Sanctions Screening: Challenges and Control Considerations
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
Economic sanctions have evolved dramatically over the past few years, and especially after Russia’s February 2022 invasion of Ukraine. The resulting sanctions are unprecedented in number, scope, complexity and type. While governments are increasingly turning to highly specific measures that prohibit particular types of transactions, list-based sanctions, which broadly prohibit business dealings with specific persons and entities rather than entire countries or geographic regions, remain the most frequently deployed type of sanctions. The best-known list-based sanctions are those maintained by the US Office of Foreign Assets Control (OFAC) and published on its Specially Designated Nationals and Blocked Persons (SDN) List. These finely targeted sanctions generally result in fewer unintended collateral consequences than do country-based measures, but they can often be more difficult to comply with. In 2022, further additions have been made to SDN lists, by jurisdictions such as the EU and UK, which has added to the complexity of maintaining current lists. Screening against targeted sanctions lists presents considerable challenges, given the complex corporate structures used to obscure underlying sanctioned parties, the inherent difficulties in name matching and the difficulties in screening for entities that are, directly or indirectly, 50 per cent or more owned in the aggregate by sanctioned parties, under OFAC’s 50 Percent Rule.
An example of this increasing complexity are sanctions that address both entities and their underlying activities. Following Russia’s invasion of Ukraine in 2022, additional sanctions to the 2014 sectoral sanctions were imposed, which limit specific investment activities, among other things, with Russian entities. This new type of sanction added another level of complexity to compliance. Existing challenges in correctly identifying sanctioned parties were compounded by the requirement to also understand the nature of the proposed transaction by the customer.
Sanctions screening failures have figured prominently in a number of OFAC penalty settlements with both financial institutions and non-financial entities. To this end, we discuss current regulatory guidance for a successful sanctions screening programme, how screening relates to the core elements of the overall sanctions compliance programme, examples of enforcement actions focusing on screening failures, and screening in the context of a sanctions investigation.
Regulatory expectations for sanctions screening
In the US, OFAC has not published detailed guidance regarding expectations for sanctions screening programmes. The 2019 ‘Framework for OFAC Compliance Commitments’ (the Framework), after addressing five high-level elements for a sound sanctions compliance programme, identifies 10 common root causes of sanctions compliance failures. The sixth root cause addresses some of the failures that occur due to poor configuration of sanctions screening software. The guidance mentions some specific failings, including using outdated screening lists, incomplete data screening and not accounting for alternative spellings of names. These are a few of the potential points of failure when screening for possible sanctions targets, and we discuss several others in this chapter.
In 2015, OFAC published a one-page guidance document regarding the management of ‘false hits’ lists. Pursuant to that guidance, where companies have determined that potential match alerts can be disregarded as false positives and suppressed going forward, compliance personnel should be involved in oversight and administration of the lists, and, among other things, the lists should be modified promptly and as necessary to account for changes to sanctions lists.
In contrast to the limited guidance from OFAC, the New York Department of Financial Services (NYDFS), which regulates financial institutions licensed within the state of New York, has taken a more prescriptive stance as to sanctions screening programmes. NYDFS has identified weaknesses in transaction monitoring and sanctions screening programmes within regulated institutions, and attributed them to insufficient governance and accountability at senior levels. As a result, NYDFS set out specific requirements for these programmes that require boards of directors or senior officers to certify compliance on an annual basis.
The first compliance findings were due in April 2018 and required regulated institutions to:
- Undertake comprehensive and holistic assessments of their transaction monitoring and sanctions filtering programs;
- Provide appropriate supporting evidence to demonstrate the effectiveness of the programs;
- Execute remedial efforts, material improvements, or redesigns to keep the programs in compliance; and
- Implement governance processes for the annual certification.
At a more detailed level, each regulated institution must maintain a sanctions screening programme that is reasonably designed to interdict transactions prohibited by OFAC and that includes the following attributes:
- Be based on the risk assessment of the institution;
- Be based on technology, processes or tools for matching names and accounts, in each case based on the institution’s particular risks, and transaction and product profiles;
- End-to-end, pre- and post-implementation testing of the Filtering Program, including, as relevant, a review of data matching, an evaluation of whether the OFAC sanctions list and threshold settings map to the risks of the institution, the logic of matching technology or tools, model validation, and data input and program output;
- Be subject to on-going analysis to assess the logic and performance of the technology or tools for matching names and accounts, as well as the OFAC sanctions list and the threshold settings to see if they continue to map to the risks of the institution; and
- Include documentation that articulates the intent and design of the Filtering Program tools, processes or technology.
In addition, the sanctions screening programme must include:
- Identification of all data sources that contain relevant data;
- Validation of the integrity, accuracy and quality of data to ensure that accurate and complete data flows through the Transaction Monitoring and Filtering Program;
- Data extraction and loading processes to ensure a complete and accurate transfer of data from its source to automated monitoring and filtering systems, if automated systems are used;
- Governance and management oversight, including policies and procedures governing changes to the Transaction Monitoring and Filtering Program to ensure that changes are defined, managed, controlled, reported, and audited;
- Vendor selection process if a third party vendor is used to acquire, install, implement, or test the Transaction Monitoring and Filtering Program or any aspect of it;
- Funding to design, implement and maintain a Transaction Monitoring and Filtering Program that complies with the requirements of this Part;
- Qualified personnel or outside consultant(s) responsible for the design, planning, implementation, operation, testing, validation, and on-going analysis of the Transaction Monitoring and Filtering Program, including automated systems if applicable, as well as case management, review and decision making with respect to generated alerts and potential filings; and
- Periodic training of all stakeholders with respect to the Transaction Monitoring and Filtering Program.
Although not all financial institutions are subject to these rules (and non-financial entities are not within their scope), they provide a useful benchmark in evaluating whether a sanctions screening programme has been designed well and is operating effectively.
In the UK, the Financial Conduct Authority’s (FCA) Financial Crime Guide addresses compliance with sanctions and asset freezes. In the context of a risk assessment, a firm should understand where sanctions risks reside, considering different business lines, sales channels, customer types and geographical locations, and should keep the risk assessment current. Examples of good practices related to sanctions screening include:
- where a firm uses automated systems, these can make ‘fuzzy matches’ (be able to identify similar or variant spellings of names, name reversal, digit rotation, character manipulation, etc.);
- the firm should screen customers’ directors and known beneficial owners on a risk-sensitive basis;
- where the firm maintains an account for a listed individual, the status of this account is clearly flagged to staff; and
- a firm should only place faith in other firms’ screening (such as outsourcers or intermediaries) after taking steps to satisfy themselves that this is appropriate.
In addition to these examples of best practices, the Guide cites a £5.6 million fine by the FCA’s predecessor against Royal Bank of Scotland (RBS) in 2010, where RBS failed to adequately screen its customers and payments against the sanctions list, did not ensure its ‘fuzzy matching’ remained effective, and, in many cases, did not screen the names of directors and beneficial owners of customer companies. Regulators have continued to cite lack of sufficient fuzzy matching in enforcement cases since then.
In addition to the OFAC, NYDFS and FCA guidance, the Wolfsberg Group, an association of 13 global banks, published ‘Wolfsberg Guidance on Sanctions Screening’ in 2019. The Guidance indicates that sanctions screening should be supported by key enabling functions, such as policies and procedures, a responsible person, a risk assessment, internal controls and testing. These areas roughly correspond to the high-level elements within OFAC’s Framework. In addition to Wolfsberg’s key enabling functions, the Guidance also discusses principles for generating productive sanctions alerts, the need for metrics and reporting, independent testing and validation, data integrity and criteria used to develop screening technology in-house or to select a vendor to provide these services.
How sanctions screening fits into the sanctions compliance programme
Sanctions screening does not operate in a vacuum; it is an integrated piece of the compliance programme. In this section, we describe some of the key elements of an effective sanctions screening programme in relation to the five high-level areas of compliance articulated in OFAC’s Framework.
Governance and risk assessment
When an entity implements proper governance and oversight and performs a sound sanctions risk assessment, there should be clear alignment between identified sanctions risks and the screening programme configuration. If the sanctions risk assessment determines that certain geographies, customers or products present significant sanctions risk, regulators would expect to see that the relevant sanctions lists are utilised for screening and that there are more stringent screening criteria applied in higher-risk areas.
For example, NYDFS requires that sanctions screening attributes address links between the risk assessment and the screening programme configuration. Specifically, screening tools must be based on the risk assessment, configured in a risk-based manner and tested to ensure they provide results in accordance with the identified risks; in addition, the entity must document links between risks identified and the configuration of the sanctions screening. This is an important reminder that entities should not just implement software to address general sanctions risks; rather, they should identify specific sanctions risks and then develop or procure software that sufficiently addresses those identified risks.
Internal controls – due diligence
To properly screen for potential sanctions violations, sufficient due diligence must be performed. During customer onboarding, the entity must obtain and verify key information to identify the customer, including, but not limited to, name, alternate names, address, date of birth, registration number and country of incorporation, residence or nationality. These attributes are useful during subsequent sanctions screening as they help determine if a potential sanctions match is valid. The entity should also understand ultimate beneficial ownership (UBO) information, key trading partners and supply chain information, where relevant. UBO information, in particular, is relevant in determining if a person or company falls within the sanctions restrictions due to their beneficial ownership of a sanctioned entity. Before processing transactions, the company may need to understand the counterparty UBO, supply chain information, shipping information and mergers and acquisitions (M&A) due diligence information, including UBOs, controllers, goods and services and origin of goods. UBO issues have taken on greater priority in recent years, including, for example, in the landmark US Anti-Money Laundering Act of 2020, which requires (among many other things) that the Financial Crimes Enforcement Network establish a registry of beneficial ownership information. At the time of writing, those efforts are underway. If insufficient due diligence is performed during onboarding and before transactions occur, it is difficult to put an effective sanctions screening programme in place later, when necessary and relevant information with which to identify potential sanctions violations is not present.
Internal controls – screening
Proper sanctions screening processes involve many controls. At a high level, we can consider three distinct phases: (1) inclusion of complete and accurate information; (2) the logic behind how matching occurs; and (3) how potential sanctions violations are evaluated.
The first consideration in sanctions screening is to determine whether you have gathered all of the relevant information. This often involves collating siloed data across different business or product lines. It can also entail ensuring that all relevant information within those systems is included in the population of data for screening. In several recent OFAC enforcement actions, the agency noted absence of, or failure to properly utilise, relevant data in the sanctions screening process.
- November 2022: Payward, Inc (doing business as Kraken) settled with OFAC for US$362,158.70 for exporting services to users in Iran. OFAC found the violations resulted from Kraken’s failure to timely implement appropriate geolocation tools, including an automated internet protocol (IP) address blocking system.
- October 2022: Bittrex, Inc settled with OFAC for US$24,280,829 for processing virtual currency exchanges for over three years, where they possessed IP data, physical address and passport information that indicated that the customer was located in a sanctioned jurisdiction, but did not utilise that information for sanctions screening. As a result, customers with IP addresses or other details indicating origination in Crimea, Cuba, Iran, Sudan and Syria were able to transact with parties in the US and elsewhere using digital currency on Bittrex’s platform.
- September 2022: Tango Card, Inc settled with OFAC for US$116,048.60 for transmitting over 27,000 stored value products (‘electronic rewards’) to individuals with IP and email addresses associated with countries subject to OFAC sanctions (Cuba, Iran, Syria, North Korea and Crimea). OFAC found that although Tango Card used geolocation tools to identify transactions in which its customer – the sender of rewards – was from a sanctioned jurisdiction, it did not use those tools to identify whether award recipients were located in these jurisdictions.
- January 2022: Airbnb Payments Inc settled with OFAC for US$91,172 for processing payments for Cuba-related travel that was outside the approved categories. OFAC noted that neither the guest country of residence and payment instrument information nor IP addresses were gathered for sanctions screening.
- April 2021: SAP SE, the global software provider, settled with OFAC for US$2,132,174 for providing software licences and related services to Iran. Internal audits conducted by SAP between 2006 and 2014 found that it did not screen customers’ IP addresses, which limited its ability to determine the location where software was downloaded. OFAC identified the lag in addressing the lack of geolocation IP blocking as an aggravating factor in determining the settlement amount.
- December 2020: BitGo Inc settled with OFAC for US$98,830 for processing digital currency transactions for customers with IP addresses in numerous sanctioned jurisdictions.
Of particular note, between July 2020 and January 2022, of the 30 settlements or ‘Findings of Violation’ against companies, OFAC mentioned the lack of screening IP addresses in seven. Although there is no regulation that requires IP address screening, it is clear from the regulatory feedback, including recent guidance, that this is expected as part of a successful sanctions screening programme.
Once all relevant information is gathered, the quality of the data must also be addressed. For example, typing errors, non-standard inputs, blank values and inconsistent structure can all impede effective sanctions screening.
The second consideration is the configuration of the sanctions screening. There are many areas to consider when defining the configuration, but we focus on the importance of an effective name-screening process.
Sanctions screening can be performed against standing data within an entity or against transactions. The most common type of sanctions matching is based on name screening, determining whether there is a match between the sanctions list entry and a company’s internal information. This is performed, for example, during due diligence on new customers, when due diligence is periodically refreshed, when transactions occur and during M&A activity. Name screening can generate both false-negative and false-positive matches.
False positives occur when names of non-sanctioned entities or individuals are incorrectly matched and flagged as sanctioned. Sanctions screening can reduce false positives and validate matches by leveraging the many attributes included in sanctions lists for individuals, companies, ships, aeroplanes and financial institutions. Sanctions lists typically contain several different pieces of identifying information, such as aliases, street addresses, dates of birth, nationalities, passport numbers, tax identification numbers, email addresses, corporate registration numbers, aircraft tail numbers, vessel registration identification numbers, website addresses and digital currency addresses.
However, the risk of false negatives – that is, failure to identify a true match to a sanctioned party – is often much higher than the risk of false positives. A common problem occurs when screening looks only for exact matches, and therefore misses a potential match due to a slight variation in the name. Name variations can occur for a number of reasons, such as the presence of hyphens, use of titles, punctuation, spelling errors, use of initials, acronyms, name reversals, phonetic spellings, abbreviations and shortened names.
Language differences, phonetic transcriptions and transliteration from one alphabet or writing system to another further complicate the landscape of name matching. For example, a lack of standards for the spelling of Cyrillic names in Roman script introduces at least a dozen name variations for the former Russian leader Boris Yeltsin, ranging from Jelzin to Eltsine.
‘Fuzzy matching’ introduces flexibility in how the screening system matches names and terms. For example, ‘Jon’ and ‘John’ might be considered equivalent in a fuzzy matching system, particularly where the last name or date of birth is an exact match. However, the more expansive the fuzzy match criteria become, the greater the risk that the company will become inundated with false positives, which affects the effectiveness and efficiency of the screening process as a whole.
Configuration of fuzzy matching is both art and science. There are many data analytic methods to employ in fuzzy matching, such as sound methods (which use algorithms to turn similar sounding names into the same key to identify similar names), distance methods (which measure the difference in characters between two names), statistical similarity methods (which look at large data sets to train the model to find similar names) and hybrids of these methods. A detailed analysis of the various methods is outside the scope of this chapter, but the more important point is that there is a regulatory expectation that fuzzy matching techniques will be employed and continually fine-tuned to address each company’s unique environment and sanctions risk.
In recent years, several OFAC enforcement actions have noted fuzzy match inadequacies, including the following.
- July 2021: Payoneer Inc’s US$1,385,901 settlement with OFAC noted several screening failures, including ‘weak algorithms that allowed close matches to SDN List entries not to be flagged by its filter’.
- April 2021: MoneyGram Payment Systems, Inc’s US$34,328 settlement with OFAC cited, among other things, the company’s ‘fuzzy logic failures’.
- September 2020: Deutsche Bank Trust Company Americas’ September 2020 settlement with OFAC cited, among other things, the company’s complete lack of fuzzy matching for names.
- July 2020: Amazon.com Inc settled with OFAC for US$134,523 for Amazon’s screening processes, which did not flag orders with address fields containing an address in ‘Yalta, Krimea’ for the term ‘Yalta’, a city in Crimea, nor for the variation of the spelling of Crimea. It also failed to interdict or otherwise flag orders shipped to the Embassy of Iran located in third countries. Moreover, in several hundred instances, Amazon’s automated sanctions screening processes failed to flag the correctly spelled names and addresses of persons on OFAC’s SDN List.
- November 2019: Apple settled with OFAC for US$466,912 for failing to identify that SIS, an App Store developer, was added to the SDN List and was therefore blocked. Apple later attributed this failure to its sanctions screening tool’s failure to match the upper-case name ‘SIS DOO’ in Apple’s system with the lower-case name ‘SIS d.o.o.’ as written on the SDN List. The term ‘d.o.o.’ is a standard corporate suffix in Slovenia identifying a limited liability company.
- October 2019: General Electric Company (GE) settled with OFAC for US$2,718,581 for accepting payments from an entity on the SDN List. The sanctioned entity was Cobalt Refinery Company, or Corefco. The payments contained Cobalt’s full legal entity name as it appears on OFAC’s SDN List as well as an acronym for Cobalt (Corefco), but GE’s sanctions screening software, which screened only the abbreviation of the SDN’s name, never generated an alert on Cobalt’s name.
All of the enforcement examples described above show that failures as to completeness of data and fuzzy matching can lead to ineffective sanctions screening and enforcement actions.
On a related note, one of OFAC’s and the UK’s Office of Financial Sanctions Implementation’s (OFSI) ‘mitigating factors’ used to determine the final civil penalty amount is the strength of an entity’s sanctions compliance programme, including the screening component. More recently, OFAC has increasingly given mitigation credit for meaningful and effective remedial measures, including in the following cases.
- Godfrey Phillips India Limited’s March 2023 settlement with OFAC included mitigation for implementing an enhanced compliance policy, including screening, know-your-customer and record-keeping elements, post-violation.
- Kraken’s November 2022 settlement included mitigation for several significant remedial measures, including additional geolocation blocking and blockchain analysis tools, and enhancements to compliance training and staffing.
- Toll Holdings Limited’s April 2022 settlement included mitigation for the company’s extensive remedial measures, including enhanced screening, training and auditing.
- Sojitz (Hong Kong) Limited’s January 2022 settlement with OFAC noted that the company revised its screening procedures to require all counterparties in all business transactions be subject to screening.
- NewTek Inc’s September 2021 settlement with OFAC noted that it implemented bulk name screening of product registrants and both current and pending distributors against the SDN List. In addition, it noted that the company implemented geo-IP blocking measures to prevent downloading or registering products from blocked locations.
- First Bank SA’s August 2021 settlement with OFAC noted that its remediation measures included updating its sanctions screening tool.
- In a January 2021 settlement, OFAC noted that Union de Banques Arabes et Françaises now utilises the sanctions screening software used by its largest shareholder, which includes screening the client database, an anti-stripping module, negative news research, risk database research, vessel screening and country screening.
- BitGo, Inc’s December 2020 settlement with OFAC noted that the company now performs IP address blocking, as well as email-related restrictions for sanctioned jurisdictions, and performs periodic batch screening, reviews of screening configuration criteria, screening all ‘hot wallets’ against the SDN List, including cryptocurrency wallet addresses identified by OFAC and a retroactive batch screen of all users.
Finally, it is important to note that the examples thus far have focused on identifying matches for list-based sanctions targets. As noted above, there are other types of sanctions that are more targeted and complex; for example, OFAC’s sectoral sanctions, which focus on entities and activities. In 2019, Haverly Systems, Inc settled an OFAC enforcement action for US$75,375 after it invoiced JSC Rosneft, a Russian oil company, for payment within 90 days. The invoices were not paid within that time frame and this violated Directive 2 under the Russia sectoral sanctions, which, at the time of the transaction, prohibited dealing in new debt of greater than 90 days’ maturity. Similarly, Standard Chartered Bank was fined over £20 million by the UK’s OFSI for loans with maturity of over 30 days to specific entities as part of the Ukraine sanctions.
Another example is the recent ban on US person investment in identified Chinese Military-Industrial Complex Companies (CMICs) on public exchanges; this involves identification of both the investor (are they a US person?) and the activity (does this transaction involve investment in or derivative of, or provide investment exposure to, securities in the specified CMICs?). As sanctions include more complex, targeted criteria, the methods needed to ensure compliance likewise become more complex, in some cases requiring companies to flag both the entity and the activity to determine whether potential sanctions violations have occurred.
OFAC’s 50 Percent Rule adds an additional element to screening complexity. Under this Rule, any entity owned in the aggregate, directly or indirectly, 50 per cent or more by one or more blocked persons is itself considered blocked, and therefore subject to the same sanctions as the owners. This Rule means that screening may require tools that review and assess an entity’s ownership structure, and do not just stop at a review against designated parties’ lists. The difficulty in applying the 50 Percent Rule is evident in the recent designation of numerous Russian oligarchs with large, complex business holdings. As in 2014, when some Russian oligarchs were added to sanctions lists after the annexation of Crimea, they have employed various methods such as signing over assets to close relatives, registering entities in secrecy havens and creating nominee shareholders to evade detection through the 50 Percent Rule.
The Wolfsberg Group’s sanctions screening guidance contains a discussion regarding the assessment of which data elements to screen. Specifically, the guidance states:
Names of parties involved in the transaction are relevant for list based sanctions programmes, whereas addresses are more relevant to screening against geographical sanctions programmes and can be used as identifying information to help distinguish a true match from a false match. Other data elements, such as bank identification codes, may be relevant for both list and geographically based sanctions programmes.
In a sanctions context, some data elements are more relevant when found in combination with other attributes or references. For example, detection of sectoral sanctions risk typically requires detection of multiple factors, such as those where both the targeted parties and the prohibited activities are involved. Many controls may not be capable of detecting both factors simultaneously and, therefore, may not be effective.
Internal controls – virtual currency screening
There is incentive for heavily sanctioned countries, such as North Korea, Iran and Russia, to use cryptocurrency to evade sanctions. Recent analysis indicates that cryptocurrency transactions indicating sanctions evasion increased in 2022 to 43 per cent of transactions received by illicit addresses, compared to a relatively small portion in 2021.
OFAC’s SDN List includes cryptocurrency addresses that should be blocked. In practice, enforcement of the block relies on compliant cryptocurrency exchanges. If cryptocurrency is transferred with a non-compliant exchange or peer-to-peer, it likely will not be blocked.
Blockchain analysis has indicated that the majority of cryptocurrency transactions related to sanctions evasion were subsequently transferred to centralised exchanges. OFAC sanctioned Russia-based Garantex in 2022, which accounted for the majority of the sanctions-related transaction volume.
The methods used to identity sanctions evasion via cryptocurrency include screening for: the cryptocurrency addresses on the SDN List; addresses associated with those same blocked addresses; addresses associated with known exchange hacks; and addresses associated with ransomware payments, which are often associated with efforts to evade sanctions.
Internal controls – investigation
The third consideration is the evaluation process for potential sanctions violations. After the potential violations are identified through the screening process, manual investigation is required to determine whether there is a true match. If repeated alert closures due to non-matches are obvious during the manual review, these repetitive false matches should be incorporated into whitelists, to ensure that the names generating the false matches will not trigger alerts going forward. However, it is important to note that those whitelists should be reviewed each time changes are made to relevant sanctions lists. Relevant key controls within this area include: sufficient personnel to review sanctions alerts; policies and procedures specifying how alerts are adjudicated and the relevant information that must be included; and procedures for approval and communication of potential sanctions breaches to relevant authorities.
Evaluating the auditing component of the sanctions compliance programme involves three key areas of focus with respect to screening. The first is determining if the configuration of automated screening tools is explicitly tied to the sanctions risk assessment. The second is performing an independent evaluation of the software configuration and results. This can be accomplished through an independent party that re-scans existing customers or transactions to determine if they receive similar results. Finally, it is important to determine how the company gains comfort over the outsourcing of any elements of the screening process. Where the entity relies on external parties to provide timely updated sanctions lists, or to screen against the lists and provide alerts, the company needs to confirm for itself whether or not those results match the configuration. As an example of where this can go wrong, in December 2021 TD Bank settled with OFAC for US$115,005 for violations of the North Korea and Drug Kingpin sanctions regimes. Within the North Korea violations, five employees at the North Korean Mission to the United Nations were able to open accounts with North Korean passports because the bank relied on a vendor-supplied politically exposed persons list, which did not include government employees of sanctioned countries.
There are two key aspects to evaluating the training component of the sanctions compliance programme as it relates to screening. The first is determining if those charged with managing the sanctions screening process received specialised training that may include sanctions evasion techniques, data analytic methods related to fuzzy matching, and language or cultural training for understanding how names and punctuation differ between countries. The second is incorporating information learned during the potential sanctions matching process into the sanctions training that is provided to the wider company. For example, after GE discovered the alleged sanctions violations noted above, during testing and auditing of its compliance programme it implemented remedial measures, including developing a training video for employees using the violations as a case study.
Sanctions screening in an investigation
A sanctions investigation can be initiated for a number of reasons, including an independent evaluation of a company’s sanctions compliance programme, a tip from a whistle-blower, an adverse audit or compliance finding, or a regulatory inquiry. As part of any sanctions compliance investigation, the sanctions screening process and tools will require review. The investigation should include:
- review of the due diligence performed and included in the screening process;
- review of the specific data subject to screening and its field mapping;
- independent evaluation of the current screening configuration, such as fuzzy matching, in a test environment to see if it is comparable to what the screening tool is supposed to determine; and
- comparative analysis of search terms run through the existing screening tool against a sanctions search engine to determine if any likely matches were missed over time.
Complete and accurate sanctions screening is a critical component of any successful compliance programme. Many companies utilise automated screening tools to flag potential matches for review. Regulators expect proper oversight and effective use of these tools, which is illustrated in the recent settlement agreements for both financial and non-financial entities. In addition, regulators (and prosecutors) typically credit companies for having sound and effective compliance programmes (including screening controls), even when there are violations, by mitigating the penalties they pursue. While many entities focus on their technical screening capabilities, successful programmes equally require proper oversight, clear mapping between screening configuration and relevant sanctions risks, and regular review to ensure results are complete, accurate and efficient. And while there has so far been little in the way of sanctions guidance and enforcement from the UK and other governments as compared to the US, that appears to be changing, with those other jurisdictions beginning to emulate the US approach (as was the case previously with anti-corruption and anti-money laundering). Companies should therefore consider looking to US compliance best practices (including for sanctions screening) and building from there.
 Charlie Steele, Gerben Schreurs and Weng Yee Ng are partners, and Jona Boscolo Cappon is a director, at Forensic Risk Alliance.
 https://ofac.treasury.gov/specially-designated-nationals-and-blocked-persons-list-sdn-human-readable-lists. Because this chapter focuses on sanctions screening in particular – as opposed to, for example, export control rules and other requirements – it focuses on Office of Foreign Assets Control (OFAC) and other sanctions screening lists. However, readers should also be aware of the Consolidated Screening List maintained by the US Department of Commerce (www.trade.gov/data-visualization/csl-search). This List helpfully consolidates a number of US government lists of interest to those engaged in international business. It includes parties on which the US maintains restrictions on certain exports, re-exports or transfers of items, and it includes the Specially Designated Nationals and Blocked Persons List and other OFAC lists.
 ‘VI. Sanctions Screening Software or Filter Faults: Many organisations conduct screening of their customers, supply chain, intermediaries, counterparties, commercial and financial documents, and transactions in order to identify OFAC-prohibited locations, parties, or dealings. At times, organizations have failed to update their sanctions screening software to incorporate updates to the [Specially Designated Nationals and Blocked Persons] List or [Sectoral Sanctions Identifications] List, failed to include pertinent identifiers such as SWIFT Business Identifier Codes for designated, blocked, or sanctioned financial institutions, or did not account for alternative spellings of prohibited countries or parties – particularly in instances in which the organisation is domiciled or conducts business in geographies that frequently utilize such alternative spellings (i.e., Habana instead of Havana, Kuba instead of Cuba, Soudan instead of Sudan, etc.).’
 Part 504 of the New York State Banking Regulations in 2017.
 New York State Banking Regulations.
 id., at Section 7.2.3.
 See, for example, the cases cited in ‘Internal controls – screening’.
 Airbnb Payments, NewTek, Payoneer, SAP, BitPay, BitGo and Amazon.
 Cryptocurrency wallets that are online and connected in some way to the internet.
 ‘The 2023 Crypto Crime Report’, Chainalysis, February 2023.
 OFAC FAQ 563.
 See footnote 29.
 The US Department of Justice has stated, for example: ‘Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.’ www.justice.gov/opa/speech/file/1571911/download.