Having recently been included in the Chartis RiskTechAI50, we’re proud to announce that Ripjar has also been recognised as a Category Leader in two Chartis RiskTech Quadrants for 2025:
Name & Transaction Screening Solutions
Adverse Media Monitoring Solutions
Chartis defines Category Leaders as exhibiting “strength across the broadest set of capabilities in the segment, showing a clear execution of core strategy and innovation”.
Assessments were based on a number of criteria, and we’re delighted to have scored consistently highly across the board, reflecting our dedication to building the most advanced products to help our customers stay ahead of financial crime risks.
Our success in this quadrant came from having a high-performing, scalable infrastructure, with robust integrations and global data coverage. Our flexible deployment model also put us at an advantage in this space.
Ripjar scored highly across all criteria for name and transaction screening, with particular recognition for our data methodology, and reporting and auditing capability.
Adverse media monitoring
For the adverse media monitoring quadrant, success factors included effectively using GenAI to improve results, removing ambiguity through the use of sentiment and contextual analytics, and the ability to integrate a wide range of data sets and provide high quality multilingual name matching and screening.
Ripjar performed strongly across all adverse media capabilities, with significant strengths identified in data methodology and packaging. Our use of advanced disambiguation techniques to provide clear, accurate screening results also set us apart.
Ripjar’s position in the rankings reflects the strength of its proprietary analytics, particularly its matching methodology. Ripjar has also built full workflow and automation capabilities around its analytical, matching and data capabilities, enhancing the usability of its solution.
In Ripjar’s recent Compliance Masterclass, co-hosted with FINTRAIL – now available to watch on demand – a panel of industry experts from FINTRAIL, Ripjar, Wise and Nomura explored all stages of the sanctions screening process, providing insights, advice and best practice on how to make the most of your screening outcomes. Here’s a round-up of some of the key takeaways from the session.
The importance of accurate screening outputs
In today’s regulatory environment – where data on sanctioned parties, politically exposed persons and entities who may present a higher risk of financial crime is ever-expanding – screening plays a vital role in detecting bad actors.
However, financial institutions face a mounting challenge: how to effectively manage ever-increasing screening alert volumes to identify and act on genuine risks without getting buried in false positives. To create efficient screening outcomes, financial institutions need to rethink the end-to-end process: not only how screening alerts are generated, but how they are investigated and resolved.
Screening alerts alone don’t dictate what action should be taken for a specific customer or transaction. Rather, they serve as the entry point for further investigation. As noted by the Wolfsberg Group, “the generation of an alert is not, by itself, an indication of sanctions risk.”
Accurate and auditable screening outcomes are crucial for two reasons:
They allow you to detect potential financial crime risk and any resultant actions that need to be taken.
They allow you to further tune and calibrate your screening system to generate better and more precise screening alerts in future.
Implementing an end-to-end alert process
Regulators are increasingly scrutinising alert handling processes, demanding not just that alerts are generated, but that they are managed, investigated, and documented with precision and consistency.
The European Banking Authority, for example, recently established standards on how it expects firms to carry out screening alert reviews, and in the UK regulatory standards focus on proper record keeping of resolved alerts.
Regulatory expectations
The EBA’s guidance states that policies and procedures should include:
Steps for starting to investigate all alerts generated.
Rules for the documentation of any decision taken in respect of alerts.
Measures to investigate alerts, such as procedures to assess and deal with indeterminate cases.
Different levels of review to be carried out in line with risk, by implementing at least a review by two people in relation to higher risk situations.
In the UK, JMLSG Part III 4.102 notes how firms should review screening alerts, including:
The process should be documented in writing.
Firms should keep an appropriate audit trail about every likely match.
A record of who made the decision and on what grounds.
A screening alert on its own will not define the screening outcome. Analysis is needed to confirm whether the alert is a match, whether funds need to be frozen, if the customer relationship needs to be terminated, if the customer’s risk rating needs to be increased, or if law enforcement needs to be contacted.
Key to reviewing screening alerts is having consistent disposition and decision-making throughout the firm, no matter how big or small, in order to comply not only with regulatory requirements but also the firm’s risk appetite. This could be achieved through:
Categorising alerts as high, medium or low risk based on the type of alert (sanctions, PEP or adverse media) and the strength of the hit (exact match or a fuzzy match).
Adoption of decision trees to ensure investigators review alerts in the same manner.
Identifying and escalating higher risk alerts – for example a nexus to high risk countries or exposure to certain high-risk industries – for expert review.
The use of the “four eyes” principle to ensure that at least two independent reviewers assess high-risk cases.
Many firms use a tiered approach for alert review and decisioning, whereby an alert will pass through several layers of review. For example, whereas all screening alerts will be reviewed by ‘Level 1’, and may need to be escalated to ‘Level 2’ for additional confirmation, the final determination of whether or not an alert is a true match and presents a risk to the firm may not occur until it is escalated to and reviewed by senior stakeholders at ‘Level 3’.
Documenting each step of the alert review process is crucial, not just for good practice, but for demonstrating robust governance. ‘Level 3’ decision-makers must be able to review the analysis and investigation already conducted, ensuring decisions are well-informed, defensible to regulators, and easily auditable. Clear documentation also streamlines escalations, reduces duplication of effort, and strengthens the overall quality of financial crime risk management. Furthermore, a clear audit trail of resolved alerts may be relevant for regulatory follow up or reporting.
Setting screening systems up for outcome success
Screening outcomes typically fall into four buckets:
True Positive: Correct escalation of a real risk.
False Positive: Incorrectly raised alert, which is later de-escalated.
True Negative: Correct non-match.
False Negative: Missed match and therefore an undetected risk for the firm.
In an ideal world, firms will be able to clearly identify and focus on true positives while ignoring false positives which carry no true risk exposure and lead to extra and unnecessary work. At the same time, firms will want to ensure that true risks do not slip through screening undetected. However, that is not always the case, and financial institutions face a number of AML compliance challenges in this area. As sanctions lists in particular expand, firms face rising false positives while spending less time detecting genuine alerts.
Understanding the root of false positives is not a one-off exercise but an ongoing process. Firms should continuously analyse data from past alerts to identify common triggers, refine matching logic, and adjust their thresholds. Leveraging historical alert data in this way not only reduces noise but also improves the precision of screening systems, enabling investigators to focus on genuine risks. Using past alerts to support ongoing tuning of screening systems can be done in two different ways:
Examining false positives: By analysing which types of alerts consistently lead to false positives, firms can refine their matching algorithms, exclude irrelevant data sets from screening, or apply different rules to specific client segments and thereby develop more precise rules for alert generation.
Examining false negatives: By conducting “below the line” testing – the process of examining unseen alerts below the matching threshold set by the firm – firms can better understand what their systems might be missing and whether any false negatives have occurred.
Finally, effective screening outcomes are fundamentally dependent on two components: screening the correct watchlist data against high-quality customer data. At a minimum, firms should screen against any watchlists that they are legally required to comply with (for example sanctions lists) and lists relevant to their jurisdiction (for example PEP lists and specific adverse media lists). At the same time, customer data should also be of a good quality and consistency to ensure efficient screening alerts are generated.
Screening outcomes and AI
AI offers powerful possibilities in screening by rapidly analysing screening alerts to detect patterns, identify high risk alerts, and support enhanced decision-making. For example:
Enrichment of alerts: AI can be used to pull out additional data points (such as location data or beneficial ownership data) to provide further context to a screening alert which would otherwise only contain limited information. This can aid investigators in arriving faster, and more efficiently, at screening decisions.
Identifying high risk alerts: AI can be used to score and identify higher risk alerts that should be prioritised for review, due to a combination of the strength of the screening alert, the list it is matching against and the potential regulatory consequences.
Dealing with false positives: In certain situations, AI can even be used to auto-close alerts that are clearly false positives. Firms should note that where AI is used to make decisions, regulators expect firms to be able to demonstrate full governance and oversight over the AI’s decision-making remit.
From alerts to action
As regulatory scrutiny increases on how firms are conducting screening, firms must consider not only how they are generating screening alerts but also how they are reviewing these alerts and arriving at the right screening outcomes.
In summary, here are three things firms should do to ensure their screening process is set up for outcome success:
Undertake ongoing testing and tuning to understand the root of false positives. Analyse data from past alerts to identify types of alerts consistently leading to false positives to refine matching algorithms and rules going forward.
Screen the correct data. Carefully select the watchlists to be screened against, and ensure that the customer data used for screening is of sufficient quality to generate relevant screening alerts.
Create documented procedures for alert review and escalation. Establish clear, written procedures for how alerts are reviewed and escalated (for example, through decision trees and prioritisation of high risk alerts), including who makes decisions and on what grounds.
The guidance focuses on facilitating access to formal financial services for unserved and underserved persons, including those in low-income groups, or groups that may struggle to verify their identities easily.
Commenting on the release of the guidance, FATF President Elisa De Anda Madrazo pointed out that inclusion doesn’t just help disadvantaged people gain access to legitimate financial services, but contributes to the global fight against financial crime because it “reduces the size of the black and informal markets where criminals and terrorists hide their operations.”
As national governments adopt the new guidance, firms may need to adjust their anti-money laundering (AML) and counter-financing of terrorism (CFT) solutions. With that in mind, let’s take a closer look at the issues and risks surrounding financial exclusion, and explore the key takeaways of the 2025 guidance for domestic compliance teams.
What is Financial Exclusion?
While AML/CFT measures are a critical part of the global fight against financial crime, if they’re applied too rigorously as part of a risk-based approach to compliance they can have unintended consequences – namely, excluding persons from the financial system unfairly.
The over-application of AML/CFT measures is known as de-risking and is typically a result of firms seeking to manage a high level of compliance risk. De-risking is more likely in high risk industries and regions, and can affect vast groups of people with no connection to criminal activity, especially if they are from underprivileged backgrounds where other risk factors, such as a lack of formal identification (driving licences, passports, etc.), create additional barriers to financial services.
Why is Financial Exclusion a Compliance Issue?
Financial exclusion is often unfair, but it can also be harmful because it can actually increase the risk of financial crime, rather than reducing it. People who are excluded from the financial system are left with no choice but to use unregulated alternatives, either turning to black markets, or engaging in crime themselves and attempting to launder the proceeds.
These alternatives are, by definition, harder to monitor, and support wider criminal networks, not to mention ultimately adding to the AML/CFT compliance burden that firms face.
That’s why the new guidance from the FATF is so valuable. By turning a new regulatory focus on financial inclusion, firms can, in theory, bring more people into the legitimate financial system without compromising the integrity of AML/CFT controls.
The Key Takeaways
So, how does the new FATF guidance achieve its financial inclusion objectives? Let’s explore the key takeaways.
Proportional AML/CFT Measures
The FATF recommends that firms take a risk-based approach to AML/CFT compliance. Under previous guidance, that approach entailed a “commensurate” response to risk. Under the 2025 guidance, that term has been updated to “proportionate”.
The change reflects the need for countries to avoid imposing a uniform “one size fits all” AML/CFT regime on obligated entities. Under the proportionate risk-based response, firms have the flexibility to adjust their compliance solutions to match the “level and nature” of the risk they face, rather than simply excluding customers immediately.
Digital Onboarding Legitimacy
The guidance highlights the legitimacy of digital and non-face-to-face onboarding methods for financial services, provided that appropriate safeguarding measures are in place, and that the level of risk is manageable. The option of conducting digital and non-face-to-face onboarding makes it easier for some customers to open bank accounts where travel or other issues relating to physical distance might represent a barrier.
Automatic Risk Classification
The FATF guidance states that financial institutions should not automatically classify unserved and underserved persons as presenting a low AML/CFT risk, but points out that “risk assessments often conclude that they present a lower risk.”
It goes on to stress that financial inclusion initiatives must be predicated on the proper application of the risk-based approach, including an effective risk assessment process with “enhanced measures for higher risk” and “simplified measures for lower risk.”
De-risking Sectors and Populations
The guidance emphasises that the FATF has “long recognised the harmful impact” of de-risking, and that the practice is “not in line” with the risk-based approach that it mandates. It specifically warns against the “wholesale cutting loose of entire classes of customers” without properly taking their risk into account – in other words, applying appropriate risk mitigation measures on the level of individual customers.
Financial Inclusion Goals
The FATF recommends that governments formally incorporate financial inclusion goals into their National Risk Assessments (NRAs).
While it recognises that there is “no single or universal methodology” for conducting an AML/CFT risk assessment, the FATF suggests that NRAs should set out key concepts and stages involved in the process, in order to support “effective, proportionate implementation”. It also emphasises that NRAs should be coordinated at a national level, and be “comprehensive in scope”.
Financial Inclusion with Ripjar One
The FATF guidance suggests firms should reframe financial inclusion as an important part of their risk management strategies. However, in order to achieve better compliance outcomes for unserved or underserved customers, compliance teams need to be able to collect and analyse vast amounts of risk data accurately and efficiently, and make decisions with confidence.
Ripjar One is designed to address that challenge. Powered by cutting-edge artificial intelligence, Ripjar One is a next-generation AML risk management platform that creates a comprehensive view of customer risk, consolidating static and dynamic risk data from thousands of sources, including sanctions lists and watchlists, adverse media, and more.
The European Banking Authority (EBA) released new guidelines on sanctions screening in November 2024. Scheduled to come into effect across the EU on 30 December 2025, the guidelines set out the regulator’s expectations for how financial institutions (FIs) should implement governance, policies, procedures, and controls for their sanctions screening solutions.
With less than 6 months left before the new compliance requirements come into effect, it’s critical that obligated entities prepare, by reviewing and uplifting existing screening measures or developing new measures. In this post, we’ll explore that process in more detail.
What are the EBA guidelines?
The EBA’s November 2024 guidelines actually comprise two sets of guidelines, and apply in the following ways.
1) Guidelines for All Financial Institutions (EBA/GL/2024/14)
The first set of guidelines concerns all FIs in the EU: banks, credit institutions, investment firms, and so on. The guidelines specifically focus on governance and risk management systems for sanctions compliance, and require FIs to:
Implement and maintain up-to-date sanctions compliance policies, procedures, and controls.
Establish a clear, well-defined governance structure and allocate responsibility (including to senior management) for sanctions compliance.
Conduct a sanctions risk exposure assessment to inform decisions on the controls and procedures necessary to establish effective sanctions compliance controls. The EBA has stated that this assessment should “be based on a sufficiently diverse range of information sources”.
Implement regular training programmes to ensure compliance teams are able to identify, assess, and manage sanctions compliance risk.
2) Guidelines for PSPs and CASPs (EBA/GL/2024/15)
The second set of guidelines concerns payment service providers (PSPs) and crypto-asset service providers (CASPs). They focus on bringing these FIs under the scope of existing sanctions compliance regulations when handling specific types of transactions, including transactions involving crypto-assets. The guidelines require PSPs and CASPs to:
Choose and implement reliable sanctions screening solutions, and test their reliability regularly.
Define the dataset that they will be screening against the EU sanctions list and, where relevant, national restrictive measures.
Ensure that their sanctions screening measures are capable of verifying designated names on sanctions lists, managing the inherent risks involved in the screening process, and addressing the risk that customers engage in sanctions evasion strategies.
Preparing Your Screening Solution for Compliance
With the implementation date now on the horizon, it’s time for FIs to prepare their compliance teams, and adjust their screening solutions.
Here are the key stages in that process.
1. Align policies and procedures
Conduct a gap analysis to determine how your existing sanctions screening framework measures up against the EBA guidelines. Focus on identifying weaknesses in governance, technology, training, and documentation.
2. Update investigative steps
Following any updates to your screening policies and procedures, codify the steps your compliance team will take when investigating sanctions alerts. For example, set thresholds for escalating sanctions name matches, and define responsibilities within the compliance team.
3. Documentation of compliance process
Ensure your compliance process is fully documented, with an option to log the reasons for compliance decisions in a centralised and secure location. Your compliance documentation may be critical to subsequent investigations by law enforcement agencies, and so your decisions, and the information on which they were based, must be explainable and readily available for audit.
4. Invest in technology
For most FIs, manual screening methods will not be capable of meeting the EBA’s screening requirements. In order to achieve compliance, FIs should invest in screening technology capable of searching thousands of global sanctions lists and watchlists, along with other critical risk data sources such as adverse media stories, beneficial ownership lists, and politically exposed persons (PEP) lists.
Given the scope of the new screening obligations, many firms will find value in AI-powered screening tools capable of advanced analysis of huge volumes of unstructured data, and of making connections between risk data points that human compliance teams and manual tools might miss.
5. Train people and test processes
Your screening technology is only as good as the human compliance experts managing it. Develop a training schedule to familiarise compliance team members with new screening policies and procedures, and new screening technology integrations. Similarly, perform regular testing to identify weak spots in the new compliance process.
6. Risk-based review
Implement different levels of review for higher-risk sanctions alerts, such as those involving high-risk jurisdictions. While a sanctions list check may be sufficient for routine transactions, higher risk alerts may warrant enhanced due diligence, including supply chain risk screening and global adverse media searches.
Stay Ahead of Sanctions Risk with Ripjar One
With the EBA’s new sanctions screening guidelines imminent, it’s up to you to make sure your team is ready, by putting the right people, the right policies, and the right tools in place.
Powered by next-generation AI, Ripjar One is designed to help FIs manage that challenge, and take on an increasingly complex sanctions landscape.
Consolidating static and dynamic risk data seamlessly, including sanctions lists, adverse media, beneficial ownership registers, and transaction alerts, Ripjar One is a comprehensive screening solution that empowers compliance teams to make faster, stronger compliance decisions, identify risks more effectively, and optimise compliance outcomes for both their businesses and their customers.
“Third-party risk is both daunting and kaleidoscopic.”
In global businesses, an endless stream of parties must be assessed, from payment counterparties to the value chain of suppliers and distributors. Furthermore, each party is examined for a growing list of risks, including compliance, ethical, reputational and prudential.
More than ever, businesses need a comprehensive and flexible risk management tool that scales up and down as needed to assure a consistent risk process and a singular library of all third-party risk. Welcome to Ripjar 3P60.
Different risks, different challenges
There are four key categories of third-party risk, each presenting distinct operational challenges:
Compliance risk
Legal obligations to comply with sanctions, restricted party classifications and export controls all bring compliance risks. Businesses typically assess this risk through simple screening tools in a low latency environment, such as customer onboarding or counterparty payments. False positives proliferate here due to difficulties with name matching and entity resolution.
Reputational risk
Potential headline risk associated with customers, suppliers, distributors or other third parties can impact your reputation. In recent years, this type of risk has taken on a life of its own, especially in relation to forced labour, child labour or human trafficking. But risk coverage goes beyond these disturbing topics to cover areas including corruption, fraud, non-delivery and potential criminal wrongdoing.
Risk assessment here involves screening against wrongdoer lists and adverse media. False positives abound, due largely to ineffective entity resolution, especially among commonly used names.
Prudential risk
How well do you know your value chain? That indispensable group of suppliers and distributors? Do you know who controls them? Do you know all beneficial owners? Do you know their reputation in the market? Do you know their performance history? Do you know what political, corruption and sovereign currency risks may affect them?
Corporate entities tend to manage this risk through a largely manual process of researching, mapping and assessment. Ownership structures are identified and assessed. Political risk environments and supply routes are identified and assessed. These assessments, plus reputational risk gauging, are brought together and scored. The process is incredibly complex, heavily manual and needs to be continuously updated. In short, it is very expensive to fully implement.
Ethical risk
Do the parties you deal with share your values? Do they, or will they, follow your ethical policies and procedures? Often, risk is managed here through the use of certifications. Businesses will require suppliers and distributors to certify – usually annually – that they follow the firm’s ethical policies or procedures, or at least follow similar ones of their own. This annual certification process is tedious, time-consuming and full of manual tracking processes.
Risk strategy vs business reality
While the types of third-party risks are straightforward, the methods businesses use to assess these risks are anything but. Not every firm believes managing all these risks is prudent or commercially reasonable. No two businesses face the exact same risks, while risk tolerances – or “acceptable loss norms” as they are more broadly known – differ widely.
Some firms, therefore, make the commercially reasonable decision not to incur management expense related to particular risks, such as hiring personnel to manage the process, eliminate false positives and update results accordingly. And, even those that manage all four types of risk across the board rarely do so in a similar manner. Certain risks receive substantial management attention, while others are relegated to a “compliance only” status.
“Clearly, this is a market where one size does not fit all.”
You need a tool that fits your specific risk tolerance and enables you to scale up and down as needed. All risks and risk parties potentially need to be covered, even if you address each in your own bespoke way. You need a single, consistent and configurable way to assess and view risk, as well as an easily accessible central library providing single risk panes for all parties.
The good news is that current technology makes all this possible. A single, scalable platform is much more achievable now, and the latest AI has substantially lowered investment costs, as the number of employees required to run your system is a fraction of what it used to be.
Welcome to Ripjar 3P60
Ripjar 3P60 is the only tool on the market to afford you this convenience. The tool comes in three variations, each sharing configurable workflows which can be tailored specifically to your organisation, a common risk assessment schema, and an AI-powered Digital Assistant to double check your team’s work, reduce false positives, and constantly update your results.
“Thoroughness, consistency, flexibility, efficiency and tailoring is what you need.”
Ripjar 3P60 comes in three options to suit different third-party risk management requirements:
Ripjar 3P60 Screen
This dual low and high latency screening engine enables you to satisfy your regulatory compliance obligations. Screening against a potentially limitless group of sanctions, restricted party and export control lists, Ripjar 3P60 Screen utilises the latest in probability-driven entity resolution and AI digital assistant technology to significantly reduce false positives and work to avoid all false negatives. Its configurable scoring matrix allows you to customise your risk assessments to meet your needs, enabling all results to be scored properly and consistently.
Ripjar 3P60 Assess
This option meets your compliance and reputational risk needs as well as covering baseline prudential risk management. Screen all counterparties for compliance purposes, screen all suppliers and distributors (and potentially some or all customers) for reputational risk concerns, and identify all beneficial owners and control persons across your value chain.
Ripjar 3P60 Assess is backed by the same technology and features as Ripjar 3P60 Screen, while enabling you to cast the net wider to assess a broader range of risks. Your AI-powered Digital Assistant will continuously monitor and update records, scores and approvals as needed, and will create the building blocks to establish your global value chain map.
Ripjar 3P60 Intelligence
This comprehensive solution covers all your third-party risk management needs. Everything in Ripjar 3P60 Screen and Assess is included, plus a full value chain map listing vulnerabilities from political, sovereign and transport route risks. All parties are thoroughly vetted and assessed, with your Digital Assistant working continuously in the background and supporting your team to avoid false negatives and positives.
Your Digital Assistant ensures that all work is up to date and properly assessed according to your configured scoring rules. Furthermore, our ethical certification engine configures certifications for your needs, with Ripjar’s Digital Assistant constantly tracking and ensuring compliance across your supplier and distribution chains.
We’re proud to have been included in the Chartis RiskTechAI50 2025 – a ranking of the world’s most influential AI vendors in risk management technology for financial services.
The RiskTechAI50 is an annual benchmark undertaken by Chartis Research, the leading provider of research, advice and in-depth analysis on the global risk technology market. The ranking evaluates companies’ solutions based on impact, deployment, strategy and innovation. These four scoring criteria focus specifically on the application of AI to meet the evolving demands of risk and compliance in financial services.
Ripjar’s placing in our RiskTech AI 50 ranking reflects several key capabilities. Foremost among these are the company’s state of the art and foundational AI tools, which power its robust screening and investigation capabilities.
Sid Dash, Chief Researcher at Chartis
Ripjar’s placement in this year’s list reflects our continued leadership in AI-driven AML risk management, with particular emphasis on how our solutions provide automated workflows and continuous risk profiling powered by advanced AI, as well as enhancing screening with networking capabilities to identify hidden risks and connections.
“At Ripjar, we believe that AI should do more than power new features – it should transform how organisations fight financial crime, manage risk, and serve their customers. This recognition from Chartis validates our strategic focus on embedding scalable, efficient AI into operational contexts where it delivers meaningful outcomes for our customers.”
Tom Obermaier, CEO, Ripjar
When assessing ranking criteria, Chartis focused on AI solutions that deliver “measurable, real-world benefits” while providing effective, proportionate solutions to customer challenges. Low-latency and scalability were also highlighted as key factors in highly ranked solutions – both of which are core to Ripjar’s product development approach.
We’re honoured to be included among the most forward-thinking firms in AI and risk management, and we remain committed to helping our customers tackle their toughest challenges with the most innovative use of trusted AI technology.
Sanctions risk is a fact of life for every global business but in the last few years, that risk has grown significantly. Geopolitical crises, such as Russia’s invasion of Ukraine, have prompted governments to add hundreds of new designations to sanctions lists, and renew or expand existing measures. The US, for example, added over 3,100 names to its Specially Designated Nationals (SDN) and Blocked Persons List in 2024 – a 25% increase on 2023.
In this climate, sanctions obligations don’t end with a round of basic checks of global watchlists. Compliance solutions need to be capable of dealing with the direct sanctions risk exposure posed to firms by their customers and clients, but also with the third party risk posed by their supply chains.
An organisation’s suppliers, partners and vendors may represent third party networks that span multiple jurisdictions, geographies, goods, intermediaries, and ownership structures. Add to that, the potential for bad actors attempting to evade sanctions, or conceal their actions with shell companies, and the supply chain risk factor quickly becomes considerable.
Given the complexity of this environment, and the potential regulatory penalties, it’s imperative that sanctions risk is treated as a core compliance priority as firms build their supply chain.
And the best way to approach that challenge is to build robust sanctions compliance into the supply chain from the outset, with a solution that can adapt to an evolving regulatory landscape and emerging geopolitical risks.
In this post, we’re going to discuss the key steps involved in doing just that.
Effective screening remains the best way for firms to learn about their clients and establish the sanctions risks that they pose. Accordingly, acquiring suitable screening technology should be your first priority when building a sanctions-ready supply chain.
However, while most approaches to sanctions compliance entail a screening process for clients, involving a search for names designated on the relevant sanctions lists (such as the SDN list), supply chain risk requires a much broader screening scope.
That means that you must implement screening technology capable of covering all relevant counterparties that form part of the third party network – vendors, suppliers, partners, and so on – in those list searches. This comprehensive approach to sanctions risk shouldn’t stop at list searches, either, but should serve to acquire as much data as possible on search targets including:
Adverse media stories: Sanctions risk is often revealed in adverse media stories long before persons are officially designated on sanctions lists. Investigative journalists may break stories that expose sanctions evasion activities and indicate that you should change your compliance response.
Politically exposed persons (PEPs): Elected officials and government employees pose a greater sanctions risk because of their proximity to political and bureaucratic financial resources.
Following Financial Action Task Force (FATF) recommendations, sanctions screening solutions should be risk-based. This means that you must deploy compliance measures in proportion to the risk that your organisation faces: lower risks demand a less intensive compliance response, higher risks, a more intensive response.
However, the effectiveness of a risk-based screening solution relies on you being able to accurately assess your supply chain to determine the risk that it poses. The sanctions risk assessment serves to help establish your risk appetite, define thresholds for compliance decision-making, and then dedicate resources to achieving those compliance objectives.
To conduct an effective risk assessment, you need to map your supply chain and capture any relevant risk factors. These may include:
Sanctions lists: It’s important to identify the relevant sanctions lists that pose a compliance risk to your organisation. For example, firms in the EU must screen against the EU consolidated list, and so on.
Industry: Different industries pose different levels of sanctions risk. Persons involved in, or connected to the shipping industry, for example, or those that trade in dual-use items, often carry a high sanctions risk.
Location: Supply chains that touch certain geographic locations, such as Russia, China, and the Middle East, may carry an elevated risk.
Corruption: Supply chains that involve jurisdictions with comparatively weaker regulatory infrastructure may be more vulnerable to corruption and associated sanctions evasion activities.
Step 3: Leverage Technology and Data
The success of the steps outlined above is dependent on you being able to implement a technology solution capable of managing the vast amounts of data involved in the supply chain risk assessment process. The solution must also output high quality intelligence that facilitates effective compliance decision-making in a constantly evolving sanctions risk landscape.
Given the expanded data demands of supply chain compliance, you’ll need to move your solution beyond manual processes and focus on automating as much of the process as possible, enabling your compliance team to focus their time on the activities where their skills are best used. With that in mind, you need your sanctions screening technology tools to deliver the following capabilities:
Real-time monitoring to help identify suspicious activity, including red flag indicators of sanctions evasion.
Data integration from a wide range of sources, including sanctions, watchlists, PEP data, adverse media, plus your own internal data in both structured and unstructured formats.
Entity resolution and advanced analytics capable of revealing hidden links to sanctions risk, and connecting supply chains to persons designated on sanctions lists.
Global adverse media screening capabilities covering screen and print media, digital media, and social media content.
Multi-language tools capable of screening natively against foreign language sources, and accounting for regional spelling and naming variations.
Automation to streamline responses to sanctions risk, including triaging alerts, assessing evidence, and automatically reviewing and closing false positive alerts.
Step 4: Train and Raise Awareness Across Your Organisation
A sanctions screening solution is only as good as the human employees that run it. To that end, you’ll need to ensure your compliance team members understand the organisation’s risk appetite, and have the necessary expertise to deal appropriately with the outputs and alerts that your solution generates.
So, to keep compliance teams up to speed with the capabilities of your screening technology, and the latest regulatory developments, you’ll need to implement a schedule of regular training and skill development. Your goal should not only be to impart regulatory and technical understanding, but to create a culture of compliance in which emergent challenges don’t disrupt services, and teams can adapt quickly to new risks.
You’ll need to extend this culture of sanctions compliance across your wider business, especially if your firm is part of a larger group of companies where some may be operating in different regulatory environments. This could mean establishing your sanctions obligations at group level, identifying further obligations for different locations, developing additional training materials, and implementing a mechanism to verify that overseas branches, subsidiaries, and local partners have understood, and are compliant with, the relevant standards.
To facilitate this kind of organisation-wide transformation, think about:
Policies: Consider centralising your compliance policies while localising specific controls.
Overseas training: Focus on training overseas offices on key sanctions obligations and red flag indicators of sanctions evasion activity specific to their locations.
Tools and frameworks: Provide access to shared screening tools and decision-making frameworks to ensure a consistent approach.
Step 5: Maintain Robust Third Party Due Diligence Processes
Your supply chain sanctions compliance work is never done – it’s an ongoing process that evolves and grows with the business relationships that you maintain, and the sanctions risks that you face.
It’s therefore important to think about the following third party due diligence processes:
Continuous monitoring: Don’t simply conduct a risk assessment at the beginning of a business relationship as a one-off. You’ll need to monitor third parties in your supply chain constantly to ensure their risk profiles remain accurate. Leverage technology to automate rounds of screening and integrate real-time adverse media monitoring tools to be notified of changes in risk as soon as possible.
Geopolitical risk: Stay informed of emerging areas of geopolitical risk as a way of anticipating sanctions risk. The greater your awareness of potential new risks, the better able you’ll be to adjust your sanctions solution.
Evasion strategies: Be aware of the latest sanctions evasion tactics. Monitor for updates and guidance from relevant national and international regulators, such as the FATF, to ensure you receive the correct information and advice when the global risk landscape changes.
Reassess regularly: Conduct periodic risk assessments to test the efficacy of your supply chain risk solutions. Reevaluate your risk appetite after regulatory updates and geopolitical events.
Master Supply Chain Screening with Ripjar
In a period of unprecedented geopolitical uncertainty, it’s more important than ever to protect your organisation, and your reputation, from risk. You can do that by extending your sanctions compliance priorities to your supply chain, and leveraging technology to shoulder the increased data burden.
Ripjar’s AI-powered screening platform Ripjar 3P60 is designed to help firms meet that goal. A scalable, comprehensive approach to third party risk management, Ripjar 3P60 builds automated efficiency, flexibility, and resilience into your third party screening process, leveraging advanced machine learning to help you spot supply chain risks, and deal with them before they can harm your business.
The proliferation of weapons of mass destruction (WMDs) is one of the critical security issues of the 21st century. With geopolitical tensions rising, the business community must play its part in preventing terrorist and criminal organisations from not only acquiring these types of weapons, but also facilitating their movement around the world.
In this climate, spotting potential proliferation financing activity is a compliance priority. This means that firms must understand the relevant regulations, and adjust their screening solutions to account for risk exposure.
What is Proliferation Financing?
Proliferation financing (PF) is the act of providing funds that support the movement of WMDs, including nuclear, chemical, and biological weapons, around the world.
Given the elevated global risk of terrorist attacks, and the challenges involved in detecting financial crimes, governments have placed regulatory obligations on businesses, and particularly on financial services firms, to help combat PF and target its sources.
PF shares characteristics with other financial crimes, specifically money laundering and the financing of terrorism, and so may be detectable via existing screening measures. Persons involved are often designated on sanctions lists, for example, or may attempt to conceal their transactions via shell companies and corporate infrastructure.
In other contexts, however, it is harder to detect PF because related transactions and activities do not necessarily share the same red flag indicators of criminality. For example, criminals may seek to bypass regulations and screening measures by transporting only legal component parts of WMDs, or by transporting “dual use” materials that may be repurposed for the construction of WMDs by end users.
The risk of PF goes beyond persons directly paying for the transport of WMDs, and extends to persons that may be providing services unknowingly. On the other hand, persons that are knowingly involved in PF often employ sophisticated tactics to evade screening measures. In some cases, heavily sanctioned governments may engage in PF activity, and use state apparatus to do so.
High Risk Countries
Certain countries represent a higher PF risk than others. These include:
North Korea: The government of North Korea is actively pursuing a nuclear weapons programme and has demonstrated a willingness to attempt to evade sanctions.
Russia: Heavily sanctioned by multiple countries since the invasion of Ukraine in 2022, Russia is attempting to evade restrictions by importing dual use materials for use in military weapons technology.
Iran: The government of Iran has demonstrated an ongoing desire to develop a nuclear weapons programme.
China: China has demonstrated a desire to expand its own nuclear arsenal, and has facilitated other countries’ evasion of sanctions, including North Korea and Russia.
Syria: Under its previous government, Syria was known to have deployed chemical weapons, and financed its acquisition of WMDs via the sale of oil and petrochemicals.
Global Regulatory Response
Governments around the world are increasingly framing PF as a serious criminal risk. However, other than designation in sanctions programmes, dedicated PF regulations lag behind those applicable to similar financial crimes, such as money laundering and terrorist financing.
In light of the FATF’s strengthened focus on PF, the United Kingdom has led the international community in taking regulatory action. In 2021, for example, the UK government conducted its first National Risk Assessment of Proliferation Financing (NRAPF). Given the UK’s status as an international financial hub, the NRAPF suggested that the UK government put regulatory measures in place to address PF risk.
Accordingly, in 2022, the UK government amended the Money Laundering and Terrorist Financing Act to introduce new PF identification and risk screen requirements. The UK has also applied strict liability to sanctions breaches, meaning that penalties may be applied regardless of knowledge or intent behind the violation.
Firms that break PF rules and regulations face serious financial and even criminal consequences.
In the UK, for example, under the Money Laundering Act, the Office of Financial Sanctions Implementation (OFSI) has the authority to impose unlimited fines, and prison sentences of up to 7 years for PF rules breaches. Those penalties may be imposed in addition to existing sanctions rules, under which OFSI can fine companies up to £1 million, or 50% of the value of the offending transaction (whichever is greater), and name and shame companies publicly.
Regulatory Risk to Financial Institutions
Banks and financial services organisations are on the front line in the fight against PF, and may be exposed to compliance risk in numerous ways. Key examples of PF risk include:
Layered transactions: Persons designated on sanctions lists may route transactions through multiple accounts in order to obscure their origin and evade screening measures.
Dual use materials: Companies trading in dual use materials, particularly technology such as aerospace components or microelectronics, pose an elevated PF risk.
Shell companies: Criminals may attempt to use shell companies or complex corporate infrastructure to obscure the origin and destination of PF-related transactions.
Missing or incorrect transaction details: Criminals may intentionally withhold or misspell PF-related transaction details in order to evade AML/CFT scrutiny.
High risk countries: Transactions that involve parties in high risk AML/CFT territories (such as those listed above) carry an elevated PF risk.
Cryptocurrency: The anonymity of cryptocurrency transactions puts them at a higher risk of involvement in PF activity.
Third Party Risk
PF activity typically involves firms’ relationships with third party organisations, such as shipping and transportation companies. With that in mind, PF compliance screening should go beyond a singular focus on companies in the financial sector, and include relationships up and down the supply chain.
That means screening measures should account for the complexity of supply chains, and the potential for regulatory disparity across international borders. Key third party and supply chain risk factors include:
Persons designated on global sanctions lists.
Companies trading in dual use materials.
Suppliers operating in high risk industries, such as shipping.
Suppliers operating in high risk jurisdictions.
Persons designated on politically exposed persons (PEP) lists.
While third party risk factors may not necessarily result in direct regulatory violations, firms that are revealed to have relationships with third parties that are exposed as being involved in PF often incur reputational damage.
Implementing a Proliferation Financing Risk Management Strategy
The scale and complexity of PF risk means that firms should carefully consider their compliance posture, and, ideally, integrate an AML/CFT screening solution to help them manage their threat environment.
An effective PF risk management strategy should involve the following measures and controls:
Screening during onboarding
Firms should establish new clients’ PF risk levels as quickly and as accurately as possible. This means conducting robust customer due diligence (CDD), and applying suitable screening measures during onboarding, with a focus on sanctions designation, and designation on PEP lists. The screening process should be global in scope, which means searches should be conducted in multiple languages, and include scrutiny of other critical risk indicators, such as adverse media stories.
Beneficial ownership
As part of the due diligence process, firms should aim to establish the beneficial ownership of client companies in order to account for the possible misuse of shell companies or complex corporate structures as a means to disguise PF activity.
Continuous monitoring
Following onboarding, firms should continuously monitor their clients for PF risk in order to account for changes to risk profiles over time. This means maintaining a regular screening schedule with a focus on updates to sanctions lists, suspicious transaction patterns, changes in company ownership, and emerging adverse media stories.
Risk scoring and segmentation
PF screening should be risk-based. With that in mind, firms should seek to establish a risk scoring system to enhance their risk assessment process, with higher scores applied to higher risk jurisdictions, industries, and transactions, or to persons designated as PEPs. Similarly, audience segmentation – the process of grouping audiences by risk characteristics – can help compliance teams conduct risk assessments more efficiently.
Sanctions and watchlists
Effective sanctions and watchlist screening is a critical component of PF compliance. Firms must implement sanctions solutions that capture domestic and international sanctions designations, and listings on the relevant watchlists.
Adverse media
Changes to a client’s risk profile may be revealed by the media before they are confirmed officially. With that in mind, PF screening should include automated adverse media searches, in multiple languages, and with sufficient scope to capture third party risk.
Going Beyond the List
Given the global scale of PF, it’s critical that compliance solutions “go beyond the list”, which means going further than simple sanctions and watchlist name searches, and instead building out the most complete risk profile possible for each client.
That means leaving manual screening processes behind and, instead, implementing automated AML/CFT screening tools with powerful name search and identity matching capabilities. The tools that you choose should be able to screen against thousands of data sources, in multiple languages, while accounting for sanctions evasion tactics, disparities in spelling and naming, and the possibility of PF risk emerging from third party relationships and PF-adjacent activities. With those factors in mind, and the need to manage vast amounts of customer screening data, it’s worth leaning into the efficiency benefits of AI-enhanced search technology, which can not only boost the accuracy of PF screening results, and reduce false positives, but support stronger compliance decision-making.
This is what every compliance officer says when talking about screening today. Little to nothing has changed on the technology and data front, despite ever increasing demands placed on compliance professionals.
This once simple compliance process is now anything but. Sanctions screening has grown beyond simple Latin alphabet name matching to include multi-alphabet and street address matching, not to mention the newer regulatory requirement to identify related and “network” members. Politically exposed person (PEP) identification has moved well beyond matching against established third party lists, to include potential unrelated and non-network “close associates”. Adverse media screening, once destined for the privileged few, is increasingly being demanded across all client segments.
Despite this changing landscape, regtech providers haven’t budged. “Static” data providers continue to generate lists based on their own assessments of who is important, and who isn’t, regardless of your risk tolerance. Or, worse, they provide media feeds of literally billions of articles, asking you to filter relevance. Screening tech firms are even worse, employing “fuzzy logic” (lots of fuzz, little logic) ostensibly to show their solutions’ ability to reduce false positives, even though regulators, from the beginning, primarily emphasise avoiding false negatives.
But from a risk perspective, the situation is even worse. Screening occurs on many levels – clients, payments and counterparties. The risk demands are similar across all levels; however, the regtech solutions at times produce materially different outcomes. Screening at each level differs, as name matching and risk scoring typologies differ markedly. Similar risks are treated differently, causing frustration for any risk manager.
All this changes today.
It’s time to move to a 21st century solution and embrace the latest in technology from advanced data science, probabilistic programming and AI, all brought together in Ripjar’s powerful tech. Combine all your static data, including third party lists from sanctions, PEP and adverse media providers, as well as your own lists such as Do Not Do Business (DNDB), Approved Counterparties, and “Reported”. Then integrate this with your dynamic information, such as payment and account transaction data, to create a single “risk brain” – a holistic assessment process that produces the far too elusive “one pane of glass” for all clients, counterparties, originators, beneficiaries and, even, vendors.
Ripjar One
Unlimited data integrations
Enhanced with UBO data and transaction monitoring
Continuous live risk scoring with Dynamic Risk Profiles
Networking and advanced workflow capabilities
Backed by Ripjar’s powerful Digital Assistant
Welcome to the Ripjar One family of products
Ripjar One’s product family uses dynamic risk profiling to give compliance officers the power to achieve in today’s environment. Rather than relying on static risk profiles judgmentally created by third parties, dynamic risk profiling creates your own unique profile for each of your clients, counterparties, and even payment originators and beneficiaries. Powered by the latest AI technology, each profile is live, constantly checked in accordance with your rules, scored against your risk appetite, and continuously updated for new developments from both the outside world (such as sanctions or adverse media) and the inside (such as a new transaction monitoring alert or DNDB designation).
How dynamic risk profiling works
Centralise: Combine all your client name screening activities into one engine, regardless of whether the data is structured (by a third-party or your firm) or unstructured. This is then all searched as one, powered by the latest probabilistic-based name matching capability, and expandable to incorporate the results of your transaction screening and transaction monitoring systems’ outputs.
Unify: Subject all your processes to a single risk scoring methodology, completely configurable to meet your needs. All your screening risks will be treated not just in a similar, but the same manner.
Clarify: Build your own profile for every client and counterparty. Relevant output from your third party and internal sources is blended into your very own curated, dynamic risk profile. The profile is AI-generated, summarising the critical data points, and even highlighting links with other related and unrelated parties. The profile has a unique ID so it can be easily retrieved in milliseconds. The profile is the alert, sent to your team for review. And your Digital Assistant double checks your team’s work, notifying you of potential discrepancies.
Monitor and update: Your Digital Assistant works in the background constantly to update profiles when material changes occur and alert you when necessary. These changes are highlighted to expedite review.
The benefits are numerous
One risk profile from all systems transforms static data into a dynamic answer, constantly updated, giving you the most complete risk picture.
One system eliminates redundant work arising from running multiple systems and processes, substantially increasing productivity.
False negative risk is substantially reduced through consolidating different characterisations from different lists into a uniform whole and having your Digital Assistant work as a “sixth pair of eyes” to double check your screening team’s work.
False positives are nearly eliminated from the use of a mathematically-driven probability matching schema and AI assessed alerting which prioritises alerts for review according to your rules, providing exponential ROI.
Identify hidden relationships and networks to significantly improve your compliance efforts.
Supply chains are critical to the global corporate landscape, but any reliance on a third party also comes with a level of regulatory risk, which firms must factor into their compliance solutions.
From breaches of anti-money laundering (AML) and counter-financing of terrorism (CFT) rules to institutional corruption, cyber-security failures, and human rights abuses, the consequences of third party risk can be just as damaging as internal regulatory failures – not least because incidents often also inflict reputational damage. Third party risks are not a low-priority issue: a focus on cybersecurity risk alone reveals that up to 98% of organisations worldwide have had a business relationship with a third party vendor that has suffered a data breach.
Awareness and understanding are key to identifying and managing third party risks, and to implementing effective mitigation measures. In this post, we’re going to examine some of the key pain points associated with third party risk management, and how firms can deal with them.
Supply chain risk
Most organisations are comfortable managing the challenges of their immediate risk environment, including carefully calibrating their screening and monitoring solutions. When it comes to the risk environments of their suppliers, however, identifying threats becomes more complicated.
Supply chains typically cross multiple borders and multiple risk environments, which complicates the risk assessment process. Not only do firms have to think about a higher volume of threat vectors, but they must also take steps to ensure that their suppliers are operating in compliance with the relevant regulations. The complexity of a supply chain magnifies the compliance challenge: cross-border chains carry a higher likelihood of regulatory disparity, while multiple different entities make different internal compliance approaches more likely.
Key supply chain compliance risks include:
Suppliers that operate in high risk industries, such as shipping or payment services.
Suppliers that operate in jurisdictions with lower AML regulations.
Sanctions designations against persons or countries within, or connected to, a supply chain.
The presence of politically exposed persons (PEPs) within supply chain companies, or connected to them via friends or close associates.
The principles of supply chain risk management are similar to those applied to customers. That means firms must implement suitable supply chain due diligence measures, along with screening and monitoring processes, in order to assess and establish risk as accurately as possible.
Reputational risk
We’ve focused on the regulatory risks that supply chains pose, but third party risk is not just about legal consequences – it also includes reputational damage. In fact, reputational damage can occur even in cases where there is no technical breach of law, and can hurt a firm just as much as a financial penalty.
In some contexts, the mere existence of a business relationship between one entity and another can be enough to create a negative public impression, regardless of whether a client organisation has broken compliance rules. With that in mind, reputational damage is often a result of negative environmental, social, and governance (ESG) factors, which may include:
Carbon emission levels
Preservation of biodiversity and natural habitats
Ethical labour practices
Workplace diversity, equity, and inclusion
Health and safety practices
Corruption
Human rights abuses
The consequences of reputational damage can be difficult to predict, but may translate to customer boycotts, adverse media stories, and increased regulator attention. The sheer diversity of reputational concerns can be a particularly problematic factor for corporate entities with large global footprints, or with extensive supply chains. Reputational risks can be managed in the same way as other compliance concerns but, again, may require firms to extend the scope of their screening and due diligence measures.
Ongoing due diligence
The supply chain and reputational risks listed above represent ongoing compliance concerns, and mean that firms must factor them into their risk-based compliance solutions. In practice, this means treating third party relationships in a similar manner to business relationships, including performing due diligence in order to inform risk assessments.
Where conventional customer due diligence (CDD) measures help firms verify that customers are who they say they are, supply chain due diligence helps to verify that suppliers are meeting the standards that they claim to be. Supply chain due diligence is often a compliance pain point because it involves an intensive manual collection process of third party documents and information such as:
Company names, addresses, tax numbers and incorporation documents
Beneficial ownership details
Historical financial data such as tax reports
Internal risk assessment data
Internal financial data such as cash flow, debts, and liabilities
Regulatory environment information and historical AML/CFT compliance records
Supply chain due diligence should take place at the start of the supplier relationship and should be refreshed on a regular schedule to capture changes in a supplier’s risk profile. Ideally, that ongoing due diligence should be supported by peripheral compliance measures, including adverse media screening, and sanctions and watchlist screening.
Stay ahead of third party risks
Third party risks typically require firms to expand the scope of their compliance solutions, rather than taking a different approach to existing screening, monitoring or due diligence. That need adds volume to the compliance burden – a factor that can put unsustainable pressure on firms that rely on manual techniques to establish risk, such as searching for customer names on Google, or manually entering names into sanctions lists or PEP lists.
Fortunately, compliance teams have options for mitigating the challenges of third party risk, not least by supporting or (where possible) replacing manual processes with automated software tools. Automated screening software adds valuable speed to tasks that would have taken hours to complete manually, and a high level of detail accuracy, which reduces the potential for human error.
Most importantly, automated third party risk screening enables firms to dramatically boost the scope of their searches to a truly global scale. Automated name searches, for example, can cover thousands of global data sources, including news reports, sanctions lists, watchlists and more, delivering actionable intelligence in seconds, and helping firms make faster, stronger compliance decisions about every third party relationship.
Sanctions requirements are growing both in their scale and complexity. Since 2022, not only have thousands of new names been added to UK, US, and EU sanctions lists, but many new activity-based restrictions, such as the need to block comprehensively sanctioned territories in occupied Ukraine or the prohibition of services to Russia, have been introduced. Coupled with ever-more sophisticated sanctions evasion techniques, and a regulatory expectation that financial institutions should detect sanctioned activity, financial institutions need to think more creatively about their screening controls.
Sanctions screening is no longer just screening against a list of names, but also capturing additional data and applying a more proactive and intelligence-led approach. Artificial intelligence (AI) may play a significant role in this transformation. Ripjar’s recent Sanctions Masterclass, co-hosted with FINTRAIL, explored some key questions for firms building and scaling their sanctions framework.
1. How can firms detect sanctions activity using a risk-based approach?
Many regulators allow (and even expect) financial institutions to apply a risk-based approach to screening. As one of their key practical considerations for sanctions screening, financial institutions should understand how their customers, products and payment channels contribute to sanctions risk, and concentrate their resources on the areas of the business presenting the most risk.
A risk-based approach is not about having or not having a particular control, but rather dialling up or down the intensity of certain controls in line with risk. For example, some firms may concentrate payment screening efforts on cross-border transactions instead of domestic payments where the sanctions risk is lower. Every sanctions programme needs to be unique to your inherent and residual risks.
To understand what regulators expect from firms, it is a good idea to read enforcement notices and conduct a gap analysis against your own programme, to highlight weaknesses and proactively address any gaps. For example, if a firm is fined for not screening certain payment fields, consider if you should be doing the same. It also can serve as a validation exercise to demonstrate that your systems and controls are effective and commensurate to your sanctions risk.
2. What data should firms collect for sanctions screening?
The quality of sanctions screening depends not only on the lists you screen against but also the customer and payment data you use. Firms should consider what data points they hold on customers that might indicate sanctioned activity, and incorporate these into screening. Mechanisms to measure data completeness and data lineage are an important part of your sanctions programme for ensuring you supply quality data into your tool to minimise false positives and increase efficiency.
Crucially, it is important to recognise what regulators are expecting firms to identify. Many sanctions lists will contain additional data on sanctioned persons and entities, such as email addresses and websites, which can be integrated into screening. At the same time, a customer’s IP address location may be used to block access from sanctioned jurisdictions.
Practical questions for firms building their sanctions framework
1. What data is being screened?
Do you have a clear picture of what is coming into the screening system and is it complete and validated?
2. What are you screening against?
Do you have a clear view of list management and what is provided by external parties?
3. When are you screening?
How does this tie into the risks presented by your customer profile and flow of funds?
4. Why are you screening?
Do you have a clear view of your regulatory obligations and your own internal risk appetite on which to build your framework?
Once these questions have been answered, you can then consider:
5. How are you screening?
Can you define your suppression logic, the use of machine learning and AI, and the levels of fuzzy matching?
6. How do you operationalise your screening?
How do your settings and processes inform case management, information requests, and capacity planning?
3. How can financial institutions adopt a proactive approach to screening?
Governments publish guidance to industry on the latest sanctions evasion tactics adopted by sanctioned parties. For example, as recently as September 2024, the G7 published joint industry guidance on red flag indicators of potential sanctions evasion and best practices for firms to conduct enhanced due diligence. Staying on top of evolving sanctions and regulatory guidance is one of the biggest screening challenges organisations face, and firms are expected to read such guidance and adjust their controls accordingly.
Many firms are also looking to adopt a more proactive approach in response to such guidance. While sanctions evasion typologies are unstructured data, screening software works with structured data, and the challenge for firms is to build rules to detect the behaviour called out in typologies. This requires resources and technical expertise.
4. What role can technology and AI play in keeping up with the pace of change?
Advanced screening solutions leverage technology to help firms move beyond simple name screening, and allow them to adopt a more proactive approach to screening. Technology can help link multiple data sets and digest unstructured information at scale – such as adverse media and corporate relationships – to flag potential sanctions risk.
Many firms also see a role for AI in screening, ranging from assisting with operational tasks (such as automating requests for information, and obtaining further information that a human investigator needs to resolve an alert) through to potential use cases where AI can make true match or false positive determinations.
A key challenge here is that, since breaching sanctions is a criminal offense in many jurisdictions, firms must be able to place trust in the AI and – crucially – be able to maintain oversight over the system and explain it to the regulator.
Sanctions is not a one-size-fits-all approach
In summary, the key challenge for firms is to ensure that their screening systems and approaches are aligned to their sanctions risk. Firms need to understand how their business model influences their inherent and residual sanctions risks and how this interacts with the increasingly complex sanctions landscape. Firms should use all of the data available to them – both structured and unstructured data, whether in sanctions lists or in typology reports – to inform their sanctions typologies and build out their sanctions controls. In order to do so, firms must explore how technology – such as automation, machine learning, and advanced forms of AI – can help reduce the operational burden while optimising the possibilities of detecting sanctioned activity.
Sanctions pressure is increasing in jurisdictions all around the world, with financial institutions struggling to adapt to an increased volume of regulations, and more intensive approaches to enforcement. To meet that rising sanctions challenge, financial institutions must rely on employee skills and technical resources, integrated as part of a risk-based screening solution.
In November 2024, Ripjar and FINTRAIL jointly hosted a Sanctions Masterclass on exactly that issue, with industry experts discussing some of the most significant concerns of a changing compliance landscape – and regulator expectations for managing them.
As political tensions have grown dramatically all over the world, sanctions restrictions have become a lot more complex. Financial institutions need to stay ahead with screening solutions that look to advanced technology or intelligence-led solutions.
Ciara Aitchison, FINTRAIL Director
Industry Opinion: Top Screening Challenges for 2025
During the Sanctions Masterclass, audience members were asked to share what they felt were the top sanctions screening challenges for their organisations (with the option to select up to 3). The results reflect how complicated the sanctions screening question has become for many compliance teams and highlight the need for new ways to manage risk data.
Evolving Sanctions
The Masterclass poll highlights a number of specific sanctions compliance pain points, not least the ongoing issue of evasion. But it also reflects a collective concern with the pace at which the sanctions landscape is changing.
Leading the discussion, FINTRAIL Senior Consultant & Sanctions Lead Emil Dall pointed to this change as the root of the screening burden that many firms are experiencing, identifying Russia’s invasion of Ukraine as a key driver.
“We’ve had a huge increase in the number of designations since 2022,” said Emil. “In the United Kingdom alone we’ve seen £22.7 billion worth of assets frozen because of Russia sanctions, and recorded 473 suspected breaches – up significantly from 147 at the beginning of Russia’s invasion.”
It’s not just the increasing volume of sanctions that is making life difficult for compliance teams but the type of restrictions that are being imposed. Western governments have introduced new types of sanctions restrictions, including those involving cryptocurrency wallets and crypto services, the ban on Russian banks using the SWIFT banking system, and sanctions that involve specific territories within occupied Ukraine.
“All these different types of sanctions increase the levels of controls that financial institutions require,” said Emil. “Name screening won’t necessarily help you implement these restrictions, so we need to think creatively about how we can go further.”
In this case, “thinking creatively” may require capturing a greater depth of information about a given customer, including their passport number, email address, and so on, or a deeper dive into potential evasion strategies which have emerged as a result of the changing nature of the sanctions regulations themselves. Illustrating that point, Emil brought up the example of the designated company Aeroscan. The UK listing includes the company’s website and email domain “scan.aero”, which some screening providers may not pick up through fuzzy matching, or which may be missed if a firm is not screening client websites or email domain names.
Regulatory Expectations
In the face of an increasing number of regulations, and new evasion strategies, businesses rely on regulatory guidance, insight and advice as a means to support compliance efforts.
Emil noted that there has been an uptick in regulator guidance to match that need, and specifically guidance that highlights financial institutions’ primary concern: detecting sanctions evasion. In September 2024, for example, the G7 released joint guidance, for the first time ever, on preventing Russia sanctions evasion. The guidance includes a list of red flag evasion characteristics, screening best practices, and top customer due diligence (CDD) controls. The UK has also issued red alert notices more frequently since the invasion, including one targeting sanctions evasion techniques used by Russian oligarchs.
The focus on sanctions evasion techniques reflects another prominent sanctions challenge: the need to understand company ownership structures and the risk of sanctioned parties using third countries to evade restrictions. For example, news media reported on a surge in car exports to Azerbaijan, coinciding with a drop in exports to Russia as the export of luxury vehicles to Russia became prohibited.
“It begs the question of what our financial institutions are being asked to detect,” said Emil. Referring to OFAC’s Framework for Sanctions Compliance Programs, he continued, “If you ask OFAC, it goes beyond name screening and focuses on firms having policies, procedures, and controls in place to detect prohibited activity – not just preventing certain people from accessing financial services.”
That point reflects another important consideration in a changing sanctions landscape. While the volume of regulator guidance has kept pace with new rules, it is also clear that regulators “increasingly expect” financial institutions to successfully spot sanctions evasion.
“There is a growing realisation that financial institutions have a lot more data at hand which can allow them to detect sanctions activity,” said Emil, “beyond just detecting whether someone’s name is on a list.”
Real-world enforcement actions seem to reflect that trend:
In 2021, financial services firm Payoneer was fined over $1.4 million for multiple failures in its fuzzy matching screening controls.
In 2022, crypto service provider Kraken was fined over $300,000 for failing to screen customer IP addresses correctly during onboarding.
In 2023, Swedbank was fined over $3.4 million for not acting on location data that suggested transactions were connected to sanctions-listed Crimea.
The examples demonstrate the growing need for financial institutions to consider the risk data that they hold on their customers, and integrate that into the screening process – rather than just verifying against a list of sanctioned names.
Risk-Based Compliance
Sanctions compliance is risk-based, which means financial institutions must deploy a proportional response to the risk that their clients present. This makes the accurate assessment and understanding of risk critical on an individual-organisation basis, and means there are a number of practical sanctions screening considerations organisations must make.
In this climate, out-of-the-box screening solutions do not offer an adequate level of compliance protection, since those systems are not calibrated or tested to the specific risks of a given firm’s operational environment. Risk assessment is all the more important in an evolving sanctions landscape, where new sanctions are issued regularly, along with the emergence of new evasion techniques.
Effective risk-based compliance requires firms to look inwards, as much as to the introduction of new regulations. Emil set out questions that firms should ask themselves to strengthen their approach to risk assessment:
How can we innovate? How can we tune? How can we test and make our systems better at addressing the risk we’re facing? As sanctions risks increase globally, our screening systems must also follow suit.
Emil Dall, Senior Consultant & Sanctions Lead, FINTRAIL
With that in mind, effective risk-based compliance should also be thought of as a series of dials that apply different levels of screening intensity to different points in an organisation’s infrastructure.
In the context of customer screening, for example, that could include a dial for selecting the right lists to screen, a dial for screening adverse media, a dial for screening cadence, ongoing testing and so on. Meanwhile, in the context of fuzzy matching, there may be a dial for adjusting alert triggers in line with risk, based on client profiles, payment types, products being used, and so on.
Key Takeaway: The Value of Data
The pace of change in the modern financial landscape requires every firm to prioritise the development of a unique screening process that takes sanctions screening beyond name matching. This process must not only meet regulatory expectations, but also internal assessments of risk. Building that solution should involve careful tuning and calibration on an ongoing basis, informed by every available data point, both in official sanctions lists and published guidance, and on the customer side in records and internal documents.
That data challenge is significant, but financial institutions can make their job easier by leaning in to the speed and efficiency possibilities of automation, and integrating cutting-edge screening technology such as Ripjar’s sanctions screening solution.
Capable of capturing thousands of data points, including sanctions lists, watchlists, and adverse media sources for further screening enhancement, Ripjar screening can be tailored to a firm’s risk appetite and environment. In a changing and challenging regulatory landscape, Ripjar gives compliance teams the power to adapt, incorporating powerful AI-supported screening features that add depth to customer name searches, enrich the quality of search data, and ultimately enhance compliance decision-making.
It’s no longer enough to simply search for a customer’s name on a sanctions list in order to meet regulatory compliance obligations.
Risk-based sanctions compliance rules – imposed in jurisdictions across the globe – ask more of compliance teams, and typically require analysts to go beyond government-issued lists, and consider a much wider range of data when making decisions. Complying with these rules also brings a number of practical considerations for organisations.
In November 2024, Ripjar and FINTRAIL hosted the Sanctions Masterclass webinar “Going Beyond the List”, assembling a panel of experts to discuss the ways that firms can harness technology to add depth to their sanctions screening processes. In that discussion, Ripjar Operational Data Science Lead Abhijith Rajan drilled down into strategies that enhance customer name searches, and how artificial intelligence (AI) tools are helping compliance teams take their screening processes beyond the limitations of traditional name matching.
“Organisations tend to be conservative in the way they do sanctions screening, but there are ways that technology can help us understand things about a name.”
Abhijith Rajan, Operational Data Science Lead, Ripjar
Industry Opinions: Screening Technology Impact
The Sanctions Masterclass captured the opinions of an industry audience in a poll that focused on the specific impacts that compliance teams would like technology to have on the screening process.
The poll suggests that firms value screening efficiency and accuracy, with results weighted towards the remediation of false positives, and managing an increasingly complex and crowded regulatory environment. Scrutinising that data, Abhijith suggested that the efficiency and accuracy challenge might actually start from an over-reliance on names in the first place:
“Sometimes even names can be problematic,” said Abhijith. “You might not be allowed to screen in the script that the name is originally available in. And going from a script you might be unfamiliar with to a script you are familiar with is usually a poor process. It leads to false positives, and might end up meaning you have to build in a set of rules to assess the data.”
That challenge suggests that a new approach to screening is needed.
Traditional vs Identity-Based Sanctions Screening
Traditional screening processes, in which financial institutions attempt to match names to designations on the relevant sanctions lists, are limited for a number of reasons, including:
Having a sole focus on the names designated on sanctions lists.
High rates of false positives.
The increased likelihood of missing hidden or indirect connections to sanctioned entities, especially if screening for a common name with no additional information.
Given the expanding sanctions compliance burden, the limited scope of traditional screening can expose organisations to significant regulatory risk. Abhijith raised the prospect of a better way to screen – essentially “going from names, to identities”.
In this identity-based approach, instead of focusing on names alone, compliance teams search for customer identities, capturing the vast amount of additional risk data behind every individual.
An identity-based approach to screening:
Incorporates all available risk data.
Reduces false positives and false negatives by capturing nuance and detail.
Future-proofs compliance solutions by adapting to increasingly complex regulatory demands.
Incorporating Linked Data
We need to make sure that we’re challenging ourselves to be screening with more information.
Abhijith Rajan, Operational Data Science Lead, Ripjar
Identity-based screening requires compliance teams to enhance their search processes, typically by integrating technology tools. In this context, Abhijith suggested that the name can serve as a foundation for the effective application of screening technology:
“You can immediately look at a name and have a sense of what kind of rules should be applied to screening,” said Abhijith. “Then you can start to do intelligent things around screening. It gives you ways of building in technology and applying different rules for different customers.”
With that in mind, when screening for identities, financial institutions should move beyond only using traditional fuzzy matching, and seek to implement software that links names to other types of data. This might include considering name origins, or partial-name matches, but should extend across all available data types, including email addresses, customer behaviour, bank codes, and, importantly, adverse media.
Taken in isolation, each of these data points might offer little compliance value. Linked together, on the other hand, they help financial institutions build customer identities into ‘risk profiles’, which add critical contextual intelligence, and enhance the proactive identification of sanctions risk.
Screening software that facilitates the use of linked data helps compliance teams assemble all relevant sanctions information in one place, which not only adds efficiency to risk analysis but speeds up decision-making.
Enhancing With Adverse Media
Adverse media is particularly useful in identity-based screening, not least because sanctions evasion risk may be reported by news organisations long before governments make designations on official sanctions lists.
However, effective adverse media screening is challenging for a number of reasons, not least because of the vast amount of complex data that financial institutions must search through to find relevant risk information, and the noise that data generates – all of which can lead to an overwhelming amount of false positive alerts.
With the Sanctions Masterclass poll suggesting that false positives are a top priority for financial institutions, Abhijith again pointed to the value of technology in enhancing the sanctions screening process with adverse media, including reducing noise, refining results, and reducing false positives.
Specific adverse media applications include:
Creating and leveraging curated adverse media feeds that focus on relevant risk categories.
Screening customer profiles for matches, rather than screening articles.
Applying filters for jurisdictions, entity types, or level of activity.
Tailoring alerts for specific industries and regions.
Incorporating Relationships
Identity screening also helps firms uncover the compliance risk presented by relationships, including not only family members of sanctioned persons, but their friends and close associates.
Abhijith emphasised the importance of using risk profiles to uncover relationship connections – an approach that leans in to the capabilities of search technology to capture data, including adverse media.
“People get married, they get divorced. You want to be able to see this information updated on a regular basis,” said Abhijith. “At Ripjar, we’re comfortable extracting information around things like close familial relationships, corporate relationships, and employee relationships from media.”
Using Ripjar’s screening platform as an example, Abhijith noted that relationships can be tracked visually in graphs or networks, or simply laid out textually as part of a customer’s profile. Even better, screening software can allow compliance teams to make connections with other sanctioned entities automatically, helping financial institutions uncover potential hidden links and networks.
Understanding AI Advantages
The need to incorporate linked data, from an expansive global landscape, represents a significant administrative burden for compliance teams, not least thanks to the increased volume of false positive alerts.
Acknowledging that challenge, Abhijith pointed to the potential of AI tools to not only broaden search reach and reduce manual effort, but to enhance detection and reduce false positive rates. Some of the key potential benefits of AI screening include:
Natural language processing (NLP) tools for the analysis of adverse media and other forms of unstructured data.
Machine learning algorithms for the detection of behaviour patterns that indicate sanctions evasion.
The incorporation of unstructured contextual data in the compliance decision-making process.
The automation of decision-making for low-risk false positive alerts.
The benefits of AI were acknowledged in the Sanctions Masterclass audience poll, which found that the vast majority of attendees see a role for AI in sanctions screening.
Managing AI Challenges
“AI is complicated. It’s not a transparent process, and very often you’ll find that even people who built the software will struggle to explain why a match has happened.”
Abhijith Rajan, Operational Data Science Lead, Ripjar
While AI holds promise for sanctions screening, it’s critical that firms also remember its limitations, including – in many instances – its lack of transparency. The transparency issue is a significant consideration in the integration of AI tools, and particularly generative AI (GenAI), in screening processes, since financial institutions must be able to explain a set of results to regulators during an investigation.
“Explainability in AI has become better, and it keeps getting better over time,” said Abhijith. “We need better transparency. The audit trails need to be very clear. Regular validation and fine-tuning of AI models is critical.”
The need for explainability was a recurring theme in the Sanctions Masterclass, with other panel members expressing a desire to see GenAI develop as a component of the sanctions screening process:
“It’s explainability and reliance,” said Parminder Turna, Wise Director of Product Compliance for Sanctions & Screening. “Explainability in AI has the same risk as placing reliance on a black box vendor. I would want to be able to sit in front of a regulator and explain how I’ve implemented GenAI. I think that’s the next hurdle.”
The limitations of AI don’t mean that financial institutions should shy away from using it in compliance contexts, but instead consider how they will implement it in a way that doesn’t compromise the integrity of their search results. To that end, Abhijith suggested that AI tools should be used with “guardrails” that ensure their validation and repeatability. These might include their integration with human oversight to balance efficiency and accountability, and ensuring that compliance teams receive comprehensive training in their use.
“Copilots are very common,” said Abhijith, referencing the way that Ripjar incorporates GenAI into its search solution. “The idea is that you have a GenAI support system that’s sitting next to you and allowing you to speed up your work. You allow AI to act as your first line analyst and give recommendations that can be adopted or rejected.”
Go Beyond the List with Ripjar
Going beyond the sanctions list means embracing the opportunities and challenges of a vast and evolving data landscape, and ensuring that your compliance team has the resources, skills, and tools they need to deliver results.
Financial institutions can make that process easier by exploring the capabilities of AI-powered screening platforms – such as Ripjar’s sanctions screening solution.
Supported by cutting-edge GenAI, Ripjar’s tool is capable of screening thousands of sources in seconds, including sanctions lists, watchlists, and adverse media. Customisable to the unique needs of an organisation, it captures and connects data from evolving risk environments, incorporating powerful screening features that add depth to customer name searches, and enrich the quality of search results, in order to facilitate stronger compliance decision-making.