
Sound sanctions enforcement regimes at banks: some examples

Chris Hamblin, Editor, London, 23 August 2016

Compliance Matters recently attended a workshop hosted by Pekka Dare, the director of training, education and development at International Compliance Training Ltd and a world-renowned expert on terrorist finance. In it, he gave the participants a good grounding in some basic issues.

Dare was holding his workshop for members of the International Compliance Association. From the perspective of financial institutions, no set of notes could be better for a rudimentary grounding in this ever-expanding subject. The discussion centred around how to design a strong sanctions regime at a financial firm. Dare encouraged the delegates to think about what such a regime might typically include and what is merely 'nice to have' rather than absolutely necessary.

In the United Kingdom and elsewhere, 'sanctions risk' - a term Dare did not define - is the responsibility of the board of each financial firm. The board typically follows a 'governance strategy' to manage the practical side of the firm's sanctions policy and to articulate its appetite for running sanctions-related risks. It is also the responsibility, according to Dare, of individual members of staff who are required to know about it. The board typically appoints a so-called designated officer, who receives support from a team of subject-matter experts and senior managers to execute the firm's "sanctions compliance programme" - a term of Dare's that the Financial Conduct Authority, the UK's financial regulator, has not used once.

One of the many comments that the class of compliance officers made was that "senior managers don't understand sanctions." They also commented on the areas of business that HNW clients occupy that are considered 'high-risk industries.' These are oil, gas, petroleum, anything to do with mining or 'extraction,' and the import/export business. People from the 'high tech' or 'fintech' sectors are now being held up as "the new concern."

Checking on people

In order to manage 'sanctions risk' effectively, Dare thought it important for a firm to identify and address its exposure to such risk for further action. In other words, he was advocating a risk assessment. He exhorted firms to take "a proactive management approach," which sounded expensive. Effective checks (Dare borrowed the term 'due diligence' from the US Securities Act 1933 to describe them) have to be:

  • done (Dare said 'taken') at the start of a relationship with a client before the relationship is established;
  • updated regularly during the life-cycle of the relationship;
  • updated when an event demands or warrants an update of key information; and
  • done at the end of the relationship with the client.

The risk assessment, meanwhile, must establish the 'level' of information required for effective checks and allow the firm to establish controls that are effective for the kind of risks that the business runs.

Highly risky industries

People's risk categories are often too simplistic. Dare said that the compliance officer in question ought to look at each country of origin. He did, however, come out with some generic 'high risk' industries. Under 'product risk' he listed oil, gas, petrochemicals, armaments or defence manufactures for sale, aviation, precious metals, jewellery dealers/wholesalers, mining and metal extraction, and 'dual use' goods that can be used peacefully and/or militarily. Under 'customer risk' he listed money service businesses and high tech businesses, and under 'jurisdictional risk' he listed maritime and international transport and import/export agents. He was referring to trade-based sanctions-breaking rather than HNW client risk per se, but these are areas in which many HNW clients operate and from which they come.

Individuals and businesses

How does one check individuals and businesses (Dare called them 'entities')? What information should one gather and why? How should one use such information as date of birth, resident address etc.? Dare tried to answer these questions in a series of case studies in which the class participated. They developed as follows.

Case study one

You are a financial services firm based in Europe. Your client is involved in building water and sanitation installations in the Sudan and these operations were negotiated before sanctions were imposed. The customer has provided relevant licences for this activity and the relationship manager is satisfied that 'customer due diligence' requirements have been met. The customer has other products with the bank, for example bonds and guarantees. What should the compliance officer consider in these circumstances? Are there any additional steps to take?

The class placed little emphasis on the relationship manager's belief in 'due diligence'; one delegate said "well, good for him." The need, everyone agreed, was for a news search for adverse comments in the media. The bank, they thought, should also try to find out what the customer actually had a licence for and to verify its validity. The 'other products' that the customer has with the bank might be covered in the licence, so the compliance officer ought also to verify that. Dare added: "I know, if you exit the relationship the press could publish a story saying 'heartless bank shuts down humanitarian aid'; Barclays and HSBC have had this in response to relationships they've ended. I would expect you to talk to the customer directly. If he doesn't play ball, it's another red flag."

Linked to that, Dare explored the techniques for evasion that the client might employ. There are three ways in which a client may try to evade sanctions: wire transfers, wire-stripping (covered many times on Compliance Matters and entailing the deliberate removal of information from wire transfers) and shell companies, which entail the setting-up of a front company that does no business and the routing of money through it. He commented that even now, after interference from the Financial Action Task Force, SWIFT messages were 'spartan.'

Case study two

An alert is generated for a payment with a link to Iran in the payment message. Upon further investigation, you are not able to discount the alert and therefore reject the payment. The customer then resubmits the payment with some of the information relating to Iran missing. What do you do?

The correct answer to this was to 'escalate' it. The first payment could indeed be a genuine mistake. The bank must determine who is being paid and then weigh up whether it is an attempt to get round sanctions. Many attempted evasions have featured resubmissions. In HSBC's deferred prosecution agreement of 2012, moreover, it says that if they suspect a staff member of collusion, there has to be a formal enquiry. When this happens, Dare said, "the four horsemen of the apocalypse descend on someone, and they are interviewed in front of lawyers from a call centre. If there's a US nexus you'd report it to OFAC (the US Office of Foreign Assets Control), although people are less willing to do that."

Case study three

Your client, an Australian company, imports coal from Nepal. The raw material is shipped overland through Iran to an Iranian port for onward transport by sea to Australia. Payment for the goods is in US dollars and is made through Bank A. Payments to the freight companies based in Europe are in US dollars and euros and are also processed through the importer's bank. Should the bank have any concerns about processing these payments?

The answer is yes. If there is a US dollar nexus, your bank cannot have anything to do with things that go through Iran. More to the point, the coals are going to Australia, which has a massive coal industry of its own; why ship coals to Newcastle? This does not make commercial sense and is therefore a 'red flag.' Dare said that this was a 'bastardisation' of a real case.

What should a robust sanctions compliance effort do?

At a minimum, Dare listed the following necessities for a well-functioning effort against sanction-runners at a bank.

  • A commitment from the board, which sets up a culture of compliance.
  • An established policy that lays out the firm's appetite for 'sanctions risk' in black and white.
  • Systems and controls, for example procedures to support a consistent implementation of policy, screening software and investigations of alerts and 'due diligence.'
  • Underpinning this process, audit.
