Wolfsberg publishes sanctions screening guidelines

Chris Hamblin, Editor, London, 12 March 2019

The Wolfsberg Group has published new guidelines by which its signatory financial institutions - Bank of America, Banco Santander, Bank of Tokyo-Mitsubishi, Barclays, Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs, HSBC, JP Morgan Chase, Société Générale, Standard Chartered Bank and UBS - ought to screen people and entities in accordance with international sanctions.

The group of large private banks thinks of 'sanctions screening' as a good way of detecting, preventing and managing something to which it refers as 'sanctions risk.' It wants its members and followers to do this screening as part of an effective Financial Crime Compliance programme, to spot sanctioned individuals and organisations and also to spot illegal activity. International sanctions regulations are expanding and becoming ever more complex, so the group thought that some updated guidance might be timely.

The fundamentals of the guidelines are derived from legal/regulatory requirements, the 'expectations' of regulators and global industry best practice. The group does not intend to suggest that all financial institutions should apply all parts of it "to the same level," whatever that might mean.

Instead, its guidelines try to show the reader the instances in which 'sanctions screening' can be an effective part of a wider sanctions compliance programme - a phrase it seems to use in this instance to describe a plan of action of some kind rather than any governmental initiative. They also point out the instances in which such screening has its limitations as a control mechanism and cases in which a risk-based approach is appropriate. The guidelines include sections on the definition of sanctions screening, the fundamental elements of a sanctions screening programme, consideration of a risk-based approach, technology, alert generation and handling, reference data, transaction screening, list management and lookbacks.

'Sanctions risk'

Never once do the guidelines define the term 'sanctions risk.' The generation of an alert as a result of the screening process is not, of itself, an indication of such risk. Cross-border transactions, a currency used as part of a transaction and the route down which that transaction goes are but three 'sanctions risks factors.' 'Sanctions risk' is also sectoral; it can occur in finance, which represents one sector, or in other sectors of the economy.

'Sanctions screening'

Wolfsberg sets out some things that every firm ought to apply to screening in conjunction with other ways of "preventing financial crime risk." It should evolve policies and procedures that set out the things that it wants to 'screen,' the context in which it ought to do so and the frequency at which it ought to do so. It ought to 'adjudicate' (sit in judgment upon) alerts, working out how to resolve them if the information it wants is unavailable, incomplete or potentially unreliable. The group never defines 'sanctions screening' but does define 'customer screening' as "the screening of full legal name and any other name provided by the customer, such as known aliases, against applicable official sanctions lists."

Every firm should also appoint a 'responsible person' who oversees the process. This person must have the right skills and experience of understanding the nuances of the often arcane requirements of OFAC and less frightening issuers of lists. He must know how such demands might influence "screening outcomes and decisions" and must know about the technical capabilities of screening software. Wolfsberg is also keen on every firm assessing risks when deciding on the kind of 'data attributes' it wants to 'screen.' Fuzzy logic is a factor here, matching up names and other data imprecisely in order to spot patterns that adherence to the actual spellings on the sanctions lists might not reveal. The 'responsible person' should decide how fuzzily the firm should set its screening filter. The decision-making and governance structure has to be articulated, written down and supported by analysis and testing. Wolfsberg expects 'financial institutions' - presumably its member-firms, who are the only firms of which it can expect anything - to keep records of the configurations of their screening systems so that they can 'demonstrate' things about them. Regular testing is important for every system and the firm in question should analyse the results and report them to 'stakeholders,' another term that Wolfsberg's document never defines.

Wolfsberg describes 'fuzzy matching' as "a varied and algorithm-based technique to match one name (a string of words), where the contents of the information being screened is not identical, but its spelling, pattern or sound is a close match to, the contents contained on a list used for screening."

Super-equivalence

Wolfsberg touches on the idea of 'super-equivalence' in a roundabout way. The United Kingdom pioneered this doctrine, which says that all operations everywhere in the world must be up to the same standard as those of the home country. It is no good, therefore, to take a risk-based approach to transaction monitoring in the UK but not in the Seychelles. The UK eventually prevailed upon the EU to take up this doctrine, although its acceptance in the offshore world is patchy.

The Wolfsberg version of this idea is expressed thus: "A global financial institution may determine that its policy is to prohibit any dealing with any party sanctioned by the US, the United Nations, the EU, its home country and any number of its core jurisdictions of operations. A smaller FI operating only in one country, however, may determine that its policy is limited to complying with the sanctions laws of the sole jurisdiction in which it operates."

What data should a bank scrutinise?

A bank is likely to pay close attention to customers' names if it is looking at a typical sanctions list, whereas addresses are more relevant if OFAC or some other body has issued sanctions against a country. Other pieces of data such as bank codes may be relevant for both types.

Banks often have to check the following factors to do with transactions: the parties involved, including the remitter and beneficiary; agents and intermediaries; bank names and routing codes; free text fields, such as payment reference information or the stated purpose of the payment in Field 70 of a SWIFT message; and International Securities Identification Numbers (ISINs).
