HKMA sharpens its sanction requirements
Chris Hamblin, Editor, London, 17 April 2018
The Hong Kong Monetary Authority has conducted a thematic review of financial firms’ sanction-screening systems and come up with a list of observations and requirements.
The regulator has picked up its British counterparts' disconcerting habit of announcing its 'expectations' without linking them to any rules, thereby leaving the reader to wonder whether he is legally obliged to meet this-or-that 'expectation' or not. Its review revealed that sanction-screening systems are "in general performing within industry benchmarks," i.e. satisfactory, but it nonetheless wants firms to pay attention to some "good practices" to do with effectiveness and efficiency.
It expects firms to (i) think about "adopting the good practices, where appropriate," performing gap analyses if they do nothing else, and (ii) put in place, "if not already," regular sanctions screening system tests that send reports and assurances of quality to senior managers 'robustly,' the better to reassure them that they are making the HKMA's 'expectations' a reality. These expectations are as follows. Assurances of quality should come from people who know the subject matter. Some firms have dedicated teams to provide them; others hire firms in.
- Senior managers should weigh up the risks that their firms are running of failing to enforce financial sanctions against their customers breaches and set the right level of screening.
- Firms should test new systems, or upgrade existing systems, thoroughly before they deploy the results. In doing so they ought to oversee varous things (the regulator does not say what) and send reports to various people in a 'sufficient' way.
- Monitoring, tuning and testing should be never-ending.
- Firms should have a clear and demonstrable understanding of the system filters (algorithms/rules) they use. This includes a requirement to equip staff with the right skills and knowledge to support good sanction-screening systems.
- Firms should keep tuning their system filters to reduce the chance of "false positives" but without making them less effective.
The HKMA will collect information from all its charges in the third quarter of the year. The information will be about "individual action plans," whatever those are. It is staging a seminar on 23 April to explain its policy further.
Most firms that the regulator reviewed were able to explain the settings that they had chosen for their IT systems; some relied to heavily on the vendors of those systems and found it hard to explain. The HKMA has a trap for the unwary here: if a group of companies has a global compliance policy, the regulator expects it to explain every deviation in IT settings or configuration from the norm. Management Information (MI) should provide senior managers with enough information to understand the risks that they run as far as financial crime is concerned.