As the number and complexity of financial sanctions rapidly multiplies, banks must spend more on people and technology to ensure they comply with the rules.
The recent spate of sanctions imposed by the west on individuals and organisations in China, Russia and elsewhere illustrates the continued importance of sanctions as a tool of foreign and national security policy. It also highlights the immense compliance difficulties they pose for banks.
A case in point is the coordinated action by the EU, UK, US and Canada in March to impose sanctions on officials in China for human rights abuses against Uyghurs. In the EU, they were implemented under the bloc’s new Global Human Rights Sanctions Regime (GHRSR) established last December. The regime also targets, among others, individuals in Russia for “arbitrary arrests and detentions … and systematic repression of freedom of peaceful assembly” and in Libya for “extrajudicial killings and enforced disappearances”.
Anyone listed under the GHRSR is subject to an asset freeze and travel ban in the bloc. In addition, it is illegal for anyone in the EU to provide funds to those listed. As two of these three restrictions concern money, it clearly puts banks and other financial institutions on the front line.
The EU’s GHRSR mirrors the UK’s Global Human Rights Sanctions Regulations established in July 2020, as well as a similar law passed in Canada in 2017. All three are based on the US’s Global Magnitsky Human Rights Accountability Act of 2016, named after the 2009 death of lawyer Sergei Magnitsky in a Russian jail.
Wider sanctions regimes
These Magnitsky-style regimes are just part of much wider sanctions policies operated by Western countries against governments, organisations and individuals, with objectives far beyond stemming human rights abuses. Taken together, they place major compliance burdens on banks.
The European Commission describes EU sanctions as “a foreign policy tool, which, among others, helps to achieve key EU objectives such as preserving peace, strengthening international security, and consolidating and supporting democracy, international law and human rights”. Its Consolidated Financial Sanctions List is published on a dedicated website run in partnership with the European Banking Federation and other banking associations. The current list is 511 pages long.
Angelena Bradfield, BPI
Transacting with anyone on the list comes with severe consequences, as Standard Chartered found in early 2020 when it was fined £20.5m for doing so. The penalty was imposed by the UK’s Office of Financial Sanctions Implementation (OFSI), part of HM Treasury, as implementation and enforcement of EU sanctions is largely the responsibility of EU member states.
Following its departure from the EU, the UK is diverging from the bloc on certain policy areas, a prime example being the human rights sanctions regulations mentioned above. Giles Thomson, director of the OFSI, mentions others. “The UK’s first autonomous sanctions of 2021 recently went live, with four security chiefs listed in the Zimbabwe sanctions regimes for serious human rights violations,” he writes on the OFSI website.
“We have already taken advantage of new legislation to issue our first general licence to enable people to make payments to Crimean seaports out of non-frozen funds.”
Licences allow firms to conduct otherwise prohibited activities: a specific licence has to be applied for in each case, but a general licence allows multiple firms to undertake a range of activities without having to apply. The EU does not issue general licences, but the US — and now the UK — does.
Neil Whiley, director of sanctions at trade body UK Finance, says it is still too early to judge how much the UK will diverge from the EU. “While the spirit of new UK sanctions legislation is the same as the EU’s, there are nuances in the detail,” he says. “For example, the EU’s legislation on the Central African Republic is about 5000 words, but the UK equivalent is nearly 20,000 words.”
Regime rethink
Meanwhile in the US, sanctions policy under President Joe Biden’s administration is likely to differ from former president Donald Trump’s. Mr Biden has been clear that he would like the US to rejoin the 2015 Iran nuclear deal, which it withdrew from in 2018, if Iran fully complies with its obligations. He plans to lift the sanctions that came with that withdrawal.
On the other hand, Mr Biden supports the Hong Kong Human Rights and Democracy Act passed by Congress in 2019 when Mr Trump was in power, which imposes sanctions on Chinese and Hong Kong officials responsible for human rights abuses.
The Biden administration’s review of US sanctions policy is ongoing, with little to be gleaned from Mr Biden’s address to Congress after his first 100 days in office. However, as Mr Whiley points out, speaking to The Banker ahead of the president’s speech on April 28, the US did rejoin the Paris accord on climate change in February and therefore, if the administration applies a similar approach to other key issues, there is hope that the US could resume dialogue with its global partners on sanctions as well.
US penalties for transgressors can be eye-wateringly high. UniCredit, for example, had to pay $1.3bn to the authorities in 2019 for violating sanctions on Iran and other countries.
But Russia and China can impose sanctions, too. The latter imposed them on nine British citizens, including five members of parliament, in March in retaliation for the UK’s measures against Chinese officials for human rights abuses.
The UN Security Council also imposes sanctions. Since 1966 it has created 30 sanctions regimes. They are the most diplomatically acceptable, but getting the necessary consensus among council members — which includes China and Russia — is difficult, and nigh impossible if the sanctions are targeted at security council members.
This is why countries take their own approach and impose “autonomous” sanctions, which become multilateral if they coordinate their actions with close allies.
Compliance headaches
The compliance risks for banks are many and varied. Marina Alvarez, head of international sanctions programmes (compliance) at BBVA, Spain’s second biggest bank by Tier 1 capital, says the complexity is compounded by the sheer number of sanctions programmes that global banks have to manage. “We have to respect every sanctions programme of the countries in which we work, and we usually extend every programme to our worldwide activity,” she says.
The complexity [of sanctions] requires an enormous amount of technical and human resources to analyse and understand the regimes
“This complexity requires an enormous amount of technical and human resources to analyse and understand the regimes, to ensure we are not breaching any of the programmes, and to coordinate our actions across the BBVA group.”
Keeping tabs on every country’s sanctions lists is a complex task, as there are thousands and they are constantly changing. Banks use specialist companies, such as Refinitiv and ComplyAdvantage, to identify “designated” individuals and organisations. Sophisticated tools are used to screen transactions and customers against the lists. “We receive updates and new lists from our provider daily,” says Ms Alvarez.
Marina Alvarez, BBVA
“When a client is included in a sanctions list, usually we try to cancel the relationship,” she says. “But sometimes we are not allowed to stop working with them because local legislation in some countries does not allow banks to close down relationships unilaterally. So, the solution is to restrict the activity available to the client, establish strict controls to monitor each transaction and allow only transactions in local currency.”
It may be straightforward ending a direct relationship with a sanctioned customer, but it can be trickier when it is an indirect relationship via an innocent customer. “Relationship managers can have trouble explaining to customers why we cannot get involved in certain transactions, but usually there is little trouble because it’s very clear why we have to act like that,” says Ms Alvarez.
Which sanctions regime causes the biggest compliance problems? “The US,” says Ms Alvarez.
“Why? Because it’s very broad, it’s constantly evolving and sometimes it’s very open to interpretation. US sanctions have a lot of extraterritorial effect, even in the EU where there is a blocking regulation which prohibits EU businesses and individuals from complying with some of the US sanctions, for example on Iran.”
US sanctions regulations
The Bank Policy Institute (BPI), the Washington DC organisation representing major domestic and foreign banks, including JPMorgan Chase, Citi, Bank of America and Wells Fargo, is calling on the Biden administration to “streamline” sanctions requirements for banks.
“The chain of command for administering sanctions is confused. Ultimate responsibility rests with the president and the Treasury Department through its Office of Foreign Assets Control (OFAC), but battlefield command has been assumed by bank examiners [regulators like the Office of the Comptroller of the Currency],” alleges BPI’s chief executive, Greg Baer. “As a result, banks receive tactical orders that are at odds with the overall mission or strategy.”
For instance, the regulators order banks to screen nearly all foreign and domestic transactions against the OFAC sanctions list, even if it is as small as a $20 payment for a pizza; transactions routed through several banks must be screened by all banks, even though the originating bank knows the customer best; and banks’ screening models have to follow the federal banking regulators’ 2011 Supervisory Guidance on Model Risk Management, which is considered by many to be too prescriptive.
The BPI says this level of screening is unnecessary and diverts resources to less productive activities, a claim borne out by statistics showing that the screening of automated international automated transactions only produces matches in 0.0005% of cases; for domestic transactions using real-time Zelle payment networks it is 0%.
The BPI’s solutions to the problem are given in a report entitled ‘Reforming the US Sanctions Regulatory Regime: How a smarter, risk-based approach can make sanctions more effective’, published December 2020. The most significant is that the OFAC should adopt a rule that “endorses a risk-based approach to sanctions compliance” — effectively one that does not require banks to screen all transactions, but only those deemed to be higher risk. Most domestic transactions would be excluded to allow banks to focus on sanction evaders that are pursuing elaborate means to avoid detection through shell companies and intermediaries.
Angelena Bradfield, BPI’s senior vice-president for sanctions, says banks want to use their compliance resources more effectively. “The sanctions lists are very long and usually the names on them may only be effective for a day or so, after which the designated people and entities use other names or shell companies to get around the sanctions,” she says.
“There is also significant pressure from banking examiners on banks to go to the extreme when it comes to models used to detect sanctions evaders. Banks have to process all the alerts, but the number of true sanctions matches is almost non-existent,” she adds.
Ms Bradfield says it is too early to assess how the Biden administration will respond to BPI’s recommendations, “but Wally Adeyemo, who has now been confirmed as the new deputy secretary of the Treasury, will oversee sanctions and has indicated publicly his commitment to conducting a top-down review of their effectiveness”.
A legal opinion
Stephen Ashley, a sanctions specialist at law firm Stephenson Harwood, says one of the biggest difficulties faced by banks is the overlapping scope and contradictions between sanctions regimes. “An obvious example is the US sanctions position on Iran and the EU and UK blocking regulations, which prohibit EU and UK businesses and individuals from complying with some of those sanctions,” he says.
“It causes enormous headaches — not only because of the contradictory positions, but also because the blocking statutes are unclear in a number of significant respects, and there are various grey areas and little guidance on them, both from the authorities and the courts,” he says.
“Another difficulty is that banks and other financial institutions are in the frontline of sanctions. They are the ones who are enforcing the foreign policies of the different jurisdictions that have imposed the sanctions,” Mr Ashley adds. “The lengths banks have to go to comply have extended enormously over the past few years. Not only do they need to know their customers, but their customers’ customers.”
The lengths banks have to go to comply have extended enormously over the past few years
When a bank is investigated by the authorities for possible violations, one of the first steps is to get external counsel onboard — particularly to protect privileged information, which is a difficult area. Any investigation is likely to include a significant amount of data involving experts brought in by the bank to analyse the data and conduct interviews.
“UK banks and firms in certain other sectors are obliged to report suspected breaches, subject to an exception for privileged information held by lawyers, and voluntary disclosure may be a mitigating factor if any penalty was to be imposed,” says Mr Ashley. “The OFSI has been keen to encourage early reporting, though not necessarily the instant an issue is discovered, as the bank is entitled to assess the situation or seek legal advice before reporting.”
The importance of data
Richard Chalk, a managing director in the forensic and litigation consulting division of FTI Consulting, says when a bank is investigated by sanctions authorities for possible violations, certain priorities must be addressed early on. One of which is instructing legal counsel, who are specialised in the sector. Another is drafting in data specialists.
“Banks should involve independent experts to work with counsel on quantifying the exposure. They will ensure all workflows applied are defensible and can withstand the scrutiny that will come during disclosure.”
He adds: “Using consultants and data analytics experts to implement and validate your controls environment will help reduce risk. We often see investment in technology systems, but frequently process and data elements are overlooked. Failing to integrate the correct data and data of sufficient quality are fundamental failures that often arise.
“The role of data analytics in forensically quantifying the issues is an important one,” Mr Chalk says. “By automating and leveraging the power of machines, humans can focus on the truly challenging parts of the investigation.”
As in so many areas of banking these days, it is all about the data.
