It is crucial that senior management consider the risk of sanction breaches and determine the appropriate screening level to manage the organizational risk
Sanctions refer to notifications issued by entities and/or governments that alert and/or prohibit organizations/individuals from carrying out financial transactions with certain people/organizations identified as having committed (or suspected of committing) illegal acts. A list of such individuals/organizations is called a sanctions list. There are various sanctions lists issued by different organizations, such as OFAC, UN, EU etc and doing business with sanctioned employees can result in penalties and potential termination of business. By screening customers against sanctions lists, organizations can lower their risk of doing business with sanctioned entities.
Sanctions screening is a control employed within Financial Institutions (FIs) to detect, prevent and manage sanctions risk. As per the Wolfsberg Guidance on Sanctions Screening, screening should be undertaken as part of an effective Financial Crime Compliance (FCC) program, to assist with the identification of sanctioned individuals and organizations, as well as the illegal activity to which FIs may be exposed. It helps identify areas of potential sanctions concern and assists in making appropriately compliant risk decisions.
Most FIs tend to deploy two main screening controls to achieve their objectives: transaction screening (or payment screening) and customer screening (of which name screening is a part).
Name screening is the process of matching an internal record (customer, counterparty, and related-account party) against sanctions lists, regulatory lists, and internal lists, either manually or through an automated screening tool. It may also include batch screening, which allows a firm to screen its entire customer base and other entities, such as vendors, using automatic screening tools periodically.
Payment screening focuses on screening payment messages. Unlike name screening, payment screening takes place with current customers and is performed before a payment or message is processed. It relies on payment messages using predefined templates, codes, and acronyms to describe certain information. The information provided in these predefined templates is typically provided by another financial institution; therefore, the firm has little, if any, control over how the data is presented.
Enhancing effectiveness of screening tools
Automated screening tools (AST) use a combination of screening algorithms and fuzzy logic to detect possible matches. The Wolfsberg Guidance on Sanctions Screening defines ”fuzzy matching” as a varied algorithm-based technique to match one name (a string of words), where the contents of the information being screened is not identical, but its spelling, pattern, or sound is a close match to the contents on a list used for screening. Fuzzy matching increases the likelihood of identifying potential matches but also increases the number of false positives.
In 2014, Citigroup was fined by OFAC for failing to accurately identify a sanctions target. Citigroup had processed a payment to the Higher Institute “of” Applied Sciences, based in Syria. When the payment message was received, the name of the recipient was identified as the Higher Institute “for” Applied Science Its screening tool missed the similarity between the words “for” and “of”.
Screening software uses threshold percentages to determine the alerts to be generated. The threshold percentage indicates the percentage match to a particular name on a list. If the percentage is set too high, for example, only a few names will match. This increases the potential occurrence of false negatives, increasing the possibility to miss a match to a target named on a sanctions list. If the threshold percentage is too low, the tool will produce an excess of false positives. An over abundance of false positives leads to the inefficient use of resources due to the large number of hits that need to be investigated against sanctions lists.
To set the tool’s threshold correctly, the business needs to understand the tool and know the institution’s greatest areas of sanctions risk. It is best for an organization to base its threshold on the level of control it has over the data. For example, for screening its customer base, the organization may have high-quality data and thus, a firm control over its data. In this case, the thresholds would possibly be set higher. However, when an organization’s screening data is provided by a third party, such as a wire transfer, it is best to establish lower thresholds to account for human error, differing institutional standards, and other external variances over which it has little to no control.
Conducting periodic threshold-tuning analysis can help organizations identify the optimal threshold percentages to be applied for fuzzy matching. The threshold-tuning analysis should also take into account some common algorithms used by screening software and adjust the threshold percentage accordingly. These common algorithms include the following:
- Noisy or neutral words—noisy or neutral words are frequently used words, such as “the,” “and,” and “of”. The screening tool could allocate a lower weightage or even disregard these words when screening names. The noisy algorithm should also ensure that possible matches are not dismissed because of a slight variation in the use of such words.
- Common words—examples of common words include “National Bank of” or “Housing Finance Company”. Common words could be given a lower weightage or importance when calculating the percentage match.
- Surnames vs screening forenames—tools could possibly apply more weightage to surnames or last names. This technique reduces the risk of targets being missed or not detected due to spellings of the first name.
It is crucial that senior management consider the risk of sanction breaches and determine the appropriate screening level to manage the organizational risk. Ongoing monitoring, tuning, and testing should be conducted on all aspects of sanctions screening systems, lists, and processes on a frequent and regular basis. Organizations are expected to have a clear and demonstrable understanding of the system filters utilized in their screening technology, and to employ/equip staff with the right skills to support the deployment of effective sanction screening systems.
KV Karthik is Partner - Forensic, Financial Advisory, Deloitte India and Manish Mandhyan is Associate Director - Forensic, Financial Advisory, Deloitte India