Managing the global geopolitical environment and techniques to stay ahead of fast-moving sanctions regimes

Hunter Kreger, VP, FIU Deputy OFAC Officer, Atlantic Union Bank

Below is an insight into what can be expected from Hunter’s session at Fraud & Financial Crime USA 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

What impacts can sanctions have on investors and investment decisions?

Investors and investment decisions are directly impacted by the dynamic nature of the sanctions environment and the potential for heavy penalties should a sanctions program be violated. Changes to the sanctions environment could lead investors to reevaluate current investment strategies and whether their current investments fit within their risk tolerance.

Institutional investors should have policies and procedures in place to ensure that their portfolios do not contain securities issued by sanctioned parties, that they do not operate accounts affiliated with sanctioned parties, and that they do not execute trades involving a sanctioned party or an individual/entity located in a sanctioned country or region. Further, where investors have a professional relationship with a third party (e.g. a broker) to execute transactions on their behalf in which they rely on the entity for sanctions compliance, the investor should consider requesting a written confirmation that the third party maintains an effective sanctions compliance program. The investor would not be protected from liability if a violation was caused by the third party.

How can banks look to manage sudden changes in sanctions compliance?

As illustrated in February of this year, banks have two main options when it comes to sudden changes to the sanctions compliance environment. Banks can either leverage technology (either developed internally or obtained through a third-party vendor) or increase headcount/pivot staff. The reality is that, if you take the events of this year as a lesson in needing to be prepared, reallocating FIU staff or hiring contract workers is not sufficient given the need to be efficient in the marketplace.

Leveraging artificial intelligence (AI) and machine-based learning (ML) provides banks with investment opportunities to mitigate the risk of future resource expansion, reduce overtime-related expenses, and keep existing resources free to tackle larger sanctions-related issues throughout the institution. Many AI/ML solutions available on the market can reduce the number of false positives reviewed by an existing resource of the bank by 60% or higher, are scalable in the event of a sudden change in the sanctions compliance environment, adapt to changes in the industry, provide a detailed audit log, and are customizable based on the risk tolerance of the bank.

How can banks look to identify risk exposure within portfolios and business lines?

Two methods banks have available to them to identify risk exposure within their portfolios and lines of business are a sanctions risk assessment and sanctions due diligence.

As noted by OFAC in their 2019 publication “A Framework for OFAC Compliance Commitments”[1], one of the central tenets of a risk-based sanctions compliance program is for organizations to conduct a risk assessment to help identify their inherent sanctions risk and evaluate the effectiveness of their related controls to determine the residual risk. Each sanctions risk assessment should be holistic, tailored to the organization being evaluated, and review a bank’s customers, products and services, and geographic exposure. The results of the assessment can be leveraged to improve an organization’s sanctions compliance program and identify areas where additional training is required.

Sanctions Due Diligence (SDD) is the other way banks can identify their sanctions risk. While SDD is similar to Customer Due Diligence (CDD), it is specifically focused on sanctions compliance. SDD helps banks understand their customers (including the customers’ ownership structure), the nature of their customers’ business, and the geographies affiliated with the customers’ business, business activities, and transactions. Performing SDD at relationship onboarding will allow banks to appropriately risk rate the customer from a sanctions perspective and determine whether the customer is within their risk tolerance. SDD should be performed throughout the life of a customer relationship on a scheduled basis, and in response to triggering events such as a sanctions alert generated during sanctions screening.

What are the risks of secondary sanctions?

Secondary sanctions present risks to third parties not subject to the jurisdiction of the United States from engaging in specific activities with parties subject to secondary sanctions, with the threat of severing access of the third party to the U.S. financial market. Individuals or entities without a U.S. nexus run the risk of incurring penalties from the U.S. Government from what they may deem normal and legal business transactions should they involve an OFAC-designated Specially Designated National (SDN) or jurisdiction such as Iran. Potential enforcement penalties include denial of export licenses, being denied access to financing from U.S. financial institutions, impact to the ability to maintain or open new U.S. correspondent banking relationships, or being directly listed as an SDN.

From the perspective of the sanctioning authority, while the threat of penalty from secondary sanctions may lead to an increased impact on the target, there is a risk of harming relationships with other countries. For example, the European Union views secondary sanctions as a violation of international law.

Why should banks look to develop consolidated escalation protocols?

Having a consistent escalation protocol for sanctions alerts is an important part of establishing a dynamic, well-managed, and audit/exam-ready Sanctions Compliance Program. It is important that banks document, in an easily digestible format, acceptable disposition factors for level one alert review and the circumstances in which an alert should be escalated for a level two review based on the bank’s internal risk tolerance. Within the protocols, the who, what, and when should be defined for ease of use of the individual performing the level one review, including business continuity procedures (BCP) should one of the “who” individuals be unavailable.

Consolidated escalation protocols help with the training of new employees, ensure consistency across the lines of business with regard to both disposition narratives and workflow, and mitigate risk to the bank. Maintaining consolidated escalation protocols also makes it easier to provide documentation to auditors and regulators listing how the bank handles the alert review process.

[1] https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf