Sanctions in FinTech – a defence, not a puzzle

We explore how to turn necessary compliance into robust protection

Sanctions compliance may seem a complex challenge for fintechs seeking to develop and implement a risk-based approach that detects, prevents, and manages sanctions risk effectively. We think it’s also an opportunity. As experts in financial crime and compliance and all aspects of client on- and off-boarding and anti-money laundering, we always advise fintechs to use the requirement to comply as the opportunity to build a tailored, robust wall of defence that actively benefits your business, as well as satisfying regulatory rules.

Of course, the effective implementation of any compliance programme must always be targeted and tailored to the firm’s precise requirements and existing approach. But while there may be no ‘one size fits all’, any sanctions programme should always incorporate these six key building blocks:

  1. Policies and procedures: you should have documented policies and procedures in place, which clearly set out your approach to complying with your legal and regulatory requirements in relation to relevant sanctions programmes (such as OFAC).
  2. Responsible persons: the key decision makers within your alert review process must have the appropriate skills and experience to understand the complex nature of sanctions requirements for which they are responsible, and how these may affect the screening process. Additionally, your wider senior management should be involved in approving and taking responsibility for such policies and procedures.
  3. Risk assessment: you should conduct a thorough assessment not just of your customers but of your entire supply chain, including intermediaries, counterparties, products, services and geographic locations to identify potential sources of sanctions-related risk.
  4. Internal controls: you need to develop appropriate internal controls, including policies and procedures designed to detect and report potential sanctions violations.
  5. Testing and auditing: you should test your policies, procedures and systems regularly, ensuring you update them to address any weaknesses the tests identify.
  6. Training: all relevant employees should receive training on your sanctions compliance policies and procedures at regular intervals of no more than a year.

In addition, we always advise fintechs that:

  • You should have a system in place to screen customers during on-boarding, through the life cycle of the customer relationship and their transactions. (Screening is the comparison of one string of text against another to detect similarities which would suggest a potential match. It should compare data sources from the firm’s customer and transactional record against relevant lists such as UN or OFAC.)
  • You must assess your own risk to understand how and to what extent screening is employed, clearly defining the sanctions risk that the organisation is trying to prevent or detect. You will need to evaluate the inherent risk posed by products, services, and customers where all account holders are required by law to be compliant with that jurisdiction’s sanctions and KYC requirements.
  • You should have a documented understanding of how risks are managed through screening, including set-up and calibration, so that you understand its effectiveness. For example, list-based programmes focus on the sanctioned party’s name, which can be detected through the screening of customers and transactions; whereas sectoral sanctions programmes define activities that are prohibited, and screening payments for targeted parties will not detect the sectoral sanctions risk without additional information about the specific underlying activity and, therefore, may be neither appropriate nor effective.
  • Finally, you need to assess whether information is available in a format conducive to screening. For example, a firm may identify that the information within its operations is insufficient to assess a screening alert and distinguish a true match from a false match. In these cases, the firm may need to consider alternative controls or adopt new business processes. Additionally, fintechs may take the decision not to screen a category of information because, although the information is conducive to screening, it is not actionable to effectively manage the risk and therefore the organisation should implement alternative controls.

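To make the screening comparison described above concrete (one string of text compared against another to flag a potential match, calibrated by a threshold, and resolved with secondary data such as date of birth to separate a true match from a false one), here is an added Python example. It is not the firm’s or any vendor’s screening tool: the watchlist entries, aliases, customer records and `LIST-` identifiers are all constructed for the demonstration and refer to no real designated person, and the 0.85 and 0.95 thresholds are illustrative assumptions rather than recommended settings.

```python
"""Illustrative sanctions name screening (added example, not the article's own).
All list entries and customer records below are constructed for the demo;
none refers to a real designated person or entity."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist: placeholder ids and invented names, not a real list.
WATCHLIST = [
    {"id": "LIST-0001", "name": "Ivan Petrovich Smirnov",
     "dob": "1965-03-12", "aliases": ["I. P. Smirnov"]},
    {"id": "LIST-0002", "name": "Global Trade Holdings Ltd",
     "dob": None, "aliases": ["GTH Limited"]},
]

# Tokens that carry no identifying value and only distort the comparison.
STOPWORDS = {"ltd", "limited", "inc", "llc", "plc", "co", "mr", "mrs", "ms", "dr"}


def normalise(name: str) -> list[str]:
    """Lower-case, strip accents and punctuation, drop stopwords, return tokens
    so that 'Smirnóv', 'SMIRNOV' and 'Smirnov.' all compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9 ]", " ", plain.lower())
    return [tok for tok in cleaned.split() if tok not in STOPWORDS]


def name_score(a: str, b: str) -> float:
    """Token-wise fuzzy similarity in [0, 1]: each token of the shorter name is
    matched to its closest token in the longer one and the ratios are averaged,
    so a partial name such as 'Ivan Smirnov' still scores 1.0 against the full
    'Ivan Petrovich Smirnov'. Single-token names need extra tuning in practice."""
    ta, tb = normalise(a), normalise(b)
    if not ta or not tb:
        return 0.0
    few, many = sorted((ta, tb), key=len)
    best = [max(SequenceMatcher(None, s, l).ratio() for l in many) for s in few]
    return sum(best) / len(best)


def triage(customer: dict, entry: dict) -> str:
    """Use secondary data (here date of birth) to separate true from false
    matches; without it the alert can only go to an analyst for review."""
    if not entry["dob"] or not customer.get("dob"):
        return "review"
    return "confirmed" if customer["dob"] == entry["dob"] else "discount"


def screen(customer: dict, threshold: float) -> list[dict]:
    """Compare one customer record against every list entry and its aliases;
    raise one alert per entry whose best score reaches the threshold."""
    alerts = []
    for entry in WATCHLIST:
        candidates = [entry["name"], *entry["aliases"]]
        score = max(name_score(customer["name"], c) for c in candidates)
        if score >= threshold:
            alerts.append({"customer": customer["name"], "list_id": entry["id"],
                           "score": round(score, 3),
                           "status": triage(customer, entry)})
    return alerts


def alert_count(customers: list[dict], threshold: float) -> int:
    """Calibration helper: how many alerts a given threshold generates."""
    return sum(len(screen(c, threshold)) for c in customers)


# Constructed customer records for the demonstration.
CUSTOMERS = [
    {"name": "Ivan Smirnóv", "dob": "1965-03-12"},    # partial name, DOB agrees
    {"name": "Ivana Smirnova", "dob": "1990-07-01"},  # near-miss, DOB differs
    {"name": "John Baker", "dob": "1978-11-30"},      # unrelated
    {"name": "GTH Limited"},                          # entity alias, no DOB held
]

if __name__ == "__main__":
    for c in CUSTOMERS:
        print(c["name"], "->", screen(c, threshold=0.85))
    for t in (0.85, 0.95):
        print(f"threshold {t}: {alert_count(CUSTOMERS, t)} alerts")
```

Running it shows the calibration trade-off the bullets describe: at 0.85 the near-miss ‘Ivana Smirnova’ alerts and is then discounted on date of birth, while at 0.95 it never alerts at all; the entity alias alerts at either threshold but, with no secondary data held, can only be routed to manual review.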
If you would like advice or guidance about any of the points above, or in relation to any aspect of regulatory compliance or financial crime prevention, please contact us.

About the author

I specialise in helping FinTech and Virtual Asset Service Providers execute and assure financial crime compliance objectives