FCA assessment of SANCTION SCREENING systems and controls in financial services firms [6/9/2023]

The Financial Conduct Authority has published its [6/9/2023] findings from their assessment of sanctions systems and controls in financial services firms.

Here are some notable observations from the report:

• "Some firms' systems could not
• Generate alerts against certain names on the Office of Financial Sanctions Implementation (OFSI) consolidated list of persons subject to sanctions and
• Provide reasonable justification for the omissions."
• "Several instances where firms needed to understand how their sanction screening tools were calibrated and when lists were updated. This meant that firms were unable to understand whether:
• They were screening against the correct lists.
• Their systems were missing names that should be identified.
• Their systems were producing too many false positives.
• "There were instances where calibration had not been adequately tailored.
• This resulted in it being.
• Too sensitive, causing a high number of false positive names (putting an increased stretch on already busy teams, making the alert review process operationally inefficient and increasing the risk of errors), or
• Not sensitive enough, meaning that even minor variations in names led to sanctioned individuals not being detected.

• This delicate balancing act shows the importance of firms understanding how their systems work and how they are calibrated.”

THE FULL LIST OF AREAS THAT NEED IMPROVEMENT IS AS FOLLOWS

Governance and oversight

Senior management oversight of sanctions risks

• We identified instances where senior management were not given sufficient MI to enable them to discharge their responsibilities appropriately. This included where multinational firms sought to rely upon systems and processes used in other jurisdictions.
• Examples,
• We identified that the firm demonstrated limited knowledge of the operation, configuration, and testing of a solution used in its wider group that was used to manage its sanctions risks in the UK.
• The firm had inadequate oversight and MI of the UK-related activities undertaken by globally run teams.
• We have seen examples where the sanctions MI was limited and lacked basic metrics. For example,
• The number of sanctions alerts, number of alerts awaiting analysis, and reports submitted to OFSI.
• We also saw a lack of quantitative and qualitative MI to enable effective oversight, risk identification, and trend analysis. This led to concerns that senior management were not able to understand the risks at the firm to aid effective decision making or understand how it was performing.
• We look to firms’ senior management and, where applicable, those holding Senior Management Functions (SMFs) under the UK’s Senior Managers and Certification Regime, to have oversight of firms’ systems and controls to ensure compliance with UK sanctions. So, it is important that senior management have appropriate MI to enable them to fulfil their responsibilities and allow them to understand the sanctions risks that are applicable to their firm.

Global sanctions policies

• In some global firms, we saw evidence that global policies were not aligned with the UK sanctions regime. For example,
• Some firms operating globally were focused on US sanctions and applied insufficient focus to the UK regime, particularly where firms’ sanctions controls were operated in global centres of excellence or service centres.
• We also found instances of poor communication between global and regional sanctions teams.
• A lack of awareness on UK sanctions law, regulations, and guidance can increase the risk of potential non-compliance as UK legislation evolves and/or possibly diverges from that set by other authorities.

Over-reliance on third party sanctions screening tools

• We saw several instances where firms lacked understanding of how their sanctions screening tools were calibrated and when lists were updated. This meant that firms were unable to understand whether:
• They were screening against the correct lists.
• Their systems were missing names that should be identified.
• Their systems were producing too many false positives.
• Ultimately, this resulted in firms being unable to show that they were adequately managing their risk of breaching sanctions appropriately.
• Like any outsourced service, firms need to ensure that they have appropriate control and oversight of their sanction screening controls. This could include regular testing and agreed internal service-level agreements (SLAs) for the time taken for lists to be updated following a designation.

Contingency planning

• An important part of any risk management framework is appropriate contingency planning.
• While the level of sanctions issued by the UK Government following the Russian invasion of Ukraine was unprecedented, the potential risk of escalating tensions with Russia was known.
• We saw those firms who had conducted a risk assessment of their exposure to Russia and developed contingency plans, were generally better placed to introduce risk reducing measures, i.e., enhancing high-risk and prohibited country lists, enhancing escalation policies and procedures, seeking advice from legal counsel, revising thresholds, or suspending payments to/from Russia.
• We have also seen firms conducting lessons learned of their response to the increased levels of sanctions and contingency planning for potential future events. This will put them in a better position should a future event or further escalation in sanctions occur.

Skills and resources

• We identified that many firms had significant backlogs in the assessment, escalation, and reporting of alerts from the screening of names and payments. This affected firms’ ability to promptly identify and report exposures. These backlogs continued in some instances for a significant time due to a lack of appropriate resource.
• While in many cases action had been taken to limit sanctions risk by blocking accounts or transactions at the point of alerting, we identified that resource strain in operational teams resulted in a lack of clarity on prioritisation of alerts. Increased volumes and pressure on sanctions teams can prevent firms’ taking appropriate and timely action for true positive alerts and increases the risk of errors.
• Often backlogs in alert disposition, escalation and reporting were compounded by a lack of governance and appropriate internal SLAs.
• We also identified backlogs in ongoing due diligence reviews due to resource constraints.
• Some firms did not have adequate internal expertise to ensure effective, timely screening, with some firms having to rely on external legal or consulting resource.

Screening capabilities

• During our assessment of firms' sanctions screening tools, we found that some firms showed effective control mechanisms to measure the efficiency of their system thresholds and parameters. This included practices like sample testing and tuning, which were highly encouraging.
• However, there were instances where calibration had not been adequately tailored. This resulted in it either being too sensitive, causing a high number of false positive names (putting increased stretch on already busy teams, making the alert review process operationally inefficient and increasing the risk of errors), or not sensitive enough, meaning that even minor variations in names led to sanctioned individuals not being detected. This delicate balancing act shows the importance of firms understanding how their systems work and how they are calibrated.
• Our testing of firms’ sanctions screening systems found that some firms' systems were unable to generate alerts against certain names on OFSI’s consolidated list of persons subject to sanctions, and some firms were unable to provide reasonable justification for the omissions.
• We saw that the updating of lists to screen against is often not subject to SLAs and some firms are not monitoring how quickly they update their lists.​

Customer Due Diligence (CDD) and Know your Customer (KYC)

• As well as backlogs in CDD and KYC assessments, created from the increased number of sanctions designations, we were concerned with the low quality of CDD and KYC assessments which increased the risk of firms not being able to identify sanctioned individuals. For example,
• CDD did not always articulate the full ownership structures of entities, leading to the risk that firms were unable to show that they were screening all relevant parties​.
• It is important that firms gather sufficient information and undertake sufficient KYC and CDD to ensure they are screening all relevant parties and do not breach relevant sanctions requirements.

Breach reporting to the FCA

• Firms that know or have reasonable cause to suspect a breach of financial sanctions must report it to OFSI, and notify us if:
• A person they are dealing with, directly or indirectly, is a designated person; they hold any frozen assets; and if they discover or suspect any breach while conducting their business.
• Also, in line with Principle 11, SUP 15.3.8G(2) and Chapter 7 of the Financial Crime Guide, firms must consider whether they need to notify us, for example,
• Whether sanctions breaches resulted from a significant failure in their systems and controls.
• We identified inconsistencies with regards to reporting with some firms taking weeks or even months from identifying a breach to reporting the issue to us.​
• Other firms fully investigated the breach and undertook remediation before informing us, whereas others failed entirely to report breaches to us.
• Firms delaying breach reporting, or not reporting at all, undermines our ability to understand systems and controls issues as they occur and to work with firms to establish that those issues are being correctly remedied.​

Source

https://www.fca.org.uk/publications/good-and-poor-practice/sanctions-systems-and-controls-firms-response-increased-sanctions-due-russias-invasion-ukraine