Sanctions Reviews: A Data-Driven Approach
July 08, 2024
Sanctions compliance is a vital part of financial institutions’ regulatory framework. While sticking to the rules prevents the conduct of business with sanctioned individuals or entities, even the best-prepared institutions may find themselves in the spotlight of regulatory scrutiny, which necessitates internal reviews. A data-driven approach to these reviews can be the difference between a smooth landing and a compliance nightmare.
Sanctions screening is a hurdle for many organisations.1 Sometimes retrospective assessments, commonly known as look-back reviews, involve sifting through more than five years of data, which can strain resources. Below we examine the challenges of look-back reviews and explore how a data-driven approach could be a firm’s secret weapon.
The Need for a Sanctions List Management Programme
Sanctions lists are constantly changing. Regulators routinely add, remove and update entries, correcting inaccuracies or disclosing new information. During a look-back review, an institution must pinpoint exactly which entities were sanctioned at a specific time, and what details were then known. This is different from real-time screening solutions, which are integrated and rely upon at-the-moment data from screening solutions vendors. Without a robust set of controls and procedures determining how sanctions lists are managed, navigating this shifting terrain can at best be inefficient and at worst lead to errors that get propagated to representations made to authorities.
This is where a Sanctions List Management (“SLM”) programme, the unsung hero of sanctions compliance, comes in. It ensures comprehensive governance and upkeep of an institution’s sanctions lists. An effective SLM programme leverages technology to manage all types of lists, from government-issued sanctions to internal watchlists. And, crucially, it logs changes made to sanctions lists and broader adjustments to sanctions regimes, creating a clear historical record.
Ideally, SLM controls are streamlined and automated, offering real-time (or near-real-time) monitoring of list updates. Institutions can source lists from third-party providers, who aggregate data from multiple sources, or may choose to source them directly from regulators. Regardless of the source, consistent recordkeeping is key. Updates should be logged in a central data repository designed to maintain a complete audit trail, ensuring that no historical data vanishes.
An SLM programme not only creates operational effectiveness for an institution’s day-to-day operations, ensuring continuous compliance with sanctions regulations, but it is also crucial during compliance investigations.
Why Data Management Needs an Investigations Mindset
When conducting an internal investigation relating to sanctions or other areas of financial crime, a financial institution and its legal advisors must carve a path through a jungle of data. Data pertaining to thousands or even millions of customer records sprawls before them and includes Know Your Customer (“KYC”) data, historical alerts, communication records and counterparty data, each stretching back years. All these elements add to the challenges of conducting a look-back investigation. Concerningly for some, these investigations are now poised to become even more daunting following the enactment of the 21st Century Peace Through Strength Act in April 2024, which extended the statute of limitations for U.S. sanctions violations from five to 10 years.2 U.S. authorities now have up to 10 years from the date of a violation to initiate enforcement actions, which requires companies to maintain data records for longer periods to properly assess potential liabilities.
Even the most robust financial institutions can find themselves vulnerable during large-scale compliance reviews. Despite mature data management programmes covering areas such as governance, security, quality and availability, an investigation data gap can easily emerge. Institutions find themselves wrangling broken data trails, incomplete data sets and unusable archived information.
How does this happen? Legacy system upgrades can leave data stranded in forgotten formats, while obsolete technology and staff turnover can create knowledge vacuums, making archived datasets a mystery to stakeholders, rendering the data essentially useless without extra work being done. The likelihood of cloud migrations having occurred in the past decade also means that the extension on the statute of limitations for U.S. sanctions violations can be particularly problematic.
A data management programme should account for long-term data storage and retrieval while maintaining compliance with relevant data protection regulations. A programme that enables the retrieval, restoration and use of all relevant data translates into smooth progress through compliance reviews, with all the historical evidence readily available to meet legal requirements and regulatory expectations.
To future-proof their data management programmes for upcoming investigations, financial institutions should consider three key actions.
- Invest in modern, scalable technologies that can effectively integrate with legacy systems, ensuring no data is left behind in outdated formats.
- Implement robust data governance policies that emphasise regular audits, comprehensive documentation and staff training to maintain continuity and clarity over time, so staff turnover doesn’t lead to knowledge loss.
- Foster strong collaboration between compliance, information technology and legal functions to ensure that data management practices are aligned with regulatory requirements and can adapt to evolving legal landscapes.
A proactive approach not only safeguards against regulatory risks but also builds a resilient foundation for navigating the complexities of financial crime investigations in the future.
With all the current discourse around artificial intelligence (“AI”), it would be negligent to not call out the importance of sound data management in the context of deploying AI solutions for purposes of a sanctions investigation. To be prepared for deploying AI models effectively, it is important to have well-organised and high-quality data as, without quality data, AI cannot function optimally. Proper data management ensures that data is accurate, complete and accessible, providing a solid foundation for AI applications and not only enhancing regulatory compliance, but also enabling the successful future implementation of AI technology.
The Argument for a Unified Case Management Solution
Siloed information is the enemy of holistic understanding, and of data quality too. Payment data, for instance, becomes meaningless without context. Investigators need the full picture — KYC profiles, records of historical activity and communications with clients.
Most financial institutions will have access to case management systems within their financial crime monitoring setup. And while these systems tend to boast their own case management functionality, institutions often choose solutions from different providers. These solutions are often not designed to support and facilitate integration with other systems, making it difficult to connect them together, which impacts their effectiveness during compliance reviews.
By integrating information seamlessly, institutions can navigate reviews with confidence. While preparing for a compliance review, they should be ready to deploy a case management solution that can bring together a variety of data types. Not only will the review be more efficient and cost-effective, but it will also reduce compliance and operational risks at the source.
Conclusion
In the evolving landscape of sanctions compliance, financial institutions face complex challenges. Organisationally inclusive innovation and collaboration are the key to untangling sanctions compliance intricacies. By embracing technology-enabled, data-driven approaches, institutions will not only streamline daily operations, but also prepare themselves to withstand regulatory scrutiny. A cultural approach that taps expertise across functions leads to better outcomes, enhances buy-in and thus leads to more sustainable change. With the right tools and a well-defined data strategy, institutions can confidently navigate compliance reviews, ensuring adherence to regulations while optimising efficiency and keeping costs down.
- Working closely with the external legal counsel of a major Nordic financial institution, FTI Consulting was asked to bring the full complement of its global expertise to support an investigation into alleged money laundering (ML) and sanctions violations.
- To facilitate the investigation, our experts deployed a number of proprietary assets, including hundreds of ML detection scenarios, our Financial Crime Data Review platform (“FC DataRev”) for case management, a robust matter-proven name matching platform (“NMP”) for evaluating string similarity, and our Live Sanctions List Repository, allowing us to credibly deliver on core requirements and enable legal expertise in regulatory negotiations.
- FTI Consulting also incorporated the Bank’s internal watchlist data, informing our detection algorithms and NMP analyses. And when attention came to evaluating regulators’ requests around Politically Exposed Persons (PEPs), FTI worked with the Bank’s established third-party list providers to establish a contract responsive to the look-back, enabling our team to efficiently integrate Bank data into the review.
- Combining Bank assets with FTI Consulting IP, human expertise, and time-tested review approaches to create an efficient and agile solution, our team was able to enable legal expertise to arrive at the best outcome for the Bank.
FTI Consulting’s multidisciplinary team combines industry and regulatory experts with skilled data and analytics professionals. Our expertise, like the regulatory challenges our clients face, is global, and we translate it into bespoke solutions that meet clients’ specific needs, because our teams include senior professionals who have stood in their shoes. You can learn more about FTI Consulting’s financial crime and sanctions investigations offering here.