The Wolfsberg Group, an association of 13 global banks which aims to develop frameworks and guidance for the management of financial crime risks, issued new guidance for sanctions screening earlier this year to provide financial institutions (FIs) with a stronger toolkit for dealing with money laundering, sanctions and bribery and corruption.
Since no two FIs will have exactly the same procedures for sanctions screening and their procedures can vary depending on their risk appetite, the paper examined questions surrounding best practices and how the group believes those practices should be developed.
Sanctions screening is a key control in the prevention of financial crime risk to which FIs may otherwise be exposed. It is essential that screening is implemented and maintained as part of a wider set of financial crime fighting measures, Wolfsberg wrote in its report.
In a recent webinar, Andrew Simpson, COO of CaseWare RCM, explained that compliance goals should be clear and that FIs need to evaluate their compliance programs.
“The big objective is to prevent your institution from doing transactions with any sanctioned organization or individual. You also want to be able to undertake some enhanced due diligence on high-risk customers and third parties,” said Simpson, whose company developed its Alessa software to combat financial crimes.
Simpson said Wolfsberg stressed the need for assessing risks and implementing consistent policies and procedures.
“Everyone in the organization must be clear what your stance is as a financial institution when it comes to sanctions, how it is to be treated and how you’re going to mitigate that risk,” he said.
Identifying and assessing sanctions risks
Wolfsberg recommends that FIs first identify and assess the sanctions risks to which they are exposed and implement a screening program that takes into consideration the following:
• Jurisdictions where the FI is located, and its proximity or relationship with sanctioned countries
• What international and domestic customers the FI has, where they are located and what businesses they conduct
• Volume of transactions and distribution channels
• What products and services the FI offers and whether those products represent a heightened sanctions risk, through cross-border transactions, foreign correspondent accounts, trade related products or payable-through accounts
“You need to understand what your sanction risks are, where there are risks and how are you managing those risks. In any compliance program in any financial institution or corporation, everything has to be pivoted on having strong controls,” Simpson said. “Because internal controls are what’s going to allow you to have a greater preventative approach as opposed to one where you’re always chasing and filing reports to the regulators.”
Important pillars in sanctions screening programs
According to the Wolfsberg Group, the fundamental pillars of a Financial Crime Compliance (FCC) program should be applied to screening, in conjunction with other financial crime risk prevention and control processes:
• Policies and procedures - defining requirements for what must be screened and how alerts should be handled and judged.
• Responsible person - ensuring appropriate skills and experience in understanding sanctions requirements and how these might influence screening outcomes and decisions, as well as the technical capabilities of screening software.
• Risk assessment - applying risk based decisions to determine what data attributes to screen, when to screen, what lists to use and how exact or “fuzzy” to set the screening filter. At the same time, the decision making and governance structure needs to be clearly articulated, documented and supported by analysis and testing.
• Internal controls - FIs are expected to document how their screening systems are configured and demonstrate that they are reasonably expected to detect and manage the specific sanctions risks to which the FI is exposed.
• Testing - validate that the screening system is performing as expected and assess its effectiveness in managing the specific risks.
Simpson said testing is paramount to ensuring an FI is on the right track.
“I’ve seen a lot of companies that have a sanctions screening program implemented and they really don’t know how well it’s doing,” Simpson said. “They don’t know how many transactions they screened: What’s my hit rate on that? What’s my false positive rate? Possibly even understanding what’s the root cause if you have a spike in your risk and what is causing it.”
He also pointed out that data factors into risk assessment programs.
“Everything is really driven by data and many companies have so many silos in terms of their system that they’re working with is to get data, to aggregate it, to prepare it and make it optimal for screening. That in and of itself is a big challenge; especially in situations where you’re a financial institution that has grown through acquisitions and then realize you don’t really have that single view of the customer.”
Risk based approach for compliance officers
Wolfsberg points out that a risk based approach means understanding sanctions screening can never detect every possible risk due to variables in text and the quality of the data. That means the effectiveness of screening will vary among FIs, even when they are using the same screening protocols and solutions.
FIs therefore need to include risk processes in the design, configuration and maintenance of their screening programs.
Those programs must adhere to the following principles, Wolfsberg wrote:
• Articulating the specific sanctions risk that the FI is trying to prevent or detect, such as complying with sanctioned parties or complying with local sanction laws in a single jurisdiction.
• Identifying and evaluating potential exposure to sanctions risks through an FI’s products and services and its relationships with customers. This includes monitoring cross-border payments between a range of parties as opposed to payments between parties in the same jurisdiction.
• Ensuring an FI’s screening tool includes a well-documented understanding of the risks and how the risks are managed.
• FIs must ensure screening includes information that is available in a format that makes screening more effective. For example, screening based on transactions containing only the International Securities Identification Numbers (ISIN) may be insufficient to raise an alert or distinguish between a true match and a false positive.
When considering a risk based approach for sanctions screening, screening simply against Office of Foreign Assets Control (OFAC) lists can expose an organization to increased risks. As described in the webinar, some of the associated networks of sanctioned entities do not end up on OFAC or other sanctions lists. Third-party lists can offer more comprehensive profiles of domestic and international individuals that should be avoided.
Expectations and realities of screening technology
Wolfsberg points out that screening goes well beyond a simple name matching process and requires examining data from widely disparate technologies and sanctions lists. This often means using matching algorithms and risk-based alert creation rules to ensure FIs comply with regulators.
Depending on the size of the FI, screening programs will require the use of technology to generate alerts, provide metrics and reporting, protect the data and allow for independent testing and validation.
Such programs require all departments from IT to Operations and Financial Crime Compliance (FCC) to work together to ensure productive alerts by including screening lists for relevant data, ensuring exclusions are maintained through suppression rules or “Good Guys” lists and the removal of reference data from the screening process once it is determined not to be a risk, Wolfsberg said.
The industry body added that a governance framework includes documented rationale for risk based decision making. Regular reviews of the testing regime will help ensure screening produces valid and expected alerts in accordance with the FI’s risk appetite.
“You have to be pragmatic about what you’re doing. It is important that you document that risk, document the testing and validation of that risk, especially any risk that you’re accepting,” Simpson said.
Internal technology build or vendor selection
Successfully implementing a sanctions screening application requires a financial institution to either build a screening application on its own or source a solution from a vendor. Factors such as an FI’s size, global business footprint and its own technology environment need to be included in the decision making.
Wolfsberg suggests analyzing sanction risks and functional requirements to include the sophistication of the software; availability of screening rules to ensure alert creation or suppression; the ability to manually screen in one-off situations; and, the ability to configure workflows and the availability of metrics and reporting.
The volume of data to be screened, the extent of the installation, support for data integrity processes and the ability to integrate an application into an FI’s operations are also important considerations.
In Simpson’s experience, organizations increasingly turn to vendors rather than building solutions internally because technology like machine learning and AI augments the performance of compliance programs.
He says much of today’s software uses matching algorithms to match names (and potential variations, aliases, and short-forms) with sanctioned data, negative news, internal lists, regulator lists or commercial lists, like World-Check.
Most solutions provide a “match score” so compliance officers can quickly home in on the most likely matches, investigate and confirm individuals more quickly. Identifying the right individuals or organizations means being able to more accurately identify their associations and risks.
“Once you find that there is a potential risk associated with a particular customer or beneficial owner, then you have to go and do some level of investigation. You have to make some decisions around it and importantly you need to be able to provide evidence that you did. There has to be some audit trail - Who touched it, when did they touch it, what decision did they make and what is the justification for those decisions.”
Role of sanctions in reducing risks
Sanctions screening is a key control in the prevention of financial crime risk to which FIs may otherwise be exposed, Wolfsberg wrote.
According to Simpson, many organizations have been mitigating their risk around doing business with sanctioned or high-risk individuals by changing how and when they screen individuals during the customer onboarding process.
“Over the last five years, it has become almost standard for FIs to do this. Whatever system you are using to onboard a customer, they are real-time screening requests and if there is a problem, then it puts the process in the pending state while the investigation is being done.”
Many FIs are also beginning to dynamically screen high-risk individuals when there has been a change in their profile, like a change in address, business type, or jurisdictions of wire transfers.
Wolfsberg concluded that FIs must recognize they need to meet legal and regulatory requirements while at the same time demanding the highest standards of effectiveness in the identification of sanctioned parties and locations.
“It is essential that is implemented and maintained as part of a wider set of financial crime compliance controls and within the risk appetite of the FI,” the report concluded.