How To Test Your Watchlist And Sanctions Screening Software?
Sanctions Screening Test (SST)
An effective Financial Crime Compliance program includes a sanctions and watchlist screening solution to identify sanctioned individuals and organizations. It is important for financial institutions to test the effectiveness of these solutions, both during initial implementation and periodically. Testing a sanctions and watchlist screening solution may include examining who has access to the data, the process for making new sanctions or third-party data files available, the system's ability to filter and match names, and how potential name matches are handled, investigated, and tracked. Compliance teams should consider these areas when conducting audits to ensure the effectiveness of their sanctions and watchlist programs.
Compliance personnel play a critical role in ensuring the effectiveness of sanctions and watchlist screening
To ensure that sanctions and watchlist screening is effective, it is crucial to have a team of compliance personnel who are properly trained and equipped to do their job. This means making sure that they have access to all necessary regulatory documents, corporate standards, and the organization's risk policies, as well as having processes in place for ongoing training and development. Regular training is essential to ensure that analysts and frontline compliance personnel are able to do their work on a day-to-day basis, as well as understand the broader compliance landscape. It is also important to make sure that these individuals have quick and easy access to the reference documents they need to do their job effectively. Having "must-read" documents in a repository that is difficult for personnel to access is not helpful and can hinder effective compliance. Overall, having the right people and giving them the tools they need to do their job is key to ensuring effective sanctions and watchlist screening.
The Significance of Risk Reference Data Cannot be Overstated
Risk reference data is an essential component of any effective screening system. This data can come from a variety of sources, including regulators, law enforcement agencies, and external vendors. It is important to carefully evaluate the guarantees and compliance needs of the data, as the risk profile of an organization can vary greatly depending on factors such as its location and size.
For example, a small bank in a remote region may have a very different risk profile than a large financial institution in a major city. As such, the sanctions lists and other data files that they must comply with may also be different. In general, it is always better to comply with more data files than fewer, though the cost and time invested in doing so should also be taken into account.
Additionally, it is essential to consider the quality of the data being used. Many financial institutions may simply trust that the data they purchase from external vendors is accurate and applicable to their needs, but this is not always the case. It is always better to thoroughly evaluate the data and ensure that it meets the organization's compliance requirements and risk tolerance.
Overall, the importance of risk reference data cannot be overstated. It is crucial to carefully evaluate and select the data that is used in a screening system to ensure compliance and minimize risk.
The Process of Transferring and Utilizing Reference Data
Reference data flow is a crucial component of any compliance management system. It involves the process of sourcing, processing, and integrating reference data into various systems within an organization. This can include data from sources such as regulatory agencies, data vendors, and internal sources. Proper management of the reference data flow is essential for ensuring that the organization remains compliant with regulatory requirements. This involves understanding how updates and changes to reference data are incorporated into the system, as well as how quickly this data is available for use by compliance applications. Compliance departments should carefully monitor and document the reference data flow process in order to identify potential improvements and ensure that the flow of data is efficient and effective.
Understanding Your Data Vendor's Processes for Tracking and Managing Narrative Sanctions
In order to properly manage and track narrative sanctions, it is essential to understand how your data vendor obtains and processes this information. Narrative sanctions are those that are not tied to specific individuals or entities, but rather to certain criteria that must be met in order for a person or entity to be subject to the sanctions. This can make it difficult for financial institutions to ensure compliance, as there is no definitive list of entities to avoid. An example of this can be seen in the case of Russian sectoral sanctions, where certain businesses are named, but their subsidiaries are also subject to the sanctions. In order to effectively manage these narrative sanctions, it is important to ensure that your data vendor is obtaining this information from reputable sources and that you have access to this data. Additionally, you should document the processes in place for managing updates, additions, deletions, and new regulations, and ensure that these processes align with your risk-based approach.
Checking Law Enforcement Data and Adverse Media
When conducting risk screenings, it is important to check records against lists from various law enforcement agencies, such as Interpol, Europol, and the FBI, for offenses that are considered to be predicate offenses under the FATF (Financial Action Task Force) standards. These offenses can include involvement in organized criminal groups, terrorism and terrorist financing, human trafficking, smuggling, sexual exploitation, drug trafficking, arms trafficking, corruption, bribery, fraud, counterfeiting currency and products, environmental crime, murder and other violent crimes, smuggling, tax crimes, extortion, forgery, piracy, and insider trading. In addition to checking for these offenses, it is also important to consider adverse media, or negative news, when conducting screenings or enhanced due diligence processes. Adverse media can come in the form of structured or unstructured data, and it is important to have a data vendor that can efficiently handle both types of data to avoid relying solely on internet searches.
Politically Exposed Persons (PEPs) and State Owned Entities
To ensure compliance with regulations, organizations must implement processes for identifying and documenting information on Politically Exposed Persons (PEPs), state owned entities, and ultimate beneficial ownership (UBO). These processes may involve obtaining data from various sources, such as risk reference data or ownership records. It is crucial that the data is comprehensive and up-to-date, including information on events such as elections, impeachments, and resignations. Data providers can be useful in providing high-quality data, but it is important to compare their offerings and ask detailed questions to ensure that the data meets the organization's specific needs.
Client Data Flow
To thoroughly understand client data flow, it is important to consider de-duplication as a key step. This involves combining different lines of business data into one database, allowing for the screening of clients in the most effective and risk-averse way possible. By doing this, organizations can ensure that they are not unnecessarily screening the same individual multiple times because they have different accounts within the business. Additionally, combining data allows for a comprehensive view of an entity's products, activities, behaviors, and patterns, which can be used to determine the associated risk level. This information can then be used to tailor the screening process, taking into account the line of business and geography of the client. For example, a local small-value consumer banking individual may not need to be screened in the same way as a wealth management client. By carefully considering client data flow and implementing de-duplication, organizations can optimize their screening processes and reduce the risk of potential financial crime.
In addition to client data, you may also have data related to transient and transactional relationships. This type of data includes information about one-time transactions with individuals or entities that are not part of ongoing, regular relationships. When dealing with this type of data, it is crucial to ensure that your risk mitigation strategies are effective and that your screening processes are efficient. Often, this involves screening the data against sanctions lists, but depending on the specific characteristics of the transaction, such as its value and the involved jurisdictions, you may want to consider using a broader range of lists for screening purposes. It is important to carefully consider the risk profile of the transaction and take appropriate measures to mitigate potential risks.
Utilizing Date of Birth in Screening
Screening for dates of birth can be a challenging task because some people may not know or be able to verify their exact date of birth, and because some individuals may intentionally obscure their real date of birth. In these cases, it may be necessary to use screening filters to narrow down the results and identify the most likely matches. The width of the filter should be determined based on the level of risk associated with the individual being screened. For example, a tighter filter may be used for high-risk individuals, while a wider filter may be used for low-risk individuals. The goal is to balance the risk of missing potential hits with the cost and resources required to investigate every potential hit. The risk can be mitigated by setting tighter filters for regions where date of birth information is generally reliable, and wider filters for high-risk jurisdictions where this information may be less reliable.
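The trade-off described above can be measured before a filter width is chosen. The following is an added example, not part of the original article: the candidate records and the widths (0, 1 and 3 years) are constructed, and it assumes listed dates of birth arrive either as a full date or as a year only.

```python
from datetime import date

def shift_years(d, years):
    """Move a date by whole calendar years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def listed_range(text):
    """A listed DOB may be a full date (YYYY-MM-DD) or only a year (YYYY)."""
    parts = [int(p) for p in text.split("-")]
    if len(parts) == 1:
        return date(parts[0], 1, 1), date(parts[0], 12, 31)
    return date(*parts), date(*parts)

def dob_passes(client_dob, listed_text, tolerance_years):
    """True when the client DOB lies inside the listed DOB widened by the filter."""
    lo, hi = listed_range(listed_text)
    return (shift_years(lo, -tolerance_years) <= client_dob
            <= shift_years(hi, tolerance_years))

# Constructed name-match candidates: (client DOB, listed DOB, same person?)
CANDIDATES = [
    (date(1975, 6, 14), "1975-06-14", True),   # exact date
    (date(1975, 1, 1),  "1975",       True),   # list holds the year only
    (date(1976, 6, 14), "1975-06-14", True),   # year recorded one off
    (date(1972, 6, 14), "1975-06-14", True),   # obscured DOB, three years off
    (date(1977, 2, 3),  "1975-06-14", False),
    (date(1990, 9, 30), "1975",       False),
    (date(1974, 11, 2), "1975-06-14", False),
]

def filter_tradeoff(candidates=CANDIDATES, widths=(0, 1, 3)):
    """Per width: alerts sent to analysts and true matches filtered out."""
    report = {}
    for width in widths:
        passed = [c for c in candidates if dob_passes(c[0], c[1], width)]
        missed = sum(1 for c in candidates if c[2] and c not in passed)
        report[width] = {"alerts": len(passed), "missed_true_matches": missed}
    return report

if __name__ == "__main__":
    for width, row in filter_tradeoff().items():
        print(f"+/-{width} years: {row}")
```

Running the same report on a labelled sample of your own historical alerts shows how many extra investigations each additional year of tolerance costs and how many true matches it recovers.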
Testing Name Variations
Name variations can be a complex aspect of the screening process, and it is important for organizations to carefully test their systems to ensure that they can handle these variations. This may include testing for identical matches, phonetic similarities, missing or additional punctuation, missing or truncated components, incorrect database fields, spelling differences, titles and honorifics, out of order components, multiple languages, nicknames and initials, similar names, and noise simulation. By thoroughly testing for these variations, organizations can ensure that their systems are able to accurately and efficiently handle name variations.
Handling Accents, Transliteration, and Translation in Risk Screening
Screening names that use non-Latin characters can be complex and challenging for financial institutions that primarily use Latin characters in their communication. Even languages that use Latin characters, such as Spanish, Portuguese, Dutch, French, and German, have unique letters and accents that must be accounted for during the testing process. For example, the Hispanic name "José" may be written with or without an accent ("Jose"), and variations such as "Joe" or "Joseph" may be considered translations of "José". Similarly, names such as "Johanna" in German may be written as "Joanna" or "Joanne", and "Alessandro" in Italian may be translated as "Alexander", "Alex", or "Sasha" in Russian.
In addition to the complexities introduced by variations in spelling and translation, the screening process can also be complicated by the fact that some individuals may choose to transliterate their names, while others may opt for translation. Transliteration is the process of transferring a word from one alphabet or language into the corresponding, similar-sounding characters of another alphabet. Translation, on the other hand, provides the meaning of a word in another language. For example, the Arabic word "اﷲ" when transliterated becomes "Allah", and its translation is "The God".
Examples of names that may be transliterated or translated from Korean or Thai include Kim Seok-jin (김석진), which may be transliterated as "Kim Seokjin" or translated as "Kim Seokjin", or Thitima (ธิติมา), which may be transliterated as "Thitima" or translated as "Thitima". As a result of these complexities, it is important for financial institutions to devote adequate time and resources to testing their systems to ensure that they can accurately and efficiently handle these variations in spelling, accent, transliteration, and translation.
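A small harness makes the name-variation and transliteration tests above repeatable. This is an added example, not part of the original article or any vendor's product: `normalize` and `screen` are a hypothetical stand-in for the engine under test, the 0.85 threshold is assumed, and the surnames are constructed around the given names the article mentions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

TITLES = {"mr", "mrs", "ms", "dr"}  # constructed honorific list

# (variation category, name as listed, name as presented). Given names come
# from the article's examples; surnames are constructed for this test set.
CASES = [
    ("identical",     "José Fernández",   "José Fernández"),
    ("accent",        "José Fernández",   "Jose Fernandez"),
    ("out_of_order",  "José Fernández",   "Fernández, José"),
    ("title",         "José Fernández",   "Dr. José Fernández"),
    ("initial",       "José Fernández",   "J. Fernández"),
    ("spelling",      "Johanna Keller",   "Joanna Keller"),
    ("translation",   "Alessandro Ricci", "Sasha Ricci"),
    ("hyphenation",   "Kim Seok-jin",     "Kim Seokjin"),
    ("native_script", "Kim Seok-jin",     "김석진"),
]
WATCHLIST = sorted({listed for _, listed, _ in CASES})

def normalize(name):
    """Fold case, strip accents and punctuation, drop titles, sort tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.sub(r"[^a-z0-9 ]", " ", no_marks.lower()).split()
    return " ".join(sorted(t for t in tokens if t not in TITLES))

def screen(name, watchlist=WATCHLIST, threshold=0.85):
    """Stand-in for the engine under test: best fuzzy score against the list."""
    probe = normalize(name)
    best = max(SequenceMatcher(None, probe, normalize(w)).ratio()
               for w in watchlist)
    return best >= threshold, round(best, 2)

def find_holes(cases=CASES):
    """Return (category, variant, score) for every variation that is missed."""
    holes = []
    for category, _listed, variant in cases:
        hit, score = screen(variant)
        if not hit:
            holes.append((category, variant, score))
    return holes

if __name__ == "__main__":
    for category, variant, score in find_holes():
        print(f"MISSED {category:<14} {variant!r} best score {score}")
```

Against this stand-in the accent, ordering, title, initial and spelling cases match, while the translated name, the unhyphenated romanization and the native-script form are missed; replacing `screen` with a call to the real engine turns the same case table into a regression test.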
Handling Surname Conventions
Conventions for surnames differ in different parts of the world. In Western Europe and North America, it is common for a person's surname to be their father's last name. However, this tradition is beginning to change, and some people choose to retain their own surname after getting married. In Spanish-speaking Latin America, a person's surname is typically a combination of their father's first surname and their mother's first surname. In Portuguese-speaking countries such as Brazil, the surname is the mother's first surname followed by the father's first surname. This can create complexities when someone from Brazil moves to a country like Colombia, where their surname may change. In some countries, such as Eritrea, Ethiopia, and Iceland, a person's surname is their father's first name rather than a traditional surname. In the Arab world, names may include the person's first name, "bin," which means "son of," and the father's name, along with sometimes another descriptor such as a family name or ancestral home. In Japan, China, and Korea, the last name appears first, although Japan is working to change this convention to the western style for documents written in the Latin alphabet. In Mongolia, a person's surname is their father's first name followed by their given name. It is important for software to be able to handle the various surname conventions that exist around the world, particularly in the jurisdictions where it will be used, and to be prepared to deal with false positives when names are rearranged to conform to these conventions.
Auditing Lines of Business and Reference Data in Compliance
It is important to audit all lines of business that you are responsible for, including newly acquired or established lines. This includes ensuring that compliance is a core part of any acquisition or growth of the business and not just trusting or making assumptions. It is also important to assess the depth and breadth of your reference data and its global coverage. Check for any gaps in coverage and see if they align with your business, and consider supplementing the data you already have if necessary. Look for points of latency in the process, such as how long it takes for an account to be entered into a database and made available to the compliance team, and consider ways to reduce this time. Make sure your reference data includes sectoral and narrative sanctions and ask your vendor how this data is kept up to date. Consider how your vendor and financial institution are dealing with Ultimate Beneficial Ownership (UBO) data, as this is or will soon be regulated in many jurisdictions. Subscribe to regulatory intelligence updates and review them regularly to stay informed about changes in regulations, new sanction regimes, policy changes, and enforcement actions. Work with your screening vendor to evaluate your current rule set, including configurations, thresholds, and rules, and review these regularly. Have regular conversations with your vendor about what is and isn't working, using metrics such as false positive rates, efficiency rates of analysts, the number of profiles reviewed per day, and false negatives during reviews. Finally, test your screening software for name variations and identify any matching holes or scoring parameters.
It is important to regularly test and audit the systems and processes that are in place to ensure compliance in your organization. This includes personnel, data, and software reporting, as well as reference data and client data flows. By regularly reviewing these systems, you can identify any weaknesses or delays and take steps to address them. It is essential to update your software when your provider releases new features or security patches, as this helps to keep your systems current and secure. When testing your software, be sure to consider how different attributes, such as date of birth and name variations, may affect the results and the associated risks. It is also helpful to benchmark your false positive rates by geography and line of business, as this can help you to see how your processes are performing and to track changes over time. By staying vigilant and regularly reviewing and testing your systems, you can help to ensure that your organization remains compliant and protected against financial crimes.