There’s a common misconception that sanctions are only an issue for terrorists or dictator-run countries. The reality is that sanctions are a very real threat to both banks and corporations across the globe. However, corporate awareness of this issue is somewhat patchy: data analysed during a webinar hosted by Bottomline, Break the Chain of Financial Crime, showed that only 30% of respondents believe that the responsibility for implementing sanctions screening rests not just with the banks, but corporates as well. Meanwhile, 71% believe that the entities most impacted by anti-money laundering regulations are banks, not corporates.
The 9/11 attacks had an enormous impact on the global financial regulatory environment, reshaping it in such a way that raised the risk for banks and other institutions ‘engaged in suspicious activity’ – unknowingly or not. Designed to reduce the risk of terrorist financing, suspicion – not necessarily any evidence – was all that was required for the US Treasury to designate foreign jurisdictions and institutions as “primary money laundering concerns” under the Patriot Act. The global reliance on the US dollar meant that these changes were felt far and wide.
While countries are imposing sanctions at increasing rates, they rarely align with each other. The main example of this is the US re-imposing sanctions on Iran after withdrawal from the Joint Comprehensive Plan of Action (JCPOA). In response, the Instrument in Support of Trade Exchanges (INSTEX) was created: a special purpose vehicle to facilitate non-USD and non-SWIFT transactions to allow EU member states to trade with Iran without breaking US sanctions. As a result of this increase in sanctions, as well as the focus on ultimate beneficial owners (UBOs), there is a mounting risk of falling foul of them somewhere in the world – even accidentally.
Treasury and sanctions
The role of treasury in sanctions screening has become more important as it has become evident that companies can no longer rely solely on banks’ screening technology to manage their sanctions risk. Just in November 2018, French bank Societe Generale agreed to pay US$1.34bn in fines to the US federal and state authorities for handling USD transfers in OFAC-sanctioned countries. Organisations therefore need to be proactive in their own checks as well.
As the people responsible for issuing payments, treasurers must have an active role in sanctions screening, deciding what exactly to screen – be it customers, vendors or partners. Companies must also be aware of other regulations, for example the OFAC/EU 50% rule – if more than 50% of a company or entity is owned by sanctioned individuals (eg it can be three sanctioned persons who each own 20%) it becomes a sanctioned entity itself. In addition, Pierrot Christophe, Treasury Controller Global Business Services, General Electric, notes that companies must also ensure they are continually screening their current customers, as sanctions lists change almost daily.
For Christophe, a major help was integrating the sanctions screening tools into the company’s treasury management system (TMS). “To be effective, everything has to be properly automated as much as it can,” he says. By embedding any sanctions frameworks into the TMS – which has the capability to send and receive funding payments – any suspicious transactions can be flagged immediately, “whether it’s the beneficiary, the country, or any other screening processes that we’re doing on an automated basis.” Similarly, he adds, it is helpful to have the capability to enter into the system that no payments are to be made to, say, North Korea – meaning that if someone tried to enter a customer from North Korea, the system would automatically reject it.
Other companies rely on third-party screening programmes instead of integrating screening into a TMS. Toby Shore, Senior Director, Group Treasury, Risk and Insurance at Emirates Global Aluminium (EGA), explains how he uses such a system at EGA for screening companies, as well as using country screening capabilities within the ERP.
The first step for onboarding new customers or vendors, Shore says, is running a compliance check, starting with a know your customer (KYC) or a know your supplier (KYS) form. “These look to identify, amongst others, A) the company name, and B) the ultimate beneficiaries of the company, directors and senior management,” he explains.
The cost of getting it wrong
Many know that several banks have recently incurred heavy fines for breaching sanctions. Most recently, Standard Chartered was ordered to pay US$1.1bn by US and UK authorities for breaching sanctions against Iran, Burma, Zimbabwe, Cuba, Sudan, and Syria between 2009 and 2014.
For businesses, says Christophe, the cost of getting it wrong is often dependent on where the company exists and where the breach takes place, but in some places there could be criminal or civil convictions for both the company and the individual responsible. And then of course, there are internal consequences for the individual, including anything up to termination of employment.
“It’s not a single point of failure, this is a proper team effort with clients,” says Adrian Rigby, Chief Operating Officer, Global Trade Finance, HSBC. “Corporates have their own responsibilities to ensure they deal with known parties and individuals and ensure that they operate within that. Anything routed through our organisation, we have a responsibility to back that up with additional and very robust checks as well.”
Of course, it’s not just legal ramifications that businesses and banks face, but reputational ones too. There is the risk of losing both current and future business, as customers look to use companies that seem safer. If by chance something does manage to slip through the net, “the best course of action is to disclose and then explain what the circumstances were,” says Shore.
Challenges in numbers
For many organisations, the main challenge is the sheer number of sanctions lists. In an ideal world there would be just one list, says Shahrokh Moinian, Head of EMEA Wholesale Payments at J.P. Morgan. Unfortunately, this isn’t the case, and with businesses operating all over the world with various subsidiaries, treasurers have to be aware of all lists and the various risks that come with them.
Christophe agrees. “If we are a global corporation and not just running in, say, the US, we have to make sure that we have access to a global list from different countries.”
Another challenge with the number of lists, according to Shore, is that they are “not always complimentary to one another, nor do they cover the same sort of things.” The number of lists, and the number of names on each list, creates the added challenge of how to handle false positives.
False positive or genuine hit?
According to the 2017 Dow Jones & SWIFT Global Anti-Money Laundering Survey, it takes an average of 16 minutes to clear a false positive. Sixteen minutes isn’t an especially long time on its own, but 28% of the respondents said that over 75% of their total alerts were false positives. Now multiply that by the hundreds and thousands of alerts that some companies have per day, and it’s easy to see how it can become a full-time job.
An example of one false positive that often crops up is any company name that includes the words “hair and nail” – owing to the existence of the word “Iran” in the middle of it (haIR ANd nail). Whilst it’s always better to have a slightly overzealous system to ensure nothing slips through the net, companies must then have a way of resolving the false positives in a timely manner. Moinian believes that artificial intelligence could be utilised to help with this and reduce the number of hours spent investigating false positive hits.
Rigby notes that false positives don’t just take a lot of time for the staff investigating them, they also have an impact on customers that have no link to sanctions. “We have a responsibility as a financial institution to screen against sanctions as well as AML and fraud, and we are doing that to protect our customers,” Rigby says. He adds that the bank needs to have effective controls in place – but these need to focus on the real risk and not on the false positive activity.
Regionally though, there are other complications that come with false positives. Based in Dubai, Shore states that the spelling of people’s names is the biggest challenge that he has found as there are a number of local and regional grammatical nuances. “Either the sanctions lists or our records may not have people’s full details, or the details may be very similar – the equivalent of ‘John Smith’ or ‘Peter Adams’ – and you get a false positive,” he says.
“The other challenge is you have to have an expert,” says Christophe. This could mean using a group of employees, rather than hiring someone specific, but there must be at least one person who understands what they’re looking for, who can “read the process, read the false positives and make a decision.”
Key to having an expert is of course, to train them and build their confidence. “No one wants to have their name associated to a payment like that,” notes Christophe, so training and creating the confidence to make those decisions is an important hurdle to overcome.
How to get it right
It’s widely agreed that additional information is required both on sanctions lists and when inputting new customer/client data to help combat the issue of false positives. Additional information allows for more data to be compared against the sanctions lists, meaning any matches will be more likely to be a genuine positive. For example, ‘John Smith’ could produce hundreds of matches, but inputting John Albert Smith, born on 1st December 1970 in New York, would significantly narrow it down.
The Dow Jones & SWIFT survey found that 71% of respondents reported that their companies include additional names of people, companies and organisations as additional information, 67% used entities controlled/owned by other sanctioned countries, and 66% used entities linked to sanctioned jurisdictions.
Alongside additional information from the screening, companies also need to use secondary identifiers to reduce false positives. In total, 96% of respondents used secondary identifiers, with 80% using date of birth, 59% using country of birth and 48% using gender.
Safety in numbers
A fan of a solid two-step process, Christophe believes that the most effective way to ensure compliance is to have an internal process that is integrated into the TMS, as well as having a third-party programme as a secondary checker. It is essential, he says, that the treasury team works to understand the system and ensures that the user access is there and available. “We have to make sure that there’s segregation of duties, there’s immediate validation, there’s some sort of supervisory process, and so on.”
Like Christophe, Rigby’s belief that there should be no single point of failure holds true for remaining compliant as well. “You need to have appropriate layers of control,” he says. It’s a corporate’s responsibility to ensure that they deal with appropriate counterparties and locations, and everything else that’s within sanctions, he adds. As a bank, “we’re there to work with them in terms of what we see.”
For Shore, the most effective way to ensure EGA remains compliant is to hold regular information sessions. “Not just with the treasury team, but with our marketing and sales and procurement teams,” he says. It’s important to reinforce exactly what the ramifications are of breaking a sanctions clause, and educating people on the expected processes. “People have busy jobs and may see this as a ‘nice to have’ rather than a necessity for doing business and the training and education reinforces the importance of the process,” he adds.
With human error one of the most significant risks, it’s important that every step possible is taken to reduce it. And that means “putting the responsibility back onto the business, to make sure that they understand what the requirements are, and that they are abiding by them.”
As many treasurers that deal with KYC issues know, a standardised solution would be ideal. Moinian thinks that in the absence of this, technology can play an important role in resolving issues related to payments delayed for sanction screening reasons. He describes the Interbank Information Network (IIN) platform that J.P. Morgan has created, which uses blockchain technology to enable member banks to exchange information in real-time and reduce friction in the payments process. Moinian notes that with a network of more than 380 banks, IIN continues to grow and evolve. More than 80 are now live and the onboarding process for others is happening quickly. There are discussions, Moinian says, of participant banks developing their own solutions for possible use across the network too.
Christophe understands that sanctions screening is an ongoing process, and the automated programmes for sanctions screening are still not perfect and therefore need human supervision. “Are there people reviewing and auditing the process, and spot checking to make sure nothing slips through the cracks?” he says. “Is there a process to review it? When in doubt, are we hiring management not just to make decisions, but to be aware of what’s going on? To be aware of if we’re running at 90% effective, or are we running at 80% effective? Are we just getting lucky?”
Christophe expects the existing process to improve with time, but also recognises that time will bring new challenges. Treasurers aren’t just having to think about how to solve their current problems, but future ones too.
Doing the best you can
Due diligence is something that all can agree is one of the most important factors in remaining compliant with sanctions. Shore notes that having an internal system is important for initial due diligence checks, but that it’s also essential to have periodic checks by the compliance team to manually cross-match a company’s records with sanctions lists.
Ultimately though, Shore believes that by providing an effective framework and system alongside the necessary training and education for all involved, “then that’s as robust a defence as we can reasonably put in place.”