered SWIFT often don’t clearly indicate the originator or beneficiary of a payment because they haven’t been required to do so. European Union’s new fund transfer regulation is now requiring that any transfer of funds made by a financial institution within the EU or between Europe and another country include complete information on who is sending the payment and for whose benefit.
However, SWIFT won’t be eliminating its free formats within the messages to indicate the originator and beneficiary of a payment until 2020. That delay is necessary to give financial firms sufficient time to prepare but leaves them with two short-term options. They can review only the transactions which are flagged through any sanctions filtering system or they can review each wire transfer manually. Chances are financial firms will do only the former so there is no way to know what percentage of transactions that would otherwise be prohibited actually slip through the cracks.
Why are financial firms resorting to such ineffective compliance considering regulatory fines are so high? Cost is likely the biggest factor. Yet another: the belief that sanctions are an anathema. Governments often impose sanctions to retaliate against trade restrictions, to change a country’s conduct, or to change a regime. “Everyone can agree that transactions monitoring can reduce the potential for money laundering and terrorist financing,” says Ross Delston, a Washington DC-based attorney and AML expert. “However, some foreign banks take the view that the US is imposing sanctions simply for political reasons so why should they comply.”
Yet other banks may think they don’t have to worry about blocking a transaction and reporting it to OFAC or another regulatory organization. They can always count on another bank in the payments chain to do so. However, legal experts caution that OFAC doesn’t let anyone off the hook. Every bank which has touched a wire transfer is responsible for filing a report with OFAC or another regulatory agency regardless of which bank blocked the transaction.
Do the Basics
Given that the need to ensure compliance with sanctions is so high, what’s a financial firm to do? OFAC doesn’t require financial firms to implement specific sanctions compliance programs. Nor will it determine the suitability of a program. However, it does warn that financial firms should take a risk-based approach in coming up with the right mix of technology and workflow process. “Establishing a global risk-based model with consistent sanctions filtering rules and procedures will go a long way,” recommends Kwan.
However, determining how much a filtering system should be calibrated is subjective. “Producing as few false positives as possible sounds like the best idea. But that is only if the financial firm is willing to take a risk that one might slip through the cracks,” cautions Balani. “Financial firms may ultimately decide to cast a wider net even if that means more false positives.”
Training analysts in how to detect false positives, do additional research, when to block a trade and when to report to OFAC or another regulatory organization should be part of the sanctions compliance program. “Ultimately, the analysts involved in sanctions compliance must think far more quickly on their feet than the ones involved with transactions monitoring,” says Kwan. “Having foreign language skills and familiarity with foreign cultures is far more criticial in sanctions compliance than in transactions monitoring where an investigative nose is required.”
One of the most common mistakes financial firms make in sanctions compliance is delinking the know-your-customer process from sanctions compliance. Taft recommends financial firms establish correct onboarding policies and alert the staffers responsible for onboarding a customer or institution that when a wire transfer has been blocked or a report filed with OFAC or another regulatory agency. Doing so would put the client in a higher risk category for more frequent transactions monitoring in the future or might even prompt the bank to ask the client to take its business elsewhere.
Perhaps the most difficult lesson a financial firm should learn when it comes to sanctions compliance is to never let its guard down. Too often banks engaged in low-risk businesses or regions might think that because they have never filed an OFAC report, chances are they will never have to. “All of the false positives they have experienced through sanctions screening proves they have nothing to worry about,” says Geister. “Such an attitude couldn’t be further from the truth. Just when they think they are in the clear, a sanctions violation will likely occur.”
Banks also need to remember that their sanctions compliance programs will be scrutinized every time they or another bank files a report with OFAC. “OFAC can decide to investigate the actions or inactions of all of the banks in the payments transfer chain, not just the bank which blocked the payment and filed the report,” says Kwan.
Regardless of how a financial firm decides to handle its sanctions compliance, one thing is certain. It can’t afford to play Russian roulette. “At the very least a well-documented process needs to be established. If the firm does realize it made a mistake and allowed an illegit payment to be transmitted it must still report the error after the fact,” recommends Balani. “Not reporting the violation looks as though there was an intent to commit a crime and the penalties can become a lot stiffer.”