Sanctions Risk Management – What To Expect and What To Have in Place
In our first article and webinar in this series, ‘Sanctions risk management – Dealing with the new reality’, we took a deep dive into OFAC, the 14th EU sanctions package and what these mean in practice. Sanctions screening is one thing; sanctions risk management and exposure is another. We also discussed supervision in Scandinavia and the Baltics, and how third parties and third countries remain a key issue.
In our second webinar in this series, on the 15th of October, we will talk about exposure and risk assessment, KYC, common pitfalls in risk and exposure assessment, setting controls and working with sanctions list screening. In relation to these factors, how do different UBO and PEP screening regimes compare, and how can you ensure effective customer screening and screening model risk management?
Step one is non-negotiable, and that is to understand your sanctions risk exposure. Only then would any financial institution stand a good chance to take effective measures and avoid both violations as well as costly remediation.
Lars von Ehrenheim, Director and Sanctions Expert at Advisense
Risk assessment contents and setting requirements on your framework
In our previous article on sanctions screening and varying risks associated with different jurisdictions, we discussed the responsibility for third parties and how far that stretches.
Supervisory authorities in Norway and Sweden have recently carried out reviews, with the key observation that companies should make sure their systems are sufficiently risk-based. The focus is on sufficient precision rather than on the number of false hits. The global benchmark is 97% on original lists and 90% on manipulated lists, and several companies fall short of this.
Sanctions risk management is, perhaps contrary to some perceptions, in fact a risk-based exercise that may be compared with the risk assessment in an AML programme. The bottom line is to be able to assess the overall customer and product risk exposure and which sanctions risks may be associated with your customers’ business. The key is to establish what you absolutely need to know and what measures need to be taken to manage the risk.
Comparing this process with AML, companies are to identify what risks they have, including red flags that point towards potential circumvention. Typical questions are whether the company operates in the SEPA zone, which currencies the customer deals in and whether it operates in markets identified as typical circumvention hubs. Depending on the answers to these questions, you may have to look deeper into who the ultimate beneficial owner is.
According to Lars von Ehrenheim, looking at what the EU expects as regards subsidiaries, and what little best practice there is at present, companies should be able to demonstrate a best effort. OFAC has several settlement cases concerning subsidiaries and facilitation in third countries, which indicates the direction authorities will take in the EU as well. Translated into something manageable, this means that a company needs to include subsidiaries in third countries in its sanctions compliance programme and ensure that it does not facilitate circumvention or breach of sanctions by any third party.
Risk scenarios for circumvention
There are some common challenges with regard to knowing your customer. The KYC process should be able to identify front men and money mules, decipher complex structures that conceal real ownership, and establish what the company actually works with, how its export business is run and where it exports to.
Depending on your business model, you might have a multitude of correspondent banks that you need to deal with. All else equal, the responsibility for whatever is conducted through correspondent banks remains with you.
Different functions in the organization should be involved to establish circumvention risk scenarios according to requirements within the regulatory regime where it operates.
These would typically be the same functions as for AML, so that the first line, which has the best understanding of the business, is involved together with the financial crime prevention function. IT or IT security should also be part of the process, in order to screen the geolocations of transactions and deliver input for counter-measures. Product and business owners can also provide meaningful insight into the actual exposure a financial institution might face.
Common pitfalls in risk and exposure assessment
No sanctions risk assessment is conducted at all – If there is no proper risk assessment to build screening and measures upon, how can you logically specify your settings? Moreover, what alerts will such system settings be able to generate? These issues relate more or less directly to the challenges that frequently occur in transaction monitoring, and more specifically to the issue of a large number of false positives.
Questions that the organisation needs to be able to consider properly include how and why the settings in its screening system are configured in a certain way, and whether there is a structured customer knowledge process that covers sanctions and also includes business partners.
A question that most companies face is how far their responsibility for a third party can stretch. Generally, you should know if and how your counterparty conducts proper due diligence on its suppliers, who they are selling to, and whether the products they sell are wanted by sanctioned parties. Any exporting company should make sure to carry out ongoing quality controls on what their suppliers do. This also applies to the bank and its customers’ customers.
Lars von Ehrenheim
Exclusion of domestic transactions – The fact that a transaction is conducted within a single jurisdiction does not mean that sanctions risk can be excluded. Advice on this particular issue may vary, and the message is sometimes that sanctions screening is not required for domestic transactions. And, yes, Sweden, as an example, has few listed parties.
Screening model risk management – Organisations continue to struggle with poor fuzzy logic in their systems and with settings that are not risk-based. Systems may be old, lack logic and produce a large number of alerts. The screening system and all its controls should be proportionate to the actual requirements of the organisation, and, equally important, the organisation should be prepared to deal with real alerts when they actually occur.
With regard to the organisational set-up around the system, the company should establish clearly who does what and why in the system and its various settings, make sure the system works, that it corresponds to the needs identified in the risk assessment, and that it is validated and properly tested.
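To make the last two points concrete, here is a small, self-contained screening validator, added as an illustration and not Advisense’s tooling or any vendor’s matching engine. It normalises names (diacritics, case, punctuation, word order), scores them with a plain edit-distance similarity, and then measures what the text describes: the hit rate on the original list, the hit rate on a manipulated list, and the false positives a given threshold produces on names that should not alert. The watchlist, the manipulated variants and the "clean" names are constructed test data; the 97% and 90% targets are the benchmark figures quoted above, passed in as parameters.

```python
"""Toy sanctions-name screening validator (added example; constructed test data)."""
import re
import unicodedata


def normalise(name: str) -> str:
    """Canonical form: strip diacritics, lowercase, drop punctuation, sort tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", stripped.lower())
    return " ".join(sorted(tokens))  # sorting makes word order irrelevant


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 = identical after normalisation, 0.0 = nothing in common."""
    na, nb = normalise(a), normalise(b)
    if not na or not nb:
        return 0.0
    return 1.0 - levenshtein(na, nb) / max(len(na), len(nb))


def screen(name: str, watchlist: list, threshold: float) -> list:
    """Return (listed_name, score) for every watchlist entry at or above the threshold."""
    scored = [(w, similarity(name, w)) for w in watchlist]
    return sorted([h for h in scored if h[1] >= threshold], key=lambda h: -h[1])


def hit_rate(cases: list, watchlist: list, threshold: float) -> float:
    """Share of (listed_name, query) pairs where the query alerts on its own entry."""
    found = sum(
        1 for listed, query in cases
        if any(w == listed for w, _ in screen(query, watchlist, threshold))
    )
    return found / len(cases)


def validate(watchlist, manipulated, clean, threshold,
             original_target=0.97, manipulated_target=0.90) -> dict:
    """Run the three checks a model validation needs and compare with the benchmark."""
    original = hit_rate([(w, w) for w in watchlist], watchlist, threshold)
    manip = hit_rate(manipulated, watchlist, threshold)
    false_positives = [n for n in clean if screen(n, watchlist, threshold)]
    return {
        "threshold": threshold,
        "original_hit_rate": original,
        "manipulated_hit_rate": manip,
        "false_positives": false_positives,
        "passes_benchmark": original >= original_target and manip >= manipulated_target,
    }


# Constructed, obviously fictional watchlist (not a real sanctions list).
WATCHLIST = [
    "Example Trading LLC",
    "Sample Shipping Holdings",
    "Placeholder Export Import",
    "Dummy Gear Services",
    "Fictional Metals AG",
]

# Constructed manipulated variants, paired with the entry they should still hit:
# word order, a transposition, punctuation, a dropped letter, two dropped letters.
MANIPULATED = [
    ("Example Trading LLC", "LLC Example Trading"),
    ("Sample Shipping Holdings", "Sampel Shipping Holdings"),
    ("Placeholder Export Import", "Placeholder Export-Import"),
    ("Dummy Gear Services", "Dummy Gear Servces"),
    ("Fictional Metals AG", "Fictionl Mtls AG"),
]

# Constructed names that must NOT alert; the last one is a deliberate near miss.
CLEAN = ["Acme Bakery", "Northern Lights Consulting", "Dummy Gear Servicing"]


if __name__ == "__main__":
    # A strict threshold keeps the near miss quiet but misses the heavily
    # manipulated name; a looser one catches it at the cost of a false positive.
    for threshold in (0.88, 0.80):
        print(validate(WATCHLIST, MANIPULATED, CLEAN, threshold))
```

The point of the two runs is the trade-off the text describes: no single threshold is "correct", and the risk assessment has to say which side of the trade-off the organisation accepts. In a real validation the manipulated list would be far larger and drawn from the manipulation patterns the organisation actually sees, and the results would be recorded as evidence that the settings are risk-based and tested.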
Don’t miss the opportunity to listen in to the Advisense webinar series with an exclusive focus on sanctions risk management this autumn. Check out the programme here and save the dates.