Screening lists is no protection against sanctions risks
“The practice that we often see is that institutions in Sweden tend to not apply a sanctions risk assessment or motivate the extent of the mitigating actions. The risk-based decision for this exclusion, as an example, is however neither properly documented nor motivated. This is a risk in itself”, says Lars von Ehrenheim, Director Financial Crime Prevention at Advisense.
Perspectives on sanctions risk management in a rapidly changing environment
The invasion of Ukraine, and everything after it, has meant that sanctions programs have been put to the test. FCG’s report AML State of Play Sweden, conducted at the end of 2021, showed that most respondents felt that sanctions screening was fairly well developed. When the same analysis was done in Denmark a few months ago, the results were slightly less optimistic.
But even before this watershed, there were indications that sanctions management was a weak point in Nordic banks. According to Lars von Ehrenheim, there is a lot of focus on efficiency and the cost of compliance right now. The ambition is to create economies of scale in an area where failure, be it because of neglect or under-resourcing, is clearly tremendously expensive.
Sanctions obligations are heavily enforced, foremost by the US sanctions agency, the Office of Foreign Assets Control (OFAC). This has become abundantly clear in recent years, with the consequences of failure counting in the billions of USD in fines. Over and above fines, the obvious threat to Nordic and European companies at large is to be banned from performing USD transactions or engaging with US financial institutions. Moreover, following the Russian invasion of Ukraine in 2022, a multitude of sanctions have been used as important tools by the EU, the US and the UK to counteract the Russian aggression.
How effective is your sanctions program really?
Swedish companies seeking to comply with US sanctions and perform list screening need to obtain a license from the Swedish Authority for Privacy Protection (Sv. Integritetsskyddsmyndigheten, IMY) in advance, unless they are covered by the agreement brokered by the Swedish Bankers' Association for this purpose.
Upon approval, an organization should take the first and fundamental step and perform a sanctions risk assessment.
Sanctions regulations are in general absolute, but a risk-based approach must at all times be applied first to properly mitigate a potential sanctions risk exposure.
A sanctions risk assessment is the basis for establishing what screening actions an institution should take, what mitigating controls are needed, and the depth and complexity of these. In addition to list screening covering e.g. customers, third parties and transactions, measures can include export and import controls, including dual-use goods measures in trade finance.
Risk assessment and governance
Organizations aspiring to ensure a proper and consistent sanctions management program must have procedures with a documented framework in place. Efforts can ideally be integrated with the AML framework for a systematic and proactive approach with clearly defined roles, responsibilities and mandates. Swedish regulations do not set forth any explicit requirements on a framework or functions. It is, however, typically necessary in a properly defined framework, and it is specifically required in US regulations, including for any entity with exposure to OFAC and US dollar transactions.
In practical terms, a few fundamental questions should be considered as a start for a sanctions risk assessment:
- Operational locations
Where in the world do you operate? Any offices/branches/subsidiaries outside of Sweden and/or EU?
- Supply chain risk
Where are your suppliers, distributors, and agents located? If the company imports certain parts of products from a third party in countries bordering a sanctioned country, how do you assure that products or components are not sourced from a sanctioned jurisdiction?
- Third party due diligence
Do you know all your third parties well enough? Have you performed adequate due diligence on e.g. suppliers, agents and business associates to gain assurance that good sanctions procedures and processes are in place to mitigate sanctions exposure to your company?
This further necessitates performing KYC (know your customer) measures properly, to fully understand the beneficial ownership structure. This will only be successful when the right questions are asked so that sanctions risks can be identified.
- Know your end-user
Where in the world are your end-users located? Although your product is sold in Sweden, it can be distributed or re-sold outside Sweden and the EU. The responsibility can stretch beyond. Key questions to consider include whether your products, or parts of them, can be defined as dual-use goods. One example of what can be used for dual purposes is the reported parts of high-speed cameras that are used to develop drones in war zones, including in Ukraine.
- International funds transfer
Does the company offer e-banking services with international money transfers? Does the company facilitate transfers and payments on behalf of others, to or from private individuals and local money service businesses? You need to analyse whether your exposure is direct or indirect.
The case involving Sweden, Venezuela and OFAC
In 2017-2019, OFAC increasingly imposed comprehensive sanctions against the Government of Venezuela, targeting, among other things, its important oil sector. The state-owned oil company Petróleos de Venezuela SA (PDVSA) was fully designated in 2019, and as per the “50% rule”, the blocking statute also applied to entities owned 50% or more, or controlled, by such parties, directly or indirectly.
In a small town outside of Stockholm, a Swedish oil company was suddenly affected by OFAC sanctions, as it was considered a “Shadow SDN[1]” due to the 50.01% ownership by PDVSA. Not only the company itself but also its subsidiaries were blocked due to this indirect ultimate ownership by PDVSA. The Swedish company was unable to perform USD transactions, its financial stability was seriously threatened, and thousands of employees were in danger of losing their jobs. Although a general license was issued by OFAC to conduct certain activities with the Swedish company, it eventually had to go through a corporate restructuring of the ownership. In the middle of 2020, due to the restructuring and reorganization, the company was no longer subject to US sanctions. During the entire process, banking entities that were providing either accounts or funding to the Shadow SDN were in constant dialogue with OFAC to ensure that matters were properly handled.
Lessons learned
US sanctions can heavily impact your risk exposure if not monitored properly. Since the Shadow SDNs are not listed themselves, you cannot rely only on your list screening.
According to Joachim Rusz, Senior Manager Financial Crime Prevention at FCG, it cannot be emphasized enough that sufficient and adequate knowledge of your customers must be ensured and that updates on changes in ownership structures must be maintained.
It is also important to note that it is possible to have a dialogue with OFAC to ensure proper handling and winding down of funding and other operations.
JOACHIM RUSZ
There are many public case examples of large, global institutions that have failed to comply with applicable sanctions regulations. Even though the area is complex and all cases should be analysed independently, we can identify three common reasons.
- Culture and tone at the top
Lack of knowledge, poor commitment by senior management, and insufficient resources (both human and use of tools)
- Improper due diligence on customers
Conducting due diligence on an organization’s customers, supply chain, intermediaries, and counterparties is critical to an effective sanctions program. OFAC does take recurring administrative actions against companies due to improper or incomplete due diligence on their customers, such as their ownership, geographic locations, counterparties, and transactions.
- Screening software or filter errors
Failure to keep sanctions screening tools up to date and properly reflecting relevant lists, or failures due to poor “fuzzy logic” screening, e.g. alternative spellings of sanctioned countries or parties, can lead to sanctions breaches.
This is a complex area which requires focus as well as a structured approach to prevent any direct risk of breaches against EU or US sanctions regimes, or the indirect risk of correspondent banking partners being reluctant to provide services.
A key recommendation, over and above the frequent areas of improvement that we have identified, is generally that a proper sanctions framework with risk assessment and controls can be integrated into the AML framework and processes.
LARS VON EHRENHEIM
[1] Specially Designated Nationals And Blocked Persons