Sanctions List Management: Common Pitfalls & Strategies
Sanctions List Surged by 3,029 Additions This Year, Highlighting the Need for Robust Management
December 09, 2024
Since the Russian invasion of Ukraine in February 2022, enforcement agencies around the globe, including the U.S. Office of Foreign Assets Control (“OFAC”) and the U.K. Office of Financial Sanctions Implementation (“OFSI”), have introduced an unprecedented number of new sanctions list additions and changes. The 2021 OFAC Specially Designated Nationals (“SDN”) List saw 771 list additions, while 2022 and 2023 saw 2,555 and 2,685, respectively.[1] So far this year, we’ve seen 3,029 new additions, highlighting the continued rapid pace of change, the increased focus on national security amidst geopolitical uncertainty and the ongoing commitment of enforcement agencies to curb activities that threaten economic and international stability.
Recently, the U.K.’s Financial Conduct Authority (“FCA”) issued a £29 million fine against Starling Bank for significant financial crime controls failures, including multiple potential breaches caused by screening its customers against partial, rather than full, sanctions lists for at least six years.[2] These recent enforcement actions highlight a critical need for financial institutions to maintain strong List Management (“LM”) programs in order to prevent regulatory breaches, manage risks, safeguard their reputations and comply with global enforcement agencies.
What is a List Management Program?
An LM program is a key component of any financial institution’s ability to adjust to changes published by regulatory bodies, mitigate sanctions risks and protect its reputation. An LM program comprises the framework(s), systems, processes and procedures used to manage and monitor sanctions lists containing entities, individuals, organizations or transactions that may be subject to regulatory restrictions, particularly those related to sanctions compliance. As with implementing any regulatory compliance measures, organizations must be aware of three common pitfalls for LM programs, and how to avoid them.
Overreliance on Third Party List Providers
Many financial institutions rely on third-party providers to source their watch lists. Opting for a reputable, well-established third-party provider offers multiple advantages including access to expertise, comprehensive coverage across jurisdictions, timely updates, efficiency, scalability, risk mitigation and cost-effectiveness. By leveraging these advantages, institutions can enhance their compliance efforts and reduce regulatory risks.
Overreliance on third-party vendors, especially in large institutions, can develop and increase over time. As reliance increases, financial institutions may become detached from ensuring that lists are delivered, uploaded and screened in a timely and accurate manner. This gradual detachment poses a compliance risk, as the institution may lose oversight over the sourcing of its lists. A failure on the provider’s side may go unnoticed by the institution, exposing it to regulatory risk and even a breach of sanctions.
Dependency on a third party, without proper due diligence and oversight, can leave the institution vulnerable to disruptions or failures at that third party. For example, a delay in updating a list, an outage caused by technical failures, and issues with data quality and completeness all represent compliance risks.
In 2022, OFAC issued an enforcement action against MidFirst Bank for violating the Weapons of Mass Destruction Proliferators Sanctions Regulations. The bank maintained accounts and processed payments for two individuals added to OFAC’s SDN List for up to 14 days post-designation.[3] These violations occurred due to MidFirst Bank’s misunderstanding of how frequently the screening vendor screened new names added to the SDN List against its existing customer base.
While the institution believed that its entire customer database was being screened on a daily basis against additions and changes to the SDN List, in reality, the daily screening only included new customers and a limited number of customers subject to certain account changes. This meant that new additions or updates to the SDN List may not have been screened until up to 30 days after publication.
This serves as a practical example of how an institution’s overreliance on a vendor, and lack of awareness of how list delivery and screening are handled, ultimately resulted in a sanctions violation.
Watch Lists
When using third-party providers for watch lists, institutions should implement data safeguards to mitigate risks. These safeguards should, at the very least, be capable of identifying and reporting on two key issues: 1) failures related to the timely distribution of watch lists by the third party; and 2) issues pertaining to the quality and completeness of the data within these lists.
A key safeguard that should be considered is the implementation of controls that cross-reference the provider’s data with other reputable sources to confirm its accuracy and comprehensiveness. While this type of control may not be feasible (or sensible) to implement for every single list, consideration should be given to implementing it for lists considered “high priority”, such as OFAC’s SDN List.
The design and implementation of these safeguards should be guided by a risk-based approach, tailored to the institution’s risk appetite, operational constraints and specific circumstances. In addition to implementing these data safeguards, institutions should routinely review and update their compliance processes to ensure alignment with current regulatory requirements and verify that third-party providers adhere to guidelines set by regulators and government bodies.
In this way, financial institutions can effectively mitigate the risks associated with using third-party providers for sourcing watch lists while ensuring compliance.
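One way to implement the two safeguards described above (a timeliness check on list delivery and a completeness check against an authoritative copy), as an added Python example that is not from the article or any vendor product; the list records, version dates and field names are constructed for illustration only:

```python
"""Added example (not from the article): two data safeguards applied to a
vendor-delivered sanctions list. Timeliness: the vendor snapshot must not
lag the authoritative publication by more than an agreed window.
Completeness: every authoritative entry must be present in the vendor
copy with its reference data (e.g. date of birth) intact."""
from datetime import date

# Constructed sample publication by the list issuer (not real entries).
AUTHORITATIVE = {
    "version": date(2024, 11, 18),
    "entries": {
        "1001": {"name": "SAMPLE PERSON ONE", "dob": "1970-01-15"},
        "1002": {"name": "SAMPLE ENTITY TWO", "dob": ""},
        "1003": {"name": "SAMPLE PERSON THREE", "dob": "1985-06-30"},
    },
}

# Constructed vendor delivery: a week stale, one entry missing and one
# date of birth truncated to the year only.
VENDOR = {
    "version": date(2024, 11, 11),
    "entries": {
        "1001": {"name": "SAMPLE PERSON ONE", "dob": "1970"},
        "1002": {"name": "SAMPLE ENTITY TWO", "dob": ""},
    },
}


def check_timeliness(vendor, authoritative, max_lag_days=1):
    """Return the lag in days if the vendor snapshot is too old, else 0."""
    lag = (authoritative["version"] - vendor["version"]).days
    return lag if lag > max_lag_days else 0


def check_completeness(vendor, authoritative):
    """Return (missing_ids, altered_ids): authoritative entries the vendor
    copy lacks, or delivers with reference data that does not match."""
    missing, altered = [], []
    for uid, ref in authoritative["entries"].items():
        got = vendor["entries"].get(uid)
        if got is None:
            missing.append(uid)
        elif any(got.get(k) != v for k, v in ref.items()):
            altered.append(uid)
    return sorted(missing), sorted(altered)


if __name__ == "__main__":
    print("lag days:", check_timeliness(VENDOR, AUTHORITATIVE))
    print("missing, altered:", check_completeness(VENDOR, AUTHORITATIVE))
```

Either finding (a stale delivery, a missing entry, or a truncated field such as the year-only date of birth) is the kind of issue a screening team would never see from the vendor feed alone, which is why the check runs against an independent copy.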
Lack of Centralized List Management Program
Another key area of risk for financial institutions is the challenge of managing various watch lists that are applicable to different customer populations and/or jurisdictions. This is especially true for institutions that have gradually grown to operate in multiple jurisdictions, which correspondingly increases the number of lists against which the institution should screen.
Global institutions must also ensure they are in compliance with dozens of jurisdiction-specific lists, such as local Politically Exposed Person (“PEP”) lists, which are regulated by local governments or regulatory bodies and may be provided by local vendors.
A global or central approach to LM allows for a more thorough identification and monitoring of individuals, entities or activities with potential sanctions nexus and, at the same time, allows for streamlined compliance processes, reduced duplication of efforts and enhanced effectiveness of risk mitigation measures.
Centralizing the list management function also provides a framework to develop and maintain critical know-how and documentation in an organized way, setting the standard and best practices for subsidiaries to replicate.
Beyond adopting a centralized approach to LM, institutions should ideally leverage a technical solution to the management of watch lists. Ultimately, a global technical solution boosts both compliance and operational efficiency and allows for:
- Improved risk monitoring, standardization and compliance for institutions across all business lines and regions
- Enhanced consistency, closer alignment with regulatory requirements and less possibility for human error
- Data integrity and reduced redundancies, streamlining operations and driving cost savings across operations regardless of business line, geography or jurisdiction
Inadequate Coordination and Oversight
A frequent problem in large financial institutions is insufficient oversight and coordination between the internal team managing the list content and the team responsible for customer and transaction screening. This is partially related to overreliance on a third-party list provider, which can exacerbate a lack of clear ownership within the organization.
However, we often see LM programs managed outside of the screening functions, which can lead to gaps in understanding of list content and structure. For example, critical reference data (e.g., dates of birth or related parties) could be truncated or even completely absent during the screening process without the screening function’s awareness. Institutions should establish governance structures that enhance communication and enforce clear controls, procedures and tools between these two functions to minimize the risk of screening gaps or misses.
As institutions add more customer and transaction data systems, inconsistent list mapping becomes a risk. While list providers standardize content, institutions may screen different list components across databases with varied structures, increasing the chance that not all systems screen consistently. For example, if customer data in one system aligns with list data but others do not, screening gaps can occur.
Institutions that grow through mergers and acquisitions face an even higher risk of mapping inconsistencies across diverse systems, which may lead to uneven screening results and potential sanctions violations.
Institutions can mitigate these risks by defining clear roles and responsibilities, clear communication channels, forums and governance structures that incorporate screening and list management functions. Both functions should have input and oversight into vendor management, list contents, list structure and screening system configuration to optimize the balance between sufficient sanctions screening coverage, available resources for alert review and the institution’s overall risk appetite and sanctions compliance policy.
Conclusion
When implementing and assessing an LM program, institutions must go beyond simply contracting a reputable third-party vendor. Institutions also need to implement appropriate safeguards to protect against potential shortcomings of the third-party vendor.
Institutions should ensure that proper governance, processes, policies, frameworks and controls are in place so that customer and transaction data is screened in the most effective, consistent way and critical alerts are generated and appropriately escalated. To enhance compliance and to drive operation efficiency and cost savings, institutions should implement a global technical solution for LM and foster coordination between LM and screening functions.
By proactively addressing these common pitfalls, institutions can navigate the challenges of sanctions compliance with the confidence that their reputation and integrity are safeguarded.
Footnotes:
[1]: As per FTI Consulting analysis of OFAC-published additions to the SDN List as of November 18, 2024.
[2]: Financial Conduct Authority (“FCA”), “FCA fines Starling Bank £29m for failings in their financial crime systems and controls”, 10/2/2024.
[3]: Office of Foreign Assets Control (“OFAC”), “OFAC Issues a Finding of Violation to MidFirst Bank for Violations of the Weapons of Mass Destruction Proliferators Sanctions Regulations”, 21/07/2022.