How can financial institutions effectively comply with Sanctions programs?
The recent decision of the US President to withdraw from the Iran Nuclear Agreement and reimpose sanctions against that country has put sanctions compliance back into the spotlight, as companies and businesses all around the world will potentially be impacted. The field of sanctions compliance has been constantly evolving since the landmark settlement between the US Department of the Treasury and BNP Paribas in 2015. The USD 8.9 bn[1] fine was the largest in history against a financial institution and reminded the industry of the urgent need to comply with sanctions regulations. This applies especially to US sanctions, given the severity of their enforcement actions: heavy fines and the need to operate in dollars force every international institution to comply.
Sanctions compliance can be seen as a specific field within Financial Security, deeply connected to Anti-Money Laundering (AML), Counter Terrorism Financing (CTF) and, more generally, the surveillance of transactions and operations processed by financial institutions, along with the knowledge of the different counterparties involved in them: Know Your Customer (KYC), Know Your Intermediary (KYI), or Know Your Transaction (KYT).
International Sanctions are foreign policy instruments employed by States to protect their national interests by targeting certain individuals, companies or countries. Economic sanctions impose certain restrictions against countries, such as trade embargoes or restrictions on the export of certain goods (e.g. aviation, military, nuclear technologies). On the other hand, financial sanctions target individuals or companies and entail the freezing and blocking of all property or interest in property of the sanctioned targets. On top of national regulations, the major sanctions regimes are the US, the European Union and the United Nations Sanctions.
While it is governments that designate the sanctioned targets and applicable restrictions, it comes down to private companies to implement these measures throughout their network of operations: business must be subject to the restrictions imposed by the law. Hence, banks, insurance companies and money service businesses, among other financial actors, are subject to a regulatory obligation to systematically search through their transaction flows and client databases to detect any potential operations or assets found in violation of sanctions. Any deal with sanctioned persons, or its mere facilitation, may be punished as a violation. Banks and other financial actors need to in order to apply the necessary restrictions required by law.
Perhaps the most widely known Sanctions regime is the US embargo against Cuba, issued in 1962 by President John F. Kennedy. Those sanctions remain in force today, although with significant amendments over time. Recent geopolitical events like the long-lasting Crimea crisis and political instability in Venezuela or North Korea have led to the adoption of more complex sanctions regimes.
The United Nations Security Council Sanctions List is the global Sanctions regime approved by the UN Sanctions Committee. It targets transnational terrorist organizations, drug cartels and prominent political or military officials from countries suspected of Human Rights violations, along with companies linked to them. Once national governments transpose these UN Sanctions into their legal systems, they become directly enforceable.
Perhaps the most intricate Sanctions regime is the one managed and enforced by the US Department of the Treasury’s OFAC (Office of Foreign Assets Control). Its Specially Designated Nationals (SDN) List targets companies and individuals designated by virtue of US national security interests. Any individual or company listed as an SDN is subject to a complete asset freeze, meaning that any property or interest in property must be blocked. While its formal ownership remains with the sanctioned persons, the capacity to operate and to trade such assets must be completely blocked. Hence, banks and other financial institutions are bound to search, identify and immediately block any property or interest in property of sanctioned persons and companies. They must also report the blocked transactions to the regulatory authorities within 10 days.
As OFAC puts it on its website, there is no standard appropriate sanctions compliance program: the efforts and dimension of the compliance function will depend on the individual features of each business. Let’s have a look at different factors that can help define a tailored approach to Sanctions compliance.
Which different jurisdictions is my institution subject to?
The first challenge in Sanctions compliance is to delimit the scope of applicable regulations: to comply with a law, you first need to know which law to apply. Many factors need to be considered to determine which sanctions are applicable and on which perimeter of activities:
- Are operations spanning across various countries? This will condition the different international regimes or national regulations to comply with. Compliance should be studied not only on the level of countries where activities are carried out, but also at an international level since the European Union and the United Nations also manage their own sanctions lists. Some countries issue autonomous sanctions against specific targets, while others just transpose the sanctions lists issued by the UN Security Council.
- Which currencies is business conducted in? For example, American regulators claim compliance with US Sanctions whenever a transaction is denominated in USD. Practically, this means that almost any financial institution conducting international business will need to keep an eye on US Sanctions compliance. The lack of control over the clearing of USD-denominated correspondent accounts was in fact a major cause for the fines imposed on larger European banks by OFAC.
- What is the nature of operations conducted? The more complex financial operations are, the more intricate the compliance scenarios that should be considered. For example, a local savings bank would just need to analyze if any accounts or transactions are linked to sanctioned individuals or companies. A larger international institution will need to search through the financing of import-export transactions to detect if any sanctioned countries, ships or restricted goods are involved. Ultimately, institutions operating on a global marketplace must ensure that no prohibited securities or equity are processed through their trading systems.
How could my institution be potentially involved in Sanctions violations?
Once a Financial Institution has established which jurisdictions it is subject to, each of those legal regimes should be thoroughly analyzed to completely understand the and how sanctions regulations will impact business operations. All regulators publish Sanctions Lists of persons and companies to be blocked, but some of them also demand that all companies owned by sanctioned persons be blocked as well. In this case, banks and companies need to perform their own research or may source such data from an external market intelligence provider.
Which other stakeholders are involved in operations? Indeed, the analysis of operations must reach beyond the names of individuals and companies that are official counterparts of a given transaction. Financial institutions should systematically seek to establish who the beneficial owner of a company is, so as to ascertain whether it is owned by a sanctioned person. Whenever a company is owned 50% or more by sanctioned persons or companies, it should be considered as sanctioned and subject to the same restrictions as its owners. This is a particularly complex endeavor, since sanctioned targets will systematically seek to conceal their real ownership via complex schemes of subsidiaries and holdings.
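The ownership rule above can be applied as a repeated pass over an ownership graph. The sketch below is an added illustration, not part of the original article: the data layout, entity names and percentages are constructed, and it assumes that a company flagged under the 50% rule counts as a sanctioned owner in full when its own holdings are evaluated.

```python
"""Propagate a sanctions designation through an ownership graph (illustrative)."""

THRESHOLD = 50  # percent; "owned 50% or more", as stated in the text


def blocked_by_ownership(listed, stakes, threshold=THRESHOLD):
    """Return {entity: {blocked_owner: pct}} for entities that are not listed
    themselves but are owned `threshold`% or more, in aggregate, by parties
    that are listed or were flagged by this rule.

    listed: set of names that appear on a sanctions list.
    stakes: {company: {owner: percent_held}}, direct holdings only.
    """
    blocked = set(listed)
    reasons = {}
    changed = True
    while changed:  # repeat until a full pass flags nothing new
        changed = False
        for company, owners in stakes.items():
            if company in blocked:
                continue
            # Stakes held by parties already known to be blocked.
            held = {o: p for o, p in owners.items() if o in blocked}
            if sum(held.values()) >= threshold:
                blocked.add(company)
                reasons[company] = held
                changed = True
    return reasons


# Constructed sample data: every name and percentage here is invented.
LISTED = {"Person A", "Person B"}
STAKES = {
    "HoldCo 1": {"Person A": 30, "Person B": 25, "Fund X": 45},  # 55% aggregate
    "HoldCo 2": {"Person A": 49, "Fund X": 51},                  # below threshold
    "TradeCo": {"HoldCo 1": 50, "HoldCo 2": 50},                 # via HoldCo 1
    "ShipCo": {"TradeCo": 40, "Person B": 10, "Fund Y": 50},     # 40% + 10%
    "LoopCo A": {"LoopCo B": 60, "Fund Y": 40},                  # circular pair
    "LoopCo B": {"LoopCo A": 60, "Fund Y": 40},                  # no blocked owner
}

if __name__ == "__main__":
    for entity, held in blocked_by_ownership(LISTED, STAKES).items():
        print(f"{entity}: {sum(held.values())}% held by {sorted(held)}")
```

None of the flagged companies in the sample appears on a list itself, so name screening alone would pass them; the circular pair shows that cross-holdings without a blocked owner do not trigger the rule.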
Specifically, financial institutions need to pay increased attention to the extraterritorial reach of US Regulations. US Sanctions are applicable outside of the US territory as soon as a relevant nexus connects a transaction to the US. Any US citizen or permanent resident, or any foreigner within US jurisdiction, is considered subject to US sanctions. Companies incorporated under US law, as well as subsidiaries and branches of foreign companies located in the US, are also bound by such regulations. Even transactions with no apparent connection to the US via counterparties could be subject to US Sanctions regimes, for example if the goods traded between two third countries are of US origin. For example, airplanes sold by Airbus to Iran Air will be impacted by the newest US Sanctions against Iran, because they contain some parts manufactured in the US. The French Parliament deems this principle a major risk for non-US companies, since it might cause sanctions violations to go unnoticed.
Lately, the industry has seen a common approach in compliance through de-risking. As a response to tightened regulatory pressure, institutions tend to reduce their exposure to risky business sectors or countries to avoid potential sanctions violations. They therefore set stricter compliance standards, often beyond the regulator’s requirements, and can even refuse to enter legal business if it presents a considerable risk of sanctions violations.
A decentralized compliance function to accompany business
The challenge of an effective sanctions compliance operational model is to efficiently combine the business expertise with a legal or regulatory oversight over each field of operations. A decentralized compliance setup is crucial to account for the particularities of different departments or branches. The nature of activities and their associated risks may vary significantly, and since compliance is gaining the power to limit or discontinue business, it should be in close contact with operational teams. Institutions with international branches should also appoint dedicated staff to monitor and enforce the respective regulatory requirements in each jurisdiction.
A decentralized sanctions compliance function should also be intertwined and coordinated with a global risk oversight, to ensure a coherent supervision at the level of the whole institution. Overall risk monitoring must ensure that all entities commit to equivalent compliance standards and that procedures are applied throughout all business branches. Reporting to regulators should ideally be centralized to ensure coherence of all documentation communicated to the authorities.
Industrialization and optimization of legacy compliance processes
Depending on the size of the institution and the volume of clients and transactions, a certain level of automation and industrialization will be necessary. As a rule, incoming transactions should be filtered before entering, and outgoing transactions before leaving the internal systems. The identities of new customers must be checked before the opening of any service entailing payments or trades. Such compliance verifications at onboarding and throughout the customer relationship must be orchestrated in order not to interrupt the client experience, where any unjustified delay or request for unnecessary documents will result in customer dissatisfaction.
Larger international banks have automated client and transaction-monitoring systems capable of processing thousands of transactions in real-time. These systems will flag a transaction for review by an operator if there is any suspicion of sanctions violations. The challenge here is not only to build and support these complex global systems, but to efficiently handle and disposition the outputs of such checks to apply an adequate treatment in line with regulatory expectations.
Such processes can be enhanced by applying some layers of digitalization via Machine Learning and Optical Character Recognition, among other varied technologies. Numerous use cases around financial sanctions compliance have proven the potential to increase efficiency of connected processes such as KYC/KYT, regulatory monitoring and reporting, or treatment of alerts.
Indeed, most alerts generated by such systems are homonyms or obvious false positives without any risk from a sanctions perspective. However, the complexity of sanctions programs and jurisdictions demands a detailed scrutiny of flagged transactions to discard the risk of sanctions violations. The enormous quantity of alerts must be sorted out to enable an in-depth analysis of the most complicated cases.
Since larger institutions rely on legacy systems to perform such checks, there is an immense potential for optimization. Introducing some layers of artificial intelligence into the process of filtering and analyzing transactions will significantly improve the system’s performance. A robotized semantic analysis can reduce the number of false alerts, while those generated can be classified according to the risk they present or their priority for an immediate analysis. A risk-based generation and prioritization of sanctions alerts is today crucial for financial institutions to efficiently handle the changing regulatory constraints.
Culture of compliance as a global approach to regulatory issues
Last but not least, an in-house culture of compliance will significantly contribute to the success of sanctions compliance. This should include regular training sessions for front- and back-office staff and targeted sessions for staff of certain business branches. All employees should understand compliance challenges and how their contribution to compliance matters to the whole setup. In this respect, some institutions have even set up compliance whistleblowing hotlines where employees can signal any potential violation.
Top and middle management should embrace the mindset that compliance efforts can be turned into an asset. Rather than a separate watchdog function that harnesses business, Compliance should be integrated into the company’s strategy to reinforce commercial efforts. The better an institution knows its clients, their needs and habits, the more personalized services it will be able to propose.