Assessing sanctions – How to mitigate compliance risk | SmartSearch

Overview

Sanction compliance is a critical part of risk management for regulated businesses, particularly for those operating in the finance, legal and property sectors.

Non-compliance not only significantly increases the risk that the business becomes a victim of fraud, money laundering or other financial crime – meaning it also becomes an enabler of serious organised crime – but can also result in severe penalties, reputational damage, and increased scrutiny from regulatory bodies.

It is therefore vital that regulated firms take sanction compliance seriously by having a robust compliance solution - including screening for sanctions - in order to mitigate risks and meet regulatory requirements effectively.

What is a sanction?

Sanctions are restrictive measures that serve various purposes, but primarily financial restrictions put in place to prevent individuals, groups and sometimes entire countries from conducting business, or receiving or transferring funds. In the UK, they support foreign policy and national security, maintain global peace and security, prevent terrorist financing and ensure compliance with UN and international obligations.

The UK enforces a range of sanctions regimes through regulations established under the Sanctions and Anti-Money Laundering Act 2018 - the primary legal framework for imposing, updating, and lifting sanctions.

Sanction compliance obstacles for regulated businesses

Businesses are obligated to ensure that they are not engaging in transactions with sanctioned entities or individuals.

However, Global sanctions lists, such as those maintained by the Office of Foreign Assets Control (OFAC), the United Nations, and the European Union, are continually being updated and therefore, require constant monitoring, making sanction compliance a complex, ever-evolving landscape for regulated firms.

The key challenges for regulated businesses that are required to run sanctions checks as part of their overall risk management and due diligence processes are the fact that new entities can be added or removed daily and that different countries may impose their own unique sanctions, making it difficult if to comply if the business operates in multiple regions. Furthermore, if the business is using a manual screening process, there is a risk of human error, leading to costly errors in compliance.

How do you conduct a risk assessment for sanctions?

A risk assessment for sanctions is an essential component of a business's compliance strategy. Generally conducted as part of a wider customer due diligence check, the process aims to evaluate the likelihood of engaging with sanctioned individuals or entities in line with the overall risk appetite of the business. The risk assessment will be based on factors such as the clients’ own personal geographical and financial background, their public profile or status, the business sectors that they work in, the types of transactions they undertake – and with whom.

The easiest way to run a risk assessment for sanctions is to use a third-party digital compliance check. This will involve three key stages:

• Identification and verification - this is the process of ensuring the person is question is a real person, and that they match the identification documents they have produced.

• Sanctions screening - this is the key part of sanctions compliance. It involves screening the verified person against sanctions lists to ensure that they are not subject to any sanctions, either personally, through association or as a result of where they live or work.
• Enhanced due diligence - If the individual in question does match with a sanctioned individuals, enhanced due diligence must be performed to ensure that the match is true (and not a false positive). If the match is positive, the business is not permitted to work or trade with the individual in question.
  
  

All good digital compliance solutions will incorporate sanctions screening into the verification process and use information from Global sanctions lists to infirm the results. Global sanctions lists – such as the Dow Jones Global Watchlist, which has access to more than 1,100 PEPs and Sanctions lists - are updated daily, and therefore, if your sanctions checks is using these lists, will be able to immediately identify if any individuals that are subject to sanctions.

What is the risk assessment for AML compliance?

AML compliance is more than just screening for sanctions - it requires a thorough assessment of the risk associated with any potential customer – individuals or businesses – in relation to the likelihood that they are, were, or could be involved in financial crime, including money laundering and fraud. This is known as ‘Know Your Customer’ or KYC. Under UK law, regulated firms must take a risk-based approach to money laundering, which means having a good KYC programme in place that meets the businesses’ own risk level i.e. some businesses are at more risk than others, so their AML process must be more stringent. However, whatever the risk profile, all AML compliance and KYC programs must determine these three things:

1. That the client’s identification documents are those of a legitimate person.
2. That the client is that legitimate person.
3. The risk that they pose, if any, to the business.

To successfully run the KYC process, regulated business needs to:

• Identify and verify

The first stage is to obtain personal information about the potential customer, including their name, photograph, address and date of birth. This is usually done by using personal identification documents such as a passport or driver’s license and documents that confirm the address, like bank statements and utility bills, and then cross referencing this information with publicly available information, credit reference agencies etc.

• Run sanctions screening, PEP checks and enhanced due diligence

Once you are happy that the individual is who they say they are, the next part of the onboarding process is the sanctions search and PEP screening. As discussed earlier, this stage checks the individual against global sanctions and PEP lists in order to establish if they pose a risk to the business, and if so, the level of that risk. If this check reveals that there are sanctions against the person, you may simply be prohibited from entering into a business relationship with them, in which case no further investigation is needed; the relationship cannot be established.

However, if the screening process reveals that the client is a PEP, RCA (Relatives and Close Associates, of PEPs) SIP (Special Interest Person - someone who has or has had links to financial crime), a High-Net-Worth person, or someone who has a lot of negative coverage in the press, they are seen as ‘high-risk’.

This is because they may be more susceptible to bribery because of their position or wealth (PEP, RCA or high net worth) or have a history of being linked to financial crime or other suspect activity (SIPs, anyone with adverse media coverage) or a combination of those things.

It is not illegal to enter a business relationship with a PEP, RCA, SIP or High-Net-Worth person, but you will need to undertake enhanced due diligence - where you investigate the person even further - to determine if entering into a business relationship with them would be harmful to the business.

• Host data and run ongoing monitoring

Once the risks have been assessed, the results must be recorded and monitored on an ongoing basis for any changes to the customers’ risk level. This means that every single customer check needs to be recorded somewhere and regularly ‘re-checked’ to ensure the risk they pose has not changed.

Changes could include – but are not limited to - becoming subject to sanctions (as many Russian individuals when Putin invaded Ukraine), moving or starting to transact in a high-risk jurisdiction, or becoming a PEP. It could also go the other way – a customer may become lower risk if they are no longer a PEP, have sanctions removed, or they move to a low-risk country.

Key components of AML and sanctions compliance

As touched on briefly earlier, AML and sanctions compliance involves several key components:

• Know Your Customer (KYC) / Customer Due Diligence (CDD) - Verifying customer identities and assessing their risk profile.

• Ongoing monitoring - Continuously monitoring transactions and updating risk assessments.

• Sanction screening - Automatically screening customers, suppliers, and partners against global sanctions lists.

• Record-keeping - Maintaining detailed records of compliance activities for audit purposes.

By incorporating these elements into a compliance strategy, businesses can ensure they meet regulatory requirements and reduce their exposure to financial crime.

What is sanction screening in AML compliance?

Sanction screening involves checking individuals, companies, or entities against global sanctions lists to ensure they are not subject to sanctions or restrictions imposed by government bodies. This helps ensure compliance, prevent involvement with illicit financial activities – such as terrorism, human rights abuses, or arms trafficking - and manage reputational risk.

Key areas in sanctions compliance

Sanctions compliance covers several key areas:

• Customer verification - This is the first part of the process, and as mentioned earlier in this paper, is the process by which regulated firms check that their potential clients are not listed on any sanction lists.

• Monitoring - This is a part of the process that not all regulated firms are good at fulfilling properly as it involves ongoing monitoring of clients – both in terms of their status and their activities. It is vital that regulated firms have a process by which they can monitor for red flags such as unusual transactions, secretive clients and suspicious funds.

• Reporting obligations - A key part of compliance is ensuring anything suspicious is reported. Not only does this ensure the business has met its obligations in terms of reporting, but also helps authorities and regulated firms to update central databases to ensure other businesses don’t make the same mistakes. It is therefore vital that regulated firms submit a suspicious activity report (SAR) if any prohibited activity is identified.

• Training - Ensuring that staff are aware of their obligations and know how to identify risks is a key part of compliance. It is all very well having systems in place to identify red flags - and mitigate risk. But if employees do not understand the processes, the system will break down, and the business will be at risk of non-compliance.

Which issues may complicate complying with sanctions?

Sanctions compliance is a complicated process and there are a number of issues that can complicate complying with sanctions. These include:

• Staying up to date - Sanctions lists can change frequently, making it hard for businesses to keep up.

• Understanding different rules - Different countries may have conflicting sanctions regimes – and different rules around how they are monitored and how sanctioned individuals are treated - making compliance more difficult. It is therefore vital that businesses understand the latest AML Directives, the current regulations in the UK and the latest Global guidelines as set out by the Financial Action Task Force (FATF).

• False positives - Manual screening can often produce inaccurate results – positive matches that are in fact false - leading to unnecessary delays or investigations, wasting time and resources.

What could failure to adhere to sanctions requirements lead to?

Failure to comply with sanctions can have serious consequences for regulated firms. These include:

• Fines and penalties - Regulatory bodies can impose substantial fines for non-compliance. In the UK, regulators have been particularly stringent in recent months, imposing record fines to ensure robust compliance. For instance, in 2023, the FCA fined a single firm £6.4m for significant AML control while HMRC issued £3.2 million in penalties to hundreds of businesses for breaches of AML rules between July and December 2022​ (GOV.UK)​.

• Reputational risk - Businesses that fail to adhere to sanctions can suffer from reputational harm, leading to lost customers and partnerships – data suggests that more than half of UK consumers would switch banks if theirs was involved in a money laundering scandal.

• Legal action - Non-compliance can also result in legal challenges, including lawsuits and criminal charges.

• Operational disruption - Being subject to a regulatory investigation can disrupt business operations, which can result in lost revenue and productivity.

How do you ensure compliance with sanctions?

In the past, the entire AML process – including sanctions checks - were done manually, with customers asked to fill out forms and provide identification documents - such as a passport, driver’s license, or social security card - to prove they were who they were claiming to be.

This information was then cross-referenced with sanctions lists, but undertaking this process manually is not only hugely time consuming but is also open to error, with huge numbers of sanctioned individuals missed, while time is continually being wasted investigation false positives.

The best way to run sanctions checks is via a digital compliance platform. This type of solution can run the initial check, screen for sanctions and PEPs and then automatically run enhanced due diligence when it’s required. Not only is this quicker, easier and more secure, but it also greatly reduces false positives by only alerting the regulated business if there is a true match.

How can SmartSearch help?

SmartSearch is an award-winning digital compliance solution that runs identification, verification, PEP and sanction screening, enhanced due diligence and monitoring, all from one place.

• Identification, verification and automatic screening

SmartSearch uses global data from three partners Experian, Equifax and TransUnion – the three largest credit reference bureaus in the world – and the Dow Jones Global Watchlist, which has access to more than 1,100 PEPs and sanctions lists and is updated daily.

Using the data provided by the customer and cross-referencing with these global data partners, SmartSearch is able to identify, verify and screen an individual or business in a matter of seconds.

• Enhanced due diligence

If SmartSearch finds a match, enhanced due diligence is triggered automatically. This will comprise of running extensive checks, including building up a comprehensive adverse media profile, on any SIPs (Special Interest Persons with links to financial crimes), anyone named on sanctions lists, as well as any PEPs or RCAs (Relatives and Close Associates of PEPs).

Anyone identified as any of the above are seen as higher risk, because either they already have known links to financial crime, or because they are more vulnerable to bribery and corruption. This information is then passed on so you are able to assess the risk to your business.

• Automatic record keeping and ongoing monitoring

As well as completing all the required checks, doing a SmartSearch rather than a standard AML check also means that your record keeping will always be up to date.

That is because when you run a SmartSearch, the check is automatically saved into the system to ensure watertight record-keeping. The entire system is monitored every night meaning that any changes to any customers’ status or public position will be identified, and you will be alerted if this affects the potential risk to the business.

Why is SmartSearch better than other digital compliance solutions?

There are many digital compliance solutions on the market that perform identification and verification checks, there are also a number of platforms that are able to screen for sanctions and PEPs, while other firms have programs set up to monitor customer databases. However, SmartSearch is the only one to offer all three, as well as a number of other benefits, including:

• Batch upload – A unique service that enables businesses with compliance gaps to retrospectively perform full AML and screening on their entire customer database to ensure a clean compliant position.

• International Business reports – An innovative service that can create comprehensive reports - including UBO information - on businesses in more than 200 countries worldwide.

• Ultimate Beneficial Owner Checks – The ability to quickly and accurately identify the ultimate beneficial owner (UBO) returning results on individual UBOs, Director UBOs and any additional entities in one search.

• International Individual Checks - Accesses high-quality international data from over 200 global data sources and combines this information with in-depth local knowledge to offer robust and accurate verification of international individuals.

• Source of Funds checks - SmartSearch has open banking functionality to enable source of funds checks as part of a clients’ overall AML process.

• Triple bureau data - SmartSearch has three data partners - Experian, Equifax, and TransUnion - to offer triple bureau accuracy and the highest match and pass rate (97%) on the market.
  
  
• Perpetual KYC (pKYC) – SmartSearch not only runs initial identification and verification but also automatically re-runs client searches, delivering instant access to the latest search outcomes and audit trails.
  
  
• Configurability and Automation - SmartSearch’s KYC and KYB solutions can be fully tailored to each businesses’ unique needs and offers the ability to create bespoke, fully automated workflows that are able to assign, notify and create applications based on rules.
  
  
• API functionality - All SmartSearch services are now available through RESTful APIs, meaning clients can be integrated quickly and efficiently. By having all compliance checks on one platform – and integrating this with clients’ existing systems - users can manage everything from one place.

For regulated firms looking for a reliable service that can both ensure sanction compliance and streamline their operations, SmartSearch's award-winning platform offers the solution.