Sanctions 101: insights, operational challenges and best practice
October 10, 2019 by Mark Dunn
This is the final piece in a three-part guest blog series by Clayton Mitchell, UK Financial Services Practices Lead for Crowe Risk Consulting, following his presentation 'Focus on Sanctions: Current trends and best practice' at the recent ACAMS UK Chapter meeting hosted by LexisNexis.
As we have seen, companies are at greater risk than ever of violating global sanctions regimes thanks to the complicated nature of the restrictions themselves and of the variety of international bodies governing them.
Although there are no grey areas when it comes to compliance, the dynamic nature of the sanctions environment means that without sufficient resources and expertise, a business can fall foul of a regime completely inadvertently, putting it at risk of potentially ruinous civil or criminal liabilities.
Financial institutions are at risk because of the fragmented way that they store their information. Multiple IT systems, ongoing mergers and data silos often make data incoherent. The systems that financial institutions use to filter their customers and transactions can be ineffective, either because they have not been configured appropriately or because they are not routinely tested and calibrated.
Additionally, organisations often rely upon third parties to perform tasks on their behalf without adequate due diligence or risk management, raising the danger of non-compliance with sanction regimes. Many businesses lack complementary resources with the necessary technical and operational expertise, whilst also not having staff sufficiently familiar with the current regulatory environment in the right positions.
To mitigate these risks and protect against an inadvertent sanctions breach, a company should adopt what we believe to be best practice in compliance.
- First and foremost, it is essential that the business carries out a sanctions risk assessment across all areas of operation.
- Financial institutions must align their business, data and IT processes to ensure that their sanctions screening processes are effective. Sanctions screening tools must be fundamental to the way that a business operates to ensure that the company is constantly abreast of developments in a rapidly changing regulatory environment.
- Model risk management techniques and in-house sanctions programs must be subject to periodic independent review, including validation (conceptual and data) and calibration of the screening systems.
- Staff need to be well trained in compliance. That means enhanced compliance management programs that include making employees aware of policies and practices, training them and then carrying out intermittent testing.
- Sanctions programs must be subject to testing from the second and third lines of defense from risk management and internal audit.
The stakes for companies could not be higher and recent cases have brought this into sharp focus, particularly last year's record fine for BNP Paribas. Perhaps one of the most important pieces of advice for any business is to be robust with your compliance programme and think-outside-the-box. For example, is your sanctions risk assessment covering just customers or transactions? A comprehensive risk assessment will cover suppliers, vendors, third party providers and even employees.
As a final note, if you do suspect that your company is or has been in violation – come forward or at a minimum take advice of counsel. Self-reporting is typically taken into consideration in any decision and the penalty imposed will be lowered. Companies are penalised for failing to make a voluntary disclosure if it can be shown at a later date that they were aware, or have since become aware, of a sanctions violation.
ps 3 ways you can apply this information right now to…
- An enhanced due diligence process in place can help you protect against your business from working with sanctioned entities. Find out how you can help mitigate this risk.
- Follow this Sanctions series; subscribe to our blog to have the updates delivered to your inbox.
- Share this blog on LinkedIn to keep the dialogue going with your colleagues and contacts.