Sanctions battle creates compliance challenge for banks

Banks that are desperate to reduce costs are cutting their IT budgets across the board, but the one growth area for technology vendors is in compliance systems. The rapid speed and growth in the number of global transactions combined with a growing number of watch-lists have caused banks’ operational costs for sanctions compliance to sky-rocket.

Banks are struggling to comply with changing regulations coming from every direction. But one of the most daunting challenges is complying with sanctions imposed on rogue individuals or institutions. The US, EU and UN maintain separate sanctions lists, and doing business with an entity on one of those lists risks serious consequences – namely astronomical fines, a bloodied reputation and public opprobrium.

From terrorist financing and money laundering to international criminal gangs and drug networks, the challenge for banks is made greater by the increasing volume and speed of banking transactions. Where such transactions used to take four days to clear, now each one must be checked against the list almost in real time. Accordingly, banks have had to devote increased resources to ensure they comply.

But therein lies execution risk. “There are a lot of products designed to help with this, for example Firco, which allow the banks to comply without managing the databases themselves. It is very hard to manage this in-house, and you run an increased risk of failing,” says David Lewis, CEO at PMi Global, a consultancy for financial institutions.

There are many things that can go wrong, from human input errors to technical glitches in computer systems or a failed system update that can go unnoticed for months. Banks conduct “look backs”, combing through up to five years of transactions to double-check that no banned transactions have slipped through the net, adding to the cost. “Banks have generally focused their efforts on implementing the necessary systems, but have not spent as much time on the need for ongoing testing,” says Brian Dilley, a forensic partner at KPMG.

US banks are generally ahead of the curve, due to their government being the most active imposer of sanctions. European banks have been slower to understand the implications US regulations have on their businesses, either where they operate in the US or transact in US dollars anywhere. Now they fully understand the seriousness of the situation and there is a race to secure staff with the necessary compliance experience and skills.

Bigger banks are increasingly taking a “better safe than sorry” approach, rejecting business that might be perfectly legitimate if they feel the required due diligence will be too costly or time-consuming. This can make it more expensive for clients in, or wishing to do business in, political trouble-spots, who are forced to turn to a smaller number of institutions willing to do business in those areas. It also gives banks a potentially ongoing problem if they are asked to conduct business with a long tail in a jurisdiction where someone may later be put on a list, even if that is not currently the case. Of course entities can be taken off lists, as well as put on, meaning banks have to constantly revise their systems.

Some UK banks may use risk profiling of transactions to save them from screening every one they execute, a practice allowed under FSA rules. But it is very hard to identify which trades are most risky. “A fraction of 1% of transactions involve counterparties on a sanctions list,” said Dilley at KPMG. “Even if you scrutinise the 5% or so of your transactions that create an alert in your screening systems, 4.99% will still be false positives.” The problem is that it is very hard to identify where in the totality of a bank’s business that 0.01% problem transaction will occur.

“Most of the international banks opt to screen everything,” says Peter Watson, litigation partner at Allen & Overy. “Though UK to UK transactions may seem low risk they could involve the funding of terrorism, with considerable financial and reputational consequences.” The Single European Payment Area means Europe is considered a single block. Yet there are significant discrepancies between European countries in how seriously anti-fraud and money laundering measures are taken, further complicating the risk assessment.

High-profile bank fines have ensured all banks are now aware of the seriousness of the problem, and of the focus regulators have on the issue, though this too has drawn criticism from some quarters. “The fines appear to be beyond reasonable, a way to fund the regulatory body, rather than to compensate any injured party in the public,” says Lewis. “The process appears to be outside judicial review.”

There will always be cases of individuals within banks fraudulently altering documentation to smooth the passage of a transaction for a profitable client, or deleting incriminating messages. But the knowledge that regulators are watching has ensured such instances are now rarer than they were, analysts say. There may be a case for greater regulatory distinction between a willful cover-up and a genuine case of trades slipping through the net.

The main problem now is logistical, as banks struggle to check an increasing number of transactions in a decreasing amount of time. Either way, banks will be spending more on compliance systems for a long time to come. “This problem isn’t going away,” says Dilley at KPMG. “As long as there are problems with data quality there will be a problem with these sanctions lists.”

