This is the final piece in a three-part guest blog series by Clayton Mitchell, UK Financial Services Practices Lead for Crowe Risk Consulting, following his presentation 'Focus on Sanctions: Current trends and best practice' at the recent ACAMS UK Chapter meeting hosted by LexisNexis.
As we have seen, companies are at greater risk than ever of violating global sanctions regimes thanks to the complicated nature of the restrictions themselves and of the variety of international bodies governing them.
Although there are no grey areas when it comes to compliance, the dynamic nature of the sanctions environment means that without sufficient resources and expertise, a business can fall foul of a regime completely inadvertently, putting it at risk of potentially ruinous civil or criminal liabilities.
Financial institutions are at risk because of the fragmented way that they store their information. Multiple IT systems, ongoing mergers and data silos often make data incoherent. The systems that financial institutions use to filter their customers and transactions can be ineffective, either because they have not been configured appropriately or because they are not routinely tested and calibrated.
Additionally, organisations often rely upon third parties to perform tasks on their behalf without adequate due diligence or risk management, raising the danger of non-compliance with sanction regimes. Many businesses lack complementary resources with the necessary technical and operational expertise, whilst also not having staff sufficiently familiar with the current regulatory environment in the right positions.
To mitigate these risks and protect against an inadvertent sanctions breach, a company should adopt what we believe to be best practice in compliance.
The stakes for companies could not be higher and recent cases have brought this into sharp focus, particularly last year's record fine for BNP Paribas. Perhaps one of the most important pieces of advice for any business is to be robust with your compliance programme and think-outside-the-box. For example, is your sanctions risk assessment covering just customers or transactions? A comprehensive risk assessment will cover suppliers, vendors, third party providers and even employees.
As a final note, if you do suspect that your company is or has been in violation – come forward or at a minimum take advice of counsel. Self-reporting is typically taken into consideration in any decision and the penalty imposed will be lowered. Companies are penalised for failing to make a voluntary disclosure if it can be shown at a later date that they were aware, or have since become aware, of a sanctions violation.
ps 3 ways you can apply this information right now to…