Sanctions Exposure Controls, Screening and Model Risk Management
In August, the US threatened with sanctions against countries hosting Russian banks. It said it will ‘go after’ branches used by Moscow to circumvent trade restrictions or financing the supply of goods for Putin’s war machine.
Aside of what happens in USA politics, the question is how organizations across the EU and in the Nordics have been able to gear up in line with requirements set out in the 14th EU Sanctions Package?
One thing is for certain, the risk landscape is a haze at best and there is little suggesting that trading routes are clearing up. On the contrary, sanctions circumvention continues to be an area causing concern in the risk and exposure management of many financial and non-financial companies alike.
Is your business managing sanctions controls successfully?
Here is the question I think all companies should ask themselves – How many days, hours or minutes can you ‘survive’ if your exposure risk assessment has severe errors or if your screening model fails? Your answer to that tells you about its criticality.
Lars von Ehrenheim, sanctions expert and Director at Advisense Financial Crime Prevention team
If you have a robust, well-built system, there will be an inception, i.e. if customer screening will cease to work, onboarding will stop. In other word, sanctions screening is often critical and if it does not work properly business screening will have to be done manually by your personnel and that is not something you want to do. The argument here is that your sanctions exposure risk model should be managed in the same way as your AML risk or your capital risk model.
If you are a trading company, you can leverage what is done in the financial sector. You share the same problems, but have different regulatory requirements to comply with.
It is the sanctions exposure (and risk) assessment that feeds the controls. Prior to that the question is what screening that your business needs, how it should be set up and fine-tuned. Moving forward, then the challenge is to how you manage to maintain an effective functionality and currency of your controls.
A lot of business today have good technical expertise in-house to setup up systems for assessing AML risks. Conceptually and functionally however disciplines need to meet at the interception between technology and regulatory and risk management expertise to arrive at a solid assessment outcomes.
According to Lars von Ehrenheim, it is easy to spot organisations where sanctions risk management is an understaffed area. The good thing though is that there is normally a lot of valuable experience from model development and model risk management in other parts of an organisation. This suggests good understanding of what to do if the model works well technically however where it lacks proper contents and activities. Again, he points towards credit risk and capital risk model management and the established structures and ways of working. In essence, there is no need to completely reinvent the wheel.
Sanctions risk management should be understood on equal terms as AML
Lars von Ehrenheim
A common scenario can be to assume that sanctions screening is the only control measure that your business needs. Sanctions risk management should be understood on equal terms as AML. Aligning and integrating your sanctions processes with your AML program makes it considerably clearer. It entails the KYC process, in particular assessing legal persons and UBOs, potential risks that legal persons can circumvent sanctions through complex structures. So yes, this requires different capabilities than screening as a specific activity. You would also want to be able to analyze trends and behaviours afterwards.
It all boils down to how well you really know your customer, and that requires a large amount of data
Lars von Erhenheim
There may be no ‘easy’ steps to ensure successful sanctions risk management, but to provide a sharply packaged set of recommendations, this is where to focus:
- Establish a clear connection between your sanctions exposure assessment and your risk assessment. Scrutinize how accurate your fuzzy logic needs to be, depending on where you have business operations, if you are in the EU, the US, if you have business transactions with China, the United Arab Emirates etc.
- Screening builds on modern transaction monitoring. It has to be effective to get precise hits. No one wants to have a lot of manual resources dealing with investigating false alerts.
- Implementation – successful implementation relies on good data quality. How many have issues with data quality, hands up? If everyone puts their hand up is a signal that there are a lot of uncertainties in your model To avoid this, make whoever is setting the requirements the same party as the owner of the data. Oftentimes quality requirements on data are missing.
- What other controls do you need? It is recommended to align with post transaction controls in line with AML transaction monitoring. For a financial institute, these might be in place and would need to be tailored to capture sanctions evasion as well as ML/TF.
Join us on the 19th November when we will talk more about all the above, and:
- Customer Screening and payments/transactions screening
- Model Risk Management
- Defining a risk model inventory and the practical implications, including the model for inventory maintenance
- Risk model methodologies
- Model validation and implementation
- Processes, procedures and routines – Understanding and achieving efficiency within sanctions risk management
Read our previous articles on Sanctions Risk Management
Sanctions Risk Management – Dealing With the New Reality
Sanctions Risk Management – What To Expect and What To Have in Place
