Future Trends in Sanctions
As political leaders discuss relaxing – or in some cases tightening – sanctions regimes, financial institutions are struggling under the weight of fragmented lists and requirements, outdated technology and millions of false positive alerts. New sanction regime structures that require an understanding of ownership structures and not just names on a list have increased the burden and heightened ambiguity. With profit margins shrinking and the correspondent banking model under siege by new entrants and a retrenchment in globalisation, could automation, artificial intelligence and outsourcing provide cost relief? As utility solutions gain currency, will regulators provide assurance that banks can count on third-party or outsourced models to operationalise sanctions compliance?
Sanctions compliance is a very complex area to manage. In the first place, gathering the right information is challenging as there large number of competent authorities and some notices can lead to interpretation and require complementary analysis. In fact, it is not just a matter of looking at names on a list and ensuring you are not doing business with any of them. A major part of the process is collecting information about ownership structures and know your customer (KYC). Across the globe, sanctions are very fragmented and subject to constant change. For example, the most recent US sanctions on Russia target particular business projects, in addition to individuals and sectors. As the complexity increases, so does the cost of compliance.
Secondly, banks must ensure that they have full sanctions lists and that these lists are up to date – compliance is required immediately once a list has been issued. The goal is to create documentation that will ensure sanctions breaches do not occur. The truth is that there isn’t one obvious solution to get there: many external providers but not one universal solution to embrace the diversity of businesses and geographies. At the same time, banks are automating processes to enable compliance teams to work on alerts and reduce the number of false positives. Societe Generale, for example, is working on an inhouse initiative to automate alerts processing, applying AI and machine learning. Such initiatives must ensure that they can demonstrate to regulators why an alert has been dismissed as a false positive.
Thirdly, the accuracy of sanctions screening relies on the quality of our client’s knowledge including his beneficial owners, his products, his purchasing and selling locations and channels, but also his business relationships with Societe Generale or his other banking relationships . This is an area of continuous improvement.
Without the quality of the processes around these three prerequisites, the added value of artificial intelligence as featured by machine learning, robots and big data would be limited. As always, data quality and velocity are everything: garbage in, garbage out!
Automation of sanctions compliance will not occur overnight. It takes time to collect the information for even v the very basic tasks that can be automated.
A question remains about how much can be automated. Robotic processes are not bank employees and do not take responsibility for decisions. To date, SG is using automation and machine learning to do analysis of alerts management processing. The decision to further investigate an alert is made by a human, not a machine.
Because sanctions are subject to change and updates on an almost daily basis, the potential of machine learning in automating sanctions compliance is limited. A machine learning system would have to learn on a daily basis and what applies one day, may not the next. Also, sanctions compliance must be immediate, giving a machine learning program no time to ‘learn’ the appropriate response. Banks must ensure that any automation solution is flexible enough to rebuild its model and be applicable in other contexts as circumstances change. The identification of patterns in data, which could help to build filtering rules and reduce the number of false alerts, is difficult. Banks must be sure that any patterns they identify are not subject to change as sanctions lists change. However, being able to identify one true alert identified among 10,000 false alerts will prevent a bank from breaching sanctions.
It is very important that any sanctions compliance program is resilient. Even if a process becomes fully automated, if that solution fails, banks must have a backup because compliance is an intraday activity.
One of Societe Generale’s projects is about how we reduce the number of false positives in our sanctions programs. Sanctions may apply to a part of a business, but not all of it. We are working on how to apply sanctions to specific areas and on specific SWIFT message types. We can further define and go into the details by applying business analytics to fine tune how we apply sanctions filter rules.
One way to reduce costs and become more efficient in sanctions compliance at the industry level would be to pool information among banks in the form of a utility. However, sanctions compliance will be very specific to a bank’s business; there is no ‘one true’ solution for sanctions compliance. Most of the automation tools used by banks for sanctions compliance are very specific to that bank. Some related initiatives are under way or taking momentum, including SWIFT’s KYC Registry.
However, at the end of the day, all these initiatives won’t fly if regulators don’t step out to support them.