
Sanctions Testing and Auditing - A Regulatory Perspective



Yanez AI interactive Infographic experience

This blog post serves as context to Yanez AI Infographic on regulatory enforcement actions. You can access the infographic here.


Introduction to Sanctions

Sanctions are measures imposed by governments or international bodies to restrict trade or financial transactions with specific countries, entities, or individuals. Sanctions can target various activities, such as human rights abuses, nuclear proliferation, terrorism, or destabilizing actions. Sanctions screening involves the systematic review of transactions, individuals, or entities against lists of sanctioned parties maintained by governments or international organizations, such as the United Nations, the European Union, or the United States Treasury Department’s Office of Foreign Assets Control (OFAC). The goal is to ensure compliance with legal requirements and prevent inadvertent involvement with sanctioned entities.


One can think of the scope of regulatory agencies as jurisdictions. Organizations need to comply with the regulatory agencies within the jurisdictions they operate in. The scope of regulation and enforcement from some of these regulatory bodies may transcend countries and jurisdictions. OFAC in the United States is notorious for enforcing their sanctions beyond United States borders, as any organization that “touches” the US Dollar, or more accurately, the US economy, is within the scope of OFAC’s regulation and enforcement.


The degree to which these agencies prescribe an exact set of requirements for complying with their regulations varies, and the actual implementation is left somewhat to interpretation. In general, though, most agencies have issued a reasonable set of guidelines that include a proper risk assessment, screening against sanctions lists, training, auditing and testing, and model governance.


This blog focuses solely on the subject and issues surrounding testing, tuning and auditing of the sanctions screening solution. There is a reasonable bulk of literature that expands on the subjects of risk assessment, training, and other subjects surrounding a proper sanctions program.


Testing, Tuning and Auditing

Every regulatory agency considers testing, tuning and auditing essential to a well-executed sanctions program. These are the program’s set of activities for ensuring that it behaves as intended, from inception and throughout its operation. The scope of these activities should cover every aspect of the program, and some regulatory agencies strongly advocate independent testing and auditing performed by a skilled third-party organization.


Special attention is paid to the capabilities of the screening solution. The very comprehensive report “The Guide to Sanctions” by GIR (Global Investigations Review), published in 2023, summarizes it best:


“Although there is generally no legal obligation within primary sanctions legislation to conduct sanctions screening, it is often the only practical way an organization can ensure that it does not engage in conduct that would give rise to violations of sanctions. There are multiple screening tools available to organizations, some of which will no doubt be better suited to certain industries. However, what is important is that those responsible for the screening solution within an organization understand why the tool was selected, how it operates, how it is calibrated to meet the needs of the organization and risk assessment, and how the underlying logic works. The effectiveness of sanctions screening tools, at both the customer and transaction levels, should be regularly tested to ensure it is operating within the parameters the organization needs and expects.”


Source: Zia Ullah and Victoria Turner, “Principled Guide to Sanctions Compliance Programmes”, GIR Guide to Sanctions


In the United States, the New York Department of Financial Services (NYDFS) has published the most prescriptive framework for sanctions compliance as part of the 504.3 Rule. It is very specific about what is expected from organizations. The following are excerpts of the rule’s language on the subject of testing screening systems and the governance model:


“Include an end-to-end, pre- and post-implementation testing of the Watch List Filtering Program, including data mapping, an evaluation of whether the watch lists and threshold setting map to the risk of the institution, the logic of matching technology, or tools, model validation, and data input and Watch List Filtering Program output.”


“Be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the watch lists and the threshold setting to see if they continue to map to the risks of the institution”


“Governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported, and audited.”


Most organizations achieve the testing, auditing and tuning requirements by following a process like the one depicted below. This process is either accomplished by homegrown strategies conducted by an internal team, or by hiring an independent consulting team. Organizations often prioritize hiring a team to comply with strong suggestions from regulatory agencies to keep testing, auditing, and tuning independently sourced.



1. Build the test data set. This is likely the most difficult step, as it requires broad investigation and knowledge of the acceptable and intended name variations that a program needs to satisfy. The difficulty increases when the institution operates in multiple jurisdictions, as the linguistic variations of a name and the demographic information behave somewhat differently from region to region.


2. Prepare and play the data. Once the dataset has been generated with all the name and demographic data variations appropriate to the institution’s risk program, it is time to execute these datasets against the sanctions screening systems. This sometimes means building integrations with multiple sanctions systems, each with different data preparation requirements, different APIs and different configuration specifications, multiplying the effort required of IT teams.


3. Review and analyze results. There must be a format and a way to store the results so that they can be easily analyzed, first and foremost to verify that the results are consistent with the expectations encoded in the test data set. The simplest review system likely means storing the results in CSV form and then using Excel to dissect the data properly.


4. Make adjustments / tuning. Depending on the results of your analysis, you may need to adjust the configuration of the screening system until you find the proper balance between the potential alerts generated and the size of your operations team.


5. Iterate and document. You may need to iterate on your testing, and depending on your methodology you may also need control data sets that confirm the configuration changes have the intended effect. More importantly, you need to keep a transparent record of all of these activities and their results, which should be provided to internal and external auditors.
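As an added illustration of steps 1 to 4 (example code written for this post, not Yanez’s or any vendor’s code): a constructed watch list and test set with expected outcomes are replayed against a small token-level fuzzy matcher that stands in for the screening engine, and the missed true matches and false positives at each candidate threshold come back as rows ready to store as CSV. The names, the similarity logic and the threshold grid are all assumptions made for the example; note that no threshold in the grid clears both the reordered-name case and the near-name control, which is exactly the trade-off step 4 has to settle.

```python
import unicodedata

# Constructed watch list and test set (hypothetical names, not real listed parties).
WATCH_LIST = ["Mohammed Rashid", "Ivan Petrovich Sokolov", "Zhang Wei"]
TEST_CASES = [  # (input name, listed name it must alert on; None = must NOT alert)
    ("Mohamed Rashid", "Mohammed Rashid"),          # spelling variant
    ("Sokolov Ivan P.", "Ivan Petrovich Sokolov"),  # token order and an initial
    ("Zhāng Wěi", "Zhang Wei"),                     # diacritics
    ("Zhang Wen", None),                            # near-name that must not alert
]

def normalize(name):
    """Step 2 data preparation: strip diacritics, lowercase, split on punctuation."""
    plain = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return plain.lower().replace(".", " ").replace("-", " ").split()

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def token_sim(x, y):
    if x == y:
        return 1.0
    if (len(x) == 1 and y.startswith(x)) or (len(y) == 1 and x.startswith(y)):
        return 0.5  # an initial earns partial credit only
    return 1 - levenshtein(x, y) / max(len(x), len(y))
def name_score(name, listed):
    """Stand-in for the screening engine: mean best token similarity per listed token."""
    inp, ref = normalize(name), normalize(listed)
    return sum(max(token_sim(t, r) for t in inp) for r in ref) / len(ref)

def evaluate(threshold):
    """Step 3: replay the test set; count missed true matches and false positives."""
    missed = false_pos = 0
    for name, expected in TEST_CASES:
        score, hit = max((name_score(name, listed), listed) for listed in WATCH_LIST)
        if expected is not None and not (score >= threshold and hit == expected):
            missed += 1  # below threshold, or matched to the wrong listed name
        elif expected is None and score >= threshold:
            false_pos += 1
    return missed, false_pos

def tuning_rows(thresholds=(0.70, 0.80, 0.85, 0.90, 0.95)):
    """Step 4: one row per candidate threshold, ready to write out as CSV for review."""
    return [("threshold", "missed_true_matches", "false_positives")] + [
        (f"{t:.2f}", *evaluate(t)) for t in thresholds]
```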


Regulatory Pressure

Most enforcement agencies around the world have explicitly cited a lack of testing, tuning and auditing as the reason for gaps and failures in sanctions programs. Many of the uncovered gaps that turned into hefty fines could have been avoided by implementing proper testing and auditing processes.


“The importance of internal controls is not a new concept and has been a significant area of focus for regulated entities for many years. Both civil monetary penalties issued by sanctions authorities, and regulatory penalties issued by those regulating the financial sector, have heavily focused on internal controls to combat sanctions risk… The aim of regulators across many jurisdictions is to take action proactively in assessing the adequacy of controls to ensure the risk of sanctions violations occurring is mitigated. This message is emphasized by actions taken by regulators across the world against organizations not only for actual violations of sanctions but also because of the lack of adequate internal controls in preventing violations from occurring.”


Source: Zia Ullah and Victoria Turner, “Principled Guide to Sanctions Compliance Programmes”, GIR Guide to Sanctions


The following are examples of enforcement actions issued by OFAC in the last two years that include testing and auditing within remediation suggestions or mitigation actions.


1. SCG Plastics

Committed to comprehensive remedial measures following the OFAC investigation, including robust independent internal investigations and regular auditing as part of its sanctions compliance procedures.


2. EFG International

Undertook significant compliance reforms including risk assessments and enhanced auditing aligned with OFAC’s standards to address identified deficiencies.


3. Binance Holdings, Ltd.

Incorporated real-time transaction monitoring systems with third-party oversight and periodic independent testing of its updated sanctions compliance functions.


4. Poloniex, LLC

Instituted internal controls and performed enhanced compliance monitoring, significantly improving its overall sanctions compliance posture.


5. Uphold HQ Inc.

Implemented stringent internal testing and auditing mechanisms, including independent evaluations of its compliance frameworks to better align with OFAC’s specifications.


6. daVinci

Actively improved its compliance program by implementing real-time and periodic independent testing, ensuring effective operational controls.


Testing, tuning and auditing functions

Looking across the guidance and suggestions on testing, tuning and auditing issued by several regulatory agencies worldwide, we can characterize it by the following functions and features:


  • Independent Testing: Review of system by a third-party.

  • Documentation: A trail of evidence that records the review and analysis process.

  • Reporting: An exportable document that can be shared with internal and external auditors.

  • Frequency: Ability to execute as periodically as necessary, from monthly, to quarterly, to yearly, or whenever an event justifies it.

  • List updates: Ensuring that the screening systems are up to date with the sanctions lists, with updates applied as close to real time as possible.

  • Coverage: The screening system is robust across all of the lists applicable to the different jurisdictions.

  • Auditing: The ability to review the results of testing and auditing activities.

  • Model Validation: Evaluate the fuzzy capabilities of the screening system to ensure it can catch sensible name variations. Evaluate transaction monitoring systems that are supposed to detect sanctions evasion.

  • Monitoring: Ability to continuously screen the client base as lists are updated, and to monitor transactions for possible sanctions evasion.

  • Risk Assessment: Inform the testing and tuning with the risk assessment such that the evaluation aligns with the risk program implemented.

  • Training: Ensure that operations teams are properly and adequately trained.


Yanez AI interactive Infographic experience

We have developed an infographic to summarize the contents of this blog and highlight the valuable information contained in the regulatory agencies’ enforcement actions and how it relates to your sanctions testing and auditing programs.


Yanez AI Interactive Infographic Snippet


This is much more than an infographic: it is meant to be an interactive experience that we will continue to enhance as the Yanez AI model continues to improve. The more our audience interacts with it, the better it becomes. Upcoming enhancements include analysis of consent orders from FinCEN and OFSI, the new ruling from the Bank of Canada, and the freedom to interact with the AI model.


Yanez Compliance Testing and Tuning

The Yanez Platform is a no-code, AI-powered automation and investigation platform to empower financial crime prevention operations teams.


The Testing and Tuning module focuses on helping clients reach the best possible configuration of their screening system and report easily to external and internal auditors. This module can also unveil gaps in coverage that may be jeopardizing an organization’s compliance stance and, furthermore, exposing the financial ecosystem to nefarious actors.


The Yanez platform leverages authoritative data and proprietary AI technology to create synthetic data sets that find the best possible threshold for the screening system: one that does not miss a true match to the sanctions lists while balancing fuzzy matching capability against false positives. Because the test data can be broken apart by component, it can also discriminate between system configurations according to how well they handle jurisdiction-specific nuances in the data. The system can also test the robustness of coverage by testing deep coverage across the regions that make up a given jurisdiction.


Take a tour of the Yanez Compliance Testing and Tuning module.




Conclusion

A comprehensive sanctions program requires a robust testing and auditing strategy that can largely mitigate the risk of sanctions violations. Regulatory bodies worldwide have issued guidance or prescriptive requirements to inform institutions’ sanctions programs, and they have noted in the remediation sections of their actions how internal controls and audits are fundamental to testing the robustness of those programs. A solid testing and auditing process will uncover potential gaps in the program, enabling an organization to address them proactively before they are exploited by nefarious actors. Regulators will also weigh it as a significant mitigating factor when calculating penalties if sanctions violations are found during the audit process.

