The three lines of defence model is used in many organisations, but it is not applied consistently; after all, it is not a formal model with a precise definition, and its implementation depends on the knowledge and experience of the parties involved in each organisation. The three lines of defence model does lend itself very well to sanctions screening, and having been involved in each line in many different organisations, I can say that I have seen both good and less good examples of it in use.
Here is a personal view of how I think it should be implemented.
First Line of Defence
The first line of defence should be the responsibility of the business rather than the compliance department, and its function should be to ensure that the screening is running to its specification. Concentrate on making sure that it works day to day, doing what it is supposed to be doing.
There are many elements to this: the system should be accurate, effective, efficient, sustainable, and timely. Much of this will be validated by the standard controls that IT departments have established for systems management within their estate. There should be a well-established relationship between the IT department and the business owners, as well as a relationship with the screening software vendor. Management Information produced by the specific screening engine can also prove invaluable in ensuring reliable operation on a day-to-day basis.
There are other elements for consideration that are particular to screening and may require some bespoke work. The provision of list information is often outsourced to a third party company, and given the high risk of fines for sanctions screening failures in recent years, monitoring that sanctions list changes are delivered accurately and on time may require attention. There are various ways of doing this, the simplest being to subscribe to email notifications of changes from the listing authorities, and then manually screen those names in your system the following day to confirm that your lists have been updated correctly. The effectiveness of fuzzy matching is notoriously difficult to establish; fuzzy is just that: not clearly defined. As a metric, the effectiveness of fuzzy matching is best measured as a comparison against your peers, and that is something you would have to obtain from a third party, such as ourselves, that holds a benchmark. Benchmarking is vital in assessing the thresholds that have been set in the system, and indeed necessary when setting initial thresholds on any new or upgraded system.
Second Line of Defence
The second line of defence is normally carried out by the compliance department. The big question they should be asking is: does the screening system meet the continuing needs of the organisation?
As the experts in compliance and the regulatory demands of economic sanctions, and the authors of the corporate sanctions policy, they are the only people in the organisation who can answer that question. The role of the second line of defence is not to repeat everything that the first line has done; no line of defence really needs to repeat a test that has already been properly done. But the second line should validate that the controls put in place are fit for purpose, not by repeating them, but by examining the controls themselves.
Where the second line does not believe that a control is adequate, or that an essential control is missing, it needs to step in and either perform the control itself or insist that the first line performs it.
Whereas the first line should be monitoring the systems closely on a daily basis, second line activity tends to be less frequent.
Third Line of Defence
The third line is of course Internal Audit. Assessment of the financial sanctions systems and controls should be included as a normal part of internal audit programmes by an independent auditor. At the risk of upsetting some auditors, this is where most challenges come from.
One driver of this is that unless you come from a particularly large organisation, it is unlikely that you will have an audit team with specialist screening experience within it.
Another driver is that the screening process is highly risk driven, and many of those risk decisions are based on experience and judgement calls, and – even when backed by comprehensive documentation – can be hard to formally justify against regulatory requirements.
An example of this is the configuration of fuzzy matching. The regulator (OFAC) demands, or at least expects, that all transactions involving a named person are blocked (assets frozen), and that fuzzy matching is used to catch similar names. Organisations have to establish a threshold beyond which they do not go, however, or else all transactions will be stopped and the business will grind to a halt. As part of establishing this threshold, there is an acceptance that not all potential matches will be stopped. There is an expectation that names that are the same as, or very similar to, the list names will always match, but as the variance broadens the threshold applies and less similar names will not alert. It is the very definition of “similar” that causes the challenges. How do you audit that? The only way I know is to benchmark against other similar institutions, and examine the details of fines that have been levied on others to see if their failures would occur in your systems.
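As an added illustration, not code from the article or from SQA Consulting, here is a small Python version of the first-line list-update check described earlier (screen the names from an authority's change notice against what the engine has loaded) together with the threshold behaviour described above. The change notice, the loaded names and the 0.85 threshold are all constructed for the example, and difflib's ratio stands in for a real screening engine's fuzzy matcher.

```python
import difflib

# Constructed sample data (not from the article): a change notice from a listing
# authority and the names currently loaded in the screening engine.
NOTICE = {
    "added": ["Ivan Petrovich Sidorov", "Acme Trading LLC"],
    "removed": ["Old Entity Ltd"],
}
LOADED_LIST = {"ivan petrovich sidorov", "acme trading llc", "some other co"}
THRESHOLD = 0.85  # illustrative cut-off; real values should come from benchmarking

def normalise(name):
    """Lower-case and collapse whitespace before comparison."""
    return " ".join(name.lower().split())

def similarity(a, b):
    """Character-level similarity in [0, 1]; stands in for the engine's fuzzy matcher."""
    return difflib.SequenceMatcher(None, normalise(a), normalise(b)).ratio()

def screen(name, loaded=LOADED_LIST, threshold=THRESHOLD):
    """Return (best_match, score) when some loaded name scores at or above
    the threshold, otherwise (None, score)."""
    best = max(loaded, key=lambda n: similarity(name, n))
    score = similarity(name, best)
    return (best, score) if score >= threshold else (None, score)

def verify_list_update(notice, loaded=LOADED_LIST, threshold=THRESHOLD):
    """First-line control: every name the authority added must alert against the
    loaded list, and no removed name may still alert. Returns the discrepancies."""
    issues = []
    for name in notice["added"]:
        match, score = screen(name, loaded, threshold)
        if match is None:
            issues.append(f"MISSING: {name!r} did not alert (best score {score:.2f})")
    for name in notice["removed"]:
        match, score = screen(name, loaded, threshold)
        if match is not None:
            issues.append(f"STALE: {name!r} still alerts against {match!r} ({score:.2f})")
    return issues

def threshold_demo(threshold=THRESHOLD):
    """Where the cut-off falls: the exact name and a near-spelling variant alert,
    while a reordered name does not, although an analyst would call it similar."""
    candidates = ["Ivan Petrovich Sidorov", "Ivan Petrovitch Sidorov", "Sidorov Ivan"]
    return {c: screen(c, LOADED_LIST, threshold)[0] is not None for c in candidates}

if __name__ == "__main__":
    print(verify_list_update(NOTICE) or "list update verified")
    print(threshold_demo())
```

The reordered-name case is the point of the audit question above: a single numeric threshold decides it, and only a benchmark against peers tells you whether that decision is defensible.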
The big question from the third line is of course: am I meeting my external obligations? This is a difficult question to answer for sanctions, more so today than in the past; regulators are passing ever more complex sanctions, and asking the industry to be innovative in how to apply them.
At SQA Consulting we can not only give you hints and tips on screening effectively and on data management; we are also leaders in measuring the effectiveness and efficiency of screening. Please contact us to find out more about this article, or download our brochure here.