The most frequent questions we receive on internal controls:
- Are there controls besides screening?
- What is fuzzy matching and what is the best threshold for fuzzy matching?
- Do I need to define my controls?
Policies, instructions and procedures as internal controls
Internal controls are multiple different actions and tools working together to form a comprehensive package of measures that minimize the sanctions risks to your company. There should be an inherent interplay between the findings of your company’s risk assessment and the internal controls applied to control those risks. This interplay is first and foremost borne out in the policies, instructions and procedures that your company enacts to establish a control framework for managing sanctions risk.
Written policies, instructions, and procedures outline the organization’s SCP and are the bedrock of internal controls and should be implemented to ensure compliance. They should address the organization’s risk profile, risk appetite, day-to-day operations, and business activities.
- Policies operate as the organization’s guiding “North Star” and should be as short and to the point as possible.
- Policies should be broad and outline the scope and approach, providing just enough detail for employees to understand “what” the organization is trying to achieve, be it complying with EU sanctions everywhere your company operates, or avoiding all business with specific countries.
- Instructions outline who is in charge of implementing the policies, the requirements for implementation, and the point of contact for escalations when there is doubt about satisfying the policy.
- Instructions provide the “who and how” your company will achieve compliance with the policy and should outline the roles, responsibilities and accountabilities of different offices and employee positions.
- Procedures explain in exhaustive detail how to carry out the instructions and should be specific for each operational unit and task.
- Procedures provide the “detailed how” of the specific operating actions for specific roles and positions to achieve their stated responsibilities.
When designing policies and procedures, it is important to keep in mind that these should be easy to implement and follow, and should reflect the organization’s culture of compliance. Dedicated personnel should be responsible for monitoring the implementation of policies and procedures, and for improving internal controls once weaknesses are discovered, as we will cover in the testing and auditing posts. All personnel should be informed and trained on your organization’s policies as well as the procedures that are relevant for their role, and a reporting mechanism should be established so that all employees know to whom they should escalate and report any potential sanctions violations or misconduct.
KYC as primary control and screening as secondary control
One area where we often see confusion is the common view that “screening is the control” rather than an appreciation that screening is one essential tool in an internal control framework. The most powerful means of controlling risk is avoiding it from the start, and that is best accomplished through the Know Your Customer (KYC) process.
KYC enables you to ask risk-identifying questions about your customers and counterparties, and is best thought of as the “primary control” for managing risk because the process allows your company to avoid risk before customers and counterparties are onboarded. The length and depth of evaluation in each company’s KYC process will differ by industry, but it is important to appreciate that the aim of the KYC process is to gain enough information on the customer, counterparty or supplier to be able to rule out, or effectively control, likely violations of sanctions.
While screening is an appropriate component of the initial KYC process, it is best thought of as a “secondary control” which is used to help ensure that customers and counterparties are operating in line with your company’s expectations as demonstrated through the KYC process. Put another way, screening is best thought of as “finding the risk we are looking for” because the act of screening is setting filter criteria so that the system generates alerts. The criteria for the filters are defined by your company, be it choosing which sanctions regulatory lists to screen (US SDN/SSI/Entity List, EU Consolidated List, etc.) or indicators of potential risk such as geographic locations, products, activities or behaviors.
Also, because screening is the act of “finding the risk we are looking for” it empowers us to pre-define the actions that we take on the alerts that are generated. Because we have set the criteria of what is risky, the indicators of risk that the screening alerts on should lead to specific actions as defined in your company’s procedures and instructions. For example, if your screening system generates an alert for a potential match to an entity on the EU consolidated list, you should be able to look to your procedures to know the next steps to take to ensure that no funds or economic resources of any type are provided to that entity as you follow your company instructions to escalate the potential match for action up the management chain.
Finally, screening can often seem like it is imposed on you and your company from the outside. It can feel like drinking from a fire hose of regulators, enforcement bodies and vendors, but the truth is that you and your company are in control of the criteria used in screening and of the actions taken on screening results.
The United States’ Office of Foreign Assets Control (OFAC), the office regulating US sanctions, found that MidFirst Bank breached sanctions specifically because its screening tool was not updated with the latest sanctions designations. The vendor MidFirst Bank used for screening only screened the bank’s customers once a month, so the bank was not notified about the designation of a customer until 14 days had passed, in the meantime conducting transactions on behalf of the designated person.
Fuzzy matching in screening
The purpose of fuzzy matching in a screening system is to generate alerts for close potential matches of words, phrases and information that are similar to identified risk indicators. For example, a screening system should be able to identify not only “Crimea,” but also “Krimea” to generate an alert for potential sanctions risk. Similarly, screening solutions should have the capability to detect alternative spellings and languages (including the same word in different alphabets such as Arabic or Cyrillic), abbreviations, misspelled or omitted words as part of the fuzzy matching capabilities.
We often receive questions about fuzzy matching and what the “best threshold” is. The best threshold for fuzzy matching depends on the technical capabilities of your screening system, but the honest response is that the screening system should be able to generate alerts with the same ability that an informed human would have to make a potential connection. Additionally, an in-house screening system should certainly return potential matches at least as well as the publicly available search tools from US Treasury’s OFAC and UK HMT’s OFSI.
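As an added illustration (not code from the original post, nor from any vendor’s screening product), the following Python sketch shows what the fuzzy-matching behaviour described above looks like in practice: names are normalised, a small constructed Cyrillic transliteration table handles a different alphabet, an edit-distance score catches “Krimea” against “Crimea” and an entry with an extra word, and a helper counts how many labelled known variants a given threshold catches versus how many spurious alerts it raises. The watchlist entries, the transliteration table and the labelled pairs are constructed examples, not entries from any real sanctions list.

```python
import re
import unicodedata

# Constructed watchlist: illustrative stand-ins, not entries from any real sanctions list.
WATCHLIST = ["Crimea", "Ivan Petrov Export", "Sevastopol Shipping"]
# Constructed, deliberately small Cyrillic-to-Latin table; a production system needs a full one.
CYRILLIC = dict(zip("абвгдезийклмнопрстуфхэы",
                    ["a", "b", "v", "g", "d", "e", "z", "i", "y", "k", "l", "m", "n",
                     "o", "p", "r", "s", "t", "u", "f", "kh", "e", "y"]))

def normalize(text):
    """Lower-case, strip accents and punctuation, transliterate Cyrillic letters."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(CYRILLIC.get(ch, ch) for ch in text if not unicodedata.combining(ch))
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text).split())

def levenshtein(a, b):
    """Classic edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Similarity in [0, 1] after normalisation; 1.0 means identical."""
    a, b = normalize(a), normalize(b)
    if not a or not b:
        return 0.0
    return 1 - levenshtein(a, b) / max(len(a), len(b))

def screen(query, watchlist=WATCHLIST, threshold=0.8):
    """Return (entry, score) alerts for watchlist entries scoring at or above threshold."""
    hits = [(entry, round(similarity(query, entry), 2)) for entry in watchlist]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

def evaluate_threshold(labelled, threshold=0.8):
    """Count caught variants and spurious alerts over (query, entry, is_true_match) pairs."""
    caught = sum(1 for q, e, m in labelled if m and similarity(q, e) >= threshold)
    spurious = sum(1 for q, e, m in labelled if not m and similarity(q, e) >= threshold)
    return caught, spurious

if __name__ == "__main__":
    for q in ["Krimea", "Иван Петров Экспорт", "Sevastopol Shipping Co", "Crimson"]:
        print(q, "->", screen(q))
```

Running evaluate_threshold over a set of known true variants and known near-misses at several thresholds is the practical way to answer the “best threshold” question for your own data rather than picking a number from a vendor default.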
Questions to ask to evaluate your organization’s internal controls
- Do we know what to do when a risk is identified? What capabilities and learning about the risks facing our company do we have beyond screening?
- Do we have appropriate policies, instructions and procedures in place?
- Do our personnel know to whom they should escalate and report sanctions risk and misconduct?
- Is the KYC process used as our primary control for our sanctions risk?