The dynamic nature of sanctions risk—stemming from nuanced sanctions requirements, complex corporate structures and transaction protocols, and imperfect data insights on customers and related parties—makes operating a sanctions compliance program (SCP) no easy endeavor. Firms need to have a clear understanding of their inherent sanctions risk and control effectiveness, be regularly monitoring regulatory changes, and act accordingly whenever new sanctions risks arise or existing ones change.
One of the most effective ways to achieve these goals is to execute a sanctions risk assessment (SRA). While every SRA is different, there are some general development and execution approaches that can and should be considered. Most importantly, the SRA must be kept current in order to be effective.
Introduction to the SRA
An SRA is a key regulatory expectation, though not a regulatory requirement. The Office of Foreign Assets Control (OFAC) published “A Framework for OFAC Compliance Commitments,”1 which outlines five essential components of an SCP, one of which is executing a risk-based SRA. OFAC highlights that an SRA should be:
- Routine and ongoing, if appropriate
- Risk-based to the firm’s risk profile
- A holistic top-to-bottom review of the firm’s businesses, products, services and geographies
- Informative to drive improving change to the firm’s SCP
- Updated to account for the conduct and the root cause of any violations or systemic deficiencies identified
OFAC recognizes that while all SRAs should have these key elements, each firm will design and implement a unique SRA. The results of an SRA should also inform the SCP’s policies, procedures, internal controls and training in order to mitigate such risks.
While the SRA should be aligned to the standards set forth in the OFAC framework, SRAs do have some commonalities with a Bank Secrecy Act/anti-money laundering (BSA/AML) risk assessment. As such, firms may also leverage guidance from the Federal Financial Institutions Examinations Council’s BSA/AML Examination Manual’s section on conducting a BSA/AML risk assessment2 or even the Wolfsberg Group’s guidance.3
Finally, failure to implement an effective SRA could lead to regulatory censure and operating a below standard SCP, potentially resulting in legal violation and penalties.
Key Elements of the SRA
There are four key elements that comprise an SRA:
- Scope and methodology
- Data acquisition
- Data analysis and risk determination
- Results sharing and stakeholder communication
Scope and Methodology
The first step is to determine the scope and develop an SRA methodology—specifically, which legal entities, business teams, customers, products, services, supply chains, geographies, etc., will be included—and defining how inherent risk, control effectiveness and residual risk will be “scored.”
The most common methodology follows a conventional, three-phased approach—inherent risk, control effectiveness and residual risk
Scope Elements
There are two scope element options to consider:
- Comprehensive
- Focused
A comprehensive SRA will cover all or most material scope elements (see Table 1), where applicable, and is typically used by a more mature/advanced SCP. This approach can take a significant amount of time and stakeholder engagement. In addition, this SRA may be executed all at once or in stages, akin to multiple focused SRAs combining ultimately into one comprehensive SRA.
A focused SRA is intended for those elements that pose the highest sanctions risk (see Table 1). This allows the firm to be targeted and nimble in order to assess and mitigate risks quickly. While this approach is typically used by a more nascent/developing SCP, it may also be used by a mature SCP when new risks emerge, or when there are new product offerings, new business geography, etc. For firms starting with a focused SRA, there should be a plan in place to eventually achieve a comprehensive SRA approach, particularly in light of the OFAC framework, which outlines the need for a comprehensive view of sanctions risk.
Methodology
The most common methodology follows a conventional, three-phased approach—inherent risk, control effectiveness and residual risk (see Figure 1).
This methodology should be deployed to cover each scope element, ultimately rolling up to an enterprise-wide residual risk rating and culminating in the firm’s risk appetite (see Table 2).
The methodology should also document how each of the remaining steps will be executed.
Acquiring Data
The second step is acquiring data. There are three elements to this process:
- Source of data
- Method of acquisition
- Validation
Source of Data
When selecting data sources, data should be gathered on each of the defined scope elements from internal and external data sources, where applicable, for the SRA time period. Internal data can come from sources such as a customer database, transaction records, security holdings and product list. External data—such as industry views on product risk, jurisdictional corruption indexes and regulatory actions/fines—can provide a quantitative lens to evaluate internal data.
If data is needed and not readily available or incomplete, then make a note of this in the SRA and work toward acquiring or completing the data element for the next SRA.
Methods of Acquisition
The following acquisition methods should be considered and both methods (at least for higher-risk scope elements) should be utilized for the most complete internal data pull:
- Automatic data pull from data repositories (e.g., customer database, lending portfolio, security holdings, list of products and services offered by the firm)
- Manual stakeholder questionnaire asking legal entity/business team stakeholders specific questions to get both quantitative and qualitative data
The frequency of the SRA may be a compelling factor in determining the type of data acquisition.
Validation
Following acquisition, data validation—including documenting the validation—is key. Many firms have multiple systems, some aged or not subject to rigorous data management practices, which can result in data that is incomplete, incorrect or simply hard to understand. Validation that the data provided is correct—and challenging that the data makes sense—is critical to ensure data analysis is appropriately executed. Validation is best accomplished through the following scenarios:
- Data owners confirming correct transmission of data from the source system to the SRA team.
- Data owners confirming how data is populated and stored (e.g., is there dummy data included, abbreviations or shorthand?).
- Risk owners reviewing the data for a qualitative challenge.
Data Analysis and Risk Determination
The third step is data analysis and risk determination. While measuring the quantity of risk via data is a vital component of an SRA, it is just as important to have the risk analysis reviewed by relevant subject-matter experts (SMEs). It may be the case that a qualitative view will impact—up or down—the risk determinations.
For example, while transactional data may show limited activity involving Russia, transaction screening controls exist and individuals responsible for engaging in Russia activity and/or reviewing transactions have been trained. Thus, the SME may qualitatively determine:
- The individuals responsible are still having trouble or are inexperienced in executing the control.
- While limited transactions were identified from a numerical perspective, those transactions involve higher-risk sanctioned industries.
The SME, through their qualitative view, may recommend the residual risk be rated higher than the inherent data suggests.
Ultimately, the evaluation of each scope element should result in an inherent risk rating that is overlaid with the control effectiveness and concludes with the residual risk.
Stakeholder Engagement
The fourth step is stakeholder engagement, communication and go-forward actions. Stakeholder engagement throughout the SRA process is important and provides three key benefits:
- Stakeholder confirmation on the accuracy of the information being analyzed and presented
- Stakeholder view on the risk presented by the data (which may be different from the SRA team, and thus beneficial to understand)
- Stakeholder understanding/awareness of the data (stakeholder lack of understanding/awareness may indicate insufficient controls/governance)
SRA results must then be communicated to senior stakeholders within the firm’s business units and other appropriate executives to inform their risk view of the firm. The firm should utilize the standard governance framework it has in place for such communication, as this should ensure appropriate engagement. Importantly, the SRA team should create action items based on the SRA findings. For example, if the SRA found that a particular product or service was a higher risk, then a review should be conducted to determine whether improved control effectiveness can be implemented to lower the residual risk. This action log puts the findings of the SRA into practice, improving the firm’s sanctions risk posture.
Frequency of the SRA
The OFAC framework notes that an effective risk-based SCP includes executing a regular, periodic SRA to identify and mitigate potential sanctions risk. While the frequency is up to the firm, the dynamic nature of sanctions regulations could encourage a more real-time approach. Even in the absence of changes to sanctions regulations, new business opportunities, new or changes to existing products and services, mergers and acquisitions, etc., can bring about new or increased sanctions risks that need to be understood and mitigated in a timely fashion. Ultimately, while SRA frequency is up to the firm’s risk-based decision, keeping the SRA as current as possible is most important.
Finally, resource availability should not be a primary driver for SRA frequency determination. Risk determination and mitigation needs should drive resourcing.
Periodic SRA
SRAs are traditionally executed on a periodic basis, typically every 12 to 18 months, depending on the firm’s risk profile and regulatory expectations. The following factors should be considered when determining frequency:
- The risk profile of the firm, ideally viewed through the lens of a completed SRA (see residual risk description)
- Number of changes to the firm’s risk profile since the last SRA (minimal changes to risk profile may warrant a longer period between SRA execution)
- Internal operational considerations (e.g., resource availability, coordination with other risk assessment activities, material changes to data sources/systems)
Ongoing SRAs
As a firm matures, it may begin executing an ongoing SRA approach—wherein the firm’s comprehensive SRA is tactically updated when material events, such as mergers and acquisitions, material remediation/regulatory censure and impactful new sanctions requirements, drive a reassessment of risk.
This ongoing SRA approach provides the most real-time risk assessment but is typically the most resource-intensive. Most firms executing an ongoing SRA process make tactical updates to the comprehensive SRA throughout the year. This approach leverages all of the ongoing SRA work along with, potentially, a once-per-periodic-cycle work product.
Ongoing SRAs require strong data management, system-generated/automatic reporting and a responsive SME stakeholder group for a timely qualitative review.
Staying Current on SRA Developments
Industry best practices, tips and tricks for executing an SRA evolve over time and require certain steps to stay current including the following:
- Monitor and review industry, regulatory and enforcement agency guidance. Guidance documents are regularly published by OFAC, Congressional Research Service,4 the Federal Reserve Bank, other U.S. government agencies,5 industry professionals6 and think tanks.7 Outside the U.S., many governmental8 and intergovernmental parties, such as the Financial Action Task Force (e.g., Recommendation 6 and 35) and the Wolfsberg Group9 have issued SRA guidance.
- Join an industry group(s) and benchmark with peers. Few firms are truly unique in their sanctions risk or the way in which they would execute an SRA. Leverage peer firms’ experience and share your own. If a firm does not know where to begin, then reach out to external counsel, consultants or the screening technology provider as they likely work with many of the firm’s peers.
- Attend conferences, training events and obtain industry certifications.
Conclusion
An SRA enables a firm to identify and mitigate its sanctions risk, communicate risk issues to stakeholders and execute SCP improvements to mitigate risk better. A firm that fails to implement and keep its SRA current exposes itself to regulatory, financial and reputational risk.
The following are four key takeaways to remember when it comes to an SRA:
- A periodic SRA is critical and a minimum regulatory expectation to identify and mitigate sanctions risk.
- An ongoing SRA process is emblematic of a mature SCP and key to effective ongoing risk identification and mitigation.
- Data acquisition, validation and analysis are a cornerstone of any SRA effort.
- Stakeholder engagement is fundamental to ensure SRA findings are effectively communicated and actioned.
Take the right step toward risk mitigation and integrate a regular periodic SRA into your firm’s SCP!
Max Lerner, CAMS, managing director, global head sanctions compliance and anti-bribery & corruption compliance, State Street, MA, USA, MLerner@StateStreet.com
Chris Bagnall, CAMS-FCI, CFE, principal, Sojourn Technologies, Bagnall@sojourn-technologies.com
- “A Framework for OFAC Compliance Commitments,” Department of the Treasury, May 2, 2019,
https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf - “BSA/AML Risk Assessment,” FFIEC BSA/AML, https://bsaaml.ffiec.gov/manual/BSAAMLRiskAssessment/01
- “The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions, and Bribery & Corruption,” Wolfsberg Group, 2015, https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/faqs/17.%20Wolfsberg-Risk-Assessment-FAQs-2015.pdf
- “U.S. Sanctions On Russia: An Overview,” Congressional Research Service, September 1, 2021, https://crsreports.congress.gov/product/pdf/IF/IF10779
- “Economic Sanctions Policy and Implementation,” U.S. Department of State, https://www.state.gov/economic-sanctions-policy-and-implementation/
- “The Guide to Sanctions – Second Edition,” Global Investigations Review, July 2021, https://globalinvestigationsreview.com/guide/the-guide-sanctions/second-edition?page=3
- “Atlantic Council: Economic Sanctions,” Atlantic Council, https://www.atlanticcouncil.org/issue/economic-sanctions/
- “Financial Services Agency, Guidelines for Anti-Money Laundering and Combating the Financing of Terrorism,” Financial Services Agency, https://www.fsa.go.jp/common/law/amlcft/en_amlcft_guidelines.pdf
- “Wolfsberg Guidance on Sanctions Screening,” The Wolfsberg Group, 2019, https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/Wolfsberg%20Guidance%20on%20Sanctions%20Screening.pdf