FCC Essentials

Explore our latest FCC (Financial Crime Compliance) Essential article as Christopher Stringham, Global Account Manager at Neterium, dives into his strong dedication to Financial Crime Compliance (FCC).

In this fifth edition, Christopher breaks down the key points of the recent European Banking Authority (EBA) consultation paper, offering insights into its significance for industry professionals.

On 21 December 2023, the EBA released a consultation paper on internal policies, procedures, and controls to ensure the implementation of Union and national restrictive measures. This is a welcome set of guidelines for financial institutions and complements private sector guidance from organizations such as the Wolfsberg Group, a non-governmental association of thirteen global banks.

Some interesting points are required and will hopefully receive additional clarification before the final guidelines are released.

The most jarring recommendation relates to the question of which transfers should be subject to screening and when. Section 20 of the guidelines, on page 36, states: “PSPs should screen ALL transfers of funds before their completion.” This conflicts with current industry practices, which foresee the screening of some, but not all, transfers. As stated in the Wolfsberg guidance on sanctions screening, "screening cross-border payments before completing the transaction is common practice (...). By contrast, screening domestic payments in real-time may be unnecessary (...).” The EBA guidelines also seem to conflict with the new proposed regulation regarding instant credit transfers. Article 5(d)(2) states: “during the execution of an instant credit transfer, the payer's PSP and the payee's PSP involved in the execution of such transfer SHALL NOT verify if the payer or payee (...) are listed persons or entities (...).” This regulation requires daily screening of all clients rather than screening only at the time of a transfer. The EBA should take this into account and provide additional clarification on this topic to ensure alignment with EU legislation and to ensure that institutions have policies in place to avoid over-screening.

The EBA has included numerous sections which assume the availability of information and it makes sense for financial institutions to consider reputable and reliable information as part of their sanction's compliance process. Consider section 23(e)(a)(ii), page 19, which states that financial institutions should identify and assess geographic risk to the extent to which those jurisdictions are exposed to or known to be used to circumvent restrictive measures. Direct exposure to sanctions is a well-known risk factor that is considered already in Section 21.7 of the EBA's final guidelines on customer due diligence. However, knowledge about jurisdictions used to circumvent sanctions is more challenging. As potential sources, the consultation paper mentions “information from international bodies, government, national competent authorities, etc.” in section 24b. However, there is very little on this topic from the EU or member states, and the most directly relevant documentation on this topic is a compliance note from OFAC. Hopefully, the foundation of the EU's Anti-Money Laundering Authority, which will also oversee sanctions enforcement, will see the production of relevant, quality guidance.

The EBA does mention other potential sources. Section 24c states that FIs should include information from credible and reliable open sources such as reputable newspapers. While it is great to see an EU regulator highlight the importance of newspapers and media sources, there are limitations here. The (proposed) EU Media Freedom Act offers a very restrictive definition of media sources. If the EBA applies the same definition, this would not include the use of think-tank reports, academic research, or even the work of renowned freelance journalists. It would make sense for the EBA to highlight these other sources as well. Also, the proposed Anti-SLAPP (strategic lawsuits against public participation) directive, while a step in the right direction, arguably does not do enough to prevent the misuse of liable and data protection laws to restrict the publication of information relevant to the adequate assessment of circumvention risks. Without protections in place, the subjects of restrictive measures can create a chilling effect by targeting the authors of relevant material.

Finally, the proposed guidance includes several points that should be considered when designing or evaluating a sanctions compliance program. Here are some highlights:

• 4.1.1 Choice of screening system, page 34, FIs 'should regularly review the performance of the screening system to ensure that it remains effective.' Unfortunately, this section does not refer to efficiency. Effectiveness and Efficiency are two sides of the same coin, as every false positive cost time that an analyst could be using to look at a true positive.

• 4.1.2 List Management, page 34, FIs should have a process in place for identifying relevant restrictive measures and to update reference data when new restrictive measures are adopted or altered.

• 4.1.6 Calibration, page 37: this section refers to both 'the appropriate percentage of matching' and discusses separately 'fuzzy matching techniques.' It does not mention what the difference is between these two terms. This section also does not consider that different target populations within the customer base may require different settings to achieve adequate results.

• 4.2.1 Policies and procedures, page 38, should include steps for processing alerts and different levels of review, such as a four-eye process for discarding false positives. Considering the number of false alerts generated by some systems, this could require a significant increase in resources.

• 4.2.2, alert analysis, page 39: section 35 states that policies should include procedures for 'cases where it is not possible to conclude with certainty (...) that a match is a true positive match, a false positive match or a situation of homonyms.' Everyone with experience in name screening knows the difficulty of ensuring confident matches and FIs need to provide their analysts with appropriate guidance.

** Additional Links: **

EBA Consultation Document: https://www.eba.europa.eu/sites/default/files/2023-12/55f8b825-dea4-48e9-82f4-f81a11cb4e47/Consultation%20paper%20on%20Guidelines%20restrictive%20measures.pdf

Wolfsberg Group Guidance on Sanctions Screening: https://db.wolfsberg-group.org/assets/4b6c2db6-696d-492e-bdd5-c51552708597/Wolfsberg%20Guidance%20on%20Sanctions%20Screening.pdf

Proposal for Regulation regarding instant credit transfers: https://data.consilium.europa.eu/doc/document/ST-15764-2023-REV-1/en/pdf

Proposal for a directive protecting persons who engage in public participation from manifestly unfounded or abusive court proceedings: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022PC0177
EBA final guidelines: https://www.eba.europa.eu/sites/default/files/2024-01/a3e89f4f-fbf3-4bd6-9e07-35f3243555b3/Final%20Amending%20%20Guidelines%20on%20MLTF%20Risk%20Factors.pdf

EU Guidance on Russian Sanctions Circumvention: https://finance.ec.europa.eu/system/files/2023-12/guidance-eu-operators-russia-sanctions-circumvention_en.pdf

Proposal for a Regulation on Media Freedom: https://finance.ec.europa.eu/system/files/2023-12/guidance-eu-operators-russia-sanctions-circumvention_en.pdf

Compliance Note on Evasions of Russian Sanctions: https://ofac.treasury.gov/media/931471/download?inline

Explore our latest FCC (Financial Crime Compliance) Essential article as Christopher Stringham, Global Account Manager at Neterium, dives into his strong dedication to Financial Crime Compliance (FCC).

In this fourth edition, Christopher dives into a series of case studies of the Office of Foreign Assets Control (OFAC), the financial intelligence and enforcement agency of the U.S. Treasury Department. In 2023, OFAC's sanctions highlighted the critical role of location, with many fined entities neglecting effective geolocation checks. Despite possessing valuable information, firms failed to leverage geodata for identifying sanctions risks, often due to inadequate capture of country data.

===

Sanctions are a valuable tool of geopolitics, and therefore, it is unsurprising that location plays an especially significant role. If we consider the various fines issued by OFAC in 2023, location is involved in every case, and OFAC explicitly raised the lack of inadequacy of geolocation checks in many cases. Consideration of the various OFAC enforcement actions in 2023 provides numerous examples from which to learn.

Quite often, a sanctions compliance program will consist of screening the names of customers and partners against lists of designated persons. However, not all sanctions programs involve solely specific names. Information about location can also provide an excellent way of identifying risk. In the various OFAC enforcement actions this year, there are many examples of firms failing to use this geolocation data effectively.

Many of the entities subject to fines this year collected information that could have been, but was not, used to identify the sanctions risk. One theme that appears in multiple cases relates to the way country data was captured.

1. In one example, a California-based MSB provided a drop-down menu from which new users could accept their country of residence. It was possible for the users to select a non-sanctioned jurisdiction, and then provide their actual address in a sanctioned jurisdiction in a free text field. No comparison was made between the two fields and the free text field was not used in the sanctions screening process. Additionally, the screening process did not consider if the user provided an identification document from a sanctioned jurisdiction.

31 March 2023: https://ofac.treasury.gov/media/931556/download?inline

2. In another case, a large US technology company did not collect complete and accurate information about the identities of the end customers. The screening system also did not aggregate or consider data that was collected such as names, addresses and tax identification numbers which would have helped identify blocked persons. The reference data didn’t include the entities subject to the 50% rule or the native character alias of the lists entities.

6 April 2023: https://ofac.treasury.gov/media/931591/download?inline

3. IP addresses have come up frequently this year. A US based trading platform monitored these and even would conduct extra due diligence when a connection to sanctioned jurisdictions was identified. But it did not automatically block payments. Also, it had implemented a sanctions compliance program after going live but did not retroactively screen existing customers.

1 May 2023: https://ofac.treasury.gov/media/931701/download?inline

4. A Californian cosmetics company entered into an exclusive distribution agreement with and Iranian distributor to sell the companies goods in the Middle East. After sanctions against Iran increased, a new distribution agreement with the CEO of the Iranian Distributor was signed (using a legal entity in the United Arab Emirates). At one point, the California company received an email describing the process for shipping to Tehran. While this led to an instruction to stop exports to Iran, this was not actually implemented. It was not until the cosmetic company's bank started making inquiries that exports finally were halted.

17 May 2023: https://ofac.treasury.gov/media/931761/download?inline

5. A Nordic bank onboarded a shipping Company in Crimea prior to 2014. This company owned three special purpose companies, and established bank accounts for each. The KYC records indicated the connection to Crimea with addresses, telephone numbers and statements on the customer questionnaire. The bank's e-banking platform was accessed from IP addresses located in Crimea. When a transaction was blocked by a US correspondent bank, the Nordic bank contacted its customer and was falsely assured that none of the transactions involved Crimea. The Nordic bank then rerouted the transaction to another bank.

20 June 2023: https://ofac.treasury.gov/media/931911/download?inline

6. A US manufacturing company was approached to supply license plate sheeting to a German company and believed that the customer would transform the sheeting into blank license plates for export to Iran. The scope of the project was misunderstood, the German company intend to directly reexport the sheeting to Iran. Even after the true scope became apparent, internal documents continued to state the purpose as conversion to blank license plate to avoid further scrutiny. The US company screening process did not identify the risk, because only the name of the German company was screened, not the Iranian end-user. The issue was only identified after the expiration of a general license triggered a full review of all Iran related businesses.

21 September 2023: https://ofac.treasury.gov/media/932161/download?inline

7. An Illinois payments firm manages prepaid rewards card programs. Upon receiving a list of authorized users from the client, the (Illinois payments firm) would send those persons a token for a card. This process involved the collection of the persons' names, addresses and email addresses. It was not possible to select an address in a sanctioned jurisdiction. During a compliance review, it was discovered that users with IP addresses in sanctioned jurisdictions had used its services to redeem cards over twelve thousand times. While the company started blocking based on IP addresses, the company later discovered that additional cases where users were providing email addresses with top-level domains from sanctioned jurisdictions.

6 November 2023: https://ofac.treasury.gov/media/932276/download?inline

8. A virtual currency exchange permitted customers to identify themselves as being in a sanctioned jurisdiction but did nothing with that information. Even when the decision was made to off-board these customers, the users were still able to use the platform months later. While the platform would screen IP addresses, users could change their IP address with a VPN and access services even after failing the KYC screening. To appear compliance, management seemed to push for the use of VPNs to hide connections to the US and would also ask for non-US documents. The company was able to identify the locations of users via KYC questionnaires, phone numbers, documents, and IP addresses, but did not use these.

21 November 2023: https://ofac.treasury.gov/media/932351/download?inline

9. Another virtual currency exchange implemented a KYC and sanctions screening process which included IP address monitoring. Also, if a user presented an identification document from a comprehensively sanctioned jurisdiction, the application would be blocked. However, users were able to provide a 'country of residence' that differed from their actual address. For example, they could enter that they were living in 'Russia', but other fields would show that they were in Crimea. The screening solution focused only on the name of the country and failed to recognize 'Crimea' or city names in Crimea.

13 December 2023: https://ofac.treasury.gov/media/932406/download?inline

Explore our past FCC articles by clicking here.

Explore our latest FCC (Financial Crime Compliance) Essential article as Christopher Stringham, Global Account Manager at Neterium, delves into his fervor for Financial Crime Compliance (FCC).

In this third edition, our focus delves into instances of violations of UN arms embargoes. These embargoes, mandated by the United Nations Security Council, serve as measures to curtail the provision of weapons and military equipment to specific countries or entities. They are enacted in response to concerns regarding conflicts, human rights abuses, or threats to international peace and security.

While much attention has rightly been given to unilateral sanctions programs, it is crucial to underscore the significance of multilateral sanctions imposed by the United Nations. These measures are not to be overlooked, as they are initiated and collectively agreed upon by the Security Council, comprising parties that may often find themselves in disagreement. Given the diverse composition of the Security Council, the enforcement of these multilateral sanctions should be amplified, making them more effective.

This article will delve into the accuracy of this perspective, examining whether the enforcement of UN multilateral sanctions is indeed proportional to their potential impact.

===

Much attention has been paid, justifiable, to unilateral sanctions programs. That does not mean however that multilateral sanctions from the United Nations are unimportant. Considering that these programs are initiated and agreed upon by the Security Council, including parties that are otherwise frequently at odds with each other, these regimes should be subject to greater enforcement and therefore more effective. This is unfortunately not often the case. In 2011, following the outbreak of the Libyan civil war, the Security Council passed Resolution 1970. In addition to asset freezes and travel bans against members of the Gaddafi government and family, the resolution also enacted an arms embargo to prevent the exportation of weapons to Libya. Unfortunately, the Panel of Experts called this embargo "totally ineffective" in 2021.

The annual Panel of Expert reports provide amazing information regarding the efforts and methods for evading and circumventing the embargo. These also highlight the challenges faced by both the public and private sectors regarding conducting due diligence, identifying potential crimes and eventual bringing criminal proceedings. One of the cases highlighted in the 2021 Final Report relates to the "Project Opus" private military intervention. This involved a well-funded private military company that was controlled and managed by persons from Australia, the UK and South Africa. One of the goals of the operation was to procure military goods, such as aircraft and surveillance equipment, for General Khalifa Haftar, a warlord described as the "biggest single obstacle to peace in Libya."

To accomplish this, the group established at least three shell companies in the United Arab Emirates and attempted to procure surplus military helicopters from Jordan. However, Jordanian officials learned of the plan and suspended the auction for the aircraft prompting the group to search for alternatives. In addition to helicopters procured from South Africa and the UAE, three fixed wing aircraft were also purchased from companies based in Bermuda, Bulgaria and Austria. All three of these companies were controlled by a single American citizen, who was resident in Austria. This American was previously known for his involvement with other private military companies, specifically in Iraq, and his sister was a member of Donald Trump's cabinet. The UN experts were able to determine that he had been involved in making the group's proposal to General Haftar and was directly involved with and knowledgeable of the Project Opus operation.

Despite the teams' efforts to obtain equipment for General Haftar, he was "unimpressed with the replacement aircraft procured for the operations and made threats against the team management." This resulted in a Hollywood-style evacuation of twenty of the group's operatives. The evacuation resulted in a 36-hour, 350 nautical mile trip from Benghazi to Malta on two rigid hulled inflatable boats, one of which needed to be abandoned during the trip. They landed in Malta at 13.00 and told Malta police that they "were from an oil field operation and needed to leave Libya quickly because of deteriorating security concerns."

The efforts used typologies that will be recognizable to AML specialists. In addition to founding multiple companies, these were used in ways to increase the "opacity of the operation" such as contracting goods and services with one company and paying invoices with another. In a later UN report, the experts mention an interview where someone close to the American explained that he "protected himself from litigation by not owning companies, and by controlling them through debt ownership or security pledges he would receive material or financial benefits in other ways." The team also prepared counterfeit documentation to help justify and support the shipments of the equipment, but these were often obviously "cut and paste".

While the UN gave this case a significant amount of attention in their reports, it was a 2016 investigative news report about the American and his activities in Austria that led to legal action. According to the report by The Intercept, the American had taken a 25% ownership stake in a specialist aviation company near Vienna. The employees at the company would refer to him as "Echo Papa" and they would make extremely specific modifications to aircraft, such as adding surveillance and targeting equipment, armoring the engine block, adding bulletproof windows, and added mounting points for machine guns. In the case documented here, the aircraft was exported from Austria and was sent to South Sudan. Despite the military modifications, the export took place without the necessary government approvals required for military equipment. And the documentation stated that the destination was Kenya.

Seven years after the report, the American is now on trial in Austria for exporting war material without a license. According to his defense attorney, the 'military' modifications are not sufficient to qualify the aircraft as 'military goods' because they were too weak and nonsense. Also, the true destination was really Kenya, and the plane only landed in South Sudan due to technical problems. While some of the participants are finally going to trial, journalists and official bodies have documented this story for years. And authorities in Malta brought charges against persons involved in this case in 2020, though they were eventually acquitted.

This case highlights the efforts that people will make to disguise their activities, but it also shows that journalists and investigators are still capable of uncovering the truth. This information helps the public sector take actions and bring prosecutions, and helps the private sector conduct due diligence to avoid supporting potentially illegal activity.

UN Resolution 1970 https://documents-dds-ny.un.org/doc/UNDOC/GEN/N11/245/58/PDF/N1124558.pdf?OpenElement

UN Press Release 2021 https://news.un.org/en/story/2021/03/1087562

Panel of Exprt Reports https://documents-dds-ny.un.org/doc/UNDOC/GEN/N21/037/72/PDF/N2103772.pdf?OpenElement

Newsweek article https://www.newsweek.com/khalifa-haftar-isis-libya-muammar-el-qaddafi-483246

Panel of Expert Report 2022 https://documents-dds-ny.un.org/doc/UNDOC/GEN/N22/334/41/PDF/N2233441.pdf?OpenElement

The Intercept Report https://theintercept.com/2016/04/11/blackwater-founder-erik-prince-drive-to-build-private-air-force/

AP News Report: https://apnews.com/article/austria-aircraft-export-trial-prince-blackwater-f2042f2ae0a3b2df5c3d15c17923f51a

Der Standard News Report https://www.derstandard.at/story/3000000195428/prozess-um-blackwater-gruender-prince-startet-in-wiener-neustadt

Time of Malta reports https://timesofmalta.com/articles/view/military-contractors-left-malta-for-secret-mission-to-libya.794309

and https://timesofmalta.com/articles/view/blunders-led-acquittal-libya-mercenaries-case.994317

Explore our latest FCC (Financial Crime Compliance) Essential article as Christopher Stringham, Global Account Manager at Neterium, delves into his fervor for Financial Crime Compliance (FCC).
In this edition, we’re looking into the proactive steps taken by the Financial Intelligence Unit of the Netherlands (FIU) in response to Russia's invasion of Ukraine. By promptly alerting regulated entities to potential risks, the FIU, in this specific context, successfully thwarted the exportation of dual-use goods. Join us as we dig deeper into this unprecedented measure.

Following the invasion of the Ukraine by uniformed troops from the Russian Federation and the imposition of new sanctions on Russia in February and March of 2022, the Financial Intelligence Unit of the Netherlands took steps to inform obliged entities of potential risks. Information sharing between the private and public sectors proved beneficial for both sides as significant reports of unusual and suspicious transactions were submitted. In the FIU’s Annual Review for 2022, they outlined the measures taken and highlighted some specific successes. Based on information gathered by the FIU, authorities in another country were able to prevent the exportation of dual use goods, millions of Euros connected to a sanctioned person were seized, and a person connected with evading sanctions relating to microchips was arrested.

That final point is particularly interesting since the person was recently convicted and the court judgement provides very interesting insights into his schemes. The issue was the shipment of various circuits in violation of Annex VII of Regulation 833/2014 and the court kindly provides details about the specific chips that were sold and exported. For example, they mention an invoice for a “Monolithic Inertial Sensor Digital Output of the brand/type ADIS16445BMLZ”. A quick internet search shows online traders who offer this product and helps find the relevant TARIC codes (8542399000). After converting the number to the CN code format, the first 6 digits, (8542 39), then it is easy to search for the number in the list of goods which may not be sold to any entity in Russia. By converting the number to the ECCN code format, it is also possible to confirm that this type of chip, it is also on the US’s Commerce Control List.

This exercise really highlights the difficulty of identifying restricted goods including dual-use goods. Invoices may provide part numbers or product names, but manual work is necessary to connect those product descriptions with the necessary codes used in official lists.

The court decision also provides an interesting insight into the approach of the defense in this case. The defense claimed that it wasn’t sufficient to consider just invoices and other documentation; they insisted that the goods themselves should have been investigated. The court rejected this on the basis that there was no indication that the goods delivered were different than those specified on the invoice. From a practical perspective, it is hard to say how Dutch prosecutors could have obtained the goods to inspect them as they had already been exported. Had the court agreed to this logic, it would have made prosecutions an impossibility.

One of the biggest topics in financial crime compliance circles is the usefulness of Suspicious Transaction Reports. Millions of reports are filed every year, but feedback is very rare. In this case, however, we have an example where the FIU was able to take the information received from an obligated entity, initiate an investigation, and obtain a conviction.

Netherlands FIU report 2022 Annual review of FIU-the Netherlands (fiu-nederland.nl)

Press Release about arrest Aanhouding in onderzoek naar overtreding sanctiewetgeving | FIOD

Court Decision: ECLI:NL:RBROT:2023:10072, Rechtbank Rotterdam, 83-235373-22 (rechtspraak.nl)

Council Regulation (EU) No 833/2014 of 31 July 2014 EUR-Lex - 02014R0833-20231001 - EN - EUR-Lex (europa.eu)

Discover our first FCC Essential article, where Christopher Stringham, Global Account Manager at Neterium, shares his passion for Financial Crime Compliance (FCC).

Today, we deep dive into a report from the UK's Financial Conduct Authority (FCA) on their assessment of regulated firm's sanctions compliance processes.

The UK's Financial Conduct Authority says firms are over-reliant on third party sanctions screening tools! The FCA has recently conducted assessments of firms’ sanction systems and controls based on the guidance in the FCG and other sources. The report of the key findings was released on 6th September.

The FCA based their assessment on previously issued guidance such as their Financial Crime Guide. For example, section 7.2.3 of the FCG states that, "A firm should have effective, up-to-date screening systems." The FCG offers numerous examples of good practice and also provides very informative examples of poor practice. Such as: "Where a firm uses automated systems, it does not understand how to calibrate them and does not check whether the number of hits is unexpectedly high or low."

Despite the guidance, the FCA still found, "poorly calibrated or tailored screening tools, with some firms also too reliant on third party providers with ineffective oversight over them." Additionally, "there were instances where calibration had not been adequately tailored. This resulted in it either being too sensitive, causing a high number of false positive names (…), or not sensitive enough, meaning that even minor variations in names led to sanctioned individuals not being detected. This delicate balancing act shows the importance of firms understanding how their systems work and how they are calibrated." 

De Nederlandsche Bank issued a similar report a few months ago and had similar findings. They also found that:"(M)any institutions trust that their (external) screening systems function adequately, and that they do not carry out their own periodic assessments, such as spot checks."

Interestingly, while the FCA raises the risks associated with third-party solutions, the most recent fine in the UK relating to sanctions screening involved the use of an in-house screening system. In this case, the firm’s third-party data provider quickly delivered the updates to the sanctions lists and the in-house screening system correctly generated a possible match. Unfortunately, the system generated so many false hits that analysts were not able to process the alerts in a timely manner. This led to a company policy where accounts were ‘suspended’, transfers were prohibited, but debit cards associated with the account were not blocked. And in this particular case, the debit card of a designated national was only blocked five days after listing and a withdrawal was made.

Legacy screening systems have typically functioned as black boxes. It is difficult to know what the system is doing and why. This limits the ability to conduct testing and tuning. Also legacy systems are often very inflexible. Even with significant testing, tuning is often just not possible or very limited.

Development of 'name matching algorithms' and ‘sanctions screening systems’ is not the primary business of financial service firms. The use of third-party solutions is therefore very natural. These are normally better than in-house systems due to the ability of the providers to specialise and receive feedback from a number of customers. Still, not all solutions are equal. Regulators justifiably require transparency, so it is critical to look for a provider that offers a glass box to understand in detail the results that you are getting and also provides the flexibility to actually tune the results effectively.