Today's news headlines are crowded with sanctions enforcement cases: mostly large financial organisations that failed to meet their obligations and were fined hefty sums of money. More often than not, these are financial organisations which are actually willing to implement the restrictions that sanctions impose and yet still fail. Why is that? (Those FIs which deliberately violate these laws for political or other reasons are out of scope for this article.)

The answer is that, even though it seems very simple (do not do any type of business with sanctioned entities or persons), in practice there are a lot of details which make the whole thing much harder to achieve.

Let's start with the basics:

On the one hand, there are sanctions lists: lists of sanctioned individuals and entities with whom you must not do any business. These lists are publicly available and most notably originate from the US Treasury Department (specifically its Office of Foreign Assets Control, OFAC), but there are also sanctions lists from other jurisdictions such as the EU, UK, Switzerland, Hong Kong, etc.

On the other side, we have financial organisations which have customers, partners, vendors, employees, etc. Thus, at its very core, what should happen is that the names on the sanctions lists are matched against the names of the entities and individuals the firm is directly or indirectly dealing with, and in case of a match the firm must either not start a new relationship or terminate an existing one.

Depending on the type of organisation and the sector/country it deals with, the difficulty of meeting these obligations varies greatly. For this article, we will take the example of a large financial organisation with a global presence:

An EU-based global firm has subsidiaries, branches and other holdings in various countries, e.g. in the US, China, UAE, Mexico and Russia. Each of these subsidiaries/branches has corporate and individual clients (and also partners, vendors, etc.). They store the business-relevant information such as names, dates of birth/incorporation, gender, etc. in their respective databases and in their respective languages: English, Chinese, Arabic, Spanish and Russian. In order for the global firm to be a "law-abiding citizen", it must, at the very least at the holding company level, screen the names of all clients, vendors, partners and related parties against the various sanctions lists (and, to be fair, against other lists too, such as negative news lists, PEP lists, other special lists, internal "grey" lists and police lists from Europol, Interpol, etc.) and, in case of a true match, either terminate the relationship or otherwise take the measures required by the relevant regulation.

Against this background, these are the typical challenges the firm faces:

Challenge 1: Political drift between the US and the EU, resulting in differences between the lists. This is a relatively new development but has huge potential to become the biggest challenge for global firms. In short, if the sanctions lists of two or more countries conflict and the firm operates in all of them, it may face a "no choice" scenario where, whatever it does, it violates one or another sanctions law. The firm then simply assesses where the fine is lower and goes with that.

Challenge 2: Data quality. Due to differences in IT standards, processes and systems between countries and subsidiaries, it typically happens that not all data is collected at the outset of the business relationship, or it is partially or wrongly collected, or it is even lost. Obviously, if there is no data, no screening is possible.

Challenge 3: Differences in regulatory compliance strategy. Whilst the holding firm has ultimate ownership of and responsibility for being compliant, the subsidiaries very often have great freedom in setting their own strategy, and this also applies to compliance strategy. This means a possible drift between compliance standards, processes, the ultimate risk appetite and the final decision on whether to rank a particular customer as high or low risk.

Challenge 4: Related to Challenge 3, the subsidiary's level of independence might mean that it has its own screening software. Nowadays, businesses are increasingly dependent on their IT infrastructure and the line between IT and business is increasingly vanishing. Why is this important? Most global firms have no internal capacity to develop their own IT tools, so software vendors create such tools to the best of their knowledge of the regulatory landscape. Even though the packages of different vendors are relatively similar (as they should be, since they cover the same regulatory material), there can still be critical differences in screening logic as well as in alert display and other features. In short, the subsidiary may have bought software whose screening logic differs from that of the software the holding company implemented, and the resulting gap is a great risk.

Challenge 5: Staff capacity. Related to Challenges 3 and 4, the quality of the screening tool's alerts and the number of employees/investigators who must work through these cases is another challenge. For example, a subsidiary might not have (or be willing to have) many employees working in compliance, and in that case (even if the software were the same between holding and subsidiary) it might decide to apply stricter thresholds to drive the total number of alerts down. If the subsidiary has different software, it is much easier for it to set much stricter thresholds than the holding company, arguing that the two products are so different that they are not comparable. So here again there is a huge risk of a gap in regulatory coverage.

Challenge 6: As if there were not enough challenges already, the names on the sanctions and other lists (excluding the bank's own lists) are typically in Latin characters, so before the names can be compared they first need to be translated, or more correctly transliterated, into Latin characters. Even though this task lies with the software firm, if the transliteration does not work properly (and that has often been the case), it ultimately means that the global firm has failed to have appropriate systems in place to execute proper screening and KYC processes.

Fuzzy logic is a methodology deployed by most software vendors which basically promises software buyers that even if they have some data deficiencies (Challenge 2, data quality), their screening systems will still be able to alert them to a possible breach. For example, if the sanctioned individual is Gio Kevanishvili but for some reason the customer record shows the client as Giorgi Kevanaschvili, an alert would still be generated. This is surely a good thing, but here again the global firm's compliance department must decide what kind of fuzzy logic thresholds it wants to go with: if the threshold is too strict, it will only alert when there is a very minor deviation between the names; if it is too loose, compliance will be drowned in a very high number of false matches.
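As an added example (not code from the article or from any vendor's product), here is a minimal Python sketch of the screening step behind Challenges 5 and 6: a non-Latin record is transliterated, names are normalised, and a fuzzy score is compared against a threshold. The transliteration table, the sample sanctions list and the customer records are constructed for the example; the edit-distance score is just one of several fuzzy methods vendors use, chosen here because it is easy to follow.

```python
"""Added example: transliterate, normalise, then fuzzy-match names against a list."""
import unicodedata

# Constructed, deliberately incomplete Cyrillic-to-Latin table, just enough for
# the sample record below. A real system would use a full standard and handle
# other scripts; this table is an assumption for the example, not a standard.
CYRILLIC_TO_LATIN = {
    "а": "a", "в": "v", "г": "g", "е": "e", "и": "i", "к": "k",
    "л": "l", "н": "n", "о": "o", "ш": "sh",
}


def transliterate(text: str) -> str:
    """Map Cyrillic letters to Latin; unknown characters pass through unchanged."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in text)


def normalise(name: str) -> str:
    """Lower-case, strip diacritics, transliterate, drop punctuation and sort the
    tokens so word order ('Gio Kevanishvili' vs 'Kevanishvili, Gio') does not
    affect the score."""
    text = unicodedata.normalize("NFKD", name.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = transliterate(text)
    tokens = "".join(ch if ch.isalnum() else " " for ch in text).split()
    return " ".join(sorted(tokens))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 = identical after normalisation; 0.0 = nothing in common."""
    na, nb = normalise(a), normalise(b)
    if not na or not nb:
        return 0.0
    return 1.0 - levenshtein(na, nb) / max(len(na), len(nb))


def screen(record_name: str, sanctions_list, threshold: float):
    """Return (listed_name, score) for every list entry scoring at or above
    the threshold, best match first. Raising the threshold lowers alert volume
    and raises the risk of missing a true match; lowering it does the reverse."""
    hits = []
    for listed in sanctions_list:
        score = similarity(record_name, listed)
        if score >= threshold:
            hits.append((listed, round(score, 3)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample data: the article's own example pair plus a Cyrillic record.
SANCTIONS_LIST = ["Gio Kevanishvili", "Jane Example"]
CUSTOMER_RECORDS = [
    "Giorgi Kevanaschvili",   # spelling drift, as in the article
    "Гио Кеванишвили",        # same person, stored in Cyrillic by a Russian branch
    "Kevanishvili, Gio",      # reversed order with punctuation
    "John Smith",             # unrelated customer
]

if __name__ == "__main__":
    for threshold in (0.9, 0.7):
        print(f"threshold {threshold}:")
        for rec in CUSTOMER_RECORDS:
            print(f"  {rec!r:26} -> {screen(rec, SANCTIONS_LIST, threshold)}")
```

Running it shows the trade-off the article describes: at a threshold of 0.9 the article's own pair (Gio Kevanishvili vs Giorgi Kevanaschvili, score 0.75) produces no alert, while at 0.7 it does, and the Cyrillic and reversed-order records match exactly only because the transliteration and normalisation steps ran first. That single threshold number is exactly the lever a subsidiary can pull to drive alert volume down, which is why a holding company should compare the effective thresholds across its subsidiaries rather than assume the products are incomparable.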

Challenge 7: Conflict between data protection laws and AML/KYC regulatory requirements. In order to implement sanctions law and other related regulatory requirements, the global firm must be able to source information in one country, store it in another country (e.g. where the screening tool is installed) and, for investigation purposes, share the data with the home regulator, a designated third party or a different branch. This makes sense from the investigation perspective but apparently does not make much sense from the data-sharing perspective. So right now there are some eye-catching differences in what can be shared even for AML/KYC/sanctions purposes, even between EU countries, not to mention the much greater differences between the US, the EU and Asia (Russia, China, etc.). Obviously, here again it has to do with politics.

This list is surely incomplete, as there are additional challenges specific to each firm's industry, legislation, business sector, etc. For example, banks, and especially correspondent banks, have to screen all transactions and block them if the screening tool finds something suspicious. A correspondent bank is just an intermediary between Bank A and Bank B: if Bank A's customer is transferring money to Bank B's customer and, for valid reasons, this transfer has to go through the correspondent bank, which has no direct relationship with either bank's customer, it must still screen the transaction and in case of a true match even refuse to execute it. With no or very limited details about the end customers, this can be a very challenging and time-consuming task.

To summarise and answer the headline question: global firms have been fined, and will possibly be fined in future, not necessarily because they were reluctant to comply but because they tried (and tried hard) and still failed to be fully compliant.

Also, having this complex background, I would not be surprised if some (especially smaller) banks, despite the headlines, go about it in a somewhat reactive manner, thinking "let's see what happens", "let's see if we get fined", whilst at the same time setting aside funds for a possible penalty or legal proceedings. On the other hand, there are always such players… Let's now hope for a better, higher-integrity world – this is surely one thing we can do.