Adjusting to changes in U.S. sanctions compliance challenges and regulatory expectations is like jumping rope. If the leap is made too late, one inevitably feels the lash of the rope as it hits their legs. But, if the jump is made too early, one expends their time and energy on something that is not really required—yet.
To a certain extent, the problem is unique to sanctions, and the confusing messages put out by regulators. In contrast, the anti-money laundering (AML) world is allotted a fair amount of leeway in the “risk-based approach” that is a basic tenet of its practicum. As long as controls are appropriate to produce a level of residual risk that is within the firm’s stated risk appetite, the specific sources and methods used to produce that result are not particularly prescriptive.
On the other hand, sanctions compliance is significantly more detailed when it comes to stating regulatory expectations. Compliance professionals are expected to utilize not only the letter of the law and legislation to achieve the proper results, but they also need to be knowledgeable in the advisories, guidance documents and FAQs published by regulators—as well as infer the “real requirements” from prior enforcement actions.
That level of detail, while burdensome to keep track of and implement, nonetheless gives a relatively clear path to comply properly with explicit regulatory dictates. Yet when it comes to enforcement, a violation that may draw a fine for one firm may not for another because of the consideration given to the nature of the firm’s business (using the terminology of the U.K. regulator Office of Financial Sanctions Implementation, or OFSI) and/or its “commercial sophistication” (from the Office of Foreign Assets Control [OFAC] Enforcement Guidelines). Thus, what seems prescriptive may, in fact, be optional—especially when considering what level of effort needs to be made to identify entities subject to OFAC’s 50 Percent Rule, or the standard of care needed to identify “property or interests in property” that are covered by sanctions regulations.
So, given this, how do companies know when to extend their sanctions compliance capabilities—and how long should they wait for regulatory expectations to become clearer?
Tardy to the Party
At their core, sanctions compliance requirements in the U.S., other than those imposed by bank examiners and similar regulatory oversight (or New York banking law, which is pretty prescriptive), are fairly basic: do not conduct business which contravenes the spectrum of published regulation and guidance, or there will be an investigation. How one accomplishes that goal, by implementing appropriate controls, is up to the individual firm.
There are a number of useful ways to gauge the appropriate level of controls for a sanctions compliance program. First, one should gauge what one’s peers are doing, and are planning to do, in order to comply. To produce an accurate analysis, peer modeling should be done within one’s industry and similar industries for firms of similar size. From that range of compliance practice, one can determine where one can reasonably fit in, for now. To be safe, firms should skew toward the more rigorous end of the modeled group, as the expected standard of care only increases over time—and certainly should not lag at the lower end of it.
Second, one should keep up-to-date on industry developments and thought leadership. Firms should keep tabs on sanctions compliance trends by reading the trade press, and participating in industry events and social media forums. This will not only provide a glimpse into industry challenges, and how others are currently addressing them, but also provide insight as to the capabilities of emerging third-party solutions and how they might apply to the particulars of the firm’s business. Such insight should also be filtered through the lens of one’s peers. Again, if one has a choice, one should err on the side of more stringent controls rather than less stringent ones.
Lastly, one should review enforcement action information issued by regulators. While only OFAC has issued civil monetary penalties for actual violations of sanctions regulations, other regulators have taken firms to task for inadequate system controls. In addition, Her Majesty’s Treasury (HM Treasury) was recently empowered to impose OFAC-like fines, and has published detailed enforcement guidelines. Over the next few years, HM Treasury will become an important source for enforcement information as well.
Over time, the compliance failings documented in enforcement actions raise the bar for all covered persons and firms. However, one should consider the enforcement action to be a call to action sooner rather than later. It is tempting to compare one’s firm to the firm that violated sanctions regulations, and determine when the regulatory expectation will trickle down to firms of its size. However, such an assumption is misguided once one considers the time that elapses between the violating behavior and the regulatory response. If a firm’s behavior five years ago was unacceptable enough to result in a civil monetary penalty, then that behavior is likely to be unacceptable today for a firm much smaller and less commercially sophisticated.
More generally, one should assume that once a new compliance practice, or a new regulatory expectation, is made public, a countdown timer begins that determines when a firm of a given size, in a given line of business, with a given level of commercial sophistication will be expected to use it in its program—if it is applicable to that type of firm. While one cannot be certain when the timer will expire, it is useful to realize that it is “merely a matter of time” until it does, and plan to react accordingly.
Early birds get the worms?
What should be done if the timer has not yet started? Should one lead the industry in sanctions compliance practice?
The short answer, of course, is “it depends.” It depends on a firm’s size, the nature (and inherent risk) of its business, and its risk appetite, among other factors. Certainly, the largest firms, with the riskiest books of business, are most likely to be ensnared by rising regulatory expectations. For them, determining what more they can do is, and will continue to be, an ongoing challenge.
However, beyond that, the answer for the large majority of firms is “not unless it is cost-effective.” Companies simply cannot afford to invest significantly in efforts with poor risk/reward ratios, absent a clear imperative from regulators (such as the publication of OFAC’s advisory about North Korean shipping practices).
It is not uncommon for companies to overreact, whether it is to enforcement actions, or to news in the sanctions world, or to complex compliance challenges. For example, a large European bank, in the wake of an enforcement action, changed its sanctions systems to match only on last names. It switched back three days later, once the operational impact of its change became apparent. Similarly, a large Asian bank requested a database of the most common Burmese family names for its screening application, despite there being no regulatory requirement or expectation for doing this.
Before thinking out of the box, either out of a desire to leave regulators no avenue to find one’s program wanting, or out of a fear of a black mark on one’s interactions with them, it might make sense to run the proposed change past regulators. Even for firms with the largest targets on their backs, it is worth picking up the phone to discover whether or not such program elements are actually expected of them, especially when the size of the upfront and ongoing investment seems out of line with the size of the risk being mitigated.
The Second Rope
For those who are unfamiliar, Double Dutch utilizes two ropes, which jumpers must avoid. For sanctions compliance professionals, the cost of compliance can trip them up as surely as regulatory requirements and expectations. Therefore, if sanctions compliance professionals wish to extend their capabilities, they must continually be on the lookout for efficiencies so the underlying business remains profitable.
Nevertheless, in Double Dutch, both ropes are swung by the same two people. In compliance terms, that analogy implies that any efficiencies that a firm hopes to realize have to pass regulatory muster. While AML systems can rely on machine learning and artificial intelligence to reduce match rates without their methods being clearly explainable, the “strict liability” attached to economic sanctions regulation and enforcement seems to prohibit use of those advanced technologies, at least for now.
However, even when emerging technologies are the norm accepted by regulators, the game will not be over. The ropes will probably keep on swinging, faster and faster—and compliance professionals will need to be more nimble in order to not get tangled up in the ongoing pressures of regulatory expectations and operational overhead.
For more information on crucial sanctions compliance principles that all compliance staff should understand, please visit http://www.acams.org/sanctions-compliance-training/.