5. Role of Technology, List Screening & Other Operational Processes Contributing to an Effective and Efficient Sanctions Compliance Program Flashcards

Session 5

1
Q

What do some agencies say sanctions screening is?

A

Wolfsberg - “Sanctions screening is a control employed within FIs to detect, prevent and manage sanctions risk and should be undertaken as part of an effective Financial Crime Compliance (FCC) programme, to assist with the identification of sanctioned individuals and organisations, as well as the illegal activity to which FIs may be exposed.”

EU - “[T]ransaction screening is the most critical element of an internal compliance programme.”

FFIEC - “With respect to U.S. banks, sanctions compliance systems should include screening.”

2
Q

What was Wolfsberg’s Guidance on Sanctions Screening?

A

Issued in 2019

Gives a good overview of what’s involved in a sanctions screening program.

Provides guidance to financial institutions as they assess the effectiveness of their sanctions screening controls, whether automated, manual or both.

3
Q

What were the four core principles of Wolfsberg Guidance?

A

The basis for the design and implementation of sanctions screening systems:

  1. Articulate the specific sanctions risk the organization is trying to prevent or detect within its products, services and operations.
  2. Identify and evaluate the inherent potential exposure to sanctions risk presented by the FI’s products, services and customer relationships.
  3. Develop a well-documented understanding of the risks and how they are managed through the set-up and calibration of the screening tool.
  4. Assess where, within the organization, the information is available in a format conducive to screening.
4
Q

What were the two main screening controls in Wolfsberg Guidance?

A

FIs will deploy two main screening controls to achieve their objectives:

  1. Transaction screening is used to identify transactions involving targeted individuals or entities (and sanctioned countries).
  2. Customer or Name screening (reference data screening) is designed to identify targeted individuals or entities during on-boarding or the lifecycle of the customer relationship with the FI.

Together, they form a robust set of controls for identifying sanctions targets.

It should be recognized that there are a number of limitations in the way in which these controls are managed, and they should always be employed as part of a wider FCC program.

5
Q

What were Wolfsberg’s 5 Fundamental Pillars of Sanctions Screening?

A

Should be applied to screening, not in isolation, but in conjunction with other financial crime risk control processes:

  1. Policies and Procedures: defining requirements for what must be screened, in what context and at which frequency, and how alerts should be adjudicated, paying particular attention to how to resolve alerts where information is unavailable, incomplete or potentially unreliable.

*What screened, what context, what frequency?

  2. Responsible Person: ensuring appropriate skills and experience in understanding the nuances of often arcane sanctions requirements and how these might influence screening outcomes and decisions, as well as the technical capabilities of screening software.

*Who will perform the screening and who will interpret and act on results?

  3. Risk Assessment: applying risk based decisions to resolve specific questions of what data attributes to screen, when to screen, what lists to use and how exact or “fuzzy” to set the screening filter. The decision making and governance structure needs to be clearly articulated, documented and supported by analysis and testing.

*Identify what, how, and when to screen.

  4. Internal Controls: implementing screening control processes requires an understanding of the various methodologies and technologies available and their operational consequences.
  5. Testing: conducted to validate that the screening system is performing as expected and to assess its effectiveness in managing the specific risks articulated in the FI’s Risk Assessment. Regular testing of the system should be supported by metrics, analysis and reporting.
6
Q

What were the 7 factors Wolfsberg indicated may affect the design of a screening system?

A

Screening is based on Risk.

  1. The jurisdictions where the organization is located (determines the sanctions laws that apply)
  2. The proximity of the organization - geographically, culturally and historically - to countries subject to broad sanctions.
  3. The organization’s customers or clients, including:
    • Whether they are international or domestic
    • If international, where they are located; and
    • What their business is
  4. The volume of transactions.

*Determines how you screen (Manual or systemic)

  5. The complexity of transactions, including the distribution channels used.
  6. What products and services the organization offers and whether those products reflect a heightened risk of sanctions violations.
  7. The organization’s business processes, and in particular, how it sells and delivers products.
7
Q

What were Wolfsberg’s Principles for Generating Productive Alerts?

A

Identifying and implementing risk based screening decisions, in order to maximize alert quality and minimize the number of low quality or irrelevant alerts, should be undertaken
- prior to the deployment of a new screening system and thereafter
- on an on-going basis.

Risk based decisions may include:

§ Lists – an FI may establish criteria and technology processes to ensure that lists are only screened against a subset of data relevant to a specific jurisdiction

§ Exclusions – the addition of a party that poses low sanctions risk to a list of parties omitted from screening; or the use of conditional screening rules using list data or source data attributes

§ Suppression – use of suppression rules or “Good Guys” lists to manage common false positive alerts requiring unnecessary manual review

§ Data – removal of reference data from screening once the data is no longer risk relevant

8
Q

What were Wolfsberg’s Key Terms for alerts?

A

False Positive - is a result that indicates a potential hit on a sanctions list, but which, upon further investigation, is revealed to be innocuous. Example: “Havana Café”

*An alert that is not a true match or a true hit.

*False Negative - when no match is generated but there is a sanctions element in the transaction. (e.g. rules implemented for screening were added incorrectly) - getting a negative result when in fact there was a hit.

True Match - is a screening result, where the characters contained within the information being screened match the details of a designated entity on a list that is in scope for screening.

Fuzzy Matching - is a varied and algorithm-based technique to match one name (a string of words), where the contents of the information being screened is not identical, but its spelling, pattern or sound is a close match to the contents contained on a list used for screening.

Reference Data Screening: Process of screening the information an FI collects and maintains on the parties it does business with, or specific types of products and services it offers. Any data set within the FI’s operations, separate from its transactional records, that may present a relevant sanctions risk indicator and be conducive to detection through screening on a periodic basis.

9
Q

What are the 8 Steps of a screening process?

A
  1. Information is received
  2. Information to be screened is identified
  3. Screening system extracts relevant information
  4. Screening for potential matches; system generates an alert
  5. Potential matches and alerts are examined
  6. If not false positive, forwarded for further investigation
  7. If match confirmed, system generates “True Hit”
  8. Action taken to address

We will now discuss each step in more detail
10
Q

In the 8 Steps of screening what do we screen?

A
  1. Information that is received from the core banking system.

In a bank setting - Information that will be included in the screening tool typically comes from this solution.

Back-end system that processes daily banking transactions and posts updates to accounts and other financial records.

Typically include deposit, loan and credit processing capabilities, with interfaces to general ledger systems and reporting tools.

Contains information about customers, transactions, payments etc.

11
Q

In the 8 Steps of screening, how do you identify what needs to be screened and how do you extract the relevant information?

A

You look for the common attributes of screened transactions:

The parties involved in a transaction, including the remitter and beneficiary (field 50/59 of SWIFT Message)

Agents, intermediaries and FIs

Vessels, including International Maritime Organization (IMO) numbers, normally in Trade Finance related transactions

Bank Names, Bank Identifier Code (BIC) and other routing codes

Free text fields, such as payment reference information or the stated purpose of the payment in Field 70 of a SWIFT message

International Securities Identification Number (ISINs) or other risk relevant product identifiers, including those that relate to Sectoral Sanctions Identifications within securities related transactions …

Trade finance documentation, including the:
- Importer and exporter, manufacturer, drawee, drawer, notify party, signatories
- Shipping companies, freight forwarders
- Facilitators, such as insurance companies, agents and brokers
- FIs, including Issuing / Advising / Confirming / Negotiating / Claiming / Collecting / Reimbursing / Guarantor Banks

Geography, including a multitude of addresses, countries, cities, towns, regions, ports, airports, such as:
- Within SWIFT Fields 50 and 59
- Place of taking in Charge / Place of Receipt / Place of Dispatch / Place of Delivery
- Place of Final Destination
- Country of origin of the goods / services / country of destination / country of transshipment
- Airport of Departure / Destination

12
Q

What is matching?

A

Process of comparing two data sets in order to either identify the exact or potential match.

Reveals the relationship between two elements. Helps define rules for possible related items.

Based on algorithms, where processors perform sequential analyses of each individual piece of a data set, matching it against each individual piece of another data set, or comparing complex variables like strings for particular similarities.

The matching process looks at every word in each name/address line and the complete string of words in the transactions.

13
Q

In the 8 Steps of screening, when do you screen for potential matches and review system-generated alerts?

A

This step is the essence of screening.

  • Transactions are normally screened for sanctions in real time, before they are executed.
  • If there are a very large number of transactions of a certain type, though, or if the risk of a sanctions violation is small, it may be more efficient to use batch screening, i.e., screening all transactions of a given type at one time.
  • Customer and business relation names should be screened before the customer is accepted or the business relationship established. For existing customers, whether or not a business re-screens its entire customer base every time a list changes or only at set intervals depends upon the organization’s risk profile.
  • Another type of screening is event-driven screening, such as screening that occurs in response to adverse news about a customer. Integrating event-driven screening into the overall system requires some sort of method for monitoring relevant news and creating a link between that news and the screening tool.
14
Q

In the 8 Steps of screening, what do you do with Potential Matches, how do you examine alerts and what do you do with a false positive and a “true hit”?

A

There are 3 steps

1) Examine the alert to determine any potential matches

2) Forwarding potential matches for further investigation (is it a hit or not?)

3) Confirming if the potential match is a “true hit”

Example:
~ Person A determines if alert generated by the system (whether automatically or manually) is/is not a false positive.

*The transactions must be held in suspense while a final determination is made.

Alternative 1: Person A investigates the alert further to determine whether it is an actual hit. (2 eye principle)

Alternative 2: Person A does just enough of an investigation to determine whether there is a potential hit, and then turns the investigation over to a specialized function.

Alternative 3: Person A reviews the initial alert; if they cannot dismiss it, they turn the matter over to someone else whose function is specifically to investigate potential hits.

*Alternative 2 & Alternative 3 are considered the “Four Eyes” principle.

15
Q

How do you have an alert/hit?

A

Related Issue: how many people are required to confirm that a hit is a true hit?

Assessing a hit as “true” has potentially significant implications, such as rejection of a transaction, with possible harm to the customer and other parties involved. At most, it may require the freezing of property. Given this, the question is whether one person should be able to classify a hit as confirmed.

The “Four Eyes Principle”: requiring at least two people to assess a potential hit.

16
Q

What functions does an effective sanctions screening system embody?

A
  • A system for screening transactions.
  • Relevant systems subject to ongoing analysis.
  • Documentation that articulates the screening processes and what types of transactions are screened.
  • Qualified personnel responsible for design, implementation, and maintenance of screening.
  • Customer names screened before customer onboarded.
  • Periodical screening of existing customers.
  • Screening in real-time (as opposed to batch screening).
  • Process for identifying name variations and misspellings. (e.g. fuzzy logic)
  • Process for identifying and assessing false positives.
17
Q

How do you test and audit your screening system?

A

The screening system must be subject to periodic testing and audit.

Test - Periodically
Audit - Once a year

The typical Key Performance Indicators of sanctions screening systems:

 * The number of transactions screened
 * The number and percentage of alerts generated
 * The number and percentage of true hits
 * The ratio of true hits to alerts
 * The average time for investigating an alert
 * The average time for investigating a true hit
 * The number and percentage of cases left open after a specified period, such as 24 or 72 hours
18
Q

What are the Common Deficiencies in Screening?

A
  • Insufficient capacity to assess alerts;
  • Filtering criteria that are too loose, generating too many “false positives”.
  • Filtering criteria that are too strict, potentially missing real hits (false negatives).
  • Closing alerts without proper investigation due to backlog.
  • Excluding certain transactions from the filtering process without first assessing the risk this poses.
  • No access to older alerts that have already been investigated or closed.
  • Persons and entities on the suppression list are not screened periodically or when changes are made to the lists.
  • Out-of-date sanctions lists are used.

Example: National Bank of Pakistan - the bank’s screening filter failed to catch illicit transactions due to technical flaws.

AMEX - gave a prepaid card to a German national who was designated.

19
Q

What is the heart of a screening program?

A

Lists/List Selection:

*Lists lie at the heart of the screening process.

  • The selection of which lists against which information will be screened determines what customers and transactions may be allowed, and which must be rejected.
  • The lists organizations must screen against depend in the first instance on where they are located. Organizations and individuals must comply with the laws of their home country. This means that, if their home country has a list of individuals and entities against whom sanctions apply, screening should be against that list.
20
Q

What is List Management?

A

List Management = The end-to-end process of determining and managing regulatory and internal lists used for screening.

Considerations relevant to effective list management:
* List selection
* Sourcing of lists
* List maintenance
* Data Enhancement
* Whitelisting
* Geographic scope of list application
* Exact matching versus fuzzy logic
* Frequency of screening

21
Q

What are the Official Lists for screening?

A

European Union: EU Consolidated List - Note that many EU members have their own sanctions lists in addition to the EU list.

United Nations: UN Security Council List - Many organizations choose to screen against this list regardless of whether or not UN sanctions are incorporated into their home country’s sanctions list.

United States: OFAC’s SDN and other Lists - The U.S. also maintains other lists, including the Sectoral Sanctions Identifications (SSI) List. All non-SDN lists are included in OFAC’s Consolidated List. The Bureau of Industry and Security maintains the denied persons list of persons who may not export from the U.S., and the entity list of foreign parties that are prohibited from receiving imports from the U.S. The State Department maintains a list of individuals and entities subject to nonproliferation sanctions, as well as the AECA list of parties who are prohibited from participating in the exportation of defense articles.

All of the U.S. lists, including the OFAC lists, are combined in a single consolidated U.S. sanctions list, which is available at https://www.export.gov/csl-search

22
Q

What are Internal Lists?

A

Organizations may also maintain their own internal lists.

“Good guy” or “white” lists: names that have been screened and confirmed not to represent a true hit. This may occur, for example, if a customer has the same name as someone on a sanctions list.

“Bad guys” or “grey lists”: These are individuals or entities whom the organization has determined have ties to sanctioned parties or present other financial crime risk, even if they are not sanctioned themselves. Organizations decide not to do business with these “bad guys” as a matter of principle, even if it may be technically legal (for the time being at least) to do so.

23
Q

What are the significant operational issues involving an effective sanctions compliance system?

A

These include:
§ Resolving standard and complex cases.

§ Freezing property, and managing frozen property.

§ Obtaining, managing, or reviewing licenses.

§ Using contractual clauses to mitigate sanctions risks.

§ Outsourcing compliance functions.

§ Reporting and record keeping.

*The operation of a sanctions compliance system frequently requires interaction with other areas of compliance, especially export controls, anti-money laundering, and anti-corruption. It also requires the compliance function to be aware of, and be prepared to address, forces from the business side that may make compliance with sanctions laws more difficult.

24
Q

How do you Resolve standard and complex cases?

A
  • Some sanctions cases may be very simple, while others can be quite complex
  • Resolving complicated questions may require special expertise
  • The organization should ensure that it has the resources to resolve complex cases
    o This may require calling upon outside experts
  • The organization should have a procedure specifying
    o When an issue should be escalated
    o Who has the authority to decide upon the answer

*Complex case (e.g. Sectoral Sanctions)

25
Q

When do you freeze property and how do you manage frozen property?

A

Sanctions laws of many jurisdictions, including the US and the EU, require that funds, assets, and other property be frozen (or, using the U.S. terminology – “blocked”).

Frozen property cannot be transferred or disposed of without permission from the relevant government authority. In most cases, the party freezing the funds or other assets is required to report their action to the relevant authority.

In the U.S., for example, a U.S. person blocking property must file a report with OFAC within 10 days.

In the E.U., frozen assets must be reported at the national level.

*US bank hit on EU list - you can’t freeze/block. Conversely - If EU gets a hit on the OFAC list - they can’t freeze?

26
Q

What tailors and tunes sanctions?

A

Licenses.

OFAC has the authority to license transactions that would otherwise be prohibited under sanctions programs.

Two types of OFAC licenses:
General licenses – broader exceptions written into the regulations, typically in Subpart E (the 500s), of each Part.
Examples include: operation of foreign embassies, operation of international organizations, operations of the U.S. Government.

Specific licenses – more focused, issued to a limited number of parties. Examples: Unblocking a funds transfer; allowing travel to Cuba under certain circumstances; agricultural and medical exports under Trade Sanctions Reform Act (TSRA); living licenses.
Be aware of recordkeeping and reporting requirements triggered by using licenses!

27
Q

What do you do when applying for an OFAC License?

A

Licenses can be handled online on the website

When filling out the application include the following:

  1. Provide full facts in a clear, concise manner
  2. Review OFAC’s guidance and statements of licensing policy before you file
  3. Make clear why granting the license is consistent with US foreign policy
  4. Avoid arguments that OFAC sanctions are inconvenient or costly
  5. Be patient – the process can take months
28
Q

What facts do you need to present when completing an OFAC License Application?

A

You need a detailed description of the proposed transaction:

The identity of the party or country subject to sanctions that is the subject of the application.

The name and address of the applicant (whether the buyer, seller, or financial institution)

The names of any entities that might perform services for or act on behalf of the applicant, including corporate affiliates, suppliers, and subcontractors

A detailed description of the goods, services, or technology subject to the application.

Whether the license is sought for a single transaction, for multiple transactions, or for unlimited transactions over a given period of time.

The beginning and end date of the license.

29
Q

What is one way you can protect yourself from OFAC Violations?

A

One important method to reduce sanctions risks is to use language in contracts to address sanctions issues.

Such representations and warranties typically include statements that:
* The party is not subject to sanctions by the UN, the EU, the U.S., or other jurisdiction.
* No person or entity owning more than a specified percentage of the company (usually either 10% or 25%) is subject to such sanctions.
* The party is not currently under investigation by any authority for violations of sanctions laws.
* The party will not use the proceeds of the loan for investment in or transactions with parties or countries subject to sanctions.
* Performance of the contract will not result in any violation of the enumerated sanctions laws.

Example: Sample clause in a ship chartering document:
ANY TRADE IN WHICH THE VESSEL IS EMPLOYED UNDER THIS CHARTERPARTY WHICH COULD EXPOSE THE VESSEL, ITS OWNERS, MANAGERS, CREW OR INSURERS TO A RISK OF SANCTIONS IMPOSED BY THE UNITED STATES, UNITED NATIONS OR THE EU, SHALL BE DEEMED UNLAWFUL AND OWNERS SHALL BE ENTITLED, AT THEIR ABSOLUTE DISCRETION, TO REFUSE TO CARRY OUT THAT TRADE. IN THE EVENT THAT SUCH RISK ARISES IN RELATION TO A VOYAGE THE VESSEL IS PERFORMING, THE OWNERS SHALL BE ENTITLED TO REFUSE FURTHER PERFORMANCE AND THE CHARTERERS SHALL BE OBLIGED TO PROVIDE ALTERNATIVE VOYAGE ORDERS.

30
Q

What are OFAC’s reporting requirements?

A

Report of Blocked Transactions – Financial – within 10 days

Report of Blocked Transactions – Tangible/Other/Real/Non-Financial Property – within 10 days

Report on Rejected Transaction – within 10 days

Annual Report of Blocked Property – by September 30 annually

In the EU, reporting requirements depend on the national authority and what national law says you need to do.

31
Q

What are other areas that could have conflicts with sanctions?

A

Export Controls

~ Export controls and sanctions frequently intersect.
~ In some cases sanctions are administered under export control laws. For example, OFAC administers sanctions regarding the export of services to Syria, while BIS is responsible for regulation of exports of goods to Syria.
~ Export controls frequently apply to many of the same categories of goods as sanctions - especially arms.

Anti-Money Laundering

Anti-money laundering (AML) shares many similarities to sanctions compliance.

AML criminals use many of the same techniques to launder money as sanctions evaders employ (i.e. shell companies, layering, and the use of cash).

Detecting and preventing money laundering also uses the same techniques as sanctions compliance (e.g. customer due diligence and transaction screening).

Business Environment

The business of the business is to make money whilst sanctions compliance often requires rejecting business.

Resolving this conflict requires that both the business and compliance understand each other.

It is vital that the business and compliance work together in a manner that maximizes profits while minimizing exposure to sanctions risks.