Economic and money-laundering sanctions have long been a part of corporate compliance — but with each passing year, both have become more important to a successful compliance program. Governments in Europe and the United States now use sanctions as a geopolitical tool so often (especially since Russia invaded Ukraine earlier this year) that corporations must give sanctions compliance the high attention it deserves.
At the heart of sanctions compliance is screening: checking to see whether your customers, suppliers, or other business partners are on government sanctions lists, which means your company cannot do business with them.
Conceptually, sanctions screening is similar to the due diligence that anti-corruption compliance programs have done for years. In practice, however, sanctions screening is a more complicated process. It depends on thoughtful policy and procedure, as well as astute use of technology.
Let’s take a close look at how sanctions screening should work, and what regulators have said about the process that compliance officers should use as the foundation for their sanctions compliance program.
What is sanctions screening?
As we said, sanctions screening is checking to see whether your customers, suppliers, or other business partners are on government sanctions lists. If they are on such lists, a company can face severe financial penalties for continuing to do business with them.
Sanctions screening is a complicated process for several reasons.
First, multiple governments and groups maintain sanctions lists, and global businesses must comply with all of them. In the United States, the primary sanctions authority is the U.S. Office of Foreign Assets Control. The European Union maintains its own set of “restrictive measures” (that is, sanctions) which individual member states must implement. The United Kingdom, the United Nations, Canada, China, Russia, and other governments all maintain their own lists too.
Second, sanctions lists change often. Since Russia’s invasion of Ukraine, for example, U.S. and EU authorities have added persons and companies to their sanctions lists almost every day. It’s also possible for sanctioned entities to come off those lists, such as when a government decides some person or group is no longer a criminal or terrorist threat.
Third, both people and businesses can be on sanctions lists, and companies must screen for both. For example, a supplier to your business might not be a sanctioned company, but one of its owners might be a sanctioned individual — which would still leave that supplier off-limits to you. So your sanctions screening must check corporations and their owners, as well as individual people.
Why do I need a screening tool?
That’s easy: because effective sanctions screening is impossible to do manually. There are simply too many lists, changing too often, with too many names of corporations and individuals.
A screening tool automates sanctions screening. Not only does that accelerate the whole process of screening; it also gives your business more confidence that, yes, you’re performing screening in a rigorous and disciplined manner. For example, you can configure your screening tool to search multiple name combinations — “John H. Smith,” “J.H. Smith,” and “JH Smith” — and know that every time you screen a person, the tool will search all those variations.
As a practical matter, most businesses use an outside vendor for their sanctions screening. The vendor keeps track of changes to sanctions lists, and performs the actual work of comparing your customer, supplier, or business partner’s name against those lists.
What do regulators say about screening tools?
The U.S. Office of Foreign Assets Control (OFAC) has been clear that it expects companies using sanctions screening software to use that technology properly. OFAC published guidance in 2018 explaining what it wants to see in effective sanctions compliance programs, and devoted an entire section to talking about how sanctions screening can go wrong. Some of the more common problems:
- Failing to screen against the most recently updated sanctions watch lists;
- Failing to include relevant identifiers, such as SWIFT business identifier codes for financial transactions;
- Overlooking alternative spellings for names or prohibited countries (such as “Habana” instead of “Havana” or “Smyth” instead of “Smith”).
Moreover, OFAC has taken enforcement actions against companies for fumbling their sanctions screening efforts. For example, in 2018 OFAC fined a Virginia electronics company for failing to catch that one of its subsidiaries was selling goods to sanctioned businesses in Russia. The Virginia company screened its customer, Almaz Antey Telecommunications, which came back clear; but the customer’s parent company, Almaz-Antey, was on U.S. sanctions lists.
The error: the Virginia company had only screened for matches of full names, not partial names. So it missed “Almaz-Antey” — a mistake that cost the company $87,500.
How should my screening effort work?
Every business will need to find its own path to effective sanctions screening, depending on its industry, customer base, and business processes. That said, a few principles apply to every business trying to get its sanctions compliance program into good shape.
Visibility into third-party risk matters. You cannot screen your customers and third parties against sanctions lists if you don’t know who your third parties are. Compliance teams must have visibility into procurement, accounts payable, and sales functions to see all the third parties in your company’s orbit; and then feed those names into your screening tool.
Your screening technology matters. Find a reliable, reputable screening partner. Confirm that the vendor can search multiple name spellings (especially important for names translated from languages that don’t use the Roman alphabet). Confirm that it can screen fields related to international wire transfers, such as SWIFT banking codes. Test the vendor’s screening technology for accuracy and configuration.
For example, just last week the U.S. Securities and Exchange Commission fined Wells Fargo $7 million for anti-money laundering failures, where the bank failed to cross-reference country codes used on a money-laundering watchlist with the country codes used to process wire transfers. The bank hadn’t configured and tested its screening technology properly.
Tie your screening to other due diligence efforts. Effective sanctions compliance goes beyond screening; it should be part of a larger due diligence effort that helps your company avoid doing business with unsavory third parties. For example, your company should perform due diligence on all customers to see whether they serve on the boards of sanctioned businesses. You should design customer intake procedures so that employees ask such questions of sales prospects (even knowing that sanctioned persons will probably lie about it).
In short, screening is one part of a larger process of third-party risk management that every business should develop.
Don’t perform sanctions screening in a vacuum, simply because regulators require it; screening should fit within the larger goals of managing the risks that third parties pose to your company and running an ethical business. The benefits — financial, operational, legal, reputational — will be well worth the costs.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.