The Monetary Authority of Singapore (MAS) serves as Singapore’s central bank and financial regulator. MAS provides oversight for the country’s banks and financial institutions, setting anti-money laundering (AML) and counter-financing of terrorism (CFT) regulations, and enforcing compliance. In that supervisory role, MAS regularly issues guidance to help businesses implement its AML/CFT rules and in April 2022 it issued new guidance on Strengthening AML/CFT Name Screening Practices.
The 2022 guidance followed thematic inspections of AML/CFT name screening frameworks of selected Singaporean financial institutions in 2021. The inspections were conducted in order to ‘assess the robustness… of name screening frameworks and controls, relative to their risk profiles and business operations in Singapore’. Drawing on observations from the inspections, MAS’ 2022 guidance sets out expectations regarding financial institutions’ name screening processes, along with examples of good practices, and areas for improvement. According to MAS, financial institutions should ‘benchmark themselves against the practices and supervisory expectations… in a risk-based and proportionate manner’.
Given the need to comply with MAS’ rules and regulations, it is important that financial institutions in Singapore understand the regulator’s 2022 guidance and the name screening deficiencies that it revealed.
Senior Management Oversight
In its thematic inspections, MAS noted that senior management employees in Singapore tended to be well positioned within their companies’ AML/CFT infrastructure in order to access relevant name screening information, and tended to have established processes to track and address unresolved alerts. However, MAS noted a number of areas for improvement, including:
Inconsistent assessment: Certain financial institutions’ name screening policies and procedures were inadequate, resulting in inconsistent senior management assessment of AML/CFT alerts.
System reviews: Insufficient senior management understanding of name screening systems and a lack of regular system reviews were increasing the risk of inaccurate AML/CFT alerts.
Erroneous dismissal: Inadequate checks and balances in the senior management alert resolution process were increasing the risk of true positive AML/CFT alerts being dismissed erroneously. In particular, MAS’ guidance emphasised the need for ‘four eye checks’ (alerts verified by two people) and for risk-focused quality assurance (QA) to identify procedural weaknesses.
Accountability: A lack of records of senior management discussions of AML/CFT concerns were creating a lack of accountability for compliance issues and obscuring the basis for compliance decisions.
Frameworks, Policies and Procedures
The thematic inspections covered Singaporean firms’ name screening policies and procedures during onboarding, transaction processing, and periodic Know Your Customer (KYC) reviews. In practice, those policies and procedures entail the processes used to input customer names into AML/CFT frameworks, the way those names are tracked, and the criteria used to assess and dismiss those names.
MAS suggested that Singaporean financial institutions had deficiencies in their name screening policies and procedures, including:
Inadequate batch screening tools: MAS found that a ‘small number’ of Singapore’s financial institutions were not implementing adequate tools or systems to conduct batch screening of customer names against sanctions lists. In one case, a firm was conducting batch screening manually, which led to delays and human error, while another firm was using a batch screening tool that could not accommodate the full range of necessary names.
MAS pointed out that Singaporean firms should implement a suitable software screening tool to conduct name screening or put safeguards in place to mitigate human errors.
Former names: The KYC process sometimes requires firms to search for customers’ former names. In this context, MAS found that some financial institutions were not screening for former names, or had not formalised any requirements to screen for former names as part of their KYC process. MAS advises that financial institutions establish clear requirements to screen for former names as part of their AML/CFT solution.
Customer tracking: MAS found that financial institutions were failing to systematically identify and track customers that they were required to screen. Where customers were not tracked, financial institutions experienced delays and omissions in the AML/CFT process.
MAS recommended that financial institutions implement structured tracking processes in order to avoid lapses and delays in AML/CFT alert remediation.
Screening Parameters and Databases
MAS sets out supervisory expectations that financial institutions will implement suitable name screening software solutions and ensure that those solutions are capable of effectively generating name matches. With that in mind, financial institutions are expected to regularly review the parameters under which their name screening systems operate to ensure that they remain up to date with relevant information.
MAS’ thematic inspection revealed that Singapore’s financial institutions were broadly succeeding in implementing formalised frameworks to govern their name screening systems, and periodic reviews of those systems, in order to ensure ongoing accuracy. However, MAS also found the following deficiencies:
Over-reliance on vendors: MAS found that some financial institutions were overly reliant on vendors for setting their name screening system parameters, and for ensuring the adequacy and accuracy of information sources. Consequently, many name screening systems were ‘ineffective in identifying relevant name matches’ and were not receiving adequate information about customers’ specific business activities – and so were failing to identify AML/CFT risks.
Fuzzy logic matching: MAS found that some financial institutions were using name screening tools without fuzzy logic capabilities – and which could only identify customer names where there was a 100% match. By implementing fuzzy logic name screening, these firms would be able to account for partial matches, such as those caused by spelling discrepancies, and so capture potential AML/CFT risks more accurately.
Internal checks: Many financial institutions were found to be failing to conduct checks on the internal lists that held vital name screening information. By failing to regularly maintain and verify the accuracy of that information, financial institutions were degrading the accuracy of their name screening processes, and missing important AML/CFT alerts.
In response to the deficiencies revealed by the inspections, MAS emphasised the need for financial institutions to regularly review their system parameters to ensure their ongoing effectiveness, and to review the completeness of their screening databases to ensure they were updated with sufficient information to facilitate effective compliance decisions.
Alert Resolution
MAS expects financial institutions to address name screening alerts in a timely manner, and keep suitable records of the process. Similarly, financial institutions are expected to implement independent checks and balances to ensure the alert resolution process remains fit for purpose.
In conducting its thematic inspection, MAS identified the following areas of concern:
Adverse media: MAS’ inspections revealed that some financial institutions in Singapore were not effectively screening customer names against adverse media. In particular, MAS found that:
Financial institutions were dismissing adverse media from regional or local news sources.
Financial institutions were determining the relevance of adverse media based only on how recently the story was released.
MAS guidance emphasised the need for financial institutions to ‘consider all key factors’ when determining the relevancy of adverse media stories.
Documentation of screening results: MAS found that some financial institutions were failing to adequately document the results of name screenings and assessments. The deficiencies resulted in missing records and a lack of basis for dismissing AML/CFT alerts.
In order to address those deficiencies, MAS emphasised the need for financial institutions to establish clear documentation requirements for alerts derived from name screening.
Alert dismissal: MAS found that some financial institutions did not have adequate criteria for assessing and dismissing AML/CFT alerts – and were dismissing alerts without adequate basis. In particular, MAS found that:
Financial institutions were dismissing alerts on a consolidated basis rather than addressing the specific concerns of individual alerts.
Financial institutions were dismissing alerts for generic reasons rather than adequately justifying the reasons for the dismissal.
Accordingly, MAS recommended that financial institutions set out detailed guidance for the resolution of name screening alerts, and set out requirements for compliance employees to provide justification for alert dismissals.
Checks and balances: MAS’ inspection revealed that a number of financial institutions in Singapore lacked effective checks and balances to determine whether name screening alerts were being dismissed appropriately. MAS highlighted the need for financial institutions to implement checks and balances to ensure effective alert remediation, including regular QA checks to ensure the timely detection of errors.
To find out how we can help your business implement an effective name screening solution, get in touch today.
A version of this interview was first published on Cyber News on 6 March 2022.
To discuss the current environment, existing risks for organisations, and their prevention methods, we interviewed Gabriel Hopkins, the Chief Product Officer of Ripjar – a company that designs products for detecting risk and preventing financial crime.
Ripjar’s Background
Let’s go back to the very beginning of Ripjar. How did this project come about, and what has your journey been like since?
The five founders of Ripjar met while working at the United Kingdom’s Government Communications Headquarters – the intelligence and security organisation known as GCHQ. Collectively they spent many decades in that environment and built up a huge amount of technical expertise in the process, including exposure to a wide range of technologies that can be used to make sense of structured and unstructured data.
Initially, Ripjar helped private and public organisations make sense of social media data, understanding political, intelligence, and commercial signals in vast quantities of data. Over time, the company diversified and started supporting many types of clients. Today Ripjar helps banks and other large enterprises around the world leverage complex data to understand risk and identify crime.
Challenges and Solutions
Can you tell us a little bit about what you do? What are the main challenges you help navigate?
Our mission is to help governments and organisations automate the detection, investigation, and monitoring of criminal activity. We have two main products – Labyrinth Screening and Labyrinth Intelligence.
With Labyrinth Screening, we absorb structured watchlists and sanctions data alongside large quantities of unstructured news and media data – generally over 3 million articles every day. We use advanced analytic and machine learning techniques to make sense of all the data and help counter financial crime.
Our clients want to know when their customers match against a watchlist or when there is media that highlights criminal or other problematic activity. For example, when onboarding a new customer – either an individual or a company – there might be found that there is a report of bribery.
Labyrinth Intelligence is our solution for data fusion and analysis, and it gets used for a huge variety of applications – from law enforcement to cyber security investigations. There are several key capabilities that make the solution powerful. Our clients often have data in 10s or even 100s of different systems. We’re able to help them pull data in or access it in a place with all those sources. Then, a range of analytics, tools, and flexible workflows are available to explore, investigate patterns in the data, and provide meaningful outputs.
Our Labyrinth Intelligence clients are searching for patterns and connections in their data. Using powerful search techniques, entity link charts, maps, and other visualisations, they can surface the pertinent facts about suspects in a criminal investigation, transactions related to money laundering, or data compromises after a cyber incident. Clients working with the system supplement the inferences and knowledge from their investigations which are then encoded within the system’s object store to support further investigations.
The system can deal with different classifications of data and air-gapped low and high-side systems, which is essential for many of our customers.
What technology do you use to detect and analyse criminal activity?
There is a range of tools and technologies within the product to address different requirements. To make sense of unstructured data, we utilise machine learning classifiers trained on data from over 20 different languages.
Our entity and identity resolution are critical across all our solutions. Having reviewed the available tools, we determined that we needed to build out our technology which avoids a lot of the pitfalls of legacy approaches and enables us to match across scripts and colloquial name variations, such as Robert, Rob & Bob, in a wide range of languages.
Similarly, Ripjar has created proprietary object linking and graphing technology used to discover and encode knowledge within the system. The technology is used to automatically derive summaries of people and entities within the latest version of our screening solution, which massively simplifies the task of analysts reviewing matches.
What are the most common problems companies can run into if appropriate data intelligence solutions are not in place?
Amazingly, we often find ourselves using the common Donald Rumsfeld phrase “unknown unknowns” to talk about those things which an organisation doesn’t know but could be critical for them. In practice, there are many missed opportunities to detect, disrupt, and respond to criminal and national security threats.
The equation can be complex, but what we’ve seen over the last ten years is organisations accumulating large quantities of often siloed data that go unused because of inadequate technology and a related loss of corporate knowledge through failing to capture and share information in a structured way.
From a banking perspective, we see “unknown unknowns” surfacing regularly, often accompanied by weighty fines. In the UK, the fines amounted to about £500M in 2021. In many of the fines, the organisations had the information they needed, but they were not seeing it clearly. By identifying risky counterparties early – both with new and existing customers – and by pulling together data from across a bank, screening, and intelligence tools turn “unknown unknowns” to “known knowns” and making it simpler for them to do good business.
Outside of banking, the risks can be even more severe, and again, the ability to connect existing data together in the right way shines a light on where policing and governmental organisations should focus their attention.
The Future
Would you like to share some of the key takeaways from your recently published guide on adverse media?
The guide is intended to fill in the gaps for those interested in adverse media but would like to know more. Companies everywhere are trying to figure out how to use modern technology and massive quantities of data to understand business risks as they emerge. The guide explains exactly how to do that.
We’ve partnered with Ray Blake from The Dark Money Files – an organisation dedicated to fighting against money laundering and financial crime through education, awareness, and frequent enthralling storytelling.
The result is a simple-to-read, comprehensive overview of everything you need to know – why you should screen against adverse media, which media to use, how to interpret the results, how to use automation, and much more.
And finally, what’s next for Ripjar?
Nothing quite beats in-person meetings, and we’re very excited to see the world opening up again. We were able to see some of our mainland Europe clients face-to-face late last year, and we are looking forward to visiting with clients further afield.
Ripjar’s history so far has been built on innovation, and we know that we need to continue to innovate to provide next-generation capabilities to clients. We are working on some exciting new developments in both our Screening and Intelligence products which will super-charge both solutions and empower the analysts that use them.
As the pandemic hopefully ends, we’re looking forward to the chance to help clients across all sectors – and particularly in banking – to combine and make sense of their own data and other data sources to control risk and fight criminal activity.
Cryptocurrencies are disrupting financial systems for consumers and businesses alike, with crypto exchanges facilitating transactions between users in jurisdictions worldwide. However, the innovation that has driven the global rise of cryptocurrency has also introduced new risks as criminals exploit the speed and anonymity of cryptographic technology to evade regulatory controls and commit financial crimes such as money laundering and terrorism financing.
Recent geopolitical events have increased the need for crypto exchanges to implement robust anti-money laundering (AML) and counter-financing of terrorism (CFT) screening solutions. Following the Russian invasion of Ukraine on 24 February 2022, Western governments introduced an unprecedented package of economic sanctions against Vladimir Putin’s regime, with severe fines for firms found to be in violation of regulations. The sanctions apply to firms across the financial landscape, including cryptocurrency service providers.
Given the potential for cryptocurrencies to be used to commit cross-border financial crimes, not least the evasion of sanctions, crypto exchanges should understand the importance of AML/CFT client screening as part of their compliance solution, and ensure that they are capable of spotting high risk customers quickly and efficiently.
Crypto Exchange Risks
While traditional financial systems require customers to provide identifying information in order to access products and services, cryptocurrency transactions offer increased levels of anonymity which may enable criminals to evade AML/CFT controls and bypass sanctions. As platforms that facilitate cryptocurrency transactions, crypto exchanges face the following criminal risks:
Customer Identities
Since cryptocurrency transactions take place online, users may be able to conceal their identities and evade certain customer due diligence controls. Blockchain technologies also enable criminals to integrate mixing and tumbler services to add further anonymity to their financial activity.
Speed
Cryptocurrency transactions take place in seconds, enabling money launderers to move money quickly between accounts in different parts of the world, before extracting it and introducing it into legitimate financial systems.
Structuring
Crypto exchange users may be able to create multiple accounts within the same platform or with different service providers and structure their transactions in a way that does not trigger AML/CFT controls.
Money Mules
Criminals may coerce or incentivise third parties to set up accounts with crypto exchanges. These ‘money mules’ then perform transactions on behalf of money launderers.
Customer Screening Considerations
The inherent risks of cryptocurrency transactions mean that crypto exchanges should seek to establish the identities of their customers and understand their financial activity. Financial Action Task Force (FATF) AML/CFT guidance requires financial service providers to perform Know Your Customer (KYC) checks to determine the risk that individual customers present – at onboarding and throughout the business relationship. With that in mind, crypto exchanges should implement the following screening processes:
Sanctions Screening
Crypto exchanges must screen their customers against the relevant international sanctions and watch lists, including the UK sanctions list, the OFAC sanctions list, and the UNSC sanctions list. In addition, firms should pay special attention to recently updated Russia sanctions programmes.
Politically Exposed Persons
Elected officials, government employees, and members of the military present a greater AML/CFT risk and may be considered politically exposed persons (PEPs). Accordingly, crypto exchanges should screen to establish whether their customers are PEPs and adjust their risk profiles accordingly.
Adverse Media
Changes to customer risk profiles are often revealed in the news media before any confirmation by official sources. With that in mind, it’s important that crypto exchanges deploy adverse media screening measures to detect customer involvement in breaking news stories. In addition, adverse media solutions should cover media in a range of languages and consider nuances such as source credibility and political bias.
Screening Best Practices
To effectively address the risks that cryptocurrency transactions present, crypto exchanges should seek to make their screening process as efficient as possible, minimising false positives without missing genuine AML/CFT alerts. Accordingly, crypto exchanges should build their screening processes around a series of best practices, including:
Updates
Crypto exchanges must ensure that the resources they use to screen customer names are updated and accurate. The sanctions landscape can change rapidly so exchanges must ensure they are using the latest versions of sanctions and PEP lists, and checking media sources regularly for breaking stories.
Due Diligence
Crypto exchanges should perform suitable due diligence when onboarding customers, to establish their identities and the nature of their financial activity. Ideally, firms should use digital verification techniques to address the anonymity challenges of the blockchain. This includes dual-factor authentication and biometric identification such as fingerprint, voice, and face scans. In some cases, high risk customers should also be subject to enhanced due diligence (EDD).
Naming Conventions
Since they serve customers from territories worldwide, crypto exchanges must be prepared to deal with a diversity of language systems when screening customers. Ideally, screening measures should be set up to deal with non-Latinate characters such as Arabic or Cyrillic, and to detect regional naming conventions such as the reversal of first names and surnames that occurs in many cultures.
Aliases and Nicknames
Customers may engage with cryptocurrency services using nicknames or aliases, which may confuse name-matching software. Crypto exchanges should work to capture aliases and nicknames as part of the KYC process to better detect positive hits when screening against sanctions lists, PEP lists, and adverse media.
Russia Sanctions: Compliance Update
In response to Russia’s invasion of Ukraine, many Western governments updated their sanctions guidance for cryptocurrency service providers. The UK government has emphasised that crypto exchanges have the same regulatory responsibilities as other financial institutions. On 11 March 2022, the UK’s Financial Conduct Authority, Office of Foreign Sanctions Implementation, and Bank of England issued a joint statement reminding UK cryptoasset firms of their obligation to contribute to the sanctions compliance effort.
The statement encourages crypto exchanges to:
Update their sanctions compliance controls and technology, including enhancing their blockchain analytics to identify high risk wallets.
Be aware of sanctions red flags, including high risk jurisdictions, sanctioned wallet addresses, and exchanges with poor financial controls.
Be aware of cryptocurrency crime methodologies, such as the use of VPNs, and mixing and tumbling services.
Screening Technology
Screening customers against sanctions lists, PEP lists and adverse media sources requires crypto exchanges to monitor a vast amount of data. This means implementing screening software that delivers a high degree of adherence to global sanctions lists and PEP lists, and ongoing monitoring of news outlets.
Ripjar’s next generation screening solution is capable of matching names across a spectrum of languages and character sets while maximising true positives and minimising false positives. Similarly, our adverse media technology adds depth to your screening by conducting continuous monitoring of global news stories in over 21 languages, to capture customer risk data as soon as a story breaks.
Get in touch to discover how Ripjar’s advanced technology can help your company build a significant commercial advantage.
Sanctions provide governments and international organizations with ways to achieve foreign policy objectives and to punish and prevent violations of international law, including human rights abuses. An important tool in the fight against global financial crime, sanctions measures may target entire countries, or groups and individuals, and involve a range of financial prohibitions and restrictions – which firms must screen against to ensure regulatory compliance.
The sanctions screening process is a significant compliance challenge and should be an anti-money laundering (AML) and counter-financing of terrorism (CFT) priority. Targets may be designated on sanctions lists for a variety of reasons that generally reflect their government’s involvement (or their personal involvement) in international criminal activity such as terrorism, weapons proliferation, drug trafficking, cybercrime, or human rights abuse. The financial restrictions that sanctions impose on their targets include:
Trade embargoes
Trade prohibitions on certain products or industries
Investment prohibitions
Asset freezes
Travel bans
Firms that fail to comply with sanctions regulations face significant penalties, including fines and even prison sentences – along with the reputational damage that comes with doing business with sanctions targets and being publicly exposed for contravening regulations. With those risks in mind, it is important that firms implement an effective sanctions screening solution to ensure that they meet their regulatory obligations and do not wittingly or unwittingly help criminals break international law.
What is a sanctions list?
While governments devise and implement sanctions programs via the legislative process, sanctions measures are enforced by domestic authorities which add the names of designated targets to sanctions lists and watch lists. In the United States, for example, sanctions lists are maintained and enforced by the Office of Foreign Assets Control (OFAC) and in the United Kingdom, by the Office of Financial Sanctions Implementation (OFSI). Sanctions lists are updated regularly by their controlling authorities and are generally available online. In order to comply with sanctions regulations, obligated entities such as banks and financial institutions must screen their customers against the relevant sanctions lists – and take appropriate action if they find a match. Sanctions lists may be organized by target countries (or target individuals), such as the US’ Cuba Sanctions, Belarus Sanctions, or Chinese Military Companies Sanctions, or, alternatively, by the nature of sanctionable offences, such as the US’ Counter Terrorism Sanctions or Counter Narcotics Trafficking Sanctions.
Sanctions screening challenges
The sanctions screening process requires obligated entities to process vast amounts of customer and transaction data and take into account a range of relevant factors such as geographic location, political status, beneficial company ownership, and foreign naming conventions. Firms must implement a screening solution that captures the relevant data efficiently without generating an overbearing compliance burden through false positive alerts, and without searching so narrowly that they miss crucial risk liabilities.
Some of the key challenges of sanctions screening include:
Sanctions updates: Geopolitical events mean that the sanctions landscape changes constantly as governments add new names to sanctions lists and withdraw old ones. In 2021, for example, US, UK, Canada, and EU sanctions on China, prompted a range of retaliatory sanctions by the Chinese government, complicating the sanctions landscape significantly for firms within the relevant jurisdictions. Firms must keep pace with updates to sanctions lists by ensuring they are conducting continuous automated searches of the most recent versions of those documents.
Jurisdictional obligations: In any given jurisdiction, firms must manage a complicated set of sanctions compliance obligations often relating to numerous countries, organizations, and individuals. In the US, for example, firms must screen against OFAC’s Specially Designated Nationals (SDN) List, the Consolidated Sanctions List, and a number of additional sanctions lists. The most efficient screening solutions should ensure that firms screen against the lists relevant to their jurisdictional compliance regulations, and apply the relevant financial restrictions to the targets.
Policy and procedure: Given the complexity of sanctions regulations, it is crucial that firms set out clear internal policies and procedures for their screening process. Siloed data, poor communication channels, and unsuitable search software may contribute to screening inefficiencies, regulatory blindspots, and, ultimately, poor compliance performance. Accordingly, firms should review the effectiveness of their sanctions screening process regularly, performing stress tests, and audits to identify and address weaknesses.
Naming conventions: Many foreign language systems use different naming conventions that make sanctions name searches more challenging. Some Asian cultures, for example, reverse the first-name, surname convention used in Western culture, while transcriptions of Arabic names into English may involve significant spelling variation. Similarly, some names may be spelled with non-Latinate characters, using, for example, the Cyrillic, Mandarin, or Arabic alphabets. To account for foreign naming conventions, sanctions screening solutions should integrate sophisticated text analytics and transliteration tools calibrated to an organization’s risk priorities.
Sanctions best practice
Following Financial Action Task Force (FATF) guidance, firms should implement a risk-based approach to sanctions compliance and deploy compliance measures commensurate with the risk that individual customers present. Effective risk-based sanctions screening solutions are built on the Know Your Customer (KYC) process: organizations must ensure they know who their customers are, and what kind of transactions they are involved in, in order to build accurate risk profiles and to ensure sanctions compliance measures are applied correctly.
With that in mind, firms should consider deploying the following AML/CFT measures and controls to enhance their sanctions compliance performance:
Customer identification: The accuracy of the customer data that firms collect will have a significant effect on the efficiency of the sanctions screening process. Insufficient or inaccurate data will generate larger numbers of false positive alerts, over-burdening the compliance solutions and undermining customer experiences. With that in mind, it is vital that firms verify the identities of their customers prior to sanctions screening by performing suitable customer due diligence, obtaining the relevant identifying documents such as passports, driving licenses, birth certificates, and company incorporation information. During the due diligence process, firms should pay particular attention to customer names, taking into account the use of common prefixes, secondary names, suffixes and the use of AKA (‘also known as’) naming conventions.
Beneficial ownership: The use of shell companies to disguise ownership of assets and evade sanctions restrictions is a well-publicized financial crime. Recent investigations, including the Panama Papers and the Paradise Papers, have revealed numerous examples of sanctions targets concealing their identities behind foreign corporate infrastructure. The sanctions risk posed by shell companies means that firms should seek to establish beneficial ownership of any companies that they do business with, applying the same AML/CFT scrutiny to corporate customer entities as is applied to individual customers.
Technology: As sanctions list change and new regulations emerge, the technology that firms use to screen their customers becomes more important. Most sanctions regimes require firms to collect vast amounts of data – and then analyze and process that data within strict time periods. Given the potential compliance burden, sanctions technology platforms should be a priority for all compliance solutions. In addition to facilitating the flow of high volumes of data, sanctions software can help firms build out their risk-appetite as part of a risk-based response, using features like fuzzy logic and other name matching capabilities to ensure they are capturing risk liabilities without overscreening.
Sanctions data: Unstructured sanctions data elements that are pulled from an array of disparate sources will take longer to process and analyze, and increase the compliance burden that firms face. Accordingly, the sources of sanctions data should be a compliance priority: firms should consider the quality and quantity of data that a source provides, and how often that data is updated. Firms such as Dow Jones Risk and Compliance provide high quality data that firms and regulators trust globally. Similarly, firms should seek to use consolidated lists that compile all sanctions applicable under a certain regime in order to enhance the efficiency of their screening process.
Transaction monitoring: Firms should constantly monitor their customers for indications that they are transacting with sanctions targets. This means being vigilant for certain red flag financial behaviours, including unusual transaction patterns and transactions into and out of high-risk AML/CFT jurisdictions.
Politically exposed persons: Elected officials and government employees pose a much higher risk of being sanctions targets than other types of customers. Accordingly, firms must take steps to establish whether customers are politically exposed persons (PEPs) and adjust their compliance response accordingly. The PEP screening process should be performed throughout business relationships to capture changes in customer status.
Adverse media: News stories may reveal customers’ designation (or potential designation) as sanctions targets before that information is officially confirmed. With that in mind, firms should prioritize adverse media screening as part of their sanctions risk management solution. Adverse media screening should involve searches of a range of relevant sources, spanning foreign screen, print, and online news outlets from the relevant locations. While firms may be vigilant for information pertaining directly to customer sanctions designations, adverse media may also capture peripheral activities that may increase sanctions compliance risk in the future.
WANT TO LEARN HOW RIPJAR CAN HELP WITH SANCTIONS & WATCHLISTS SCREENING?
In the wake of high profile incidents of executive mismanagement and unethical behavior, banks and financial organizations around the world are turning their attention to environmental, social, and governance (ESG) factors as an important component of risk management.
The negative effects of ESG-related incidents can be significant and may include environmental damage, injury to wildlife, the destruction of natural habitats, or the exploitation of vulnerable communities and workers. Given the urgent global need to take action on issues like climate change, social inequality, and human rights abuses, ESG considerations should be a priority for all banks, corporate entities, and large enterprise organizations.
ESG failures can be extremely damaging to an organization’s reputation, resulting in regulatory fines and even exposure to criminal liability. With those risks and consequences in mind, and in order to promote corporate responsibility, banks and large corporations in jurisdictions around the world are implementing ESG screening solutions, while regulators are developing and introducing ESG compliance regulations.
In 2021, the EU conducted a study into the integration of ESG risk factors with business strategies and investment policies, looking specifically into EU banks and the EU Banking Prudential Framework. Given the increased regulator focus across the global corporate landscape, every organization should ensure that they understand the ESG risks they face, ESG risk transmission channels, and the relevant ESG compliance obligations within their jurisdiction.
What is ESG risk?
Environmental, Social, and Governance (ESG) describe a range of ethical and sustainability concerns relating to banking and business practices. While ethical financial practices were a social and governmental concern throughout the 20th century, ESG emerged as a significant priority in the wake of the 2008 financial crisis, which exposed industry-wide failures in governance, and reckless corporate behavior, that caused unprecedented damage to markets all over the world.
Beyond unethical financial behavior, ESG considerations extend to observance of environmental sustainability practices such as the need to reduce carbon emissions and preserve natural habitats, and to social practices such as the use of ethical labor, involvement in communities, and sponsorships of local initiatives. Governance concerns may relate to the way an organization makes decisions or responds to both the detail and spirit of laws within its operating jurisdiction.
Adverse media and ESG screening
In order to manage ESG risk factors and comply with relevant ESG regulations, organizations must understand what kind of risks they face, and when those risks emerge.
This means that banks and corporate entities should monitor their customers, clients, and third-party relationships on an ongoing basis, with a particular focus on adverse media stories that concern ESG risks. Breaking news stories often indicate that ESG risk profiles have changed before that change is confirmed by official outlets: a client’s involvement in an ecological disaster, for example, such as a forest fire or oil spill, may be reported on activist websites or local news before government authorities confirm the news.
However, given the significant data requirements of adverse media screening, banks should develop and implement an automated software solution to meet their adverse monitoring needs efficiently. The monitoring solution should capture and organize data from all related news articles and media, including traditional screen and print sources, and online sources. The diversity of the modern media landscape and the ubiquity of online news sources means that adverse media screening should take in as broad a range of news as possible, and include more obscure sources such as social media feeds and activist websites.
ESG Screening Considerations
The EU’s 2021 study into the integration of ESG factors into bank’s strategies and investment policies, identified the following key ESG risk management elements:
Risk definition and identification: Banks should define and identify their ESG liabilities based on the relevance of ESG factors to their approach to risk management.
Risk governance and strategy: Banks should ensure that ESG risks are understood at an executive level so that ESG risk processes can be organized around strategic objectives.
Risk management processes and tools: Banks must put measures in place to assess the ESG risk that they face. ESG data may be gathered directly from customers and clients or sourced externally. Once those risks are understood, banks can measure their exposure quantitatively against their risk appetite.
Risk reporting and disclosure: The ways in which banks report and disclose their ESG risk should vary based on their audiences. Banks should decide on the level of transparency and granularity with which they should disclose their ESG risk level in order to remain compliant with local regulations.
Integrating ESG Risk Processes
While banks may be able to closely control their ESG compliance responsibilities at a day-to-day operational level, managing ESG risk transmission channels such as investments and financing activities or third party relationships may be more challenging. Accordingly, banks should work to understand the relevance of ESG risk transmission channels to their risk assessment framework and how those risks may damage their operations.
Examples of significant ESG risk transmission channels include:
Credit risk
ESG factors may affect credit risk exposure for corporate entities of every size. When borrowers’ assets lose value due to climate change issues, for example, their ability to pay back loans may be negatively affected.
Reputational risk
ESG factors, such as financial or environmental scandals, may affect an organization’s reputation negatively, discouraging investors and stakeholders and decreasing corporate valuation.
Cybersecurity risk
Inadequate cyber-security measures, loss of customer data, privacy breaches, or cyber-crimes can result in direct financial loss and legal penalties.
Market risks
Markets may be negatively affected by a range of ESG risks, including environmental damage or climate legislation. Those factors may result in losses of earnings and value.
Legal risks
Breaches of law or codes of conduct may result in legal and civil penalties, which may, in turn, result in significant fines or even prison sentences for culpable individuals.
Climate risks
Many institutions frame climate and sustainability factors as risks that cut across different transmission channels. Banks that are exposed to climate change risks, for example, may also be exposed to legal, market, and reputational risk.
Regulator Guidance on ESG Screening
Many global financial regulators have responded to the rise of ESG risk factors by implementing new legislation and publishing jurisdictional guidance. Notable examples of authorities and entities that have published ESG guidance include:
Australia:
Australian Securities and Investments Commission (ASIC)
In January 2024, the Australian government introduced plans for mandatory climate-related financial disclosures. With reporting rules in effect from 1 January 2025, ASIC has identified around 6,000 obligated entities.
Austria:
Austrian Financial Markets Authority (FMA)
In 2020, the FMA published its Guide for Handling Sustainability Risks which sets out definitions of ESG risk factors, along with risk management best practices.
France:
The Prudential Control and Resolution Authority (ACPR)
The French banking supervisory authority published a good practices guide to governance and climate risk management in May 2020. The guide focused on climate-related risks and set out recommendations for risk management tools, disclosures, and strategies.
China:
China Banking Regulatory Commission (CBRC) The People’s Bank of China (PBC)
In January 2020, the CBRC published its ‘Guiding Opinions’ on the development of its banking and insurance industry. Although not specific to ESG, the guidance encouraged banks to incorporate or improve their ESG risk management, information disclosure, and reporting systems.
In 2024, the PBC introduced Self Regulatory Guidelines for larger companies in China, aligning the country’s climate reporting rules with international standards.
The Netherlands:
De Nederlandsche Bank (DNB)
The central bank of the Netherlands published a good practice guide to ’climate-related risk considerations’ in April 2020. The document emphasized the importance of banks developing risk identification in climate scenarios and of disclosing their carbon footprints.
EU:
European Banking Authority (EBA) European Central Bank (ECB) European Commission
In December 2019, the EBA released its Action plan on sustainable finance. The plan encourages banks to incorporate ESG factors into their business strategy and to integrate climate change scenarios within their risk assessment processes.
In May 2020, the EBA published its Guidelines on loan origination and monitoring. The guidelines recommend that banks incorporate ESG risks into their internal risk policies and perform assessments of borrowers’ exposure to ESG risks.
The ECB published its guide on climate-related and environmental risks in November 2020, setting out definitions of risk characteristics and its supervisory expectations regarding banks’ ESG risk management practices.
In 2023, the European Commission released compliance guidance for the Corporate Sustainability Reporting Directive, which sets out new climate-related disclosure rules for EU companies.
Germany:
Financial Supervisory Authority (BaFin) Federal Office for Economic Affairs and Export Control (BAFA)
Germany’s financial regulator released its Guidance Notice on Dealing with Sustainability risks in December 2019. The guidance included BaFin’s requirements for banks to integrate sustainability risks into their risk management frameworks.
Singapore’s financial regulator released Guidelines on Environmental Risk Management for Banks in December 2020. The guidelines set out MAS’ ‘expectations on environmental risk management for all banks, merchant banks, and finance companies in the city-state, including their ESG risk disclosure policies.
In 2024, following a public consultation, the FRC published changes to the UK’s Corporate Governance Code which sets out conduct and reporting responsibilities on executive-level corporate employees.
Tailoring ESG Compliance Solutions
Definitions of ESG risks vary significantly by a range of factors, including business sector and jurisdiction, while many ESG factors overlap. Environmental concerns, for example, including damage to local wildlife or plant species, may, over the short and long-term, impact local populations, negatively affecting farming and fishing practices and causing unforeseen financial damage.
To account for the diversity of ESG factors, banks, and other corporate entities should consider how their approach to ESG risk can be tailored to the specific challenges of their operating environment, and make their own call on the best way to integrate ESG into their existing risk-management frameworks.
Want to learn how Ripjar can help with ESG and Adverse Media Screening? Please Get in touch.
As companies engage with counterparties – namely customers, vendors or other parts of their supply chain – it is essential that they understand the risk associated with doing business with all of those entities. That is difficult enough when the counterparties are nearby and really challenging when they are further afield.
At the heart of KYC (Know Your Customer – or KYV for vendors), is a check to see if your customer appears on a public watchlists or sanctions lists. The lists are published by organisations such as the UN and specific governments. The most well known publisher is the US Treasury’s Office of Foreign Assets Control or OFAC. Their sanctions list must be observed by all businesses operating in the US.
In a simpler world, that would be all there was to it, but the requirement is actually more complex. OFAC’s 50 Percent Rule states that “property and interests in property of entities directly or indirectly owned 50 percent or more in the aggregate by one or more blocked persons are considered blocked”. That is to say that sometimes counterparties may not appear on watchlists and sanctions lists but may be majority owned (individually, indirectly or in the aggregate) by sanctioned actors presenting a hidden risk.
We are delighted to announce that we are partnering with Kharon to close the gap. Kharon’s premium 50 Plus data adds another important dimension to the fight against financial crime and desire to protect against reputational risk.
Kharon conducts complex, multilingual investigations for entities that appear on the sanctions list – including their subsidiaries as far down as the ownership chain extends – as well as state owned enterprises in sanctioned jurisdictions. It includes thousands of entities and maritime vessels registered in more than 100 jurisdictions.
If you’d like to know more about how Kharon data can enhance your KYC process, please contact us for a demo.
It’s a phrase we’ve got used to hearing. An abundance of caution has proven to be an essential technique in the battle against the global Covid-19 pandemic. From masks to social distancing, from working from home to vaccines, the multitude of different ways we’ve learned to manage the risk of transmission has saved hundreds of thousands, if not millions of lives worldwide. It’s also a critical component when considering how to protect your business against financial crime and reputational damage – adopting a risk-based approach when on-boarding and screening clients.
Just like the pandemic, it is easy to manage risk when considering just your immediate surroundings and needs. Manual, one-off searching of databases and search engines can unearth red flags such as adverse media hits, sanctioned entities and political exposure. But what about managing the risk of entire client populations of millions? The difficulty in maintaining an abundance of caution becomes exponentially more difficult when manual searching and human review doesn’t scale.
Ripjar’s Labyrinth screening engine now enables global financial institutions and other large enterprises to understand and manage the risks associated with all of their clients – whether old or new. The sophisticated view provides the ability to make the right decisions at the right moment, alerting on new risks when they become known, not just when they are manually reviewed. Moving from a reactive to proactive management of these types of risk means compliance teams spend less time reviewing data and can ensure that vital information is not missed.
Combining data from millions of sources including premium news feeds, the web and commercial and public watchlists, Labyrinth uses advanced Natural Language Processing (NLP) and Machine Learning to automatically identify the warning signs and alert on client risk which analysts can then fully investigate.
Ripjar’s intelligence-grade technology provides more efficient and effective ways of detecting the hidden risk of financial crime, corruption, bribery, modern slavery and other predicate offenses that are essential to managing compliance and reputational issues. Our proprietary entity resolution technology’s market-leading accuracy reduces false positives and ensures that news data in dozens of global languages, scripts and other permutations are also automatically searched to create consistent and comprehensive risk management.
With the amount of online content and news data growing every day, on-boarding and monitoring clients may require an abundance of caution to manage the clear risks of financial crime and reputational damage, however with smart technology such as Labyrinth, that risk can be managed more easily, effectively and securely than ever before.
It’s not John, it’s James. In the US alone, it is estimated there are over 30,000 people who share the same name, James Smith. In Korea, almost 20% of the population – some 10 million people – share the same family name of Kim. The world is also home to over 150 million with the same given name – Mohamed. Cases of mistaken identity are common, particularly when searching over large volumes of data, but they needn’t be.
Centuries of tradition and culture have given us an eclectic mix of ways that we refer to one another. Names can reflect our familial ties, which generation we were born into, who our ancestors were, our clan, or may even indicate a union of two families. They are a part, not just of our heritage, but of our identity. This rich diversity however, was not intended for the information age, where electronic records, transactions and communications often require a global, unique and unambiguous identity to be resolved. IP addresses may work well to uniquely identify devices on the global internet, but humans still require something more… human.
The stakes are high. Almost all investigatory work, whether in law enforcement, counter terrorism or within the anti-money laundering (AML) and due diligence processes of a bank, require accurate ways of searching and discovering specific entities in large data sets. However, poor record keeping, missing or incomplete data and legacy matching-logic hamper these efforts. False positive matches – selecting the wrong entity – and worse, false negatives (where a critical search result is missed altogether) are abundant.
Entity resolution?
When searching large datasets for names or organisations, ‘entity resolution’ refers to data analytics that aim to uniquely resolve data – often across many different sources – to a real-world entity.
Any example makes clear the benefits of this. Our collection of James Smiths could be resolved by utilising other details in the data. Email addresses, dates of birth and postcodes are common attributes that help systems disambiguate or join the dots between multiple records about the same person such that results are returned for the specific individual and not their namesake. Companies suffer from the same ambiguity too – nearly three thousand companies are registered with UK Companies House starting with the word “Sigma”, but using amplifying information such as address, phone number, company registration date, or any other feature of the record helps entity resolution technology narrow down the data to ensure that decisions are made with only the desired, and not unintended effect.
Most importantly to regulators, the global programme of international sanctions enforced by the US, EU, UK and almost every other country relies on high quality entity resolution. When GRU officer Yuriy Sergeyevich Andrienko was charged in connection with worldwide crimes in cyberspace, his name was added to many international watchlists. However, this name may be rendered not only in the latin script above, but in its native form in the Cyrillic alphabet – Юрий Сергеевич Андриенко. It may be abbreviated, or re-ordered, or simply misspelled. So to ensure that the sanction is effectively implemented, that records are not missed and that other people with similar names are not inadvertently punished, large amounts of analysts’ time are spent ensuring that poor quality alerts are fully assessed.
Key Challenges for Entity Resolution
Entity resolution can be a powerful enabling technology that can underpin anti-money laundering and counter-terrorism programmes. In its most rudimentary form it has existed for many years with deep limitations. However, new technology such as artificial intelligence means it is an area that is rapidly evolving. We see five key challenges for data scientists to overcome to create more efficient and effective systems for countering money laundering and terrorism:
Joining automatically between structured and unstructured data – The power of entity resolution is limited when it is only able to process data from structured records such as client records, watchlists, spreadsheets and other data formatted for machines. However, perhaps more than 90% of the world’s data is unstructured, meaning vital insights may be missed. When searching for “James Smith”, modern entity resolution technology needs to ensure that data sources such as news articles, websites and other notes also included, linking names as they appear adverse news (articles about corruption, bribery, fraud, terrorism or any other predicate offence) for instance, with names as they appear on watchlists. Natural Language Processing (NLP) is a field of computing that allows the automated analysis of large amounts of text content. It increasingly makes use of machine learning to allow computers to understand the intricate patterns and subtle semantics of human language by learning from the seemingly limitless quantities of text found on the internet. NLP can make sense of unstructured data and extract entities across multiple languages and dialects, which is essential in order to identify and link records wherever they may appear.
Matching names in new ways – Not only are names not globally unique, there is also no standard way of rendering them. Thus, James Smith can be Jim Smith, J Smith, J M Smith, as well as a huge array of possible typos, transpositions, aliases, or renderings in different dialects, alphabets and scripts. Matching against “exact hit” names works when data quality is very high, but it means there are no alerts at all if names have even the slightest variation, increasing the chances of criminals slipping through the net. Similarly, so-called “fuzzy matching” which will alert if one or two characters are different, still cannot account for the sheer variety and array of cultural nuances in how names are rendered in different types of data. The solution is to use data to drive a new type of matching logic. Technology such as that developed by Ripjar uses observations from millions of names, deriving matching logic from how the name is used in real-world situations.
Relationship Linking – No person is an island, and the relationships that an entity has with others give important context to analysts and investigators. Entities may relate to one another in a familial sense (father, brother, mother), or in the context of a business (owner, shareholder, person of significant control), or their location or address. Identifying these relationships vastly increases the likelihood that the person being searched for is correctly selected by the system, but many legacy systems do not extract relationships from the variety of data needed to give a complete and accurate picture – especially unstructured data. Extracting relationships at scale allows vast “Knowledge Graphs” to be built which can dramatically improve decision making and Entity resolution, providing a way of quickly analysing many different questions, from a single joined-up picture of entities and how they relate to one another.
Security and Privacy – The power of entity resolution means it must be governed appropriately. Processing personal data and connecting records effectively means safeguarding the privacy and security of those customers who place their trust in the institutions that administer financial systems or government agencies. Entity resolution systems therefore must also become tightly integrated with wider audit and data governance strategies – if entity records from two distinct datasets or systems become linked through smart logic, then the resultant resolved entity must inherit the security regime of each dataset that contributed. This means policies at the national or international level can be adhered to at all times, without compromising the effectiveness of the data analytics.
Evolving Understanding of Identity – Real data is not just messy and incomplete, but it also evolves over time with new facts being added, or incorrect facts removed. Sometimes the addition or removal of a new strong identifying fact, for example a Social Security Number or a Passport Number can cause a new match to be made or, indeed, a previous match needing to be undone. To do this, entity resolution processes must store the history of matches and merges such that they can be undone in the light of new evidence which makes the previous assumption to be incorrect. Reconsidering the best possible match on seeing a new or updated piece of data also allows for the system to provide the same results regardless of the order that data is played into it. It is crucial that an entity resolution system is able to evolve to accommodate a changing landscape and correctly handle the uncertainty in the decisions it makes.
Conclusion
Entity Resolution is an essential capability in the fight against financial crime, fraud and terrorism. By improving the quality of the data that is used to make decisions such as enforcing international sanctions or alerting to possible corruption or fraud, it can dramatically improve the effectiveness and efficiency of human analysts and allow small teams to scale investigations to the demands of the modern information environment.
Combining recent work in entity resolution and NLP means that analysts can now see the complete picture across structured and unstructured data, and data-driven approaches to name matching covering transliterations, scripts and other real-world name variants can give 90% more accuracy than legacy “fuzzy matching” technology. Robust data privacy controls mean interconnected graphs of knowledge, resolving entities from all available data sources can be now built without compromising user privacy or data protection.
If you would like to know more about Ripjar’s approach and how we have helped global institutions roll out breakthrough innovations in entity resolution to support their counter-financial crime programmes, please download the whitepaper or get in touch with the team here.
