5 Practical Questions to Ask for Assurance of Your Sanctions Controls
With the latest moves to ratchet up sanctions on Russia in recent days, the sanctions landscape once again grows more complex. We’ve seen in the last few weeks a dizzying array of different types of sanctions that continue to change as the conflict in Ukraine progresses.
For the moment, everyone’s focus is justifiably on simply figuring out how to comply with their sanctions obligations. Most companies are in full de-risking mode, with at least 600 companies having left or scaled back their Russia operations and compliance teams at full-throttle.
However, these historically rapid and wide-ranging sanctions are essentially a massive stress test of companies’ sanctions controls.
This is particularly true for banks and fintechs that have a widespread customer base and conduct lots of transactions. The reality is that, in all likelihood, some companies’ controls will break down or fail in some way. And without automated assurance providing ongoing controls monitoring, there is no real way for a company to know how effectively their controls are operating in real-time.
Maintaining effective sanctions controls is critical for companies as even one mistake can be hugely detrimental. This means that compliance officers, in addition to focusing on pure sanctions compliance, should also monitor for risks of possible sanctions controls breakdowns. To help with this, below are five practical questions you can ask to improve assurance over your sanctions controls.
Why do effective sanctions controls matter?
Not only are sanctions complex, but a single mistake can land you in major trouble.
One control failure can quickly multiply into hundreds or thousands of prohibited transactions before you find the issue, with the size of your potential penalty increasing rapidly for each additional transaction.
On top of that, in the U.S. (and soon in the UK), you can be punished for a sanctions violation despite having a reasonably designed sanctions compliance program. Then, there is also the reputational risk of being named publicly as having poor controls and, for banks and fintechs, the extra scrutiny that you might invite from other regulators.
Because overlooking even one prohibited transaction or sanctioned customer can lead to a penalty, the stakes are incredibly high for maintaining your sanctions controls.
It isn’t a straightforward task to avoid sanctions breaches and there are many opportunities for mistakes. Say you’re an emerging fintech intent on complying with sanctions. A basic approach to sanctions compliance might look like this: you write a sanctions compliance policy and procedures, you hire a sanctions screening vendor, and then you review any screening alerts for true positive matches to a sanctioned person. Done, right? Unfortunately, that’s not the case.
Prior sanctions enforcement actions are filled with stories of companies who did all of these basic steps, but made some small missteps elsewhere that led to a sanctions breach (or many breaches). These include, among others, failing to screen customers’ nationality, failing to screen IP addresses obtained from clients, or not catching an analyst’s failure to escalate a high-risk alert.
In short, the severe potential consequences of even a single failure make it more important than ever to ensure the effectiveness of your sanctions controls and avoid any slip-ups.
Questions to Assure Your Sanctions Controls
To gain assurance about controls effectiveness, compliance officers should be checking regularly for any signs that their controls have lapsed.
We’ve suggested five questions below to help you think about potential areas of controls breakdowns in light of the recent Russia sanctions.
You may be focused on screening customers and beneficial owners, which can be difficult for Russian entities with opaque ownership structures. However, are you similarly screening any person you have a business relationship with for potential sanctions exposure, including counterparties or service providers?
If you have data, you’re expected to screen it. Companies have slipped up by obtaining information in the course of business - e.g., emails, location data, or onboarding documents - indicating some connection between an account holder or a transaction and a sanctioned entity, but failing to flag and screen this data. Do you have any data that you're not screening?
Other departments, particularly customer-facing departments, may not understand that an account’s suspended or cancelled status is due to sanctions risks. If a customer, or even an internal business unit, complains, then other team members may try to re-open the account. Are you confident that any accounts suspended or cancelled for sanctions risks have not been re-activated?
If you typically suppress alerts for persons that were previously determined not to be sanctioned, are you sure those persons are being re-screened for the latest sanctions? With the vast number of recent sanctions designations, you should check to make sure the triggers for reviewing false hit list entries are working.
Are your front-line analysts struggling with their review caseload due to a spike in screening alerts generated by the new sanctions? Whilst you cannot prevent human error, you should check that your team is not over-burdened. Otherwise, you face greater risks of team members making errors or deviating from procedures.
While there are certainly many other risks to check for, these questions will help you manually check for potential sanctions controls failures. Of course, there is still a fundamental limitation, which is that by the time you discover a problem, the issue will likely have started months and months ago and grown much worse in the meantime.
The good news is that technology in the form of automated assurance can enable compliance officers to know in real-time if their controls are breaking down and exposing the company to sanctions risks. With tools like Cable’s sanctions assurance in hand, instead of asking questions like those above and simply hoping that no mistakes are found, compliance officers can have confidence that any failures will be detected and fixed right away.
