Modern Challenges and Innovative Tools for Sanctions Compliance

Challenges of Sanctions Compliance

Financial institutions need to meet growing sanctions compliance demands without disrupting customer
services, incurring exorbitant overhead, or being exposed to regulatory fines.

Regulators strongly encourage financial institutions to employ a risk-based approach to sanctions
compliance by developing, implementing, and routinely updating a sanctions compliance program (“SCP”).
While each risk-based SCP will vary depending on a variety of factors—size and sophistication, products
and services, customers and counterparties, and/or geographic locations—each program should be
predicated on and incorporate five essential components of compliance:

Sanctions screening involves reviewing individuals, organizations, vessels, aircraft, and geographical
jurisdictions listed in transactional data, employees and contractors, and customer KYC information,
followed by vetting them against country-based and list-based sanctions. Country-based sanctions reflect
embargoes, such as the embargo on Cuba, while list-based sanctions focus on individuals and entities,
such as terrorists. Sophisticated name checks and list screening tools are instrumental in determining if
there is a connection with a sanctioned individual or entity.

Hefty fines against financial institutions for failing to comply with AML laws and regulations have
increased in recent years and are testament to the growing difficulty of adhering to sanctions compliance.
Penalties and fines not only affect financial institutions’ net value, but also their reputation.

Effective Tools for Sanctions Compliance

While robust filtering technology is essential to staying compliant, the most cost-effective approach
combines intelligent technology, people, and processes with self-learning. Effective technology must have
the capability to self-learn, which will systematically decrease the number of “False Positives.” Precise and
cost-effective controls meeting the demands of regulators and customers will form an integrated
sanctions compliance program. The onus is on financial institutions to detect, measure, and accept
risk(s), and it is a fine balance to find solutions that are effective and efficient in monitoring and screening
transactions.

Areas of Sanctions Technology:

• Lists: criteria and technology processes to ensure that lists are only screened against a subset of data
relevant to a specific jurisdiction
• Exclusions: exclusion of a party from screening that poses low sanctions risk or the use of conditional
screening rules using list data or source data attributes
• Suppression: use of suppression rules or “Good Guys” lists to manage common false positive alerts
requiring unnecessary manual review. Suppression rules help reduce false positives by
applying very specific logical conditions before generating an alert. On the other hand, “Good
Guys” lists work by suppressing unnecessary alerts on previously known false positives.
• Data: Data Attributes are specific pieces of identification information included in the Firm’s Reference
and Transaction Data. The screening requirements for Data Attributes are categorized in three ways:

  1. Mandatory – Data Attributes that must be screened;
  2. Screened If Available – Data Attributes, if available, must be screened; and
  3. Supplemental – Data Attributes, if available, will be used for alert clearing, but not for screening.

Strong data governance/management processes are imperative to reducing the noise. If the data is
frequently incorrect or not available, financial institutions should consider improving data quality.
Poorly configured screening software is often a contributing factor for regulatory fines. This is leading
many financial institutions to abandon manual reviews and outdated sanctions screening systems in
favor of more customizable and sophisticated technologies. This framework is also helpful during the
vendor selection process for the financial institution’s Sanctions screening program.

Other factors to consider when selecting a vendor for screening software are:

• Transactional Volume
• Technology Synergy
• Repository of Matching algorithms

For larger or more complex financial institutions, there is an expectation that the screening program will
require the use of a technology application that includes certain core functionalities to ensure appropriate
alert creation by, and governance over, the screening process. Such functionalities include the capability
to implement risk-based screening rules, generate high quality alerts for review, provide applicable
metrics and reporting, ensure data integrity, and facilitate independent testing and validation. A robust
operating model employs expertise from IT, Operations, and Financial Intelligence Unit (“FIU”) working
together to ensure appropriate alert generation and disposition.

The figure below details the key components of a technology framework that are critical in the
success of a robust SCP:

 

In 2014, OFAC amended its “50 Percent Rule” to state that the property and interests in property of
entities directly or indirectly owned 50 percent or more in the aggregate by one or more blocked persons
are considered blocked. OFAC “urges caution” even when an SDN has significant ownership under 50
percent, or an entity is controlled (but not owned 50 percent or more) by one or more blocked persons.
This presents its own challenges as financial institutions need to ensure that they have a proper KYC
process in place to identify related parties of the entities, and ensure that they are screened as part of the
screening program.

The burden of finding these bad actors equates to a range of tools and budgets for a comprehensive and
robust Sanctions Compliance program at financial institutions. Institutions must invest in new and
sophisticated technologies capable of automatically screening huge volumes of transactions and
precisely identifying suspected violators. This adds a layer of complexity as financial institutions need a
watchlist management system to review, update, and monitor any changes in the various watchlists.

Benchmarking Screening Capabilities

While no sanctions screening tool is perfect, it is important to understand the limitations of its technology.
Risks and their risk mitigation controls should be appropriately assessed and documented by performing
an impact assessment.

To validate the effectiveness of their compliance program, financial institutions should perform
independent testing of their Sanctions screening technology. This usually involves passing a test dataset
through the Sanctions screening tool in order to assess its effectiveness and the output data’s quality of
“matches”. Additionally, the output should be evaluated to make sure that all the relevant critical fields
(such as all available party name fields and country related fields within the transactions) are properly
mapped and monitored by the Sanctions screening tool. The real-time dataset should be a sample of
transactional data that will be tested in an environment similar to real-time screening in production at the
institution; this sample should contain a homogenized mix of various transaction types and message
types that are offered by the institution. The batch screening dataset, by contrast, should be a reasonable
representation or synthetic data of the institution’s customer base, customer types, and geographies.

While testing the different screening capabilities (batch and real-time) provides the institution a level of
confidence that all relevant data is processed by the screening solution, synthetic test data containing
known name variations and typologies of sanctioned individuals/entities should be used to establish a
benchmark for the screening solution. The results from the synthetic test data will provide the institution
with an indication of the controls provided by the screening solution and assess if any additional
mitigating controls or processes are needed based on the performance of the solution and the actual
customer/transactional data. Not every screening solution is created alike, and the functionalities and
algorithms are often black boxes that do not yield the same results when compared side-by-side. The
financial institution must ensure that they have the methodology, testing artifacts, and other
documentation available to demonstrate the “how” and “why” of the screening solution settings.

Due to the severity of fines associated with missed OFAC SDN matches by financial institutions, it is of
great importance to ensure that there are no true positive hits that fall through the cracks. As such,
modern sanctions solutions offer additional capabilities using more advanced algorithms and
techniques to capture potential matches in addition to the traditional exact name matches.

The robustness of these new techniques, however, typically leads to higher numbers of false positives and
requires a balance of risk tolerance in order to not overwhelm the capacity of investigations resources.
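
The benchmarking approach described above, as an added example that is not part of the original article or any vendor's product: a synthetic test set of known name variations is run through a matcher at several thresholds to measure recall against false positives. The watchlist entries and test names are constructed, and Python's `difflib.SequenceMatcher` is an assumed stand-in for a real screening algorithm.

```python
from difflib import SequenceMatcher

# Constructed data: none of these names come from a real sanctions list.
WATCHLIST = ["Ivan Petrov Sokolov", "Northwind Shipping LLC"]

# (name as it would appear in screened data, should it alert?)
TEST_CASES = [
    ("Ivan Petrov Sokolov", True),        # exact
    ("IVAN PETROV SOKOLOV", True),        # case change
    ("Sokolov, Ivan Petrov", True),       # reordered, punctuation
    ("Ivan Petrov Sokolv", True),         # dropped character
    ("Northwind Shiping L.L.C.", True),   # typo plus punctuation
    ("Ivana Petrova", False),             # unrelated customers
    ("Northwood Shopping Ltd", False),
    ("Maria Gonzalez", False),
]

def normalize(name):
    """Lowercase, drop punctuation, sort tokens so word order is ignored."""
    kept = "".join(c for c in name.lower() if c.isalnum() or c.isspace())
    return " ".join(sorted(kept.split()))

def best_score(name, use_normalize):
    """Highest similarity of `name` against any watchlist entry (0.0 to 1.0)."""
    prep = normalize if use_normalize else (lambda s: s)
    return max(SequenceMatcher(None, prep(name), prep(e)).ratio() for e in WATCHLIST)

def benchmark(threshold, use_normalize=True):
    """Run the test set at one threshold and report recall and noise."""
    missed, false_positives = [], []
    for name, should_alert in TEST_CASES:
        alerted = best_score(name, use_normalize) >= threshold
        if should_alert and not alerted:
            missed.append(name)
        elif alerted and not should_alert:
            false_positives.append(name)
    expected = sum(1 for _, s in TEST_CASES if s)
    return {"recall": (expected - len(missed)) / expected,
            "missed": missed, "false_positives": false_positives}

if __name__ == "__main__":
    for t in (1.0, 0.9, 0.7):
        print(t, benchmark(t))
```

Keeping the `missed` and `false_positives` lists for each threshold gives the testing artifacts needed to document why a given setting was chosen.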

Why Matrix-IFS?

Regulators are looking for financial institutions to implement sufficient controls within their Sanctions
Screening program, and it is the responsibility of the financial institution to have thorough knowledge of
the risks associated with their products, geographies, and customers from both a qualitative and
quantitative perspective – which is especially important now, given the dynamic and fast changing
regulatory environment. An effective Sanctions Screening Program is a combination of policies,
procedures, and technologies that enable a financial institution to ensure that it does not provide direct or
indirect services to sanctioned parties, without a license and the approval of OFAC.

Matrix has helped global top-tier financial institutions implement, upgrade, and tune their sanctions and
list screening solutions, with leading vendor solutions from Actimize, FircoSoft, Accuity, LexisNexis, and
RDC. Our team consists of regulatory and technology subject matter experts, including former
compliance executives and product development experts, with a strong foundation and deep
understanding of compliance regulations, policies and procedures, and risk drivers to ensure these
Sanctions compliance programs meet industry standards and regulatory expectations. The Sanctions
framework developed by Matrix is solution agnostic and allows for easy identification of key Sanctions
related risks at a financial institution based on their products and services, customer types, and
geographies. Matrix developers have hands-on experience implementing out-of-the-box and custom tool
features that fit the customer type and risk profile for these organizations. The expertise of both advisory
and implementation experience across vendors ensures that the solution-specific functionalities are
considered.
