How To Leverage Due Diligence Analysis/Reviews Of Sanctions And PEP Screening
June 11, 2019
In the world of sanctions and PEP screening, there are a couple of regulatory guidelines and requirements that, if not managed properly, will exacerbate the manual processes that analysts have to go through, elevating the overall cost of the screening program. On one hand, screening your customer base should be a periodic task. But how frequently should you do it? It really depends on your program. In the US, FinCEN does not actually require periodic testing of your client base, but failure to detect matches in your client base can carry significant fines, so it is strongly suggested that you do. A program without re-screening is very high-risk, and while this doesn’t constitute legal advice of any sort, you should make sure your program does re-screen your clients periodically. Sanctions and PEP lists are updated constantly, so in general, every time there is a change to these lists, you should re-screen your clients.
On the other hand, if there is a match, as an analyst, you MUST review the match and reach a conclusion about whether the match against a sanctions/PEP list is indeed the individual or the business in the matching list or not. In most cases, the matches will be false positives, meaning the entry that your user matches against isn’t the actual intended individual or business on the list. The compounded effect of these two requirements is that you may end up matching the same user over and over on the same entry on a list, causing unnecessary manual cycles. Now, since you have to re-screen your users periodically, ideally, you’d want to preserve your previous analysis and apply it to the user such that you don’t have to perform the same analysis again. Here are a few observations before we move into how to accomplish that within the IdentityMind platform:
- Most examiners and regulators would support a risk-based approach to compliance, meaning the risk of reusing a proper analysis on your client to dismiss a match can fall within the risk-based framework; however, you do need to document that this is your process.
- The process for deciding whether a match is a false positive has to be adequate and has to be performed by a trained analyst. The last thing you want to do is reuse the results of a faulty process.
- Lists are updated constantly. Matching and clearing against a given entry in a list is not a reason to dismiss other matches against other entries in the same list or other lists. When you reuse a previous analysis, the process has to check that the new match is against the same entry in the same list.
- While regulators will accept and support a risk-based approach, it does not necessarily constitute an excuse if you end up missing a true match against the sanctions lists, no matter what your program says.
How Can You Implement this in IdentityMind
The IdentityMind Platform allows you to:
- Automatically re-screen your clients
- Screen users on every transaction
- Remember for a period of time the decision you manually took when reviewing a sanctions/PEP match
- Automatically remove the match from your review list if this is the match you have previously reviewed and accepted
Periodic Testing: KYC/KYB
The first thing you need to do is configure the capability in the system to do so. This is in the admin configuration interface under “Periodic Merchant Testing” (KYB) and “Periodic Consumer Testing” (KYC). In this configuration, you specify how frequently you’d like to re-screen. Note that for this to work, you must have done (or loaded) the KYC/KYB into the IdentityMind platform.
You also need to contact your CSM ([email protected]), because there is a minor configuration that needs to be turned on in the backend, and we need to make sure you have the right services purchased from us to enable this feature. Then, within your Profile configuration, you have to assign the sanctions match rule to the “periodic testing” stage, the same way you added it to the initial sanctions/PEP screen.
Screen on Every Transaction
An additional feature of the platform is to screen the users on every transaction. So, if you are using the “transfer” API in the system, you can screen the users in every transaction, and, if the transaction has both a source and a destination (e.g., P2P transfers and remittances), both can be screened.
Configure Automated Review Policy
For the system to remember and apply your manual decision, you need to enable the ARP (Automated Review Policy) rule within your profile, and you need to do this for every profile you have. For every profile, you also need to set the time (in days) you want the platform to remember your decision.
Accept an Application or a Transaction Manually
At the moment, the system remembers and applies an automated decision when a KYC (or KYB) application, or a transfer/payment transaction, results in manual review, there was a sanctions match associated with it, and the application/transaction moves from “Manual Review” to “Accept” state. If during a re-screen the same user triggers the sanctions rule, the application/transaction will move from “Accept” to “Manual Review” to reflect the match. The ARP configuration then checks whether the entry/list is the same as the one that was originally accepted, makes sure the original decision is still within the configured time, and if so, automatically moves the application or transaction from “Manual Review” to “Accept.” All of this happens transparently in real-time. If the ARP rule applies, it will leave an audit trail message, recording both the match and the fact that the system automatically accepted the application. If the application or the transaction was never moved from “Manual Review” state to “Accept” state, then the ARP will not apply.
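The decision-reuse logic described above can be modeled in a few lines. This is an added illustration, not IdentityMind code or its API: the class and function names, the list names and the entry ids are hypothetical, and it assumes every hit in a re-screen must be covered by a remembered decision before anything is auto-accepted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Match:
    """One screening hit; identity is the (list, entry) pair, never the name."""
    list_name: str
    entry_id: str

@dataclass(frozen=True)
class ClearedDecision:
    """Recorded only when an analyst moves Manual Review -> Accept."""
    user_id: str
    match: Match
    accepted_at: datetime

def rescreen_state(user_id, matches, decisions, remember_days, now, audit):
    """Return the state after a re-screen; append to audit on auto-accept."""
    if not matches:
        return "Accept"
    window = timedelta(days=remember_days)
    remembered = {d.match for d in decisions
                  if d.user_id == user_id and now - d.accepted_at <= window}
    # Assumption: one uncovered hit, even another entry in the same list,
    # sends the whole application back to an analyst.
    if any(m not in remembered for m in matches):
        return "Manual Review"
    for m in matches:
        audit.append(f"{user_id}: match {m.list_name}/{m.entry_id} "
                     "auto-accepted from prior manual review")
    return "Accept"

# Constructed sample data: list names and entry ids are placeholders.
NOW = datetime(2019, 6, 11)
HIT, NEW_HIT = Match("LIST-A", "entry-100"), Match("LIST-A", "entry-200")
DECISIONS = [ClearedDecision("user-1", HIT, NOW - timedelta(days=30))]

def demo():
    audit = []
    return (
        rescreen_state("user-1", [HIT], DECISIONS, 90, NOW, audit),           # same entry, in window
        rescreen_state("user-1", [HIT], DECISIONS, 14, NOW, audit),           # decision expired
        rescreen_state("user-1", [HIT, NEW_HIT], DECISIONS, 90, NOW, audit),  # new entry, same list
        rescreen_state("user-2", [HIT], DECISIONS, 90, NOW, audit),           # never manually accepted
        audit,
    )

if __name__ == "__main__":
    print(demo())
```

Only the first case is auto-accepted and audited; an expired decision, a new entry in the same list, and a user with no prior manual acceptance all stay in manual review.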
A Few More Thoughts
It is recommended that in the rules you create for sanctions screening, there are only the sanctions security tests (SS:1, SS:4, SS:5). When using other security tests in the same rule, the whole thing can get a bit complicated because other tests may be more relevant for the rule to trigger; in which case the overall behavior of the automated decision is dependent on the combined behavior of the tests. So, to make it easier, it is recommended to have only sanctions screening tests in the rule. Depending on your monthly re-screen volume, you may want to ask your CSM if S4 (Sanctions Screening Subscription Service) makes more sense for you in terms of cost. For further reading, take a look at: