Why are regulators so concerned about sanctions screening?
Regulators and supervisors around the world are becoming increasingly proactive in the current ever-changing sanctions environment and are conducting more frequent sanction screening Thematic Reviews to improve the quality of their AML/CFT supervision. This in turn is putting additional pressure on financial institutions (“FIs”) to ensure that their sanction screening systems are performing correctly and in accordance with a firm’s risk appetite.
To date we have completed over 30 Thematic Reviews around the world, testing the systems of over 500 regulated entities with over 900 screening systems included in the scope of Thematic Reviews so far. Many more are scheduled for 2023 and beyond.
Sanction screening system testing establishes the effectiveness and efficiency of a system and is a vital tool for regulators to ensure that a regulated entity is meeting compliance requirements, minimising its exposure to financial crime risk and has robust detection systems in place.
The aim is to understand the overall level of effectiveness and efficiency of each client and transaction screening system in scope, with particular attention placed on these key considerations:
- Does the system generate an alert when a sanctioned name is screened?
- Are the fuzzy logic matching rules, configuration and threshold settings of a system effective so that an algorithmically manipulated sanctioned name generates an alert?
- Are the levels of false positives from a system within manageable levels for the regulated entity?
- And finally… is system performance in line with the regulator’s expectations?
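The key considerations above can be run as a small measurement harness. The sketch below is an added example, not taken from the article or from any screening product: `difflib.SequenceMatcher` stands in for a vendor's fuzzy-matching engine, the three manipulations are assumed stand-ins for "algorithmically manipulated" names, and every name is constructed and fictional.

```python
from difflib import SequenceMatcher

# Constructed, fictional names; no real sanctions-list entries are used.
WATCHLIST = ["Zorvan Kelthuri", "Maribel Quastone", "Oskar Vendrahl"]
CLEAN = ["Zoran Kelter", "Marisol Quinton", "Oscar Wendell", "Priya Nandakumar"]

# Deterministic manipulations (assumed for illustration) applied to listed names.
MANIPULATIONS = {
    "delete_char": lambda n: n[:3] + n[4:],
    "swap_adjacent": lambda n: n[:2] + n[3] + n[2] + n[4:],
    "reorder_tokens": lambda n: " ".join(reversed(n.split())),
}

def normalise(name, token_sort=False):
    """Lower-case the name; optionally sort tokens so word order is ignored."""
    tokens = name.lower().split()
    return " ".join(sorted(tokens) if token_sort else tokens)

def best_score(name, token_sort=False):
    """Highest similarity (0..1) between a screened name and any listed name."""
    probe = normalise(name, token_sort)
    return max(SequenceMatcher(None, probe, normalise(w, token_sort)).ratio()
               for w in WATCHLIST)

def alert_rate(names, threshold, token_sort=False):
    """Share of the given names that would raise an alert at this threshold."""
    hits = sum(best_score(n, token_sort) >= threshold for n in names)
    return hits / len(names)

def evaluate(threshold, token_sort=False):
    """Effectiveness (detection per test type) and efficiency (false positives)."""
    report = {"exact": alert_rate(WATCHLIST, threshold, token_sort)}
    for label, mutate in MANIPULATIONS.items():
        variants = [mutate(n) for n in WATCHLIST]
        report[label] = alert_rate(variants, threshold, token_sort)
    report["false_positive"] = alert_rate(CLEAN, threshold, token_sort)
    return report

if __name__ == "__main__":
    # Sweep thresholds to see detection and false positives move together.
    for t in (1.0, 0.95, 0.9, 0.8):
        print(t, evaluate(t), evaluate(t, token_sort=True))
```

Sweeping the threshold shows the trade-off a tuning exercise has to document: lowering it catches more manipulated names but starts alerting on clean look-alikes, while a matching rule such as token sorting recovers reordered names without touching the threshold.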
How big is the market for automated sanctions screening technology?
The market is enormous. With more than ninety different sanction lists globally, with 40,000 plus names that are constantly being updated, together with an infinite number of possible fuzzy logic combinations, it is almost impossible for FIs to manage sanctions risks manually. Just managing the sheer volume of sanctions updates since the Russian invasion of Ukraine in February 2022 has been a huge issue for FIs.
It is therefore essential for firms to invest in automated technology. As a company, we have tested most of the sanction screening solutions on the market and have seen many examples of the same solution being used by multiple FIs with a completely different performance outcome every time. This shows that what matters is how a system is used and not the actual system itself, which is surely encouraging news for regulators and regulated entities alike, who can work together with transparency to raise screening standards in a market by ensuring that screening solutions are understood, tuned frequently and operate in line with risk appetite.
Compliance is not cheap, but as many commentators have said previously, “If you think compliance is expensive, try non-compliance”. In their 2021 ‘True Cost of Financial Crime Compliance Global Report’, LexisNexis Risk reported that the global spend on financial crime compliance at financial institutions had reached $213.9 billion.
Which factors need to be considered when making an assessment?
Rather than me reinventing the wheel, I think the ‘Principles Generating Productive Alerts’ contained within the ‘Wolfsberg Group Guidance on Sanctions Screening’ explains it perfectly:
“Identifying and implementing risk based screening decisions, in order to maximise alert quality and minimise the number of low quality or irrelevant alerts, should be undertaken prior to the deployment of a new screening system and thereafter on an on-going basis. Risk based decisions may include:
- Lists - an FI may establish criteria and technology processes to ensure that lists are only screened against a subset of data relevant to a specific jurisdiction
- Exclusions - the addition of a party that poses low sanctions risk to a list of parties omitted from screening; or the use of conditional screening rules using list data or source data attributes
- Suppression - use of suppression rules or “Good Guys” lists to manage common false positive alerts requiring unnecessary manual review
- Data - removal of reference data from screening once the data is no longer risk relevant
A governance framework should contain the documented rationale for risk based decisions, such as those made in support of the creation of screening rules and threshold settings, as well as the risk acceptance or remediation efforts in relation to material deficiencies or changes”.
What are the common issues arising from the use of these technologies?
There are a number of common findings and trends that have become apparent to AML Analytics following our extensive work with so many regulators. The most pertinent of these observations are as follows:
- Unmanipulated sanction names are frequently undetected by FIs for long periods of time
- Vendors are tasked with managing the risk of an FI, without any awareness or understanding by the FI itself of any system settings
- Alert levels of sanction screening systems are often tuned to an FI’s existing resource capacity as opposed to being tuned to match an FI’s defined risk appetite
- Jurisdictionally relevant sanction lists are often not included in a screening system’s configuration
- New systems are rarely tested before implementation
- Testing (UAT) environments often do not mirror the production environments
- Screening systems rarely generate alerts to a sanctioned name if a system has not been tuned for a year or more
Are there any other factors that need to be taken into account when deploying this technology?
During a Thematic Review, we are frequently asked which sanction screening tool is the best. Most tools use similar technologies and work more or less in the same way; however, our experience shows that the key to optimum system effectiveness and efficiency is how the tool is used and how well it is understood by its operators.
If a screening system is not performing as expected, it will normally be due to one or more of the following reasons:
- Poor system configuration.
- The system is being used with “out of the box” factory settings.
- The system’s rules and settings have not been updated to suit the changing risk appetite of the FI.
- The system has not been upgraded with essential system updates.
- Too many sanction sources are being screened, denoting poor list management.
- The list provider is not fully up to date.
- An FI’s sanction list feed is not being kept up to date according to their list provider’s sanction list updates.
AML Analytics creates cutting-edge RegTech and SupTech testing, validation and risk management solutions for financial institutions, DNFBPs, money exchanges, crypto businesses, regulatory authorities, central banks, and governments.