We are often asked how regulated businesses can reduce the cost of ensuring that their client portfolios are free from sanctioned individuals and entities.
Checking a new client against various sanctions lists at onboarding is not sufficient to protect your business from unwittingly assisting a sanctioned individual or entity in the future because such lists are frequently and regularly updated. A client you onboarded three years ago could very well have been added to a sanctions list last month, and if you’re not checking regularly, you could very well be helping them and thus be in breach of those sanctions.
For those unfamiliar with sanctions lists, they are lists of individuals and entities that have been identified by the UN, the U.K., and the U.S. (and other governments) as from, or owned or controlled by, specific countries or individuals or groups that are participating in terrorist activities or narcotics trafficking. There are many sanctions-checking service-providers (sometimes known as “list-providers” or “risk-screening solutions”) on the market on to whose platforms you can upload your client database to “batch-check” your clients’ names against those on their lists. The service provider will then provide you with a list of possible name matches. Sounds simple enough, but this is where the real challenge begins.
Larger businesses with thousands of clients will often receive a long list of so-called “possible name matches,” but often these are the result of false positives: for example, if you find yourself with a client with an identical or similar name to one on a sanctions list. Your compliance team is then tasked with reviewing your files and documenting sufficiently the review they performed that led them to determine that your client and the sanctioned individual are not the same person.
Even a small firm with only a few hundred clients is unable to check sanctions lists manually against all its clients. To do so would be to overwhelm its compliance staff (usually one person); and that, of course, in turn risks slowing down the day-to-day operations of client onboarding.
Cost is also a major consideration: the more lists you check, the more it costs. Obviously you want to ensure you are not breaching international sanctions, but many regulated businesses tick the “check-them-all” box when they sign on with a service-provider – and some of these service-providers generate lists that are much more than just sanctions lists. Although it’s commendable that you want to ensure your clients are not up to no good in areas not necessarily connected with international sanctions, the more lists you check, the more false positives your staff will have to investigate.
Some regulated businesses check third parties to transactions. Although not their clients, they feel the need to mitigate the risk to their reputation should they be assisting their client with a sanctioned person on the other side of the transaction. Again, while perhaps a good idea from a reputational standpoint at the time of the transaction, there is no need to continue to monitor the third parties after the transaction.
Your compliance staff are not alone in the process. Your IT team also need to ensure they are aware of the importance of international sanctions. If they have developed their own sanctions-checking system, they should have to prove to you at inception, and then regularly re-prove, the effectiveness of that system and its procedures. Another tricky aspect of the sanctions-checking process can be calibration. If you have bought a “fuzzy matching” feature to cover misspellings and phonetic similarities to your match-screening process, your false positives can go through the roof. Conversely, if your batch sanctions check is responding to too few alerts, you may be missing real matches. Too many and you’re overloading your compliance analysts and risking human error with information overload and a slowdown in compliance operations.
The basic means to reduce risk of being an unwitting party to a sanctioned person’s transactions, while at the same time also reducing some of the workload and risks that come with international sanctions checking, are these:
- Automate – The days of paper files for client due diligence and Excel spreadsheets to track higher risk clients are over. You need to organize your client data into a system and automate the process. For those already in a system and ready to move toward a more automated process of sanctions-checking, start by ensuring your client data is complete and accurate. Check for misspellings, accurate dates of birth, and nationality. These can all help reduce false positives (or achieve real hits) in the name matching process.
- Batch-Check – Sign on with a trusted, well-known service-provider and start batch-checking your entire client database. And identify who in your database is to be checked regularly; it’s no good batch-checking long-inactive clients or third parties after the transaction is complete. Once the possible name matches are reported to you, make sure your compliance team is taking immediate steps to conclude whether your client is the one listed on the international sanctions lists; and if not, to document the justification for its conclusion.
- Calibration – Control and know which lists you are checking; and, just as importantly, which lists you are not, and why. To reduce cost, opt out of non-international sanctions lists for regular screening. Although you can batch-check your negative news/media lists less frequently, you still need to do so regularly.
It is a good idea to make sure that everyone understands the importance of international sanctions. Therefore include, at a minimum, awareness training for all staff, not just for your compliance and IT teams. Include in your AML compliance policies your international sanctions-checking procedures on possible name matches and how to review and document false positive reviews. If a name-match review comes up with a positive hit, set out the steps which the compliance analyst must take to report to your MLRO and those that the MLRO must take to file a SAR; also, how ongoing communications with any affected client must be handled.
Finally, retain the record of your batch-checking name results for your regulator. Be able to show them how often you perform sanctions-check reviews and as well as the results of those reviews. Importantly, be aware of and sensitive to the workload your compliance staff are struggling under.
International sanctions checking will never be an easy process and the costs of list checking will only increase as time goes on. But failing to check its client database against sanctions lists is no longer an option for any regulated business that wants to stay free of penalties and reputational risk.