More complex and farther-reaching than ever before, supply chains make it possible for organisations to venture across borders, create new relationships, and launch new commercial ventures.
But supply chains are also more vulnerable than ever before. The more third parties that a firm integrates into its network, the more exposed it becomes to regulatory risk, including money laundering, terrorism financing, and sanctions evasion risk.
As the world’s largest economy, the United States has created a strict regulatory regime to counter the threat of global financial crime. Supply chain risk is an important part of that regime and firms that operate within US jurisdiction must factor that into their compliance solutions, including implementing effective adverse media screening measures.
However, in a regulatory environment as complicated and populous as the US, implementing effective adverse media screening isn’t always straightforward. In this post, we’re going to explore that challenge.
What is adverse media screening?
The term adverse media refers to any media that indicates compliance risk. Similarly, adverse media screening is the process of actively monitoring publicly available sources of risk data in order to accurately establish individual customers’ compliance risk.
By offering valuable enhancement to standard sanctions and watchlist screening, adverse media screening eables firms to uncover otherwise hidden risk.
Also known as “negative news screening”, adverse media screening should take in all relevant data sources, including traditional media such as print and television news, and online sources such as news websites, blogs, and social media platforms.
Adverse media screening is, essentially, a name matching process in which compliance teams search for their customers’ involvement in stories and other published content from across the global media landscape. With that in mind, adverse media screening solutions need to be able to account for both structured data, such as entries in lists and forms, and unstructured data, such as names that appear in sections of prose or in recorded audio and video files.
Screening solutions should also be capable of accounting for variations in language, such as different spellings, nicknames, aliases, initials, and so on.
Why is adverse media important for supply chain compliance?
An investigative news report, for example, may hint that sanctions against a specific person are in the works, prior to a later confirmation in a government press release, thereby enabling a firm to take prompt action to minimise or eliminate its risk exposure, and avoid regulatory penalties.
That utility extends to the supply chain, and to third-party screening requirements. While firms are typically used to managing the direct risk that their customers and clients present, third-party relationships up and down the supply chain can be much harder to scrutinise. Supply chains often hide their true compliance risk, especially if a network spans multiple parties, borders, regulatory environments, and so on.
The presence of bad actors within a third-party network adds even more complexity to the problem. Persons designated on sanctions lists, for example, may try to actively conceal their identities when dealing with business partners.
Adverse media screening in the US
US AML/CFT compliance regulations impose risk-based adverse media screening requirements. Although it’s not always an explicitly stated requirement, adverse media screening is typically a part of best practice recommendations, especially those relating to customer due diligence (CDD) and, for higher risk customers, enhanced due diligence (EDD).
Key adverse media screening considerations in the US include:
The Bank Secrecy Act (BSA): The cornerstone of AML/CFT regulation, the Bank Secrecy Act requires firms to implement risk-based compliance procedures, including monitoring for suspicious activity, which typically entails screening customers against adverse media.
The Customer Due Diligence Final Rule: A 2018 amendment to the BSA, the CDD Final Rule includes a requirement for “ongoing monitoring”, which (as mentioned previously) entails adverse media checks, even if they aren’t explicitly mandated.
The Financial Crimes Enforcement Network (FinCEN): The US’ primary financial regulator FinCEN also frames the requirement for adverse media screening as “ongoing monitoring” – a component of risk-based compliance with the BSA.
The Office of Foreign Assets Control (OFAC): Like FinCEN, OFAC does not impose an explicit requirement for adverse media screening, although it does require firms to conduct risk-based compliance when managing sanctions risk. With that in mind, adverse media screening is a best practice expectation.
The primary purpose of risk-based adverse media screening is to ensure that compliance teams get an up-to-date, accurate picture of their customers’ compliance risk. In the context of supply chain and third-party screening, and with the integration of automated search technology, there are numerous benefits.
Data management
Supply chain screening necessarily requires compliance teams to collect and analyse vast amounts of customer risk data, drawing on thousands of sources from across the globe. Automated screening solutions streamline and simplify that task, adding speed and accuracy to the name search process, accounting for structured and unstructured data, and reducing or even eliminating the potential for human data-handling error.
Language variations
Cross-border supply chain relationships often mean that compliance solutions need to screen data in multiple foreign languages. Screening technology can automate multi-language analysis requirements and account for regional variations in spelling, the use of nicknames and aliases, and the use of non-Latinate characters.
Real-time updates
Global supply chains and third-party networks are constantly evolving, with each new sanction or regulation introducing fresh compliance risks. Automated screening solutions mean that compliance teams can stay ahead of these changes, and be informed as soon as election results are announced, for example, or as soon as a relevant social media post is published.
Scalability
Business growth can also complicate supply chain risk exposure, especially when firms need to expand into new territories, and adjust for new compliance regimes. Automated third-party screening gives firms a way to scale their approach to screening along with their business ambitions, keeping pace with expanding risk exposure by simply augmenting the scope of their name search process to include new regulations, new customer populations, and so on.
More than compliance
For US companies, managing compliance risk is not just a question of avoiding financial penalties.
While regulators like FinCEN may punish firms for technical regulatory violations, members of the public may view association with unethical third parties just as negatively. That guilt by association may be applied even if the firm was not directly engaged with the offending entity and no regulatory violation took place. In a fast-moving and highly editorialised media landscape, the subsequent reputational fallout can be as (if not more) damaging than the government-imposed penalty.
To that end, robust supply chain screening solutions provide not only protection from regulatory punishment but valuable peace of mind that a firm is taking all possible steps to minimise risk and deliver on internal commitments to pursue ethical business practices.
Stronger, smarter screening with Ripjar
If your organisation is required to meet US supply chain screening requirements, it’s no longer enough to rely on manual adverse media processes – Google searches are both incredibly time-consuming and highly ineffective for this purpose. You need a comprehensive solution capable of capturing global risk, and delivering actionable financial intelligence in seconds.
Ripjar 3P60 is a next-generation screening platform designed to help compliance teams stay ahead of third-party and supply chain challenges. Leveraging advanced AI analytics to build flexibility and resilience into the screening process, Ripjar 3P60 cuts through the noise to identify regulatory and reputational risks from every direction as soon as they emerge, and ensure decision-makers have all the information they need to protect their businesses, and their reputation.
In Ripjar’s recent Compliance Masterclass, co-hosted with FINTRAIL – now available to watch on demand – a panel of industry experts from FINTRAIL, Ripjar, Wise and Nomura explored all stages of the sanctions screening process, providing insights, advice and best practice on how to make the most of your screening outcomes.Here’s a round-up of some of the key takeaways from the session.
The importance of accurate screening outputs
In today’s regulatory environment – where data on sanctioned parties, politically exposed persons and entities who may present a higher risk of financial crime is ever-expanding – screening plays a vital role in detecting bad actors.
However, financial institutions face a mounting challenge: how to effectively manage ever-increasing screening alert volumes to identify and act on genuine risks without getting buried in false positives. To create efficient screening outcomes, financial institutions need to rethink the end-to-end process: not only how screening alerts are generated, but how they are investigated and resolved.
Screening alerts alone don’t dictate what action should be taken for a specific customer or transaction. Rather, they serve as the entry point for further investigation. As noted by the Wolfsberg Group, “the generation of an alert is not, by itself, an indication of sanctions risk.”
Accurate and auditable screening outcomes are crucial for two reasons:
They allow you to detect potential financial crime risk and any resultant actions that need to be taken.
The allow you to further tune and calibrate your screening system to generate better and more precise screening alerts in future.
Implementing an end-to-end alert process
Regulators are increasingly scrutinising alert handling processes, demanding not just that alerts are generated, but that they are managed, investigated, and documented with precision and consistency.
The European Banking Authority, for example, recently established standards on how it expects firms to carry out screening alert reviews, and in the UK regulatory standards focus on proper record keeping of resolved alerts.
Regulatory expectations
The EBA’s guidance states that policies and procedures should include:
Steps for starting to investigate all alerts generated.
Rules for the documentation of any decision taken in respect of alerts.
Measures to investigate alerts, such as procedures to assess and deal with indeterminate cases.
Different levels of review to be carried out in line with risk, by implementing at least a review by two people in relation to higher risk situations.
In the UK, JMLSG Part III 4.102 notes how firms should review screening alerts, including:
The process should be documented in writing.
Firms should keep an appropriate audit trail about every likely match.
A record of who made the decision and on what grounds.
A screening alert on its own will not define the screening outcome. Analysis is needed to confirm whether the alert is a match, whether funds need to be frozen, if the customer relationship needs to be terminated, if the customer’s risk rating needs to be increased, or if law enforcement needs to be contacted.
Key to reviewing screening alerts is having consistent disposition and decision-making throughout the firm, no matter how big or small, in order to comply not only with regulatory requirements but also the firm’s risk appetite. This could be achieved through:
Categorising alerts as high, medium or low risk based on the type of alert (sanctions, PEP or adverse media) and the strength of the hit (exact match or a fuzzy match).
Adoption of decision trees to ensure investigators review alerts in the same manner.
Identifying and escalating higher risk alerts – for example a nexus to high risk countries or exposure to certain high-risk industries – for expert review.
The use of the “four eyes” principle to ensure that at least two independent reviewers assess high-risk cases.
Many firms use a tiered approach for alert review and decisioning, whereby an alert will pass through several layers of review. For example, whereas all screening alerts will be reviewed by ‘Level 1’, and may need to be escalated to ‘Level 2’ for additional confirmation, the final determination of whether or not an alert is a true match and presents a risk to the firm may not occur until it is escalated to and reviewed by senior stakeholders at ‘Level 3’.
Documenting each step of the alert review process is crucial, not just for good practice, but for demonstrating robust governance. ‘Level 3’ decision-makers must be able to review the analysis and investigation already conducted, ensuring decisions are well-informed, defensible to regulators, and easily auditable. Clear documentation also streamlines escalations, reduces duplication of effort, and strengthens the overall quality of financial crime risk management. Furthermore, a clear audit trail of resolved alerts may be relevant for regulatory follow up or reporting.
Setting screening systems up for outcome success
Screening outcomes typically fall into four buckets:
True Positive: Correct escalation of a real risk.
False Positive: Incorrectly raised alert, which is later de-escalated.
True Negative: Correct non-match.
False Negative: Missed match and therefore an undetected risk for the firm.
In an ideal world, firms will be able to clearly identify and focus on true positives while ignoring false positives which carry no true risk exposure and lead to extra and unnecessary work. At the same time, firms will want to ensure that true risks do not slip through screening undetected. However, that is not always the case, and financial institutions face a number of AML compliance challenges in this area. As sanctions lists in particular expand, firms face rising false positives while spending less time detecting genuine alerts.
Understanding the root of false positives is not a one-off exercise but an ongoing process. Firms should continuously analyse data from past alerts to identify common triggers, refine matching logic, and adjust their thresholds. Leveraging historical alert data in this way not only reduces noise but also improves the precision of screening systems, enabling investigators to focus on genuine risks. Using past alerts to support ongoing tuning of screening systems can be done in two different ways:
Examining false positives: By analysing which types of alerts consistently lead to false positives, firms can refine their matching algorithms, exclude irrelevant data sets from screening, or apply different rules to specific client segments and thereby develop more precise rules for alert generation.
Examining false negatives: “Below the line” testing – the process of examining unseen alerts below the matching threshold set by the firm – to better understand what systems might be missing and whether the firm missed any false negatives.
Finally, effective screening outcomes are fundamentally dependent on two components: screening the correct watchlist data against high-quality customer data. At a minimum, firms should screen against any watchlists that they are legally required to comply with (for example sanctions lists) and lists relevant to their jurisdiction (for example PEP lists and specific adverse media lists). At the same time, customer data should also be of a good quality and consistency to ensure efficient screening alerts are generated.
Screening outcomes and AI
AI offers powerful possibilities in screening by rapidly analysing screening alerts to detect patterns, identify high risk alerts, and support enhanced decision-making. For example:
Enrichment of alerts: AI can be used to pull out additional data points (such as location data or beneficial ownership data) to provide further context to a screening alert which would otherwise only contain limited information. This can aid investigators in arriving faster, and more efficiently, at screening decisions.
Identifying high risk alerts: AI can be used to score and identify higher risk alerts that should be prioritised for review, due to a combination of the strength of the screening alert, the list it is matching against and the potential regulatory consequences.
Dealing with false positives: In certain situations, AI can even be used to auto-close alerts that are clearly false positives. Firms should note that where AI is used to make decisions, regulators expect firms to be able to demonstrate full governance and oversight over the AI’s decision-making remit.
From alerts to action
As regulatory scrutiny increases on how firms are conducting screening, firms must consider not only how they are generating screening alerts but also how they are reviewing these alerts and arriving at the right screening outcomes.
In summary, here are three things firms should do to ensure their screening process is set up for outcome success:
Undertake ongoing testing and tuning to understand the root of false positives. Analyse data from past alerts to identify types of alerts consistently leading to false positives to refine matching algorithms and rules going forward.
Screen the correct data. Carefully select the watchlists to be screened against, and ensure that the customer data used for screening is of sufficient quality to generate relevant screening alerts.
Create documented procedures for alert review and escalation. Establish clear, written procedures for how alerts are reviewed and escalated (for example, through decision trees and prioritisation of high risk alerts), including who makes decisions and on what grounds.
The guidance focuses on facilitating access to formal financial services for unserved and underserved persons, including those in low-income groups, or groups that may struggle to verify their identities easily.
Commenting on the release of the guidance, FATF President Elisa De Anda Madrazo pointed out that inclusion doesn’t just help disadvantaged people gain access to legitimate financial services, but contributes to the global fight against financial crime because it “reduces the size of the black and informal markets where criminals and terrorists hide their operations.”
As national governments adopt the new guidance, firms may need to adjust their anti-money laundering (AML) and counter-financing of terrorism (CFT) solutions. With that in mind, let’s take a closer look at the issues and risks surrounding financial exclusion, and explore the key takeaways of the 2025 guidance for domestic compliance teams.
What is Financial Exclusion?
While AML/CFT measures are a critical part of the global fight against financial crime, if they’re applied too rigorously as part of a risk-based approach to compliance they can have unintended consequences – namely, excluding persons from the financial system unfairly.
The over-application of AML/CFT measures is known as de-risking and is typically a result of firms seeking to manage a high level of compliance risk. De-risking is more likely in high risk industries and regions, and can affect vast groups of people with no connection to criminal activity, especially if they are from underprivileged backgrounds where other risk factors, such as a lack of formal identification (driving licences, passports, etc.), create additional barriers to financial services.
Why is Financial Exclusion a Compliance Issue?
Financial exclusion is often unfair, but it can also be harmful because it can actually increase the risk of financial crime, rather than reducing it. People who are excluded from the financial system are left with no choice but to use unregulated alternatives, either turning to black markets, or engaging in crime themselves and attempting to launder the proceeds.
These alternatives are, by definition, harder to monitor, and support wider criminal networks, not to mention ultimately adding to the AML/CFT compliance burden that firms face.
That’s why the new guidance from the FATF is so valuable. By turning a new regulatory focus on financial inclusion, firms can, in theory, bring more people into the legitimate financial system without compromising the integrity of AML/CFT controls.
The Key Takeaways
So, how does the new FATF guidance achieve its financial inclusion objectives? Let’s explore the key takeaways.
Proportional AML/CFT Measures
The FATF recommends that firms take a risk-based approach to AML/CFT compliance. Under previous guidance, that approach entailed a “commensurate” response to risk. Under the 2025 guidance, that term has been updated to “proportionate”.
The change reflects the need for countries to avoid imposing a uniform “one size fits all” AML/CFT regime on obligated entities. Under the proportionate risk-based response, firms have the flexibility to adjust their compliance solutions to match the “level and nature” of the risk they face, rather than simply excluding customers immediately.
Digital Onboarding Legitimacy
The guidance highlights the legitimacy of digital and non-face-to-face onboarding methods for financial services, providing that appropriate safeguarding measures are in place, and that the level of risk is manageable. The option of conducting digital and non-face-to-face onboarding makes it easier for some customers to open bank accounts where travel or other issues relating to physical distance might represent a barrier.
Automatic Risk Classification
The FATF guidance states that financial institutions should not automatically classify unserved and underserved persons as presenting a low AML/CFT risk, but points out that “risk assessments often conclude that they present a lower risk.”
It goes on to stress that financial inclusion initiatives must be predicated on the proper application of the risk-based approach, including an effective risk assessment process with “enhanced measures for higher risk” and “simplified measures for lower risk.”
De-risking Sectors and Populations
The guidance emphasises that the FATF has “long recognised the harmful impact” of de-risking, and that the practice is “not in line” with the risk-based approach that it mandates. It specifically warns against the “wholesale cutting loose of entire classes of customers” without properly taking their risk into account – in other words, applying appropriate risk mitigation measures on the level of individual customers.
Financial Inclusion Goals
The FATF recommends that governments formally incorporate financial inclusion goals into their National Risk Assessments (NRAs).
While it recognises that there is “no single or universal methodology” for conducting an AML/CFT risk assessment, the FATF suggests that NRAs should set out key concepts and stages involved in the process, in order to support “effective, proportionate implementation”. It also emphasises that NRAs should be coordinated at a national level, and be “comprehensive in scope”.
Financial Inclusion with Ripjar One
The FATF guidance suggests firms should reframe financial inclusion as an important part of their risk management strategies. However, in order to achieve better compliance outcomes for unserved or underserved customers, compliance teams need to be able to collect and analyse vast amounts of risk data accurately and efficiently, and make decisions with confidence.
Ripjar One is designed to address that challenge. Powered by cutting-edge artificial intelligence, Ripjar One is a next-generation AML risk management platform that creates a comprehensive view of customer risk, consolidating static and dynamic risk data from thousands of sources, including sanctions lists and watchlists, adverse media, and more.
The European Banking Authority (EBA) released new guidelines on sanctions screening in November 2024. Scheduled to come into effect across the EU on 30 December 2025, the guidelines set out the regulator’s expectations for how financial institutions (FIs) should implement governance, policies, procedures, and controls for their sanctions screening solutions.
With less than 6 months left before the new compliance requirements come into effect, it’s critical that obligated entities prepare, by reviewing and uplifting existing screening measures or developing new measures. In this post, we’ll explore that process in more detail.
What are the EBA guidelines?
The EBA’s November 2024 guidelines actually comprise two sets of guidelines, and apply in the following ways.
1) Guidelines for All Financial Institutions (EBA/GL/2024/14)
The first set of guidelines concern all FIs in the EU; banks, credit institutions, investment firms, and so on. The guidelines specifically focus on governance and risk management systems for sanctions compliance, and require FIs to:
Implement and maintain up-to-date sanctions compliance policies, procedures, and controls.
Establish a clear, well-defined governance structure and allocate responsibility (including to senior management) for sanctions compliance.
Conduct a sanctions risk exposure assessment to inform decisions on the controls and procedures necessary to establish effective sanctions compliance controls. The EBA has stated that this assessment should “be based on a sufficiently diverse range of information sources”.
Implement regular training programmes to ensure compliance teams are able to identify, assess, and manage sanctions compliance risk.
2) Guidelines for PSPs and CASPs (EBA/GL/2024/15)
The second set of guidelines concern payment service providers (PSPs) and crypto-asset service providers (CASPs). They focus on bringing these FIs under the scope of existing sanctions compliance regulations when handling specific types of transactions, including transactions involving crypto-assets. The guidelines require PSPs and CASPs to:
Choose and implement reliable sanctions screening solutions, and test their reliability regularly.
Define the dataset that they will be screening against the EU sanctions list and, where relevant, national restrictive measures.
Ensure that their sanctions screening measures are capable of verifying designated names on sanctions lists, managing the inherent risks involved in the screening process, and addressing the risk that customers engage in sanctions evasion strategies.
Preparing Your Screening Solution for Compliance
With the implementation date now on the horizon, it’s time for FIs to prepare their compliance teams, and adjust their screening solutions.
Here are the key stages in that process.
1. Align policies and procedures
Conduct a gap analysis to determine how your existing sanctions screening framework measures up against the EBA guidelines. Focus on identifying weaknesses in governance, technology, training, and documentation.
2. Update investigative steps
Following any updates to your screening policies and procedures, codify the steps your compliance team will take when investigating sanctions alerts. For example, set thresholds for escalating sanctions name matches, and define responsibilities within the compliance team.
3. Documentation of compliance process
Ensure your compliance process is fully documented, with an option to log the reasons for compliance decisions in a centralised and secure location. Your compliance documentation may be critical to subsequent investigations by law enforcement agencies, and so your decisions, and the information on which they were based, must be explainable and readily available for audit.
4. Invest in technology
For most FIs, manual screening methods will not be capable of meeting the EBA’s screening requirements. In order to achieve compliance, FIs should invest in screening technology capable of searching thousands of global sanctions lists and watchlists, along with other critical risk data sources such as adverse media stories, beneficial ownership lists, and politically exposed persons (PEP) lists.
Given the scope of the new screening obligations, many firms will find value in AI-powered screening tools capable of advanced analysis of huge volumes of unstructured data, and of making connections between risk data points that human compliance teams and manual tools might miss.
5. Train people and test processes
Your screening technology is only as good as the human compliance experts managing it. Develop a training schedule to familiarise compliance team members with new screening policies and procedures, and new screening technology integrations. Similarly, perform regular testing to identify weak spots in the new compliance process.
6. Risk-based review
Implement different levels of review for higher-risk sanctions alerts, such as those involving high-risk jurisdictions. While a sanctions list check may be sufficient for routine transactions, higher risk alerts may warrant enhanced due diligence, including supply chain risk screening and global adverse media searches.
Stay Ahead of Sanctions Risk with Ripjar One
With the EBA’s new sanctions screening guidelines imminent, it’s up to you to make sure your team is ready, by putting the right people, the right policies, and the right tools in place.
Powered by next-generation AI, Ripjar One is designed to help FIs manage that challenge, and take on an increasingly complex sanctions landscape.
Consolidating static and dynamic risk data seamlessly, including sanctions lists, adverse media, beneficial ownership registers, and transaction alerts, Ripjar One is a comprehensive screening solution that empowers compliance teams to make faster, stronger compliance decisions, identify risks more effectively, and optimise compliance outcomes for both their businesses and their customers.
The proliferation of weapons of mass destruction (WMDs) is one of the critical security issues of the 21st century. With geopolitical tensions rising, the business community must play its part in preventing terrorist and criminal organisations not only acquiring these types of weapons, but facilitating their movement around the world.
In this climate, spotting potential proliferation financing activity is a compliance priority. This means that firms must understand the relevant regulations, and adjust their screening solutions to account for risk exposure.
What is Proliferation Financing?
Proliferation financing (PF) is the act of providing funds that support the movement of WMDs, including nuclear, chemical, and biological weapons, around the world.
Given the elevated global risk of terrorist attacks, and the challenges involved in detecting financial crimes, governments have placed regulatory obligations on businesses, and particularly on financial services firms, to help combat PF and target its sources.
PF shares characteristics with other financial crimes, specifically money laundering and the financing of terrorism, and so may be detectable via existing screening measures. Persons involved are often designated on sanctions lists, for example, or may attempt to conceal their transactions via shell companies and corporate infrastructure.
In other contexts, however, it is harder to detect PF because related transactions and activities do not necessarily share the same red flag indicators of criminality. For example, criminals may seek to bypass regulations and screening measures by transporting only legal component parts of WMDs, or by transporting “dual use” materials that may be repurposed for the construction of WMDs by end users.
The risk of PF goes beyond persons directly paying for the transport of WMDs, and extends to persons that may be providing services unknowingly. On the other hand, persons that are knowingly involved in PF often employ sophisticated evasion tactics to evade screening measures. In some cases, heavily sanctioned governments may engage in PF activity, and use state apparatus to do so.
High Risk Countries
Certain countries represent a higher PF risk than others, these include:
North Korea: The government of North Korea is actively pursuing a nuclear weapons programme and has demonstrated a willingness to attempt to evade sanctions.
Russia: Heavily sanctioned by multiple countries since the invasion of Ukraine in 2022, Russia is attempting to evade restrictions by importing dual use materials for use in military weapons technology.
Iran: The government of Iran has demonstrated an ongoing desire to develop a nuclear weapons programme.
China: China has demonstrated a desire to expand its own nuclear arsenal, and has facilitated other countries’ evasion of sanctions, including North Korea and Russia.
Syria: Under its previous government, Syria was known to have deployed chemical weapons, and financed its acquisition of WMDs via the sale of oil and petrochemicals.
Global Regulatory Response
Governments around the world are increasingly framing PF as a serious criminal risk, however, other than designation in sanctions programmes, dedicated PF regulations lag behind those applicable to similar financial crimes, such as money laundering and terrorist financing.
In light of the FATF’s strengthened focus on PF, the United Kingdom has led the international community in taking regulatory action. In 2021, for example, the UK government conducted its first National Risk Assessment of Proliferation Financing (NRAPF). Given the UK’s status as an international financial hub, the NRAPF suggested that the UK government put regulatory measures in place to address PF risk.
Accordingly, in 2022, the UK government amended the Money Laundering and Terrorist Financing Act to introduce new PF identification and risk screen requirements. The UK has also applied strict liability to sanctions breaches, meaning that penalties may be applied regardless of knowledge or intent behind the violation.
Firms that break PF rules and regulations face serious financial and even criminal consequences.
In the UK, for example, under the Money Laundering Act, the Office of Financial Sanctions Implementation (OFSI) has the authority to impose unlimited fines, and prison sentences of up to 7 years for PF rules breaches. Those penalties may be imposed in addition to existing sanctions rules, under which OFSI can fine companies up to £1 million, or 50% of the value of the offending transaction (whichever is greater), and name and shame companies publicly.
Regulatory Risk to Financial Institutions
Banks and financial services organisations are on the front line in the fight against PF, and may be exposed to compliance risk in numerous ways. Key examples of PF risk include:
Layered transactions: Persons designated on sanctions lists may route transactions through multiple accounts in order to obscure their origin and evade screening measures.
Dual use materials: Companies trading in dual use materials, particularly technology such as aerospace components or microelectronics, pose an elevated PF risk.
Shell companies: Criminals may attempt to use shell companies or complex corporate infrastructure to obscure the origin and destination of PF-related transactions.
Missing or incorrect transaction details: Criminals may intentionally withhold or misspell PF-related transaction details in order to evade AML/CFT scrutiny.
High risk countries: Transactions that involve parties in high risk AML/CFT territories (such as those listed above) carry an elevated PF risk.
Cryptocurrency: The anonymity of cryptocurrency transactions puts them at a higher risk of involvement in PF activity.
Third Party Risk
PF activity typically involves firms’ relationships with third party organisations, such as shipping and transportation companies. With that in mind, PF compliance screening should go beyond a singular focus on companies in the financial sector, and include relationships up and down the supply chain.
That means screening measures should account for the complexity of supply chains, and the potential for regulatory disparity across international borders. Key third party and supply chain risk factors include:
Persons designated on global sanctions lists.
Companies trading in dual use materials.
Suppliers operating in high risk industries, such as shipping.
Suppliers operating in high risk jurisdictions.
Persons designated on politically exposed persons (PEP) lists.
While third party risk factors may not necessarily result in direct regulatory violations, firms that are revealed to have relationships with third parties that are exposed as being involved in PF often incur reputational damage.
Implementing a Proliferation Financing Risk Management Strategy
The scale and complexity of PF risk means that firms should carefully consider their compliance posture, and, ideally, integrate an AML/CFT screening solution to help them manage their threat environment.
An effective PF risk management strategy should involve the following measures and controls:
Screening during onboarding
Firms should establish new clients’ PF risk levels as quickly and as accurately as possible. This means conducting robust customer due diligence (CDD), and applying suitable screening measures during onboarding, with a focus on sanctions designation, and designation on PEP lists. The screening process should be global in scope, which means searches should be conducted in multiple languages, and include scrutiny of other critical risk indicators, such as adverse media stories.
Beneficial ownership
As part of the due diligence process, firms should aim to establish the beneficial ownership of client companies in order to account for the possible misuse of shell companies or complex corporate structures as a means to disguise PF activity.
Continuous monitoring
Following onboarding, firms should continuously monitor their clients for PF risk in order to account for changes to risk profiles over time. This means maintaining a regular screening schedule with a focus on updates to sanctions lists, suspicious transaction patterns, changes in company ownership, and emerging adverse media stories.
Risk scoring and segmentation
PF screening should be risk-based. With that in mind, firms should seek to establish a risk scoring system to enhance their risk assessment process, with higher scores applied to higher risk jurisdictions, industries, and transactions, or to persons designated as PEPs. Similarly, audience segmentation – the process of grouping audiences by risk characteristics – can help compliance teams conduct risk assessments more efficiently.
Sanctions and watchlists
Effective sanctions and watchlist screening is a critical component of PF compliance. Firms must implement sanctions solutions that capture domestic and international sanctions designations, and listings on the relevant watchlists.
Adverse media
Changes to a client’s risk profile may be revealed by the media before they are confirmed officially. With that in mind, PF screening should include automated adverse media searches, in multiple languages, and with sufficient scope to capture third party risk.
Going Beyond the List
Given the global scale of PF, it’s critical that compliance solutions “go beyond the list”, which means going further than simple sanctions and watchlist name searches, and instead building out the most complete risk profile possible for each client.
That means leaving manual screening processes behind and, instead, implementing automated AML/CFT screening tools with powerful name search and identity matching capabilities. The tools that you choose should be able to screen against thousands of data sources, in multiple languages, while accounting for sanctions evasion tactics, disparities in spelling and naming, and the possibility of PF risk emerging from third party relationships and PF-adjacent activities. With those factors in mind, and the need to manage vast amounts of customer screening data, it’s worth leaning into the efficiency benefits of AI-enhanced search technology, which can not only boost the accuracy of PF screening results, and reduce false positives, but support stronger compliance decision-making.
The UK’s sanctions landscape has evolved dramatically since 2022, primarily in response to Russia’s invasion of Ukraine. During that time, the Office of Financial Sanctions Implementation (OFSI) has worked to ensure the UK government’s sanctions against Russia are enforced effectively, and that entities within the UK understand their compliance responsibilities.
With the UK’s Russia sanctions programme ongoing, in February 2025, OFSI released its Financial Services Threat Assessment. The report is intended to help UK firms deal with the changing global sanctions landscape, and, in particular, with the complexity of the restrictions against Vladmir Putin’s regime. To that end, the Threat Assessment focuses on the risks associated with Russia sanctions violations, including the need to accurately identify designated persons (DPs), the enablers of sanctions violations, the use of alternative payment methods to avoid restrictions, and failures in internal compliance solutions.
The report serves as an essential resource for all UK-based financial services firms, which should now review their compliance solutions in order to ensure alignment.
To help you navigate your UK sanctions obligations, we’ve put together a list of key takeaways from the report.
Key OFSI Takeaways for Financial Services
Failure to self-disclose
OFSI monitors suspected breaches of UK sanctions rules on a sectoral basis, and suggests that, while most reports are self-disclosed by financial institutions in a timely manner, the standard varies across different sectors and across the UK’s various sanctions regimes.
The report reveals that OFSI observed breaches that did not lead to self-disclosure by “some” UK financial services firms and non-bank payment service providers (NBPSPs). OFSI’s assessment implies a regulatory risk for firms that are not being fully transparent or rigorous in executing their sanctions compliance obligations.
Enablement activity
OFSI suggests that it is “almost certain” Russian designated persons (DPs) are using both professional and non-professional enablers to help them breach UK sanctions, and that activity has “significantly increased” since 2023.
OFSI defines non-professional enablers as individuals or entities that act on behalf of DPs to breach sanctions. These enablers have “close personal ties” to DPs and may include family members, spouses and ex spouses, and professional associates.
The report classifies three types of enabler activity:
Making payments to maintain the lifestyle or assets of DPs.
Fronting on behalf of a DP to claim ownership of frozen assets.
Money laundering to provide DPs with liquidity.
The Threat Assessment adds that Russian DPs are using “increasingly sophisticated methods” to breach sanctions, and that banks and financial institutions are in particularly advantageous positions to spot this kind of activity and report it to the authorities.
Compliance teams can address enabler activity by monitoring any new movement of assets and applying enhanced due diligence to the persons involved.
Fronting risks
The report suggests that it is “likely” that “a small number of enablers” have engaged in fronting activities on behalf of Russian DPs.
Fronting is defined as the act of professional enablers coming forward to claim ownership of assets that have been frozen under UK sanctions rules. The enablers typically target frozen assets that have unclear ownership – such as those associated with insolvency and complex corporate structures (shell companies), or situations in which significant liquidity is involved.
Enablers engaged in fronting present themselves as legitimate business persons, and often have links to DPs which they seek to conceal. These links are not necessarily obvious and may involve previous employment with a DP, or past membership of a shared community.
OFSI sets out a number of red flag indicators of fronting activity, which include:
Individuals with limited public profiles and little relevant experience to the professional roles they hold.
Inconsistent spellings of names – particularly those derived from Cyrillic.
Recent changes of name.
Recently-acquired non-Russian citizenships.
Maintenance payments
The Threat Assessment suggests that it is “highly likely” that enablers have used NBPSPs to help Russian DPs maintain their lifestyle and assets in the UK – in violation of sanctions restrictions. Maintenance activity involves payments that relate, for example, to DPs’ superyachts, personal security services, school fees, concierge services, and high value goods.
Enablers involved in maintenance payments “are typically small companies” engaged in services for “ultra-high-net-worth lifestyles”, and have relationships with the DPs which predate their designation on the UK sanctions list. Maintenance payments may also be made by DPs’ family members and close associates.
The report points out that financial services firms are, again, well placed to spot maintenance payment activity, which often leverages multiple payment methods, including cash and cryptocurrencies. OFSI has set out a number of red flags for maintenance activities, including:
Regular payments previously made by a DP now made by a new individual.
Family members and close associates of DPs receiving significant funds without adequate explanation.
Frequent payments between entities controlled by a DP.
Individuals attempting to deposit large sums of cash without adequate explanation.
Family members and close associates of DPs engaging in cryptocurrency transactions.
Next Steps: Strengthening Russia Sanctions Compliance
In the wake of OFSI’s Threat Assessment report, compliance teams should take the following steps:
Strengthen due diligence: Financial institutions should ensure they establish and verify the identities of their customers by performing adequate customer due diligence. In addition to collecting identity documents, firms should seek to scrutinize assets ownership and beneficial ownership, complex corporate structures, and cashflow sources.
Improve screening and monitoring: Financial institutions should review their sanctions screening solutions to ensure they are capable of capturing Russia sanctions risk effectively. In practice, this means integrating an automated screening solution, with global scope, and multi-language name search capabilities.
Proactive self-reporting: Given OFSI’s focus on failure to self-disclose, financial institutions must review their sanctions breach reporting process.
Russia Sanctions Screening Advantages
Russia sanctions are only a component of an evolving global landscape, which hosts thousands of potential threat vectors. In this environment, UK banks and financial institutions must remain agile and adaptable, without compromising the rigorousness of their sanctions screening capabilities.
With that in mind, automated screening technology should be a critical part of any sanctions compliance solution. Automated screening tools not only add speed and accuracy to sanctions list name searches, but reduce the potential for costly human error, and enable organisations to scale their response to their unique needs.
Screening tools enable organisations to search thousands of global sanctions lists and watchlists in seconds, along with other indicators of risk such as adverse media stories that can reveal changes in customer risk profiles long before official designation. Screening technology may also leverage artificial intelligence tools, to help compliance teams work with vast amounts of data, eliminate false positive alerts, generate meaningful intelligence, and ultimately, make stronger, faster decisions.
Although still in the early days of his administration, President Donald Trump has introduced significant changes to US sanctions policy, with consequences for firms operating in the US and around the world.
During his previous term, sanctions were a cornerstone of President Trump’s foreign policy, and were often applied quickly and unpredictably in order to achieve administration objectives. With that in mind, in 2025, it’s critical that obligated entities implement screening solutions capable of not only delivering robust compliance, but adapting to a potentially-volatile sanctions risk landscape.
If you have US sanctions compliance concerns, now is the time to review your risk environment and screening mechanisms. To help you get to grips with that burden, here are the latest key changes to US sanctions policy that risk leaders should be aware of:
1. Intensified Sanctions On Iran
On 6 February, 2025, the US Treasury announced that it would be “restoring maximum pressure” on Iran by imposing new economic sanctions on the Iranian oil industry. The latest restrictions target an international network of shipping tankers that transport oil from Iran to countries like China, with the proceeds used by the Iranian government to fund the development of nuclear weapons.
Since the sanctions designations include firms operating in locations around the world, including India and the UAE, it’s critical that compliance teams recalibrate their screening tools to account for the broadened scope of the program.
2. Reversal of Cuba Sanctions Relief
On 14 January 2025, President Joe Biden removed Cuba from the US’ list of state-sponsors of terrorism. However, on 20 January 2025, hours after taking office, President Trump revoked that decision.
Cuba is already subject to robust sanctions measures under existing US policy, but by reinstating Cuba on the state sponsor of terrorism list, the Trump administration has blocked US citizens and entities from doing business with certain Cuban entities that would otherwise have been relieved. Examples of the reinstated restrictions include licensing requirements for technology exports that could be used by the Cuban military, and the requirement for the US to oppose loans to Cuba by the World Bank.
3. Dissolution of Russian Oligarch Sanctions Task Force
Under the Biden administration, in response to the invasion of Ukraine, the US Treasury assembled a task force to enforce sanctions against Russian oligarchs. On 6 February, President Trump disbanded that task force, signalling that the Treasury would be shifting its focus to combatting Mexican drug cartels and international criminal gangs operating in the US.
The US Justice Department will continue to prosecute cases currently in motion against Russian oligarchs but the change will see the number of new Russian targets drop significantly. The shift to Mexico and international gangs also suggests that the Justice Department will lean more heavily on the Foreign Corrupt Practices Act as a means to prosecute bribery investigations.
4. Tariffs on Canada, Mexico, and China
The Trump administration recently imposed new 25% tariffs against imports from Canada and Mexico, and an additional 10% tariff on imports from China, citing concerns about imbalances in the US’ trade relationships with those countries. In response, Canada announced that it was imposing a retaliatory 25% tariff against the US, while Mexico and China also indicated they would also be responding in kind.
The imposition of tariffs typically has indirect effects on supply chains, necessarily changing the risk profile of parties involved in a trading relationship. That change may require US firms to adjust their screening solutions going forward, with an emphasis on supply chain and third party risk.
Tariff update: On 4 February, President Trump announced that the US was “pausing” the introduction of tariffs against Canada and Mexico – as a result of productive discussions. He indicated that tariffs against China would remain in place.
5. Potential ICC Sanctions
On 6 February, President Trump announced that he was imposing sanctions against persons supporting International Criminal Court (ICC) investigations into US citizens, and into allies of the US. The sanctions represent a retaliation against recent arrest warrants issued by the ICC against Israeli Prime Minister Benjamin Netanyahu.
The list of US ICC sanctions designations has not been made public. However, the restrictions include a ban on travel to the US, and possible asset freezes, and extend to family members and close associates of the targets.
US ICC sanctions will impose new screening obligations on obligated firms, but will likely have further consequences, not least on international legal cooperation agreements. With that in mind, firms must monitor ICC sanctions developments carefully and be ready to react if new retaliatory measures are forthcoming.
Stay Ahead of Sanctions Risk in 2025
The Trump administration has assumed an aggressive and dynamic sanctions posture in its first few weeks, and it’s likely that further changes are on the horizon in 2025. The best way to manage sanctions risk, especially in a volatile environment like the US, is to gather as much risk data as possible, and lean into the possibilities of software automation in order to make sense of it.
Beyond the speed, efficiency, and accuracy, sanctions screening technology offers valuable flexibility for firms working to ease compliance pressure. Screening technology enables compliance teams to search thousands of sanctions data sources, including global watchlists and adverse media stories, and generate actionable intelligence in seconds. Don’t let the evolving US sanctions landscape outpace your screening capabilities, explore your automation options to stay ahead of the regulatory curve.
The Anti-Money Laundering Act 2020 (AMLA) is a cornerstone of US financial crime legislation. Setting out numerous corporate rules and obligations, the Act affects all US banks and financial institutions, and requires CFOs, and their teams, to think carefully about their day-to-day compliance duties.
In this post, we’re going to explore AMLA’s key regulatory details and compliance implications, and examine incoming regulatory activity that might affect your AMLA compliance posture.
What is AMLA?
Passed by the US Senate in 2020, AMLA came into effect on 1 January 2021 under the National Defence Authorisation Act.
Representing the most significant reform of US anti-money laundering (AML) rules since the Patriot Act in 2001, AMLA introduced significant regulatory changes. The Act was part of an effort to modernise the US’ AML infrastructure to account for advances in financial technology, and increasingly sophisticated criminal methodologies.
AMLA broadly expanded the authority of federal regulators, including the US Treasury’s Financial Crimes Enforcement Network (FinCEN), with new investigative powers. With that in mind, AMLA’s key AML/CFT provisions include:
Beneficial ownership: Expanded beneficial ownership disclosure requirements for smaller firms, with 20 employees or fewer. The requirements are designed to address the misuse of shell companies to conceal illegal financial activity.
Politically exposed persons: Expanded requirements for preventing politically exposed persons (PEPs) from misrepresenting the source of funds when dealing with US firms.
Non-traditional financial institutions: Expansion of Bank Secrecy Act (BSA) compliance requirements to certain non-traditional financial institutions, including those dealing with virtual currencies, such as cryptocurrency exchanges.
Criminal and financial penalties: New penalties for violations of money laundering rules, including prison sentences of up to 10 years, and fines of up to $1 million.
Expanded penalties: Increased financial penalties for violations of existing money laundering regulations – set out in the BSA and Patriot Act.
Whistleblowers: Enhanced protections and rewards for whistleblowers that expose violations of money laundering regulations.
International money laundering: Expanded powers for US law enforcement agencies to investigate foreign entities suspected of money laundering. The provision includes new US Treasury subpoena powers.
Information sharing: New information sharing rules for US entities with foreign subsidiaries and affiliates.
AMLA Compliance Priorities
Given the increased penalties imposed by AMLA, it’s critical that firms in the US understand how to comply with the regulations, and are able to adjust their compliance posture to account for emerging risks.
Key priorities for compliance with AMLA include:
Customer due diligence: AMLA’s focus on beneficial ownership (along with existing BSA requirements), means that firms must be able to verify customer identities through robust customer due diligence (CDD) and, where necessary, enhanced due diligence (EDD). While customer identities may be verified via official documentation such as passports or driving licenses, firms must also affirm beneficial ownership, which involves capturing shareholder information, incorporation dates, operating locations, and so on.
Screening: To account for increased customer risk, firms should review their AML/CFT screening capabilities. AMLA’s focus on non-traditional financial institutions, PEPs, beneficial ownership, and foreign money laundering may require firms to take a different approach to risk screening in order to capture emerging risks.
Compliance automation: The sheer volume of risk data that firms must consider as part of their AMLA obligations means that compliance teams should seek to integrate automated solutions wherever possible. Automated screening tools, for example, can search thousands of global news stories and deliver actionable financial intelligence in seconds – a level of efficiency that would be impossible in a manual search process.
Recent AMLA Developments
The US government continues to adjust the regulatory detail of AMLA in order to account for changes in the domestic and global risk landscapes.
The Corporate Transparency Act: The Corporate Transparency Act (CTA) was passed on 1 January 2024, strengthening AMLA’s beneficial ownership provisions. As part of the CTA, “reporting companies” have to submit company details, including owners’ personal information, to a FinCEN beneficial ownership database. In December 2024, several courts, including the US 5th Circuit Court of Appeals, blocked the implementation of the CTA nationwide. The US Supreme Court subsequently overturned the 5th Circuit decision but as of 1 February 2025, CTA enforcement remains blocked as a result of an earlier decision by a court in Texas.
Proposed Rule: In July 2024, FinCEN put forward a ‘proposed rule’ to strengthen certain AMLA provisions. The rule emphasises that compliance solutions need to be “effective, risk-based, and reasonably designed”, in order to help firms become more responsive to the specific challenges of their risk environment.
Fintech innovation: FinCEN has continued to encourage US firms to explore technological solutions to AML/CFT challenges through ‘the promotion of responsible financial service innovation,’ in alignment with AMLA’s broader objectives. For example, innovations such as AI-supported analytics, may help firms enhance their screening processes and reduce false positive alert rates.
Screening Advantages
In an evolving regulatory environment like the US, firms must be capable of managing existing risks while anticipating future challenges. With that in mind, automated screening solutions represent the best way of keeping pace with AMLA requirements.
Merging human expertise with advanced data collection and analysis, screening technology provides critical visibility of the risk landscape which, in turn, facilitates stronger, more informed compliance decision-making. Even better, automated screening solutions ensure compliance teams stay agile, adapting quickly to incoming AMLA amendments, while managing evolving money laundering methodologies.
Around $300 billion is laundered in the United States every year, a trend which undermines the integrity of both the US and global economies, and perpetuates ongoing criminal enterprises. To address that threat, the US government has passed strict financial regulations, and established the Financial Crimes Enforcement Network (FinCEN) as the country’s primary financial regulator.
In this post, we’re going to explore the regulatory function of FinCEN, and some of the key regulations that it is responsible for enforcing.
What is FinCEN?
FinCEN provides regulatory oversight for banks and financial institutions operating in the US.
Established in 1990, FinCEN is a bureau of the US Department of the Treasury, and is headquartered in Virginia. FinCEN’s stated mission is to “safeguard the financial system from illicit activity, counter money laundering and the financing of terrorism, and promote national security through strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence.”
FinCEN’s Role and Responsibilities
In order to fulfil its mission, FinCEN works to enforce US financial regulations by monitoring financial institutions, and collecting and analysing financial data for indications of criminal activity. It also works with other government departments, law enforcement authorities, and foreign counterparts to combat domestic and international financial crime.
In its supervisory role, FinCEN’s day-to-day duties include:
Monitoring corporate compliance with US financial regulations, such as the Bank Secrecy Act.
Collecting and analysing data and financial reports from US financial institutions.
Analysing financial intelligence, including trends and patterns, that might indicate criminal activity.
Enforcement of regulatory noncompliance penalties.
Assisting law enforcement agencies with financial investigations.
Providing compliance guidance and other educational materials to US banks and financial institutions.
Liaising with foreign counterparts and international regulators, such as the Financial Action Task Force (FATF), in the global fight against financial crime.
Key US Financial Regulations
FinCEN is responsible for supervising compliance with the US’ financial regulations, including the following key articles of legislation:
The Bank Secrecy Act
The Bank Secrecy Act (BSA) is the US’ primary article of anti-money laundering (AML) legislation. Introduced in 1970, the BSA imposes a range of AML compliance requirements on banks and financial institutions, including the implementation of customer screening, and financial reporting and record-keeping measures.
The Patriot Act
Passed in 2001 in the wake of the September 11 terror attacks, the Patriot Act is a counter-financing of terrorism (CFT) regulation, and an amendment to the BSA. The Patriot Act gives US law enforcement agencies powers to investigate financial crimes, in addition to those conferred by the BSA. Notably, the Patriot Act imposes customer due diligence (CDD) and screening obligations on financial institutions, with an emphasis on cross-border payments and business relationships.
The Anti-Money Laundering Act
When it came into effect in 2021, the Anti-Money Laundering Act (AMLA) represented the most significant reform of the US AML/CFT legislation since the Patriot Act. AMLA was introduced to address the risks posed by new technologies and criminal methodologies, but also set out increased penalties for money laundering, new protections for corporate whistleblowers, new beneficial ownership rules, and expanded international information sharing rules.
Optimising FinCEN Compliance
FinCEN applies the international AML/CFT compliance recommendations set out by the Financial Action Task Force. Following that standard, US firms must implement risk-based compliance solutions, performing risk assessments of their customers and deploying proportionate compliance responses to that risk.
Risk-based compliance solutions should involve the following measures and controls:
Customer identification: Firms must perform customer due diligence in order to identify their customers, and the beneficial owners of customer-entities.
Transaction screening: Firms should screen customer transactions for indications of criminal activity. Those indicators include unusual transaction patterns and transaction amounts, and transactions that involve high risk counterparties.
Adverse media screening: Since AML risk is often revealed in news media before it is officially confirmed, firms should implement global adverse media screening measures in order to capture changes in customer risk as soon as possible.
The US’ risk-based screening requirements, including the need to screen adverse media stories, mean that firms may have to collect and analyse vast amounts of financial data, from thousands of global data sources. To manage that burden, most firms need to lean into screening technology in order to automate as much of their screening process as possible, rather than relying on outdated manual search processes, fraught with the potential for human error.
Beyond speed, efficiency and accuracy, automated screening platforms help firms take the pressure off compliance teams, and take advantage of emerging innovations and enablers, such as AI-powered analytics. In a fast-moving compliance environment like the US, automated screening solutions offer game-changing agility, enabling firms to react quickly to regulatory trends and emerging criminal methodologies, and, ultimately, make faster, stronger compliance decisions.
After financial disasters like Enron in 2001, and Worldcom in 2002, and more recent scandals such as the collapse of Wirecard in Germany in 2018, public focus on the behaviour of corporations has increased significantly. That focus has translated into governmental pressure, and the introduction of environmental, social, and governance (ESG) regulations to prevent these kinds of incidents from reoccuring.
In 2024, global ESG momentum is increasing, forcing firms to adjust their compliance posture to accommodate a changing risk landscape. In this article we’re going to explore what ESG means, why it’s an essential compliance concern, and how effective screening can mitigate ESG risk. We’ll also explore the latest key ESG regulatory developments from around the globe.
What is ESG?
The financial scandals of the 21st century shook public confidence in financial systems. To prevent that kind of corporate misconduct, governments began to introduce regulations that set higher ethical standards for businesses, and placed new legal responsibilities on executive-level employees. The US’ Sarbanes-Oxley Act (2002), also known as the ‘SOX Act’, is an early example of this kind of ethics-focused legislation.
In the two decades since SOX, the scope of ESG regulations has expanded to take in not just financial activities but a spectrum of labour, health, climate, sustainability, and community concerns. With those issues in mind, ESG may be defined as:
Environmental: Environmental factors such as carbon emissions, sustainable business practices, waste disposal, and impact on wildlife and plantlife.
Social: Treatment of its employees, customers, and the communities in which a company operates. Social factors may include workplace diversity and inclusion, health and safety performance, and charitable initiatives.
Governance: The way that a company makes decisions about itself, including avoiding conflicts of interest, acting in the interests of shareholders, and upholding both the letter and spirit of jurisdictional laws.
There’s a lot of overlap between ESG factors. For example, although carbon emissions are typically characterised as an environmental issue, they may also be understood as a social concern because excessive air pollution can cause respiratory illnesses in employees.
Why is ESG Important?
Climate change, social equality, and fair labour practices have never been more prominent in public discourse, and the rise of ESG reflects the global community’s desire to see corporations play their part addressing these challenges.
To that end, government regulatory activities have focused on executive level compliance controls and responsibilities, and on new reporting requirements that force firms to publicly disclose their progress towards the relevant ESG objectives. Under these regimes, firms not only face financial and legal penalties for noncompliance but have their ESG performance made visible and comparable to competitors, increasing the likelihood of reputational consequences.
ESG and Supply Chain Screening
Many ESG regulations require firms to consider not only their own ESG compliance risk but the risk presented by their supply chain and third-parties. Consider the following examples of supply chain risk:
Firms in the oil and gas industry face elevated sanctions risks because of supply chains that transit high risk countries.
Firms that source their products, such as clothing, from unscrupulous global manufacturers risk being connected to forced labour practices.
Financial services firms with international customers may be doing business with politically exposed persons (PEPs) who are involved in crimes such as corruption and bribery.
Since firms may be penalised if they do business with persons that violate ESG regulations, they must factor supply chain risk into their compliance solutions. This typically means integrating some form of supply chain screening capability.
ESG Compliance Regulations Around the World
The global ESG landscape is evolving. Noteable regulatory developments from around the world include:
The European Union
Corporate Sustainability Reporting Directive (CSRD): Taking a broad ESG focus, the CSRD imposes reporting rules on obligated firms across the EU. The CSRD requires firms to conduct a double materiality assessment of ESG risk, considering the impact on both internal operations and on external stakeholders such as customers or nearby communities. The CSRD is now in effect and will expand in scope in the coming years.
Corporate Sustainability Due Diligence Directive (CSDDD): Passed by the EU Parliament in 2022, the CSDDD (or CS3D) focuses on strengthening corporate supply chain due diligence as a way of protecting global human rights and reducing carbon emissions. The CSDDD will initially apply to larger firms, inside and outside the EU, with reporting rules likely to come into effect in 2027.
EU Deforestation Regulation (EUDR): Passed in 2023, the EUDR imposes strict supply chain due diligence rules that require firms to ensure their products are ‘deforestation free’. The scope of the EUDR includes products such as cattle, cocoa, palm oil and coffee, and the regulation will come into effect on 30 December 2024.
United Kingdom
Forest Risk Commodities (FRC): While the regulation has not yet been finalised, the FRC regime will be similar in application to the EUDR in that it will impose due diligence requirements on larger firms trading products like cattle, cocoa, and palm oil.
Corporate Governance Code (CGC): Sometimes known as ‘UK SOX’, the UK CGC sets out financial reporting obligations on larger UK businesses, with an emphasis on executive-level responsibility and compliance. An updated version of the UK CGC is scheduled to come into effect in late 2024.
ESG Rating Regulation: In 2024, the UK government announced plans to regulate ESG ratings agencies. The law will align UK ESG ratings with international counterparts, introduce oversight and transparency, and build industry confidence in the wider ESG regulatory regime.
Sustainability Disclosure Requirements (SDR): Similar to the CSRD, the UK SDR will impose ESG reporting and transparency requirements on larger UK businesses. Phased implementation of the SDR will begin in 2024.
United States
Customs enforcement: The US has strengthened existing customs rules in order to combat imports of goods that may have been produced using forced labour. A key example is the introduction of the Uyghur Forced Labour Prevention Act in 2022.
SEC Climate Disclosure rules: On 6 March 2024, the US Securities’ and Exchange Commission introduced federal regulations to standardise climate-related disclosures for public firms operating in the US. On 15 March 2024, following legal challenges by several US states, the SEC stayed the introduction of the rules.
APAC
China: In May 2024, China introduced ESG disclosure rules for its biggest companies. Known as the Self Regulatory Guidelines, the rules broadly align with the standards set out in the EU’s CSRD, and emphasise double materiality.
Adverse media stories typically offer firms a significant compliance advantage as they adjust to their ESG risk landscape. Environmental, governance, and financial scandals may be reported widely by news organisations (and in other media) before any official confirmation, giving firms that are vigilant an opportunity to gauge their risk exposure and take prompt action to avoid penalties.
With this in mind, automated adverse media screening solutions can transform the ESG compliance challenge, offering an expansive global perspective on risk and the flexibility to adjust quickly when the landscape changes.
Ripjar’s Labyrinth Screening platform provides this kind of screening power, enabling name searches across thousands of unstructured data sources, including global news outlets, sanctions lists, and watchlists, and delivering actionable intelligence in seconds. Explore an array of powerful screening features designed to enrich your ESG risk data: extract only the most relevant information and minimise false positives with AI Risk Profiles, and use AI Summaries to generate concise prose paragraphs for each target in order to make faster, stronger compliance decisions.
In July 2024, Germany’s financial supervisor, Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) updated its Auslegungs und Anwendungshinweise (AuA) which sets out compliance guidance for Germany’s Money Laundering Act, known as Geldwäschegesetz (GwG).
The draft guidance — AuA 2.0 — precedes the incoming EU Anti-Money Laundering Act (AMLA) which will introduce new anti-money-laundering (AML) and counter-financing of terrorism (CFT) rules across all member states, and change regulatory compliance obligations for many businesses. BaFin’s AuA 2.0 focuses on a number of emerging compliance risk factors, such as the rise of cryptocurrency, and includes new adverse media screening requirements.
With AMLA set to come into effect in July 2025, the window for preparation is starting to close and, while Germany’s final AML compliance landscape under the new regime is not fixed, BaFin is seeking to offer clarity to obligated entities.
Let’s take a closer look at the key points from AuA 2.0.
Mandatory Adverse Media Screening in Germany
One of the key points in the updated AuA, is BaFin’s emphasis on the need for adverse media screening. While acknowledging there is no explicit legal obligation, BaFin makes it clear that firms in Germany must include adverse media screening as part of their AML risk assessment process.
AuA 2.0 states that “screening customers using sanctions or high-risk country lists alone” is no longer sufficient, and firms must “use all knowledge available to them… for example from media analyses” in order to establish risk in accordance with international AML standards.
Insurance Holding Companies Under AML Scope
BaFin expects that Germany’s new compliance regime will expand the scope of AML regulations to insurance holding companies. As obligated entities under the GwG, insurance holding companies will have to implement AML reporting and record-keeping, and screening and monitoring obligations.
The expanded scope ensures a tighter focus on firms that are particularly vulnerable to money laundering risk, and will enhance regulatory consistency within Germany.
Outsource Oversight and Business Relationships
Where German firms outsource their AML compliance, BaFin emphasises that these organisations remain directly responsible for the function. This means that firms must ensure that third-party AML providers are capable of achieving a satisfactory level of AML compliance and, if necessary, implement internal safeguards.
BaFin also clarified the term “business relationship”, suggesting that, beyond one-off transactions, it should also apply to irregular and infrequent cases of customer contact. In these contexts, firms are expected to conduct suitable customer due diligence (CDD) in order to identify customers for AML purposes.
Risk Analysis
BaFin offers advice on the assessment process that firms are expected to conduct as part of their risk-based approach to AML compliance. AuA 2.0 sets out an explicit list of sources and guidance that firms should adhere to when conducting risk assessments, these include:
Under AuA 2.0, firms must update their customer due diligence (CDD) checks on customers more frequently, especially in higher risk cases. Under the new regime, the intervals for updating CDD checks are as follows:
Time between updated CDD check
AuA (old version)
AuA 2.0
Low risk customer
No longer than 15 years
“Risk appropriate” updates
Medium risk customer
No longer than 10 years
No longer than 5 years
High risk customer
No longer than 2 years
Annual updates
Crypto Asset AML
AuA 2.0 highlights the new AML risks posed by cryptocurrencies and virtual assets. Accordingly, under the new regime, crypto-asset service providers will fall under the scope of AML regulations. BaFin states that these firms will be expected to use blockchain analysis software in order to monitor customer transactions involving cryptocurrencies and other virtual assets.
Similarly, AuA 2.0 highlights the need for crypto-asset service providers to apply enhanced due diligence (EDD) measures when handling transactions of €1,000. EDD should also be applied when handling transactions that involve “self hosted addresses” in order to account for the elevated AML risk associated with blockchain technology.
Money Laundering Officer
AuA 2.0 clarifies the role of the Money Laundering Officer (MLO) for firms that operate across international borders. In this context, BaFin states that the MLO must carry out their supervisory activities in Germany. A cross-border firm may appoint a foreign proxy to act as MLO, but that person must carry out their MLO activities in Germany.
Further to that clarification, BaFin states that companies with fewer than 15 full time employees should factor in their AML risk exposure when deciding whether to appoint a member of their own management to the MLO role. BaFin also states that the MLO should generally not simultaneously hold the role of outsourcing or data protection officer, or be a member of the internal audit team.
Whistleblower Reporting Office
BaFin states that firms only need to establish a single internal reporting office to meet the GwG’s whistleblower requirements. It points out that the internal reporting office must facilitate confidential and anonymous reporting, to the standards set by Germany’s FIU.
Preparing for Germany’s New AML Regime
Stay ahead of AMLA compliance challenges, and prepare your organisation for Germany’s new AML regime with Ripjar’s Labyrinth Screening platform.
Powered by cutting-edge artificial intelligence, Labyrinth enables global adverse media screening of thousands of data sources, in multiple foreign languages, and delivers actionable compliance intelligence in seconds. Labyrinth’s advanced AI features promise to supercharge the screening process from end to end: identify, extract, and connect the most relevant unstructured data with AI Risk Profiles, and use AI Summaries to support high pressure compliance decision-making by generating clear, concise prose summaries of risk for each customer.
Since 2022, Western economic sanctions have limited the ongoing war in Ukraine by stifling the Russian economy and preventing the Russian government from acquiring goods and services for military end-use. Under that pressure, Russian president Vladmir Putin has increasingly relied on illicit means of importing military and other critical resources, including a so-called ‘dark fleet’ of ships willing to evade international trade restrictions at the risk of severe legal penalties.
With international shipping at the heart of its sanctions evasion strategy, the number of transportation and logistics companies actively engaged in Russia sanctions violations has increased dramatically. This has not only led to sanctions against these entities but sanctions against ships and vessels engaged in evasion strategies. Given the shift in the threat landscape, international businesses must be aware of the compliance risk they face when dealing with certain vessels and aircraft, and be able to spot sanctioned operators.
Why are Sanctions on Vessels and Aircraft Necessary?
Shipping entities pose a particularly high compliance risk because of their potential to operate in contravention of international sanctions rules. Many of those illegal activities involve the practical operation of vessels and aircraft themselves, in tandem with the manipulation of shipping practices and regulations. Putin’s shadow fleet has grown dramatically since 2022, with some estimates now putting it at over 1,000 tankers (and other vessels) owned and operated by persons willing to violate international law, and supply resources directly to Russia’s military.
These shadow vessels do not just pose regulatory risks but create legal and diplomatic issues, and even pose a threat of physical harm against other vessels and their crews. Their illegitimate operational status means they often have not acquired appropriate indemnity insurance and are typically older, poorly-maintained vessels that pose a significant health and safety risk to their crews and the crews of other vessels.
Key strategies that shadow vessels use to evade sanctions include:
Disabling automatic identification systems (AIS) to prevent tracking attempts.
Use of abnormal and potentially hazardous transportation routes.
Fraudulent or manipulated registration documentation.
‘Flag hopping’ or misrepresenting the flag under which the vessel operates.
Physically altering a vessel’s markings to thwart identification by authorities.
Ship-to-ship transfers, mid-route, in order to avoid customs controls.
Complex corporate ownership structures designed to hide the identity of the individuals behind the sanctions evasion crime.
In addition to financial penalties, when shadow vessels and aircraft are detected by authorities or customs officials, subsequent enforcement actions may result in significant jeopardy for crew members, who may not even be aware of the legal status of the goods they are transporting. Similarly, the consequences of any action by authorities may create or escalate diplomatic tensions, resulting in further financial costs and legal consequences.
Maritime Sanctions Impact
Western governments are addressing the sanctions threat posed by vessels and aircraft by implementing dedicated sanctions measures, such as the UK’s maritime shipping sanctions regulations, or the US Office of Foreign Asset Control’s (OFAC) blacklisting of specific shipowners, vessels, and aircraft that facilitate the transport of goods to sanctioned countries.
Maritime (and other) shipping sanctions vary by regime but typically restrict firms from engaging in business with specific vessels and aircraft. Measures and controls may include:
Designation of the vessel or aircraft registration on a sanctions list.
Seizure of the vessel or aircraft by authorities.
Seizure or freezing of assets of the vessel or aircraft’s controlling company.
Airspace restrictions and denial of access to ports and airports.
Vessel and Aircraft Sanctions: Recent Updates
In June 2024, the UK along with its G7 partners introduced a new round of Russia sanctions which included several targets within, or connected to, the Russian shadow fleet. The designations were made because the owners of the targeted vessels were found to be using shell companies as a means of concealing their involvement in the sanctions violations. The targets included:
Four vessels in the fleet itself:
Ocean AMZ (IMO 9394935)
Canis Power (IMO 9289520)
Robon (IMO 9144782)
NS Laguna (IMO 9339325)
Two vessels involved in the transportation of weapons to Russia:
Lady R (IMO 9161003)
Angara (IMO 9179842)
A ship manager:
One Moon Marine Services LLC
Combat Sanctions Risk with Effective Screening
The complexity of the sanctions risk landscape, and the impact of new sanctions against specific vessels and aircraft, represent a significant compliance challenge. With governments cracking down on sanctions evasion in jurisdictions around the world, firms must tighten their screening and monitoring solutions to ensure they keep pace with new risks.
In practice, this means that screening solutions must be able to detect ships and vessels currently designated under sanctions regimes with a high degree of accuracy, and react quickly when sanction lists are updated. That evolving data burden requires firms to implement powerful, continuous automated name screening, with global scope, in order to meaningfully contribute to the fight against sanctions evasion and, critically, avoid penalties.
Ripjar’s Labyrinth Screening platform is designed to deliver that kind of screening power, facilitating name searches of thousands of global sanctions lists and watchlists, in real time, and delivering actionable intelligence in seconds. Powered by next-generation AI technology, Labyrinth’s sanctions compliance support not only adds automated speed and accuracy to the screening process, but can add additional insight from adverse media to help compliance teams make better, faster decisions about potential sanctions risks in every corner of the world.
AI technology is changing global banking and financial services, with new commercial opportunities, and new criminal risks, prompting governments to reconsider their positions on supervision and legislation. Regulator attitudes reflect that shift, with some supervisory bodies leading with overarching AI compliance frameworks or, alternatively, taking a principles-based approach. Meanwhile, others are holding off completely, waiting instead for more data, and more insight, to better shape their response.
AI Regulations: Compliance Challenges
The pace of AI innovation, and the diversity of regulatory perspectives, have made many firms reluctant to adopt the technology within existing compliance infrastructure. Aware of that hesitancy, both governments and supervisory bodies are working to develop their technical expertise in order to make informed decisions, and ultimately, implement better AI laws.
With that in mind, many regulators have indicated that they understand the potential of AI to enhance anti-financial crime (AFC) efforts, including the promise of powerful new capabilities to detect and prevent damaging activities such as money laundering and the financing of terrorism. The UK’s Financial Conduct Authority (FCA), for example, has stated that it is ready to “make the UK the global hub of AI innovation”, while the government of Singapore re-launched its National AI Strategy in 2024, stating that it wants the city to be “a place where AI is used to uplift and empower” people and businesses.
Regulator efforts to nurture AI innovation demonstrate a broad acceptance of the potential of the technology to enhance compliance. It also means that the regulatory landscape will continue to evolve rapidly, and that firms should be ready to adapt to changing rules.
Global Perspectives
Let’s take a look at the current AI perspectives of key global regulators.
In that document, the FATF explores the potential for AI to enhance implementation of its anti-money laundering (AML) and counter-financing of terrorism (CFT) standards, not least by making firms’ compliance efforts “faster, cheaper, and more effective”. The report focuses on the technical compliance possibilities of subsets of AI, such as machine learning and natural language processing, that can help firms screen customers against vast data sets, recognise patterns that human compliance teams might miss, make predictions and recommendations, and facilitate stronger decision-making.
While emphasising the potential for positive change, the FATF has also cautioned that AI compliance innovations must offer sufficient explainability and transparency. Those factors are critical in investigative contexts given the need for data to be scrutinised and verified by regulators, authorities and auditors.
The European Union
The EU has been relatively proactive in its approach to AI regulation, opting to develop an overarching legal framework as early as 2021. On 9 December 2023, the EU Parliament reached a provisional deal on its AI Act, which was characterised as a landmark bill and the first of its kind in the world. The EU Council adopted the AI Act on 21 May 2024, and the regulation is expected to come into effect across the EU at some point in Q3 2024.
The Act will serve as an industry-agnostic, risk-based framework that will pave the way for the EU to shape the use of AI and address its risks. The EU’s stated goal is to ensure that use of AI is “safe, transparent, traceable, non-discriminatory and environmentally friendly,” and that it continues to be “overseen by people”, rather than automation.
Under the EU’s new regime, national regulators will classify AI systems by risk, and apply proportionate compliance requirements. The EU has set out an implementation timeline for the AI Act which will see certain aspects of the legislation come into force up to 2030, including the addition of AI literacy requirements and prohibited AI practices.
The United Kingdom
The Financial Conduct Authority has characterised itself as “technology-agnostic”, pointing out that it does not regulate technology, but the use of technology and technology’s impact on financial services. The regulator has expressed a commitment to innovation in its approach to AI in compliance contexts, and revealed that it is already using AI tools to detect certain criminal activities. The FCA has invested in the development of AI compliance technology through horizon scanning, synthetic data capabilities, and a “first of its kind” digital sandbox in which firms can test their innovations safely.
It is unclear whether the UK will follow the EU’s regulatory approach but the government has indicated that it will seek to apply principles-based AI regulations and prioritise international harmonisation. In 2021, the UK government published its National AI Strategy, which included details of a proposed regulatory framework that would be “proportionate, light-touch, and forward-looking”. In February 2024, the government published a whitepaper offering further detail on its “pro-innovation approach” to AI regulation.
In April 2024, the UK government began the early-stage discussion of an AI Regulation Bill. The Bill was ultimately paused following the dissolution of the UK parliament for the 2024 general election.
The United States
There is currently no federal regulation of AI in the US, but the Financial Crimes Enforcement Network (FinCEN) has recognised the potential of the technology to enhance anti-money laundering and counter-financing of terrorism strategies, while reducing the cost of compliance. State-level AI regulation standards vary across the US with many state governments enacting, or proposing to enact, transparency-focused requirements to prevent fraud and protect intellectual property rights.
While it has not matched the regulatory pace of other world governments on AI, the Biden administration introduced the Algorithmic Accountability Act in 2022, and an Executive Order on Safe, Secure and Trustworthy AI in 2023. Both articles of legislation require firms to assess the impact of AI systems in order to ensure transparency and fairness, and to share certain information with the government.
In 2022, the Biden administration introduced a blueprint for an AI Bill of Rights. The document represents a set of principles that firms may use to govern the “design, use, and deployment” of AI systems in a manner that aligns with the rights of American citizens.
Cutting-Edge AI Screening
Ripjar’s Labyrinth Screening platform helps firms stay at the cutting-edge of AI in compliance, with proven global screening tools built on decades of regulatory expertise. Labyrinth’s AI-powered screening gives users the power to extract risk-relevant data points from millions of unstructured sources, build in-depth customer profiles in seconds, and use generative AI to create concise prose summaries of each profile in order to speed-up compliance decision-making.