Sanctions – ensuring robust screening and due diligence

Posted: 25th June 2018

The geopolitical reality of sanctions is continually evolving in line with international and national policy changes. Many Boards understand the importance of a sanctions programme and rely on subject matter experts to guide them through the turbulent sanctions landscape. A few recent changes that have had an effect on the UK include:

•    Policing Crime Act 2017 - the power to impose monetary penalties by the UK government for sanction breaches. 

•    Sanctions and Anti-Money Laundering Act 2018 - On the 23rd May 2018, the Sanctions and Anti-Money Laundering Act 2018 gained Royal Assent, which will allow the UK to comply with their international obligations post-Brexit.

•    Global events - Recent headline events have had an effect within the UK, including the announcement of renewed US sanctions against Iran following Trump administration policy on the US-Iran nuclear deal. Many are also following the news in relation to US-North Korea talks and how the sanction landscape may respond.  

Firms have an acute awareness of US sanction enforcement policy and cannot afford to be complacent. The US has built a strong reputation for strict enforcement of those who breach US Sanctions. In the last eight years, the Office of Foreign Asset and Control (OFAC) distributed fines ranging from $12,500 to $8.9 billion, with an overall total of $15.4 billion.

The Office of Financial Sanctions Implementation (OFSI) was formed in March 2016 as part of Her Majesty’s Treasury (HMT) to oversee the implementation and enforcement of domestic and international financial sanctions in the UK. OFSI has the power to punish institutions for breaches of financial sanctions including monetary penalties, asset freezing, direction to cease all business and restrictions on a wide variety of financial markets and services. The guidance published by OFSI in May 2018 provides a penalty decision process that includes one or more of the following factors:

• The breach involves economic resources or funds made directly to a designated person  
• There is evidence of circumvention or other arrangements to circumvent the legislation  
• A monetary penalty is proportionate and appropriate
• The person has been requested to provided information and has not complied.

Since April 2017, OFSI has been able to impose penalties for serious breaches of up to £1m or 50% of the breach, whichever is higher. The penalty powers apply to offences committed after the 1st April 2017.

In 2016, just over one hundred suspected breaches were reported to OFSI, 95 of which were actual breaches, totalling around £75 million. The largest breach of financial sanctions included business that was worth around £15 million that would have cost the company a 50% fine of £7.5 million under the new regime. By legislating to ensure that OFSI has the powers it needs to hand out penalties, the UK government, through the Policing and Crime Act 2017, is sending a clear message that it will not tolerate breaches of the financial sanctions regime.

Circumventing sanction controls 

Continuing legal and political changes are not the only challenges for firms. Many companies are at risk of adopting a routine “tick box” approach to sanctions that involve basic and rather limited screening checks. Firms should consider the indirect threat of sanctioned customers circumventing inadequate controls in order to obtain financial services. 

In March 2018, OFSI highlighted that there had been a 30% increase in the number of targets on the “Asset Freeze List” relating to North Korean sanctions. OFSI underscored that individuals and groups from North Korea had circumvented international sanctions to gain access to the financial system by masking their activities. The legal and reputational risk of non-compliance with sanctions is significant. Managing the threat effectively through a robust sanctions compliance programme is critical. Firms should assess the risk of being indirectly targeted by sanctioned customers operating under a veil to avoid detection.

There has been ample speculation on how OFSI will approach sanctions enforcement to comply with UK interests and if they will be as robust as the US’s OFAC. It may be early days for an accurate comparison, but Rena Lalgie, Head of OFSI, has commented:

 “We’ll continue to provide information and guidance to business, industry, the public and charitable sectors to facilitate compliance with financial sanctions. However, we will issue penalties for serious breaches and we won’t hesitate in referring the most serious cases to law enforcement agencies.”

Sanctions screening is a firm’s primary defence against any breaches, protecting them from fines and other regulatory sanctions. The tuning of sanctions screening should be aligned with the risk profile and appetite of the firm.

Firms should consider five key areas to improve within their sanctions screening:

1. Risk assessment - Assess the risk your firm is exposed to through your customer base and line of business. Implement a risk scoring system that is linked to your risk appetite and will take into account your systems and controls. Consider and assess the geographic exposure to nearby sanctioned countries.
2. Screening sources/lists - Using the right sources to perform your screening is vital. There needs to be in-depth research and understanding of the different sources of sanctions as well as effective list management. If you decide to outsource the screening, you need to understand your provider’s methodology and define rules that are tailored to your business and risk appetite.
3. Automation and rule-based approach - A defined screening process with a rule-based approach can help firms keep an eye on the sensitive areas of the business. These areas could be those that cover sanctions, fraud, anti-bribery and corruption, or simply be those areas that require constant scrutiny. The world is moving towards Robotic Process Automation (RPA) and Artificial Intelligence (AI) to make these processes easier, reduce costs and avoid human error.
4. Data quality and fuzzy matching capability - A first-class and regularly updated system is only as good as the quality of the data you input. If you store the data for your clients in different repositories, sources or formats, it will make the screening difficult to automate. Equally, if the data you own is wrong, unreadable or simply missing, you will not be able to perform your screening. The data needs to be cleansed, enriched and formatted correctly to be able to match against the various sanctions lists and sources, thus reducing your false positives and false negatives which may oppose an equal risk.
5. Understanding the customer with enhanced due diligence - Understanding your customer base, agents, third parties and areas of concerns (e.g. geographic, business type) enhances the screening process and prevents breaches. North Korea, for example, utilises complex structures with front or shell companies to hide beneficial ownership. Business Insider reported that North Korea shipped coal to Russia, which was then shipped to South Korea and Japan to evade US Sanctions.

Additionally, be prepared for when the regulator visits and requires evidence of your governance, policies and procedures. Processes should be documented and roles and responsibilities must be defined to ensure appropriate governance is embedded within the organisation. The efficiency of the compliance programme should be assessed regularly, periodic reviews should be in place and the risk exposure should be assessed and communicated to all relevant departments.

An end-to-end workflow solution that handles your customer journey from the onboarding process will mitigate sanctions risk, enhance customer experience and improve overall efficiency.

Firms that embrace technological capabilities will be able to sustain political changes and be able to identify the evasion methods used by sanctioned entities more efficiently.