With sanctions freezing assets and restricting trade, digital compliance strategies are being reworked this year. In this article we explore the impact of putting digital trade barriers in place, which will also be discussed at our 23 June virtual seminar.
2022 sanctions policy
Financial services have seen a significant increase in the number of sanctions they must comply with across a variety of jurisdictions because of the conflict in Eastern Europe. Our research indicates that the first wave of linking no-longer-permissible products and services for clients, by wandering through a maze of ancient legal definitions and company structures, has eased slightly, giving managers a chance to pause and think about the way sanctions are managed over the medium term.
The current process is laborious, time-consuming, and far from cost-effective, with over 300 sanctions lists[i] spread across multiple jurisdictions. Not only is it difficult to obtain real-time sanctions data, but the speed with which certain transactions can be processed means that firms are struggling to keep up with the continuous changes. When you combine this with the inevitability of human error, you end up with a patchwork of rules that is difficult to enforce.
FATF’s 40 recommendations[ii] and KYC guidance, like that which we’ve seen from the PRA in their Client Onboarding Working Group findings[iii], go some way in providing firms with a set of measures to help with customer due diligence and record-keeping, but they are neither sanction-specific nor an aid to effectively implementing sanction screening or compliance programmes.
The Office of Foreign Assets Control (OFAC)[iv] in the United States is leading the way towards better operating models, offering guidance, FAQs and implementation notes for both firms and consumers. In contrast, the United Kingdom’s Office of Financial Sanctions Implementation (OFSI)[v], established in 2016, has only a single guidance note with which to aid firms in understanding and enforcing sanctions compliance.
OFAC's guidance provides an implementation framework that lists foundational capabilities:
- Management commitment – authority, autonomy, resource delegation
- Risk assessment – methodology, identify, analyse, and address risk
- Internal controls – written policy and procedure, record-keeping, identify, interdict, escalate and report risk
- Testing & auditing – senior management accountability, immediate and effective resolution
- Training – adequate information, accessible resource, appropriate scope for products and services.
Whilst comprehensive, these capabilities do not address detailed process challenges like screening. Sourcing up-to-date sanctions data and hierarchies within entities, especially those where beneficial ownership is presented, is incredibly difficult.
A second issue lies with the lack of a common language for the sanction itself. For example, a prohibition-on-dealing sanction works the same way as an asset freeze and yet cannot be called the latter, making keyword searches a complex and time-consuming task. Pulling together all the names, entities and associations is complex. Compliance needs to navigate rules such as the 50% rule, which identifies any persons with more than a 50% interest in a sanctioned entity, as they too will be subject to the same restrictions.
Thirdly, when multiple jurisdictions issue sanctions, the results can often be contradictory. For example, a UK firm dealing with both European and American domiciled clients may discover that while the US has imposed a sanction on one related entity, the EU has imposed a sanction on a different entity whilst the UK has refrained from any activity.[vi]
A final challenge we have picked up in our research is the implementation of new message standards. New ISO 20022 payment messages are being implemented in November 2022, which will require all SWIFT members to migrate the new codes into their screening. While the new MX messaging format will coexist with the present MT messaging format until 2025, an upgrade to the messaging interface will be required before the November 2022 deadline to guarantee that messages are processed correctly.[vii]
RegTech solution components, risks, and issues
Without a comprehensive review of the current role of regulators in producing sanctions, thousands of firms will struggle to maintain the digital barriers. Compliance needs better tools to interpret the obligations, spot the risks and communicate the issues. However, before many of these tools can be put in place, standards and global practice guides are required.
An example of this would be the use of AI. Though firms currently tend to use it to sort through the masses of information, it brings a range of issues of its own, such as name translation. Chinese sanctions, for example, would need to be translated into western languages, which leaves room for error and duplicated records.
Regulators will also be expecting firms to communicate and provide evidence of a methodology, quality assurance testing and other elements that demonstrate that due diligence has occurred, which means everything must be recorded in great and granular detail with little room for error. To paraphrase senior regulatory intelligence experts, ‘if it isn’t written down, it didn’t happen.’
This is not a small ask for both regulators and TradFi. The rule books are antiquated, regulatory mandates are stuck in the past and budgets are scarce. Digital asset providers will, however, have a natural advantage as they can take a digitally native approach.
Even when the Eastern European crisis comes to an end, there is no suggestion that these sanctions will be revoked in quick succession. Past events have already seen huge fines, such as the 2019 fine on Italy’s UniCredit SpA, which agreed to pay a total of $1.3 billion for breach of sanctions on Iran and other countries[viii]. Many expect regulators to follow suit.
The bottom line is that temporary fixes are simply not going to be enough. We can expect that global conflicts in a digital age will bring with them great volumes of complex sanctions. There is an opportunity to leverage digital approaches to put in place permanent solutions, but these will require a collaborative approach to RegTech, and the public sector will need to sit at the table to help make it happen.
Only then will we see real collaboration, interpretation, taxonomies, interoperability and standards build the digital barriers we all need.
Join us at our next half-day RegTech seminar on 23 June to learn more about sanctions, AML and market abuse in a digital age.