6 steps to drive greater sanction screening effectiveness
The experts at AML Analytics take you through the vital steps a financial institution should take to ensure its sanction screening system is working as effectively as possible.
1. Senior management oversight and commitment
It is the responsibility of senior management of a regulated entity to have a good understanding of sanction screening processes, procedures, frameworks and technology, and the capability to act should sanctions risk arise.
Senior management should actively assess, review, and approve the organisation’s sanctions compliance programme including policies, procedures, resourcing, data and technology practices. Senior management should own the sanctions regime, as they will be accountable in the event of non-compliance.
A clear whistleblower policy and culture of compliance that does not penalise active reporting of potential sanctions violations or misconduct ensures senior management acts when misconduct or violations are identified.
Adequate resourcing
Senior management must not only provide oversight and maintain governance protocols, but also ensure adequate resources are provided to the compliance function.
These resources include suitable and proper staffing, technology, data and training, so that sanction screening can be undertaken in a manner aligned to the organisation’s risk-based approach.
Management reporting
Reporting on all relevant elements of the sanction screening programme should be provided to senior management frequently and in a risk-based manner, and no less than quarterly to the board of directors.
Reporting should include, but not be limited to, alignment with this policy document, and should focus on the ability to identify, assess and act on sanctions risk.
2. Risk assessment
In February 2019, the Wolfsberg Group published guidance on sanction screening.
They said that screening “requires a programmatic approach through which each financial institution must assess its own risks in order to define the manner, extent and circumstances in which screening is employed.”
That process is built around four core principles summarised as follows:
- Articulate the specific sanctions risk the financial institution is trying to prevent or detect within its products, services, and operations.
- Identify and evaluate the inherent potential exposure to sanctions risk presented by the financial institution’s products, services and customer relationships.
- Maintain a well-documented understanding of the risks and how they are managed through the set-up and calibration of the screening tool.
- Assess where, within the financial institution, the information is available in a format conducive to screening.
Being able to effectively identify potential threats and vulnerabilities within the sanctions compliance context will enable organisations to enhance their programmes.
A regular, periodic risk assessment of the sanction screening programme and its associated policies, procedures and frameworks will produce a stronger compliance programme.
Organisations that do not already have one in place should construct a risk assessment methodology based on their ability to identify, assess and manage those risks.
Emergent risk typologies
Because crime evolves and sanctioned individuals and entities continue to use evasive techniques, there is a need to constantly monitor new emergent risks and to test against new typologies on an ongoing basis.
Organisations should constantly monitor guidelines and alerts published by competent supervisory authorities and international standards bodies, and keep pace through continual training and skill development.
They should be able to enhance system effectiveness through the updating of policy and system configurations to meet new and emergent risks posed by sanctioned individuals and entities.
3. Ownership, skills and training
Responsible persons
Responsible persons need to be accountable within the organisation for the overall effectiveness of the sanction screening programme.
They should be adequately skilled with the requisite experience and be provided with ongoing training. Responsible persons should be knowledgeable across all elements of the sanction screening process and accountable for the areas they oversee.
Risk-based training programme
Training of responsible persons and associated personnel needs to be undertaken in a risk-based manner that is ongoing, frequent and helps develop appropriate expertise across all components of the sanction screening programme.
Training should cover all functions linked to the sanctions programme and should include accessible resources for all stakeholders, to continue to drive understanding of sanctions risks and better execution.
Policies and procedures
All configurations of the sanction screening programme including processes, policies, procedures, frameworks and technology configurations need to be adequately documented. Documentation should be securely stored and reviewed on an ongoing basis with continued updates in line with improvement programmes.
Clear and appropriate processes and procedures, defined and ratified by senior management, should be instituted and followed by all persons in the sanction screening process as well as the wider organisation.
Record keeping
In line with current obligations under local laws, all risk-relevant records need to be properly documented and securely stored, in physical or digital form depending on the nature of the document, and aligned with the organisation’s business practices.
4. Sanctions data
List selection
Appropriate lists are to be selected in accordance with regulatory agreements in place with other territories, exchange control agreements which enable trade relations, and any separate legislative prescriptions. Internal lists that prohibit relationships with certain parties can and should be included in screening configuration.
Commercial lists are available for procurement and are developed in the format required for screening system use. Commercial list providers retrieve list records from official published sources and provide consolidated list services to institutions in need.
List providers are private companies and not the official source of sanctions data, so they carry the risk of not updating records immediately, misspelling names and incorrectly classifying records.
Regulated entities should show that the sanctions lists selected from the chosen commercial list vendor are comprehensive and efficient enough to detect all sanctioned parties and are updated in line with source updates. This can be done by comparing the content and customer support of commercial list vendors.
Segmentation
Segmentation is the process of dividing lists within data sets so that each can be screened at a configuration appropriate to its risk. Sanctions, politically exposed persons (PEP) and adverse media data should be segmented in the screening process to ensure that a risk-based approach is implemented.
Segmentation allows differing thresholds to be tuned for screening based upon risk, and enables tuning for greater efficiency by using exact matching versus fuzzy logic, as highlighted in this document.
Whitelisting
This is the implementation of rules and configurations to automatically eliminate potential hits from screening. Whitelisting enables organisations to drive greater efficiency in screening practices.
5. Sanction screening technology
Balancing effectiveness and efficiency
Financial institutions should first ensure that they have the correct AML/CFT technologies in place to detect financial crime indicators. This should include a robust sanction screening system that alerts against names on globally important sanction lists and is tuned to flag sanctioned names even when they have been altered. Algorithmically altering names is how the fuzzy logic matching capabilities of a screening system are assessed: the manipulation stress-tests the system by making it harder to identify and alert against sanction records.
Sanction screening systems should be tested regularly to ensure that they are working as expected and that the number of false positives generated by the system is manageable and does not overwhelm available resources.
Testing will help a financial institution understand a system’s configuration whilst determining its weaknesses within pre-defined detection parameters.
Testing and the ongoing monitoring of the screening system will facilitate improvement and enhancement of system performance through ongoing iterative tuning to optimise the efficiency and effectiveness of a sanction screening system.
All AML/CFT technologies should be monitored on an ongoing basis to ensure that they remain correctly calibrated and that the number of false positives generated by the system remains at a manageable level.
A highly tuned AML/CFT system that is fit-for-purpose leads to relevant and valid alerts without the interference of excess system noise caused by numerous irrelevant false positives.
Manual and automated systems
Many organisations, including some of substantial scale and with material exposure to sanctions risk, still use manual screening. The choice between manual and automated screening systems should be risk-based.
Where automated screening software is implemented, whether commercially available or developed in-house, firms should understand its capabilities and limits, and make sure it is tailored to their business requirements, data requirements and risk profile.
Firms should also monitor the ongoing effectiveness of automated systems. Where automated screening software is used, firms should be satisfied that they have adequate contingency arrangements should the software fail and should periodically check the software is working as they expect it to.
Automated screening systems provide batch screening capabilities that make screening more efficient: delta screening, more effective use of data segmentation, better use of secondary identifiers, and typically far greater ability to customise configurations based upon risk.
Delta screening
Delta screening is the process of screening customer accounts only when a change occurs in either the customer records or the watchlists used in the screening process. This avoids the unnecessary process of screening the full list of customers against the full list of sanctioned parties every day.
Once the full list of customers has been screened against the full list of sanctioned parties, the full customer base need only be screened against new sanction names thereafter, and only new customers need to be screened against the full list of sanctioned parties each day.
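The delta screening procedure just described, as an added example rather than code from the original article: the screener keeps its hit set identical to what a daily full re-screen would produce while only comparing the records that changed, and also drops stale hits when a customer or list record is amended. Customer names, ids and list records are constructed sample data, and the exact-match comparison stands in for whatever matching logic the real system uses.

```python
# Added example (not AML Analytics' code): a minimal delta screener.
# All customer and list records below are constructed sample data.

def normalise(name):
    """Case-fold and collapse whitespace; a fuzzy scorer would slot in here."""
    return " ".join(name.upper().split())


class DeltaScreener:
    def __init__(self):
        self.customers = {}   # customer id -> normalised name
        self.watchlist = {}   # list record id -> normalised name
        self.hits = set()     # (customer id, list record id)
        self.comparisons = 0  # work done, to compare against a full re-screen

    def _screen(self, cust_items, list_items):
        for cid, cname in cust_items:
            for lid, lname in list_items:
                self.comparisons += 1
                if cname == lname:
                    self.hits.add((cid, lid))

    def update_customers(self, changed):
        """New or amended customers are screened against the FULL watchlist."""
        self.hits -= {h for h in self.hits if h[0] in changed}  # stale hits
        new = {cid: normalise(n) for cid, n in changed.items()}
        self.customers.update(new)
        self._screen(new.items(), self.watchlist.items())

    def update_watchlist(self, changed):
        """New or amended list records are screened against the FULL customer base."""
        self.hits -= {h for h in self.hits if h[1] in changed}  # stale hits
        new = {lid: normalise(n) for lid, n in changed.items()}
        self.watchlist.update(new)
        self._screen(self.customers.items(), new.items())


def full_rescreen(customers, watchlist):
    """The every-record-against-every-record baseline that delta screening avoids."""
    hits = {(c, l) for c, cn in customers.items() for l, ln in watchlist.items()
            if normalise(cn) == normalise(ln)}
    return hits, len(customers) * len(watchlist)


def demo():
    s = DeltaScreener()
    s.update_customers({"C1": "Acme Trading", "C2": "Initech", "C3": "Globex Corp"})
    s.update_watchlist({"L1": "ACME TRADING", "L2": "Initech"})   # day 1: initial full screen
    s.update_watchlist({"L3": "globex  corp"})                     # day 2: one new list record
    s.update_customers({"C4": "Initech", "C2": "Jane Roe"})        # day 3: one new, one amended
    return s
```

Over the three days the delta screener performs 15 comparisons, whereas re-screening the final 4 customers against 3 list records every day would cost 12 per day, and the resulting hit sets are identical.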
Sanction screening systems tuning
Tuning screening system parameters needs to be undertaken in an evidence-based manner to ensure configurations are aligned to the organisation’s risk-based approach. Configurability of the sanction screening technology in place needs to be addressed at procurement and implementation stage to enable the ongoing tuning to risk.
Optimisation of the technologies and of data usage needs to be undertaken on a periodic basis. Tuning should be undertaken in line with the testing frameworks highlighted in this document and should target both effectiveness and efficiency, reducing false positives without sacrificing detection. Tuning should be iterative and auditable, with reporting established for escalation to internal stakeholders.
Over reliance on vendors
Technology third-party vendor reliance continues to be prevalent in organisations as they look to rely on the implementation and technologies prescribed by vendors without proper evaluation and assessment.
Screening technology providers are heavily relied upon in the configuration of systems settings and rules without proper oversight from responsible persons which can lead to incorrect or erroneous system configurations.
Regulated entities must understand that off-the-shelf solutions from vendors may not address all their potential risks, in which case customisation and tuning need to be undertaken after testing is completed.
Exact matching and fuzzy logic
In some circumstances in the name screening process exact matching may be appropriate, such as in the case of adverse media screening. In sanction screening, however, fuzzy logic, or black box technologies powered by algorithms, is required to detect manipulations of sanctioned individuals’ or entities’ names. This can be provided either by third-party vendors or built in-house.
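To make the exact-versus-fuzzy distinction concrete, and to show the threshold tuning trade-off between effectiveness and efficiency discussed under "Balancing effectiveness and efficiency" and "Sanction screening systems tuning", here is an added example that is not AML Analytics' code or any vendor's engine: it normalises names (diacritics, punctuation, token order), scores them with a normalised Levenshtein distance, and counts alerts at several thresholds. The watchlist record and customer names are constructed sample data.

```python
# Added example (not AML Analytics' code): normalisation, exact vs fuzzy scoring,
# and a threshold sweep. All names below are constructed sample data.
import re
import unicodedata

def normalise(name):
    """Strip diacritics and punctuation, upper-case, and sort tokens so that
    'Smith, John' and 'Jöhn SMITH' reduce to the same string."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.sub(r"[^A-Za-z0-9]+", " ", plain).upper().split()
    return " ".join(sorted(tokens))

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exact_match(customer, record):
    """Raw string comparison: what an exact-match-only configuration does."""
    return customer == record

def similarity(customer, record):
    """1.0 for identical normalised names, falling towards 0 with each edit."""
    a, b = normalise(customer), normalise(record)
    longest = max(len(a), len(b)) or 1
    return 1 - levenshtein(a, b) / longest

def screen(customer, watchlist, threshold):
    """Return (score, record) pairs at or above the tuning threshold, best first."""
    scored = ((similarity(customer, rec), rec) for rec in watchlist)
    return sorted((s for s in scored if s[0] >= threshold), reverse=True)

def threshold_sweep(customers, watchlist, thresholds):
    """Alert volume at each threshold: the evidence tuning decisions rest on."""
    return {t: sum(len(screen(c, watchlist, t)) for c in customers) for t in thresholds}

# Constructed sample data for the sweep.
WATCHLIST = ["JOHN SMITH"]
CUSTOMERS = ["Smith, John", "Jon Smith", "John Smyth", "John Smithers", "Jane Doe"]
```

With these inputs, exact matching misses even "Smith, John", while a threshold of 1.0 on normalised names catches it alone; 0.85 adds the two one-letter variants, and 0.7 also pulls in "John Smithers", which is the kind of extra alert a tuning exercise weighs against the added coverage.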
Group-wide system management
If there is a group-wide screening policy, localisation measures and controls need to be provided to local offices to meet local regulatory obligations.
6. Testing and auditing
Independent and objective
Testing of sanction screening systems and validation should be independent of the compliance function and executed either by third parties or internal audit. The assessment and testing need to be objective and carried out by skilled practitioners with detailed metrics and analytics.
Reporting should be provided to the organisation that aligns with the overall effectiveness and efficiency goals set out by senior management. Testing should utilise fit-for-purpose synthetic data and clean identification for further efficiency testing. Testing is a mandatory requirement for all regulated entities (REs) to ensure they understand their targeted financial sanctions (TFS) requirements and have implemented a programme to identify any potential sanctions risks.
Frequent testing and validation
Testing of sanction screening systems, and the assessment and validation of sanction screening processes and frameworks, should be undertaken in a frequent and ongoing manner. Frequency should be risk-based, depending on the scale and risk assessment undertaken by the organisation, but at a minimum more than once per year.
Testing should be iterative and should utilise a consistent methodology, with results reported to senior management on a regular basis and the overall effectiveness of the sanction screening compliance programme reported as defined in clause 2.1.3. Peer comparative data should be used in testing to ensure system performance meets industry benchmarks.
Pre & post implementation testing
Thorough, rigorous and robust testing of new or updated systems needs to be undertaken both before they go live and after implementation, to ensure relevant controls are in place to identify potentially sanctioned individuals and entities. Testing should cover all parts of the technology, with a clear audit trail of the testing performed.
Testing frameworks
Testing frameworks should be defined within the organisation’s policy and utilised by responsible persons. They should be based upon evidence and documented tuning practices, and should enable REs to understand system performance, diagnose deficiencies and weaknesses within the technologies or data, and allow for configuration support and a clearly documented methodology.