close
close

Sanctions Reviews: A Data-Driven Approach

Posted on by darion

Sanctions compliance is a vital part of financial institutions’ regulatory frameworks. While adhering to the rules prevents doing business with sanctioned individuals or entities, even the best-prepared institutions can find themselves under the spotlight of regulatory oversight, requiring internal reviews. A data-driven approach to these reviews can be the difference between a smooth landing and a compliance nightmare.

Monitoring compliance with sanctions is a hurdle for many organizations.1 Sometimes, retrospective reviews, commonly known as retrospective reviews, involve sifting through more than five years of data, which can be a drain on resources. Below, we examine the challenges of retrospective reviews and how a data-driven approach can be a company’s secret weapon.

Need for a Sanctions List Management Program

Sanctions lists are constantly changing. Regulators routinely add, remove, and update entries to correct inaccuracies or as new information becomes available. In a retrospective review, an institution must accurately determine which entities were sanctioned at a given time and what details were known at the time. This is different from real-time screening solutions, which are integrated and rely on live data from screening vendors. Without a solid set of controls and procedures to guide how sanctions lists are managed, navigating this evolving landscape can be inefficient at best and lead to errors at worst that are propagated into regulatory submissions.

This is the place where Sanctions List Management (“SLM”) The program, the unsung hero of sanctions compliance, steps in. It provides comprehensive management and maintenance of an institution’s sanctions lists. An effective SLM program leverages technology to manage all types of lists, from government-issued sanctions to internal watch lists. And most importantly, it tracks changes to sanctions lists and broader adjustments to sanctions regimes, creating a transparent historical record.

Ideally, SLM controls are streamlined and automated, offering real-time (or near-real-time) monitoring of list updates. Institutions can source lists from third-party vendors who aggregate data from multiple sources, or they can choose to source them directly from regulators. Regardless of the source, consistent documentation is key. Updates should be logged in a central data repository designed to maintain a complete audit trail, ensuring that no historical data is lost.

The SLM programme not only enhances the operational efficiency of an institution’s day-to-day operations by ensuring ongoing compliance with sanctions regulations, but also plays a key role in compliance investigations.

Why Data Management Requires a Forensic Approach

When conducting an internal investigation into sanctions or other areas of financial crime, a financial institution and its legal counsel must navigate a jungle of data. Data on thousands, even millions, of customer records is spread out before them, including Know Your Customer (“KYC”) data, historical alerts, communications records, and counterparty data, each dating back years. All of this adds to the challenges of conducting a retrospective investigation. Worryingly for some, these investigations are now poised to become even more daunting with the passage of the 21st Century Peace Through Strength Act in April 2024, which extended the statute of limitations for violations of U.S. sanctions from five to 10 years.2 US authorities now have up to 10 years from the date of a breach to initiate enforcement actions, requiring companies to retain data for a longer period to properly assess potential liability.

Even the most robust financial institutions can find themselves in a difficult position during large-scale compliance reviews. Despite mature data management programs that address areas such as governance, security, quality, and availability, forensic data gaps can easily emerge. Institutions are left struggling with corrupt data traces, incomplete data sets, and unusable archived information.

How does this happen? Legacy system upgrades can leave data in forgotten formats, while outdated technology and staff turnover can create a knowledge vacuum, rendering archived data sets a mystery to stakeholders, rendering data essentially useless without additional work. The likelihood of cloud migrations that have occurred over the past decade also means that extending the statute of limitations for U.S. sanctions violations could be particularly problematic.

A data management program should address long-term data retention and retrieval while maintaining compliance with applicable data protection laws. A program that enables the retrieval, restoration, and use of all relevant data translates into smooth progress in compliance reviews, with all historical evidence readily available to meet legal requirements and regulatory expectations.

To ensure their data management programs are resilient to future investigations, financial institutions should consider three key actions.

  • Invest in modern, scalable technologies that can be efficiently integrated with legacy systems, ensuring that no data is left in obsolete formats.
  • Implement solid data management policies which emphasize regular audits, comprehensive documentation and staff training to maintain continuity and transparency over time, so that staff turnover does not lead to loss of knowledge.
  • Fostering strong collaboration between compliance, IT and legal functions to ensure that data management practices comply with regulatory requirements and can adapt to changing legal conditions.

A proactive approach not only protects against regulatory risk, but also builds a solid foundation for dealing with the complexities of financial crime investigations in the future.

With all the current discourse on artificial intelligence (“AI”), it would be remiss not to emphasize the importance of good data governance in the context of deploying AI solutions for sanctions investigations. To be prepared to effectively deploy AI models, it is important to have well-organized and high-quality data, because without high-quality data AI cannot perform optimally. Good data governance ensures that data is accurate, complete and accessible, providing a solid foundation for AI applications and not only increasing regulatory compliance but also enabling successful future implementation of AI technologies.

The Case for a Unified Case Management Solution

Isolated information is the enemy of holistic understanding, as well as data quality. Payment data, for example, becomes meaningless without context. Investigators need the full picture—KYC profiles, historical activity records, and customer communications.

Most financial institutions will have access to case management systems as part of their financial crime monitoring system. And while these systems tend to boast about their own case management functionality, institutions often choose solutions from multiple vendors. These solutions are often not designed to support and facilitate integration with other systems, making them difficult to connect, which impacts their effectiveness during compliance reviews.

With seamless information integration, organizations can confidently navigate reviews. When preparing for a compliance review, they should be ready to implement a case management solution that can connect different types of data. Not only will the review be more efficient and cost-effective, but it will also reduce compliance and operational risk at the source.

Application

In the evolving landscape of sanctions compliance, financial institutions face complex challenges. Innovation and organizationally inclusive collaboration are key to unraveling the complexities of sanctions compliance. By adopting technology- and data-driven approaches, institutions will not only streamline day-to-day operations but also prepare to withstand regulatory scrutiny. A cultural approach that leverages expertise across functions leads to better outcomes, increases buy-in, and ultimately leads to more sustainable change. With the right tools and a well-defined data strategy, institutions can confidently navigate compliance reviews, ensuring compliance while optimizing efficiency and keeping costs low.

Case example

  • Working closely with external legal counsel to a large Nordic financial institution, FTI Consulting was asked to bring the full scope of its global expertise to bear in supporting an investigation into alleged money laundering (ML) and sanctions breaches.
  • To facilitate the investigation, our experts have deployed a range of proprietary resources, including hundreds of machine learning detection scenarios, Financial Crime Data Review Platform (“FC DataRev”) for case management, a robust, field-proven Name Matching Platform (“NMP”) for assessing string similarity, and our live sanctions list repository, which allows us to reliably implement baseline requirements and enable us to leverage legal expertise in regulatory negotiations.
  • FTI Consulting also incorporated the Bank’s internal watchlist data, informing our NMP detection and analysis algorithms. And when attention turned to assessing regulatory filings regarding Politically Exposed Persons (PEPs), FTI worked with the Bank’s established external watchlist providers to establish a retrospective agreement, enabling our team to efficiently integrate the Bank’s data into the review.
  • By combining the Bank’s assets with FTI Consulting’s intellectual property, expertise and proven review methodologies to create an efficient and flexible solution, our team was able to leverage legal expertise to achieve the best outcome for the Bank.

FTI Consulting’s multidisciplinary team combines industry and regulatory experts with skilled data and analytics specialists. Our expertise, like the regulatory challenges our clients face, is global and we translate it into bespoke solutions that meet our clients’ specific needs because our teams include experienced professionals who have been in their shoes. You can learn more about FTI Consulting’s financial crime and sanctions investigations here.