Andrew Pimlott of FTI Consulting discusses the current sanctions landscape
A volatile political landscape makes compliance a challenge, especially when malefactors are good at covering the evidence, but advanced analytical techniques can reveal the truth.
The sanctions landscape is becoming more complex and challenging by the day. Regulatory expectations are increasing and already we have seen the imposition of hefty fines for those that fall short.
As the press has extensively reported in recent months, the US is renewing the sanctions against Iran that were eased by the Obama administration in 2015. However, the EU together with Russia and China is trying to preserve the internationally agreed nuclear accord, and is planning to create a special purpose vehicle (SPV), a mechanism to ‘assist and reassure economic operators pursuing legitimate business with Iran’ (see ‘Implementation of the Joint Comprehensive Plan of Action: Joint Ministerial Statement’, European External Action Service). The SPV would provide a clearing house for euro transactions with Iran. No doubt this will cause tension with the US, making the sanctions landscape more complex. It is possible we will then see further sanctions being applied on both sides.
Developments like this are creating a challenging and volatile environment for financial institutions as they strive to comply with sanctions – and comply they must. Fines for financial institutions that breach US Office of Foreign Assets Control (OFAC) sanctions have soared in recent years. We have seen banks agree to pay settlements in the billions to US prosecutors over allegations of sanctions violations – penalties intended by the regulators as a clear warning signal.
‘A culture of compliance cannot be established overnight; it requires ongoing and committed effort from the chief executive and top-level management.’
Cases like this have sent shock waves through the financial community and kicked off a domino effect of similar investigations and remediations. At FTI Consulting, we anticipate that the escalation of regulatory expectations and fines will continue. The scope of the problem will also expand as governments seek to address issues like Russia’s alleged interference with Western elections, alleged money laundering in Latvia and Pyongyang’s potential nuclear ambition.
Financial institutions’ responsibilities and why they are hard to discharge
Financial institutions need to be proactive about ensuring sanctions compliance. They must adopt a culture of compliance through policy implementation. That culture cannot be established overnight; it requires ongoing and committed effort from the chief executive and top-level management, setting the tone that non-compliance will not be tolerated.
Institutions also need to be able to enforce their policies. This means being able to account fully for each transaction – not always easy, especially if someone has tampered with data or orchestrated a complex mirror system (where a set of interrelated transactions across multiple financial institutions is used to conceal dealings with sanctioned third parties). In one of our recent cases, the names of certain clients had been stripped out of the bank’s data – a typical method of concealing sanctions violations.
Violations can be particularly hard to spot where teams and technologies are siloed in the organisation, making it difficult to visualise suspect patterns of trading.
Technology can help institutions discover the truth
Fortunately, today’s technology is capable of bringing together and analysing disparate data to find out what someone has attempted to conceal. It is now possible to link together not just structured data like core banking transactions, SWIFT messages and know-your-customer (KYC) data, but also unstructured data such as emails and even audio. Once you can integrate all these different types of data in one environment, you can really get at the truth of what has been going on, answering essential questions about who, what, when and how much.
A variety of data visualisation tools can help human experts explore the resultant information. For example, we can display data graphically to show transactional movements in a particular geographical area that is subject to sanctions.
An even more exciting technology is machine learning. To apply this, our analysts begin by teaching the application what ‘normal’ data behaviour looks like, or equally what typical data relating to a compliance breach would look like. This knowledge is turned into algorithms that can be run automatically on masses of historical data. The application then refines the algorithms in the light of the known outcomes associated with that data.
The identification of future anomalous behaviours can then be automated, with the application raising red flags on unusual patterns to be further explored by human investigators. The investigators in turn provide the application with feedback about which patterns have proved to be genuinely associated with crime. In this way, we set up a feedback mechanism that continually trains the application and optimises its performance.
Unusual activities identified by a machine-learning application could include money being moved to sanctioned countries or individuals, or rapid sequences of mirror trades between several international accounts suggesting possible money laundering.
The crucial difference between new machine-learning tools and legacy approaches is that with machine learning the application is continuously improving its capabilities. This means that when criminals change their ways of working, the application can quickly adapt, without any need for rewrites by humans.
Another advanced technology being applied by banking compliance teams is sentiment analysis: the process of extracting patterns relating to human emotion (anger, fear, resentment, etc) across data sets. Sentiment analysis can support a proactive approach to compliance by determining the culture within the organisation or within a department, eg a trade finance team.
‘Today’s technology is capable of bringing together and analysing disparate data to find out what someone has attempted to conceal.’
The new tools and techniques can be used in a variety of ways. Some of these are proactive, for example:
- Checking that the organisation is complying with sanctions.
- Investigating a suspected breach. This enables the institution to take preventative action and also disclose the violation to the regulator as soon as possible, which is always advisable.
- Understanding current activity in an area that may be subject to future sanctions, eg Iran. If sanctions become operative, you can act fast to ensure compliance.
- Automating the future identification of sanctions breaches by using advanced analytics and machine learning to understand patterns in historical data and then extrapolating from them.
- Using sentiment analysis to identify any aspects of your organisational culture, such as deceit, fear or anger, that suggest the possibility of sanctions violation or money laundering.
Other contexts for applying the tools are reactive, for example:
- Meeting regulatory reporting requirements if you have been subpoenaed for suspect transactions.
- Remediation if your organisation is already listed as having violated sanctions (‘transactional look-back’).
The need for collaboration
Because of the current political climate – notably the differing positions of the US and EU regarding Iran – it is getting more difficult than ever to avoid falling foul of sanctions policies. When someone is moving money around to hide where it is going, often the only way to get a full picture before OFAC investigates is through collaboration between financial services organisations. And that collaboration is only going to get more problematic if the global political landscape fragments. Consider the current US-Europe differences, which relate not only to Iran but also, for example, to the Paris Agreement on climate change. Brexit could add another layer of complexity.
‘Fintech companies are showing what is possible, with their willingness to pool information with one another.’
Financial institutions have in any case been reluctant to collaborate on these issues because of their desire to keep valuable KYC information to themselves. However, they will need to overcome this obstacle. Fintech companies are showing what is possible, with their willingness to pool information with one another. Technologists may make this approach more acceptable to traditional financial institutions by providing platforms that share information selectively. Already there are several pools of shared KYC information available. Being able to check a new customer against a shared master database might be a better governance model than the current one and might help overcome any political barriers to collaboration. Information sharing must of course respect the constraints of GDPR and other privacy requirements.
Given the unsettled political landscape, financial institutions must be seen to be proactive about sanctions. They need to put in place technology and mechanisms that protect their business from exposure to sanctioned countries, businesses and individuals. Failure to do so can lead not only to financial penalties, which as we have already seen can be in the billions, but also to serious reputational issues. Planning a strong compliance programme, identifying the right technology, sourcing the best staff or third-party suppliers to manage the implementation – multinationals will be comfortable to bank on financial institutions that take these steps.
For more information, please contact:
Andrew Pimlott, senior managing director, data and analytics
London EC1A 4HD
T: 020 3727 1285