
Screening to enforce sanctions: some tips from an expert

Chris Hamblin, Editor, London, 24 August 2016


Compliance Matters recently attended a workshop hosted by Pekka Dare (pictured), the director of training, education and development at International Compliance Training Ltd and a world-renowned expert on terrorist finance. In it, he gave the participants a good grounding in the sanctions screening process.

Dare began by stating that every financial firm should have effective, up-to-date screening systems that are appropriate to the nature, size and risk profile of its business. The compliance officer, according to Dare, must ask himself whether he knows which screening software systems his firm uses "at a high level" and who is responsible for maintaining them. He must understand the factors that his firm must take into account when choosing such software products, know how they are maintained and have a good grasp of the way in which 'fuzzy logic' works.

Fuzzy logic

Fuzzy logic is a way of co-opting computers to make decisions along vaguely human lines rather than coming up with the usual binary 'yes/no' answers to questions. It uses fuzzy sets (which allow the user to deal with situations that are not precise) and fuzzy rules (using human concepts and not strict measurements) to model the world and make decisions about it. In financial crime control 'fuzzy logic' name searches provide a broader set of results than exact character matches would.

The US Office of Foreign Assets Control's sanctions list search software, for example, uses two matching logic algorithms and two matching logic techniques to calculate the score. The two algorithms are Jaro-Winkler, a string difference algorithm, and Soundex, a phonetic algorithm. The first technique involves using the Jaro-Winkler algorithm to compare the entire name string entered against full name strings of entries on OFAC's sanctions lists. The second technique involves splitting the name string entered into multiple name parts (for example, John Doe would be split into two name parts). Each name part is then compared to name parts on all of OFAC's sanctions lists using the Jaro-Winkler and Soundex algorithms. The search calculates a score for each name part entered, and a composite score for all name parts entered. OFAC uses both techniques each time the search is run, and the higher of the two scores appears in the 'score' column. Only the name field influences the score and only the name field uses the fuzzy searching logic. OFAC provides this software freely to help the public comply with sanction-related rules.
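The two techniques described above can be sketched in a few lines of Python. This is an added illustration, not OFAC's software and not part of the original article; the way a Soundex match is weighted and the way part scores are combined into a composite are assumptions, since the article does not give OFAC's formula.

```python
# Added illustration, not OFAC's code. Assumptions: a Soundex match scores a
# name part at 0.90; the composite is the mean of each entered part's best score.
SOUNDEX_SCORE = 0.90
CODES = {c: d for d, grp in enumerate(("BFPV", "CGJKQSXZ", "DT", "L", "MN", "R"), 1)
         for c in grp}

def jaro(a, b):
    window = max(max(len(a), len(b)) // 2 - 1, 0)
    used, a_hits = [False] * len(b), []
    for i, ch in enumerate(a):
        for j in range(max(0, i - window), min(len(b), i + window + 1)):
            if not used[j] and b[j] == ch:
                used[j] = True
                a_hits.append(ch)
                break
    if not a_hits:
        return 0.0
    m, b_hits = len(a_hits), [c for c, u in zip(b, used) if u]
    t = sum(x != y for x, y in zip(a_hits, b_hits)) / 2  # transpositions
    return (m / len(a) + m / len(b) + (m - t) / m) / 3

def jaro_winkler(a, b, p=0.1):
    j, prefix = jaro(a, b), 0
    while prefix < min(4, len(a), len(b)) and a[prefix] == b[prefix]:
        prefix += 1  # Winkler bonus for a shared prefix of up to 4 characters
    return j + prefix * p * (1 - j)

def soundex(word):
    word = "".join(c for c in word.upper() if c.isalpha())
    out, prev = word[:1], CODES.get(word[:1])
    for c in word[1:]:
        d = CODES.get(c)
        if d and d != prev:
            out += str(d)
        if c not in "HW":  # H and W do not separate letters with equal codes
            prev = d
    return (out + "000")[:4] if out else ""

def part_score(a, b):
    same_sound = soundex(a) != "" and soundex(a) == soundex(b)
    return max(jaro_winkler(a, b), SOUNDEX_SCORE if same_sound else 0.0)

def screen(query, listed):
    q, l = query.upper().split(), listed.upper().split()
    if not q or not l:
        return 0
    whole = jaro_winkler(" ".join(q), " ".join(l))  # technique 1: full strings
    parts = [max(part_score(p, lp) for lp in l) for p in q]  # technique 2: parts
    return round(100 * max(whole, sum(parts) / len(parts)))
```

With these assumptions, screen("James Brown", "John James Brown") returns 100 because only the name is scored; date of birth and nationality play no part and have to be weighed by whoever reviews the alert.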

Whom should we screen?

Pekka Dare had a comprehensive list of people and firms that the financial institution in question ought to be 'screening.' This included customers (both people and firms); all of its staff; all third-party service providers, including suppliers of screening IT or of staff; connected or related parties "identified to be connected to the business relationship or the sanctioned target"; ultimate beneficial owners, but also other key parties to the business relationship; and (presumably in the case of corporate customers) products, services and transactions. Dare added: "How many suppliers do you have? You must screen them and they change all the time. It's a huge piece of work and I know banks are struggling with it."

72 hours' leeway

Up came a case study which began: "A customer holds a US$ account with your financial services firm. On the same day, but after it is designated by OFAC as a 'specially designated national,' your client transfers the balance of the account to an associate who holds another account at your firm. That contact then withdraws the cash locally (Dare said that this was in Hong Kong). Your firm uses the OFAC SDN list for screening globally."

It was in Hong Kong that the associate took the money out and, Dare pointed out, "You can't stop him taking it out in cash. Hong Kong doesn't recognise OFAC in Hong Kong. Also, I think 72 hours is what OFAC thinks is a 'reasonable' lag between somebody being charged and a firm noticing/screening."

Should the screening controls used by the firm have detected this withdrawal? If they had done so, what steps should the compliance officer/money laundering reporting officer take in response? If, after being 'designated,' i.e. put on OFAC's blacklist, the customer asked for the balance to be transferred to a bank in Singapore of which the MLRO has never heard, what should he do?

Dare noted that this situation had happened in the past and the bank had taken legal advice.

"The lawyers said 'don't block it.' It would give the guy notice that he's being investigated or that he's been spotted. Tell them that he's on our OFAC sanctions list and put the onus on them to freeze."

What to do with alerts

When a customer's name matches that of a person on an internal (bank) or external (government) watchlist, an alert is generated and the compliance officer now has some decisions to make. Pekka Dare had some case study samples on hand.

Example 1

An alert has been generated by the bank's internal system to highlight a potential match between a customer and a person on the watchlist. The customer is a male called James Brown, date of birth 17/02/1965, of New Zealand nationality. The watchlist details mark out a male called John James Brown, date of birth 17/05/1985 (20 years' difference), nationality USA (also different). How should the MLRO investigate this match for closure or escalation? What is his risk-based decision?

Dare had the answer: "You'd get crucified if you escalated this! You have a rationale to reject and discard it. It's defendable. You can prove you made endeavours. Otherwise, imagine the vast numbers of cases that you'd been pushing upstairs."

Example 2

An alert has been generated by the firm's internal system to highlight a potential match between a customer and a person on the watchlist. The customer is a male called James Brown, dob 9/01/1955, nationality UK. The watchlist person is a male called 'Brown' and no other name, dob 09/01/1955, no recorded nationality. This is trickier. Dare's advice was: "Escalate it. Push it up the line. It's very poor quality, but there's not enough here to have to reject it."

Example 3

An alert has been generated by the firm's internal system to highlight a potential match between a customer and a person on the watchlist. The customer is a female called Jennifer Brown, dob 9/01/1955, nationality UK. The watchlist person is a female called Jennifer Brown, dob 9/01/1955, nationality UK. Dare explained: "That is what we call a true match. It's unlikely that two Jennifer Browns were born on the same date." This is, of course, assuming that Brown is a spinster who has never changed her surname or that the MLRO has ascertained her maiden name.

Escalations

It is very important to have an escalation process in place during the investigation process and especially in the event that someone has identified a potential evasion of sanctions. This process must include the following.

  • A defined, approved and written-down process.
  • Jobs, constitution, make-up and responsibilities of the individual or committees receiving the escalation to be defined clearly.
  • The job of the point of escalation - what do they do with it?
  • Training and awareness. People need to know that they can never give anyone advice that could be construed as conducive to the evasion of sanctions. They must realise that this is 'career suicide.'
  • Confidence on the part of staff.

Dare reassured the class: "You WILL breach sanctions. It's such a complicated field and the regulators know that. Just report to the regulators what you find out. It's vital to be open and honest with the regulator. Look at the Standard Chartered OFAC settlement notice. They sent in a letter to OFAC saying 'we never use cover letters [the document calls them cover payments] with Sudan' [section 9 of the document says Libya] and they didn't, but next door they were doing it with Iran."

The $132 million settlement agreement, made in 2012, says: "In August 2003, SCB NY sent a letter to OFAC addressing a then-blocked Libya payment that had been re-effected using a cover payment. That letter said in part: "SCB (London) has advised us that...the use of cover payments was contrary to Standard Chartered Bank's global instruction relating to OFAC sanctioned countries that would have precluded the initiation of such cover payment instructions." SCB maintains that this statement was accurate when made in connection with the Libya-related transaction in question. OFAC, however, finds the statement to be misleading in light of the large number of Iran-related transfers that were processed using cover payments."
