On January 21, the Wolfsberg Group published new guidance for financial institutions (FIs) on sanctions screening. In a statement of key themes in that Guidance document, the Wolfsberg Group stated that the Guidance seeks to demonstrate “where sanctions screening can be an effective part of a wider sanctions compliance programme,” “where it has limitations as a control,” and “where a risk based approach may be appropriate, notwithstanding the strict liability nature of sanctions compliance.”
The Guidance includes sections that address the following key issues:
- Definition of Sanctions Screening: This section (p. 2) defines sanctions screening as “a control used in the detection, prevention and disruption of financial crime and, in particular, sanctions risk. It is the comparison of one string of text against another to detect similarities which would suggest a possible match. It compares data sourced from an FI’s operations, such as customer and transactional records, against lists of names and other indicators of sanctioned parties or locations.”
- The Fundamental Elements of a Sanctions Screening Program: This section (pp. 2-3) cautions that “screening as a control is not sanctions specific and should be deployed as part of an integrated risk based [financial crime compliance (FCC)] programme.” It also notes that “[f]undamental pillars of an FCC programme, including key enabling functions, should be applied to screening, not in isolation, but in conjunction with other financial crime risk prevention and control processes,” including policies and procedures, designation of a responsible person, risk assessment, and internal controls.
- Consideration of a Risk Based Approach: This section (pp. 3-4) states that screening “requires a programmatic approach through which each FI must assess its own risks in order to define the manner, extent and circumstances in which screening is employed.” That process is built around four core principles summarized as follows:
  - “Articulate the specific sanctions risk the FI is trying to prevent or detect within its products, services and operations.”
  - “Identify and evaluate the inherent potential exposure to sanctions risk presented by the FI’s products, services and customer relationships.”
  - “A well-documented understanding of the risks and how they are managed through the set-up and calibration of the screening tool.”
  - “Assess where, within the FI, the information is available in a format conducive to screening.”
- Screening Technology and Generating Productive Alerts: Given the complexity of “[w]hat is often thought of as a simple name-matching process,” this section (pp. 4-6) sets out principles for generating productive alerts; discusses the process of alert generation and review; emphasizes the need for risk-relevant metric reporting, an independent risk-based testing and validation regime, and data integrity processes; and identifies criteria for deciding whether to build the screening application internally or source from a vendor.
- Reference Data/Customer or Name Screening: This section (pp. 7-8) defines reference data screening as “the process of screening the information an FI collects and maintains on the parties it does business with, or specific types of products and services it offers.” It discusses the process of determining sanctions-relevant attributes in reference data, and the manner, timing, and frequency of reference data screening.
- Transactions/Message Screening: This section (pp. 8-10) discusses transaction screening – “the process of screening a movement of value within the FI’s records, including funds, goods or assets, between parties or accounts” – as well as the focus of transaction screening, identifying which data elements within transactions are relevant for sanctions screening, and the manner, timing, and frequency of transactions screening.
- List Management: This section (pp. 10-12) discusses the importance of rigorous list management – “the end-to-end process of determining and managing regulatory and internal lists used for screening” – as well as considerations relevant to effective list management, data quality control for regulatory-sanctions and internal lists, and the use of identifying information and “weak aliases” (i.e., additional ancillary information of varying utility).
- Historical Reviews (Lookbacks): This section (pp. 12-13) states that when an FI identifies “potential sanctions risk where a sanctions related data point may have been previously undetected by the screening system, . . . the FI should consider whether or not: (i) changes to the sanctions screening system (for example, configuration or lists) are warranted, and (ii) a historical review (“lookback”) should be performed.” It also lists factors that should be considered in making that determination.
In conclusion, the Guidance advocates that FIs seek to adopt a risk based approach to sanctions screening and to consider all aspects of a comprehensive sanctions screening control framework, as follows:
- The FI must have a robust FCC programme with a clear strategy in respect of sanctions screening, to mitigate the risk of being exposed to sanctioned parties and countries.
- The FI’s approach should recognise that while sanctions screening is a primary control, it has its limitations and should be deployed alongside a broader set of non-screening controls to be truly effective.
- It is important for FIs to document their systematic approach to screening by linking it directly to their risk appetite statements.
- The accuracy and completeness of the FI’s own data is central to an effective and efficient sanctions screening process.
- Technology remains a key enabler in the effectiveness of identifying financial crime risk through screening, more efficiently and on a real-time basis.
- Robust governance and oversight mechanisms must be put in place across the FIs to ensure transparency of risk decisions to key stakeholders and risk owners.
- The FI should ensure that people involved in the end-to-end risk event management are suitably trained, supervised and that the appropriate levels of quality control and assurance are in place to ensure compliance with requirements.
- Robust management information should be made available to management to report effectiveness, trends and performance.
Note: This latest Guidance from the Wolfsberg Group is consistent in quality and concision with the Group’s previously issued Standards on issues such as payment transparency, anti-bribery and corruption compliance programs, and Politically Exposed Persons. In drafting this Guidance, the Wolfsberg Group noted that it found “a great deal of commonality in the design and execution of sanctions screening controls across the Wolfsberg member banks,” suggesting that there is already core common practice in the financial sector. It emphasized, however, that while there were various ways in which FIs can seek to adhere to the Group’s various documents, “the means by which each FI chooses to adopt these documents must make sense for each individual firm, recognising that one size doesn’t fit all and that each FI’s risk mitigation strategy must be tailored to meet its risk appetite.”
For that reason, compliance officers with responsibility for sanctions compliance should read the Guidance closely and use it as a basis for comparison with their current sanctions screening processes, bearing in mind that specific technology solutions and approaches suitable for some financial institutions may not be suitable for others.