Sanctions requirements are growing both in their scale and complexity. Since 2022, not only have thousands of new names have been added to UK, US, and EU sanctions lists, but many new activity-based restrictions, such as the need to block comprehensively sanctioned territories in occupied Ukraine or the prohibition of services to Russia, have been introduced. Coupled with ever-more sophisticated sanctions evasion techniques, and a regulatory expectation that financial institutions should detect sanctioned activity, financial institutions need to think more creatively about their screening controls.
Sanctions screening is no longer just screening against a list of names, but also capturing additional data and applying a more proactive and intelligence-led approach. Artificial intelligence (AI) may play a significant role in this transformation. Ripjar’s recent Sanctions Masterclass, co-hosted with FINTRAIL, explored some key questions for firms building and scaling their sanctions framework.
1. How can firms detect sanctions activity using a risk-based approach?
Many regulators allow (and even expect) financial institutions to apply a risk-based approach to screening. As one of their key practical considerations for sanctions screening, financial institutions should understand how their customers, products and payment channels contribute to sanctions risk, and concentrate their resources on the areas of the business presenting the most risk.
A risk-based approach is not about having or not having a particular control, but rather dialling up or down the intensity of certain controls in line with risk. For example, some firms may concentrate payment screening efforts on cross-border transactions instead of domestic payments where the sanctions risk is lower. Every sanctions system programme needs to be unique to your inherent and residual risks.
To understand what regulators expect from firms, it is a good idea to read enforcement notices and conduct a gap analysis against your own programme, to highlight weaknesses and proactively address any gaps. For example, if a firm is fined for not screening certain payment fields, consider if you should be doing the same. It also can serve as a validation exercise to demonstrate that your systems and controls are effective and commensurate to your sanctions risk.
2. What data should firms collect for sanctions screening?
The quality of sanctions screening depends not only on the lists you screen against but also the customer and payment data you use. Firms should consider what data points they hold on customers that might indicate sanctioned activity, and incorporate these into screening. Mechanisms to measure data completeness and data lineage are an important part of your sanctions programme for ensuring you supply quality data into your tool to minimise false positives and increase efficiency.
Crucially, it is important to recognise what regulators are expecting firms to identify. Many sanctions lists will contain additional data on sanctioned persons and entities, such as email addresses and websites, which can be integrated into screening. At the same time, a customer’s IP address location may be used to block access from sanctioned jurisdictions.
Practical questions for firms building their sanctions framework
1. What data is being screened? | Do you have a clear picture of what is coming into the screening system and is it complete and validated? |
2. What are you screening against? | Do you have a clear view of list management and what is provided by external parties? |
3. When are you screening? | How does this tie into the risks presented by your customer profile and flow of funds? |
4. Why are you screening? | Do you have a clear view of your regulatory obligations and your own internal risk appetite on which to build your framework? |
Once these questions have been answered, you can then consider:
5. How are you screening? | Can you define your suppression logic, the use of machine learning and AI, and the levels of fuzzy matching? |
6. How do you operationalise your screening? | How do your settings and processes inform case management, information requests, and capacity planning? |
3. How can financial institutions adopt a proactive approach to screening?
Governments publish guidance to industry on the latest sanctions evasion tactics adopted by sanctioned parties. For example, as recently as September 2024, the G7 published joint industry guidance on red flag indicators of potential sanctions evasion and best practices for firms to conduct enhanced due diligence. Staying on top of evolving sanctions and regulatory guidance is one of the biggest screening challenges organisations face, and firms are expected to read such guidance and adjust their controls accordingly.
Many firms are also looking to adopt a more proactive approach in response to such guidance. While sanctions evasion typologies are unstructured data, screening software works with structured data, and the challenge for firms is to build rules to detect the behaviour called out in typologies. This requires resources and technical expertise.
4. What role can technology and AI play in keeping up with the pace of change?
Advanced screening solutions leverage technology to help firms move beyond simple name screening, and allow them to adopt a more proactive approach to screening. Technology can help link multiple data sets and digest unstructured information at scale – such as adverse media and corporate relationships – to flag potential sanctions risk.
Many firms also see a role for AI in screening, ranging from assisting with operational tasks (such as automating requests for information, and obtaining further information that a human investigator needs to resolve an alert) through to potential use cases where AI can make true match or false positive determinations.
A key challenge here is that, since breaching sanctions is a criminal offense in many jurisdictions, firms must be able to place trust in the AI and – crucially – be able to maintain oversight over the system and explain it to the regulator.
Sanctions is not a one-size-fits-all approach
In summary, the key challenge for firms is to ensure that their screening systems and approaches are aligned to their sanctions risk. Firms need to understand how their business model influences their inherent and residual sanctions risks and how this interacts with the increasingly complex sanctions landscape. Firms should use all of the data available to them – both structured and unstructured data, whether in sanctions lists or in typology reports – to inform their sanctions typologies and build out their sanctions controls. In order to do so, firms must explore how technology – such as automation, machine learning, and advanced forms of AI – can help reduce the operational burden while optimising the possibilities of detecting sanctioned activity.
Discover how Ripjar’s sanctions screening can take you beyond the list