Sanctions screening was, is and always will be one of the main challenges that compliance officers face. The major difficulties they come across can be demonstrated by the following equation that has no one universal solution. The first part of the equation is that breaching sanctions regimes will undoubtedly trigger a sequence of actions with serious consequences. At the same time, and this is the second part of the same equation, organisations are struggling to find ways to reduce the operational overhead related to sanction alert reviews and other operational inefficiencies related to maintaining sound systems.
Where should an organisation draw the line between compliance and cost? As demonstrated by our recent efforts, at PwC we are constantly looking for solutions. In a series of blog posts, together with my colleagues from the Financial Crime Advisory team and network, we will be looking at ways to strengthen compliance (e.g. Sanctions, AML/CFT, Fraud) while ensuring balance between compliance and the associated costs.
We oftentimes hear that “there’s no hope as our sanctions screening system is a black box”. Our aim is to turn the perception of a “black box that you need to trust and hope it works” into a crystal clear set of processes, data and functions. This will allow you to safely apply a well-defined risk-based approach and, at the same time, set an appropriate fuzzy matching threshold, optimise the number of false positives, create capacity planning or adequately monitor the associated operational KPIs. In other words, redesigning the controls.
How can this be achieved? Here’s a preamble following our framework which reflects the recent Wolfsberg insights that provides guidance on the importance of implementing sound sanctions screening technologies and adjusting them to fit the risk profile of an organisation. In the same context, we are working to push the boundaries of Financial Crime Compliance programs to new dimensions.
- Assess adequacy and implementation
- Optimise the screening system(s)
- Optimise the operations
These three points require more than just “another procedural review”. They require that we go deeper into the heart of the screening models. Though important layers of the Sanctions Compliance Control Systems, policies and procedures are, in this case, the input for transforming these systems into elements driven by technology and analytics.
The following steps summarise the lifecycle of the optimisation exercise supported by analytics.
0. Detailed risk assessment and defined risk appetite
1. Completeness adequacy assessment
The objective of the first step is to answer three essential questions:
- Whether all relevant records are screened;
- Whether the records are modified before the screening;
- Where the records are of the quality required for the screening.
A number of tests should be performed that cover the data flow, processing and transformation steps performed before the records reach the sanctions screening system.
2. Sanctions business configuration testing
Independently test the sanctions screening system to indicate:
- The effectivity of screening, i.e. how good is the system at identifying sanctions;
- The efficiency of the screening by calculating the level of false positives (or true negatives);
- The sanctions list coverage and the usage of the latest version of the lists.
3. Detection model optimisation
The aim of the analysis is to decrease the detection ratio, (i.e. decrease the number of false positives) and to prevent the review of irrelevant alerts.
Exploratory data analysis of historical performance of the screening system is used for this step which provides insights into:
- The configuration of the system;
- Its usage; and
- The main reasons for the high number of detections.
4. Operations planning
The previous steps of the optimisation lifecycle introduced changes to the system and the overall setup of the sanctions teams. Your capacity planning model should provide clear estimates for the number of reviewers needed to deal with a particular backlog or the number of reviewers needed for real-time screening.
The model should be able to calculate and consider a number of features such as average number of alerts per day, peak hours, time spent on alert, etc.
5. Performance monitoring
Comprehensive sanctions dashboards should consist at least of the two major views:
- Dashboards focusing on the operational KPIs and the status of the investigations.
- Dashboards designed to support optimisation efforts and to evaluate the performances and effectivity of the system.
The first two steps focus on the comprehensive assessment of the adequacy of the sanctions screening system in order to first ensure that all risks are properly covered. It is worth mentioning that an appropriate risk assessment is one of the key inputs for the whole exercise (only 1 out of 5 organisations have a sanctions risk assessment).
Steps two (Sanctions business configuration testing; only 1 out of 5 organisations perform any sanctions testing) and three (Detection model optimisation) represent the system optimisation. Such optimisation can’t only focus on reducing the number of alerts to investigate. The optimisation should be designed to find the right balance between the number of alerts and appropriate coverage of sanctions risks (i.e. the system still has to stop the bad guys). As part of the analysis, a comprehensive definition of risk appetite is created and fuzzy matching threshold is not set according to the well-known rule “I believe that the right number is 80” or the other well-known rule “The other bank uses 82” but based on data analysis and clear evidence.
Optimisation of the operations includes changes to policies, procedures, operational model but also tasks that can be driven by data analytics – capacity model planning and full performance monitoring capabilities – that form the holistic and sustainable sanctions model.
Our next post will focus in detail on a comprehensive assessment of the sanctions model as the main pre-requisite for successful optimisation.
Senior Manager, Financial Crime Technology & Analytics