
The frontline of payments compliance: sanctions and terror financing

Updated: Dec 5, 2023

Why technology is needed to deal with fast-changing rules and increased complexities


Sanctions and counter-terror finance (CTF) screening have become a more demanding area of compliance. Sanctions lists used to be relatively static. Following the Russian invasion of Ukraine, they are now perpetually changing.

Unsurprisingly, it’s becoming challenging for firms to maintain adequate sanctions compliance based on existing in-house expertise and systems. Firms are now turning to external parties and, increasingly, technology to keep up to date with the pace of change, and put in place compliance systems that operate interactively, in real-time and 24/7.

While using new technology and/or service providers is proving vital to remain compliant with sanctions, “outsourcing performance” of such regulatory tasks requires careful management. What, therefore, are the requirements around sanctions and CTF screening and how can firms best use technology solutions to adequately discharge these responsibilities?

Outline of required processes

Firms need to check clients, customers and counterparties against lists of sanctioned persons (both natural and corporate) based on various official lists (UN, USA, UK, EU, etc.) at:

  • Onboarding;

  • Regular intervals to ensure an existing client, customer or counterparty hasn’t been added to the list of sanctioned persons (given the increased changeability of these lists, this now has to happen more frequently than in the past); and

  • In advance of processing transactions, both receipts and payments out.

Although Anti-Money Laundering (AML) and CTF are referenced together as if they are the exact same thing, they differ quite markedly:

  • AML is performed after a transaction has been processed. Money laundering often requires a pattern of behaviour to be discerned. And materiality limits apply; so low value money laundering is often not identified.

  • But CTF is more akin to sanctions screening: it must take place before the transaction is processed, has no lower limit (terrorism is cheap) and suspected sanctions funds need to be seized. For example, some entities viewed by some parties as charities or legitimate political actors are viewed as terrorist fronts by sanctions designating authorities (e.g. Hezbollah).

Technology systems

To cope with today’s global risks, CTF / sanctions screening requires dedicated, sophisticated systems to perform checks and monitoring. Core features of systems include:

  • Fuzzy logic: A way to disguise sanctioned persons is to change a character or two in the name (perhaps using numbers or characters from other alphabets) so they appear to be the names on-boarded but don’t match exactly the name on the sanctions lists. So, screening software is tuned to identify close matches using fuzzy logic. But if the sensitivity is too high, the matches become unmanageable. Too low, and actual matches are missed. So, this is often an area that requires continuous and careful fine-tuning to appropriately address risk-profiles and appetites.

  • White lists: List of entities/persons that have been screened and identified as false positives, so they don’t need to be re-screened each time. This is particularly important to ensure that human intelligence and judgement is expended in reviewing high risk ‘hits’ rather than reconfirming the same ‘hits’ as false positives time after time.

  • Black-lists: Lists of persons/entities that firms may specifically want to screen even though they are not on a designated list. For example, some Russian oligarchs have started running their assets and expenditures via proxies and nominees (e.g. to own their super-yachts). If a firm becomes aware of such things it should add the proxies or nominees to its blacklists and screen against them.

Given the complexity of sanctions screening solutions, implementing a new system often leads to a large increase in workload until the firm staffs up and learns to tune the fuzzy logic and whitelisting. The temptation is sometimes to switch the system off, though this is not a good idea.
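The three features above can be seen working together in a short sketch. This is an added example, not code from the article or from any vendor's product: the list entries and customer ids are constructed, the 0.85 threshold is an assumed starting point, and Python's `difflib` ratio stands in for a commercial matching engine.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data: none of these names come from a real sanctions list.
DESIGNATED = ["Aleksandr Vostrikov", "Northwind Shipping LLC"]
INTERNAL_BLACKLIST = ["Seabird Yacht Holdings Ltd"]  # firm-identified nominees
# Whitelist: (customer id, list entry) pairs an analyst cleared as false positives.
WHITELIST = {("CUST-0042", "Aleksandr Vostrikov")}

# Look-alike substitutions: digits and Cyrillic letters that resemble Latin ones.
CONFUSABLES = str.maketrans(
    "0134578\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456",
    "oleastbaeopcxyi",
)

def normalize(name: str) -> str:
    """Fold case, accents, look-alike characters and punctuation."""
    folded = unicodedata.normalize("NFKD", name.casefold())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    folded = folded.translate(CONFUSABLES)
    return " ".join("".join(c if c.isalnum() else " " for c in folded).split())

def screen(customer_id: str, name: str, threshold: float = 0.85):
    """Return (list entry, source, score) for every non-whitelisted close match."""
    hits = []
    candidate = normalize(name)
    sources = (("designated", DESIGNATED), ("internal", INTERNAL_BLACKLIST))
    for source, entries in sources:
        for entry in entries:
            score = SequenceMatcher(None, candidate, normalize(entry)).ratio()
            # The whitelist suppresses one cleared customer/entry pair only,
            # so the same name on a different customer is still reviewed.
            if score >= threshold and (customer_id, entry) not in WHITELIST:
                hits.append((entry, source, round(score, 2)))
    return hits
```

Lowering `threshold` makes a merely similar name such as "Alexandra Voss" surface as a hit, which is the alert-volume trade-off the fuzzy logic bullet describes.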

Wire transfer regulations (WTR)

A related issue for payments compliance is the wire transfer regulations, also known as the travel rule. Under these rules, firms are obliged to:

  • Identify the ultimate originator / payor and beneficiary / payee of each transaction. This sounds easy but oftentimes, especially for dubious transactions, the intermediary may try to disguise or even ‘strip’ the ultimate payor or payee information. So, this needs to be reviewed to ensure intermediaries are not improperly presented as being the ultimate payors or payees.

  • Screen these details for CTF / sanctions purposes before processing.

  • This may give rise to a need to seize the funds and segregate them both from customer safeguarded funds and the firm’s own funds. Given the complexity of this, firms sometimes adopt the practical approach of pre-screening the parties before processing the amounts.

In any event, a hit that cannot be adequately confirmed to be a false positive needs reporting to the appropriate authorities. This can be less simple than it sounds given the jurisdictions of the clients, customers and counterparties, the currencies, and the matters involved.


An added complexity is that from September 2023, UK regulated entities are required to screen transactions involving cryptos. A firm may say, we don’t process cryptos and so this is of no concern to us. But if the firm is on notice that an inflow has come from the proceeds of cryptos and the intermediary declines to provide details of the ultimate payor, this can lead to a WTR / travel rule non-compliance which may require reporting.

A new way forward

With this increasing complexity in sanctions/CTF screening, which shows no signs of abating, better solutions are needed to make sense of this complexity and deliver clarity and contextual insight when it truly matters.

It is increasingly necessary to accept that it is not worth seeking to build the capability internally, but rather to buy in the solution from a best-of-breed provider. Furthermore, we need to recognise that the activity is becoming increasingly sophisticated and therefore requires sophisticated tools to screen appropriately (e.g. tuning of fuzzy logic, white and black lists) so that effort is focussed where it is needed. It is no longer enough for staff to review all payments while checking only for exact matches.

Finally, the need to audit the process referenced above is a new and growing complexity, especially since regulators are starting to require it, which further underscores the importance of systems precision to organise information and deliver clarity and transparency.

Ultimately, technology will play a pivotal role in realising such a solution. This is an area where Lucra can help.


Peter Davey is Head of Compliance at Lucra. Previously he has worked in senior compliance and risk roles at Dubai Financial Services Authority (DFSA); Earthport (since acquired by Visa); VocaLink (since acquired by MasterCard); First Data (since acquired by Fiserv); Open Banking Implementation Entity (OBIE); and Zumo, a crypto on-off ramp; among others, and is a well-known expert, consultant and advisor in governance, risk and compliance in payments, open banking and crypto.

