5 ways firms can optimize their approach to sanctions compliance

The international sanctions landscape continues to evolve at pace, with new designations constantly coming into effect: the US alone made 2500 additions to its primary sanctions list in 2023. In this ever-evolving environment, financial institutions (FIs) and other regulated businesses cannot afford to stand still. It is more vital than ever for firms to reassess their sanctions compliance strategies: a layered approach, involving multiple lines of defense, will form their strongest guard against the regulatory and reputational damage of breaches. 

As part of ComplyAdvantage’s State of Compliance 2024 webinar series, industry experts from our Regulatory Affairs team, Anna Stylianou of AML Cube, and Yannick Cherel of Sleek shared their thoughts on the principles and benefits of a layered approach to sanctions compliance. 

This article runs through some of the webinar’s central insights and discussion points, summarized into five actionable tips firms can follow in 2024. 

1. Understand where sanctions risks come from 

Any firm’s starting point for sanctions compliance is its risk profile. Firms should evaluate the risks they will face, considering which products and services carry greater exposure, such as private banking and other services that let customers operate anonymously or independently of oversight. In parallel, firms should consider which customer profiles carry a higher risk level, including customers from high-risk countries or those with a history of involvement in financial crime. FIs operating internationally must also stay aware of differences between the sanctions regimes of different jurisdictions. 

These principles are critical for establishing a firm’s business-wide risk assessment, which should be regularly updated, especially following significant changes in sanctions regulations. The insights gained from this assessment are crucial for crafting a risk-based strategy, enabling firms to direct their resources towards areas of greatest vulnerability. 

This approach highlights the necessity of developing and implementing a customized compliance program. Given the distinct risk landscapes faced by each organization – even those operating within the same industry – it’s clear that a generic, one-size-fits-all solution cannot adequately address the specific needs of every firm.

There’s no one-size-fits-all size solution. Why? There are law firms, they have different risks when they are dealing with their customers. We cannot compare these risks to banks. And we cannot compare the risks of a bank with a casino. So, we understand that all these firms are regulated entities – they must comply with AML and sanctions regulations, and they need to understand their own risks and implement appropriate measures. And these measures cannot be the same. 

Anna Stylianou, Founder & Principal, AML Cube

2. Know what good data looks like  

As new sanctions designations continue to come into force at pace, effective compliance depends on how well organizations can stay informed of these changes. However, not all data providers are the same. Firms can measure data quality and effectiveness using these factors: 

• Accuracy: The data firms use must be error-free to be effective. 
• Currency: Firms should ensure they can access up-to-date information, ideally with real-time updates to sanctions lists. 
• Coverage: Data should come from a wide range of sources across all jurisdictions relevant to the firm and its customers.
• Completeness: Firms should consider which data points they need to make informed decisions on compliance. Names alone are often insufficient to identify targets properly. Dates of birth and addresses are two further data points that can be used to confirm the identities of sanctions targets, but not all sanctions lists include this information.
• Relevance: Irrelevant or duplicated data can cause spikes in false positive alerts. Firms should make sure they only screen customers against relevant data. For example, screening on a particular company should filter out any results from before it was incorporated. 
• Context: Without a holistic view of where and how data has been captured, firms risk using information whose integrity cannot be guaranteed. 
• Networks: Firms should also understand the networks around sanctions targets to recognize attempts to evade sanctions. These relationships can vary in kind – for example, family relationships can also be business relationships – and should be investigated. 

The first stage is understanding the problem that you’re needing to solve. Then you look at, what data do I need to solve that problem? In this case, sanctions risk management. And then make sure that that data is of a sufficient quality and you’ve got all of the relevant data points to solve the underlying problem. 

Andrew Davies, Global Head of Regulatory Affairs, ComplyAdvantage

3. Conduct daily customer screening  

FIs now operate in a world of instant payments, which means for sanctions to be effective, they must be instantly enforceable. 

Under new regulations introduced by the EU in 2024, all payment service providers (PSPs) must be able to send and receive instant payments. Aside from requiring upgrades to many FIs’ payment infrastructures, the new rules oblige banks and PSPs to: 

• Verify whether their customers are subject to sanctions on at least a daily basis. 
• Screen customers against sanctions lists when these lists are updated, rather than during payment execution, to avoid delays. 

In practice, this means a shift towards regular customer screening over transaction screening in sanctions compliance. Firms should make sure they are prepared for this and regularly update their screening process to capture the latest international sanctions information. 

However, this does not mean transaction monitoring is no longer a priority for FIs: it remains an essential tool for detecting unusual or suspicious payment patterns indicating sanctions evasion.

Taking a layered approach to sanctions compliance

Watch our on-demand webinar to explore how implementing multiple, integrated strategies for sanctions compliance can effectively manage and mitigate potential violations.

Watch on-demand

4. Choose the right KPIs 

Once firms have teams and policies in place to meet their sanctions compliance obligations, they need to track how effective they are. This means using the right metrics and KPIs, such as: 

• Volume of alerts raised. 
• False positive rates. 
• Volume of alerts received vs. completed. 
• Referral rate (the volume of alerts escalated to the firm’s second line of defense). 
• How long it takes for sanctions updates to be added to a firm’s system after a government or other issuing authority releases them. 

Senior officers should monitor these metrics for spikes or trends and properly investigate them. For example, if a company sees an increase in false positive rates, this could indicate a need for further staff training, or that their system is not sophisticated enough to ingest a large amount of new designation information at once. 

Your senior leadership should know if there’s been a big spike in alerts for some reason. That could be because of a big batch of new designations, it could be related to some change in the structure of your own customer data which has prompted a spike, but you need visibility of these things so you can have a proper handle on your operational risk. 

Iain Armstrong, Regulatory Affairs Practice Lead, ComplyAdvantage

Clear communication between compliance and commercial teams underlies a strong culture of performance evaluation. Given the commercial function’s focus on sales, compliance officers should check how well they understand their customers so compliance policies are not ignored in favor of growth objectives. 

5. Evolve screening processes with machine learning 

When effective sanctions compliance relies on processing large and complex volumes of data, machine learning (ML) becomes a critical tool for organizations to stay ahead of the curve. ML is useful both for automating lower-risk or repetitive work so human expertise can be devoted to more complicated, higher-risk work, and for deriving insights from data at huge scales beyond manual capabilities. Specifically, there are three main ways ML can help firms with sanctions screening: 

• Securing and curating the right information: This includes collecting customer and transaction data and its sources, validating its integrity with regulators and other authorities, and removing any redundant or duplicated data points. 
• Going deeper with the data: ML models, appropriately configured, can be highly intuitive and granular in their approach. New rules can be added to account for additional information and ensure firms screen customers against relevant data. Examples could cover how common a name is in particular countries, honorifics and other naming conventions, and common words in company names that should be disregarded by matching algorithms (such as ‘consulting’ or ‘enterprises’). 
• Prioritizing sanctions alerts: ML models can be trained on historical data to learn which cases are higher-risk and prioritize these when passing on alerts to compliance teams. This means that rather than simply returning undifferentiated positive alerts, screening software can analyze them and streamline compliance workloads in the process. 

You should focus on exactly where your highest risk is, which will help to train your machine learning or any AI, because that will be helpful for them to understand where you need to prioritize eventually. 

Yannick Cherel, Head of Compliance and Risk, Sleek

When businesses choose a sanctions screening solution, they should thoroughly investigate any claims made around its ML model’s capabilities – not only to test how effective the solution is, but to ensure they can explain how it works. Explainability is not only crucial for building trust among customers but for compliance, given regulators expect firms to demonstrate the reasoning behind their use of a particular software.