If an organisation is lucky enough to have a regulator take interest in their sanctions screening, the regulator will undoubtedly focus on the control environment.
The primary control for managing sanctions risk is the Sanctions Screening Engine, although there are other controls that an organisation can operate within the end to end screening process to help minimise sanctions screening risk, and this article will explore the key controls that should be implemented.
The controls that get the most scrutiny from regulators tend to be those that (i) ensure all the right data is screened and (ii) ensure that screening is being performed effectively.
Is source data that is submitted for screening complete and of sufficient quality required for effective screening?
Screening effectiveness, particularly that of customer data is highly dependent on the quality of the data being screened. SQA Consulting considers customer data quality to be a significant screening risk and provide the SQA Data Profiler tool designed specifically to determine data quality in respect of the potential impact on screening effectiveness.
A question that might well be asked of an organisation by an auditor or regulator is “how do you know you are screening all your data?”.
After the effectiveness of the screening system itself, being able to satisfactorily answer this question is perhaps the next most significant screening control to mitigate screening risk, and particularly for larger organisations, answering this question with certainty may not be straightforward.
There may be many different databases holding customer data in different data structures, any or all of which might supply different data feeds for screening. Over time this can develop into a complex data collection, with data migration between systems both within and external from the organisation resulting in data complexity with aggregation, duplication, and dormancy of different sets of data. There could be rules for selecting or filtering of data for screening purposes, perhaps for historical reasons that may no longer be obvious, and perhaps the business has changed over time and such rules might have become out of date. Can you be certain there are no pockets of customer data sitting somewhere within an organisation that might not be being screened?
For payments screening, confirming that all payment messages are being screened is usually a little more straightforward since no matter where the payments originate they will all usually enter or leave an organisation at known points where screening can occur, but still, in larger organisations, there can be a spiders web of network routing of global payments, and can you be certain that all payments are going through screening?
Are there reconciliation checks in place to reconcile that all customer records are being screened, and are these reconciliation checks being undertaken regularly?
Being able to confirm that all necessary data is being screened is vital but being able to validate this statement may require some detailed and complex data analytical work.
This is, of course, the primary control – is the customer or payments screening system operating effectively and with up to date screening lists? Providing assurance over this control is at the heart of SQA Consulting’s AML work using SQA’s Sanctions Assessment Centre tool. Please see the many SQA articles that delve into the intricacies of this screening effectiveness in some detail.
Are you able to confirm that screening lists are updated within the required timeframe as defined within an organisation’s screening policy and that screening lists are accurate and complete?
Screening list provision might be outsourced to a third-party lists provider in which case are SLAs in place in respect of timely list updates, and have you independently validated the list contents? SQA Consulting can assist with this; as part of screening effectiveness testing, SQA’s Sanctions Assessment Centre includes validation of list content and SQA can also provide regular monitoring of list content.
Regulators will also be keen to see a number of other controls in operation.
For the above controls, when reviewing what controls are implemented there are two key considerations:
From an understanding of the specific risk that a control is designed to address, is the control as designed, adequate to mitigate that risk? In other words, is the control suitable?
Assuming a control is judged adequate for the purpose, is the control being operated effectively? It is no good having a well-designed control if it is not being operated effectively resulting in the risk not being appropriately addressed. Regular assurance testing of controls is required to ensure controls continue to operate effectively.
To find out how SQA Consulting can assist you with your sanctions screening needs contact us.
