How To Test Your Watchlist And Sanctions Screening Software?
Sanctions Screening Test (SST)
An effective Financial Crime Compliance program includes a sanctions and watchlist screening solution to identify sanctioned individuals and organizations. It is important for financial institutions to test the effectiveness of these solutions, both during initial implementation and periodically. Testing a sanctions and watchlist screening solution may include examining who has access to the data, the process for making new sanctions or third-party data files available, the system's ability to filter and match names, and how potential name matches are handled, investigated, and tracked. Compliance teams should consider these areas when conducting audits to ensure the effectiveness of their sanctions and watchlist programs.
Compliance personnel play a critical role in ensuring the effectiveness of sanctions and watchlist screening
Effectiveness in sanctions and watchlist screening relies on a well-prepared and competent compliance team. Ensuring they have access to vital regulatory documents, company standards, and the organization's risk policies is necessary, as is implementing ongoing training and development programs. Frequent training is critical for analysts and frontline compliance staff to carry out their daily responsibilities and comprehend the wider compliance environment.
It's also vital to provide these individuals with easy and prompt access to essential reference materials. Storing crucial documents in hard-to-reach repositories is counterproductive and may obstruct successful compliance. Ultimately, employing the right personnel and equipping them with the required tools is fundamental for efficient sanctions and watchlist screening.
The Significance of Risk Reference Data Cannot be Overstated
Risk reference data is a vital element of any efficient screening system, originating from diverse sources such as regulators, law enforcement agencies, and external vendors. Evaluating the data's guarantees and compliance requirements is important, as an organization's risk profile may significantly differ based on factors like location and size.
For instance, a small, remote bank's risk profile might contrast with that of a large financial institution in a major city, leading to differing compliance requirements with sanctions lists and data files. Generally, screening against more data files is preferable, but the associated costs and time investment must be considered.
Furthermore, assessing data quality is crucial. Financial institutions often assume the accuracy and relevance of data purchased from external vendors, but this may not always be true. Meticulously examining the data and ensuring it aligns with the organization's compliance needs and risk tolerance is vital.
In summary, risk reference data's significance cannot be overstated. Careful evaluation and selection of data in a screening system are essential for ensuring compliance and reducing risk.
The Process of Transferring and Utilizing Reference Data
Reference data flow is a crucial component of any compliance management system. It involves the process of sourcing, processing, and integrating reference data into various systems within an organization. This can include data from sources such as regulatory agencies, data vendors, and internal sources. Proper management of the reference data flow is essential for ensuring that the organization remains compliant with regulatory requirements. This involves understanding how updates and changes to reference data are incorporated into the system, as well as how quickly this data is available for use by compliance applications. Compliance departments should carefully monitor and document the reference data flow process in order to identify potential improvements and ensure that the flow of data is efficient and effective.
Understanding Your Data Vendor's Processes for Tracking and Managing Narrative Sanctions
Managing and tracking narrative sanctions necessitates understanding how your data vendor acquires and processes such information. Narrative sanctions are not linked to specific individuals or entities but are associated with criteria that must be met for a person or entity to be subject to sanctions. This complexity can make compliance challenging for financial institutions, as no definitive list of entities to avoid exists. An example is Russian sectoral sanctions, where certain businesses and their subsidiaries are affected.
To effectively manage narrative sanctions, ensure your data vendor obtains information from reliable sources and provides you access to the data. Additionally, document management processes for updates, additions, deletions, and new regulations, and confirm that these processes are consistent with your risk-based approach.
Checking Law Enforcement Data and Adverse Media
When assessing risks, it's important to compare records with lists from law enforcement groups like Interpol, Europol, and the FBI, targeting predicate offenses specified by FATF (Financial Action Task Force) standards. Such offenses might involve engagement in organized crime, financing terrorism, human trafficking, smuggling, sexual exploitation, drug and arms trafficking, corruption, bribery, fraud, counterfeiting, environmental crime, violent crimes, tax crimes, extortion, forgery, piracy, and insider trading.
Apart from scrutinizing these offenses, it's necessary to take adverse media or unfavorable news into account when carrying out screenings or implementing enhanced due diligence measures. Adverse media can comprise structured or unstructured data, highlighting the need to collaborate with a data vendor adept at handling both data types to reduce reliance on internet searches.
Politically Exposed Persons (PEPs) and State Owned Entities
To ensure compliance with regulations, organizations must implement processes for identifying and documenting information on Politically Exposed Persons (PEPs), state owned entities, and ultimate beneficial ownership (UBO). These processes may involve obtaining data from various sources, such as risk reference data or ownership records. It is crucial that the data is comprehensive and up-to-date, including information on events such as elections, impeachments, and resignations. Data providers can be useful in providing high-quality data, but it is important to compare their offerings and ask detailed questions to ensure that the data meets the organization's specific needs.
Client Data Flow
To thoroughly understand client data flow, it is important to consider de-duplication as a key step. This involves combining different lines of business data into one database, allowing for the screening of clients in the most effective and risk-averse way possible. By doing this, organizations can ensure that they are not unnecessarily screening the same individual multiple times because they have different accounts within the business. Additionally, combining data allows for a comprehensive view of an entity's products, activities, behaviors, and patterns, which can be used to determine the associated risk level. This information can then be used to tailor the screening process, taking into account the line of business and geography of the client. For example, a local small-value consumer banking individual may not need to be screened in the same way as a wealth management client. By carefully considering client data flow and implementing de-duplication, organizations can optimize their screening processes and reduce the risk of potential financial crime.
Besides client data, you might also possess information related to temporary and transaction-based relationships. This data involves details about single transactions with individuals or entities not engaged in continuous, regular interactions. When handling such data, it's essential to make sure your risk reduction strategies work effectively and that your screening processes are efficient. Often, this requires checking the data against sanction lists, but based on the transaction's specific attributes, like its value and involved jurisdictions, you might want to utilize a wider array of lists for screening. It's crucial to thoughtfully assess the transaction's risk profile and implement suitable measures to alleviate potential risks.
Utilizing Date of Birth in Screening
Screening on date of birth can be difficult, as some individuals may not know their actual birth date, may be unable to verify it, or may intentionally conceal it. In such instances, screening filters are needed to narrow down results and identify probable matches. The filter's scope should depend on the risk level associated with the person being screened: tighter filters are recommended for high-risk individuals and wider filters for low-risk individuals. The goal is to balance the possibility of missing matches against the time and resources needed to investigate each potential match. This risk can be mitigated by applying narrower filters in areas where birth date information is typically accurate and broader filters in high-risk jurisdictions where such information may be less reliable.
Testing Name Variations
Name variations can be a complex aspect of the screening process, and it is important for organizations to carefully test their systems to ensure that they can handle these variations. This may include testing for identical matches, phonetic similarities, missing or additional punctuation, missing or truncated components, incorrect database fields, spelling differences, titles and honorifics, out of order components, multiple languages, nicknames and initials, similar names, and noise simulation. By thoroughly testing for these variations, organizations can ensure that their systems are able to accurately and efficiently handle name variations.
Handling Accents, Transliteration, and Translation in Risk Screening
Screening names with non-Latin characters can be intricate and challenging for financial institutions mainly using Latin characters in their communication. Languages that use Latin characters, such as Spanish, Portuguese, Dutch, French, and German, can also present unique letters and accents that need attention during screening. For example, the name "José" could appear with or without an accent, with variations like "Joe" or "Joseph" acting as translations. Furthermore, names like "Johanna" in German may appear as "Joanna" or "Joanne," while "Alessandro" in Italian might translate to "Alexander," "Alex," or "Sasha" in Russian.
Complexities arise from variations in spelling and translation, and the screening process can be further complicated when individuals choose either transliteration or translation for their names. Transliteration involves converting a word from one alphabet or language into corresponding, similar-sounding characters of another alphabet. In contrast, translation conveys the meaning of a word in another language. For example, the Arabic word "الله" can be transliterated to "Allah" and translated as "The God".
Names originating from languages like Korean or Thai, including Kim Seok-jin (김석진) or Thitima (ธิติมา), can undergo transliteration or translation, producing variations such as "Kim Seokjin" or "Thitima." Given these complexities, financial institutions must invest the necessary time and resources in testing their systems to ensure the accurate and efficient handling of differences in spelling, accent, transliteration, and translation.
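The variation categories listed under Testing Name Variations, together with the accent handling described above, can be turned into a repeatable coverage test. The following is an added example, not code from the original article or from any screening vendor: the listed name is constructed, the two scorers are stand-ins built on Python's difflib, and the 0.85 threshold, the title list and all function names are assumptions.

```python
import difflib
import unicodedata

TITLES = {"mr", "mrs", "ms", "dr", "prof"}  # assumed honorific list
LISTED = unicodedata.normalize("NFC", "José Núñez-Ortega")  # constructed name

def strip_accents(text):
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def normalize(name):
    """Fold case and accents, drop punctuation and titles, sort the tokens."""
    folded = strip_accents(name).lower()
    cleaned = "".join(c if c.isalnum() else " " for c in folded)
    return " ".join(sorted(t for t in cleaned.split() if t not in TITLES))

def naive_score(listed, candidate):
    """Stand-in for an untuned matcher: raw string similarity."""
    return difflib.SequenceMatcher(None, listed.lower(), candidate.lower()).ratio()

def tuned_score(listed, candidate):
    """Same similarity measure, applied after normalization."""
    return difflib.SequenceMatcher(None, normalize(listed), normalize(candidate)).ratio()

def variants(name):
    """One constructed test case per variation category."""
    parts = name.split()
    return {
        "identical": name,
        "accent_removed": strip_accents(name),
        "punctuation_changed": name.replace("-", " "),
        "out_of_order": " ".join(reversed(parts)),
        "title_added": "Dr. " + name,
        "initial": parts[0][0] + ". " + " ".join(parts[1:]),
        "truncated_field": name[:10],  # simulates a 10-character name field
    }

def gaps(listed, scorer, threshold=0.85):
    """Return the variation categories that fail to raise an alert."""
    return sorted(cat for cat, cand in variants(listed).items()
                  if scorer(listed, cand) < threshold)

if __name__ == "__main__":
    print("naive gaps:", gaps(LISTED, naive_score))
    print("tuned gaps:", gaps(LISTED, tuned_score))
```

Normalization closes the accent and word-order gaps but not the truncated field, which is the kind of matching hole this test is meant to surface. To test a real system, replace the scorer argument with a call into your own screening engine.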
Handling Surname Conventions
Surnames differ across the globe. In Western Europe and North America, people usually adopt their father's last name, though some keep their own after marriage. In Spanish-speaking Latin America, a person's surname typically combines the father's and mother's first surnames. In Portuguese-speaking countries like Brazil, the mother's first surname comes before the father's. This can cause complexities when someone moves between countries with different conventions.
In countries like Eritrea, Ethiopia, and Iceland, a person's surname is their father's first name. In the Arab world, names may include the person's first name, "bin" (meaning "son of"), the father's name, and possibly a family name or ancestral home. In Japan, China, and Korea, the last name comes first, although Japan is adopting the Western style for documents in the Latin alphabet. In Mongolia, a person's surname is their father's first name followed by their given name.
It's crucial for software to accommodate various surname conventions worldwide, especially in the jurisdictions where it's used, and to be ready to address false positives when names are rearranged according to these conventions.
Auditing Lines of Business and Reference Data in Compliance
It is important to audit all lines of business that you are responsible for, including newly acquired or established lines. This includes ensuring that compliance is a core part of any acquisition or growth of the business and not just trusting or making assumptions. It is also important to assess the depth and breadth of your reference data and its global coverage. Check for any gaps in coverage and see if they align with your business, and consider supplementing the data you already have if necessary. Look for points of latency in the process, such as how long it takes for an account to be entered into a database and made available to the compliance team, and consider ways to reduce this time. Make sure your reference data includes sectoral and narrative sanctions and ask your vendor how this data is kept up to date. Consider how your vendor and financial institution are dealing with Ultimate Beneficial Ownership (UBO) data, as this is or will soon be regulated in many jurisdictions. Subscribe to regulatory intelligence updates and review them regularly to stay informed about changes in regulations, new sanction regimes, policy changes, and enforcement actions. Work with your screening vendor to evaluate your current rule set, including configurations, thresholds, and rules, and review these regularly. Have regular conversations with your vendor about what is and isn't working, using metrics such as false positive rates, efficiency rates of analysts, the number of profiles reviewed per day, and false negatives during reviews. Finally, test your screening software for name variations and identify any matching holes or scoring parameters.
To maintain compliance within an organization, it's crucial to regularly test and audit its systems and processes. This includes monitoring personnel, data, and software reporting, as well as reference and client data flows. By conducting reviews, you can identify any weaknesses or delays and take necessary steps to address them.
It's important to update your software regularly to keep your systems current and secure. Make sure to install new features and security patches provided by your provider. During software testing, take into account how different attributes like name variations and dates of birth can impact results and associated risks. It's also useful to benchmark false positive rates by geography and line of business to monitor process performance and track changes over time.
Staying vigilant through regular system review and testing can help ensure your organization remains compliant and well-protected against financial crimes.