Financial institutions employ screening—using lists of names, entities, persons, or countries derived from various sanctions or prohibited persons lists to identify possible legal restrictions (e.g., sanctions), fraud, or other concerns with respect to a relationship or transaction—as an essential part of an effective financial crimes compliance (FCC) program.
Screening is dependent on data sets and lists of sanctions indicators. These lists, which incorporate records generated by governmental agencies as well as internal lists that reflect the financial institution’s knowledge about its own exposure to sanctions risks, must be accurate, reliable, up to date, refreshed frequently, and relevant to the institution’s unique risks. Rigorous management of these lists promotes screening consistent with the institution’s risk appetite, including the identification of potential prohibited targets.
According to the Wolfsberg Group’s guidance on sanctions screening, “list management refers to the end-to-end process of determining and managing regulatory and internal lists used for screening.” Although most advice on list management rightfully focuses on regulatory lists, this often means that the maintenance of internal lists remains an afterthought and often becomes challenging due to factors such as competition over resources and a lack of documented procedures outlining expectations. In some instances, for example, it may seem overwhelming to review hundreds of entries in internal lists that may have been created years ago. Yet, without doubt, institutions that regularly maintain such lists will see clear benefits.
Internal Lists: Why So Important?
Financial institutions develop and retain internal lists based on in-house reviews of their own risk appetites. These lists usually take the form of a “Bad Guys” list, an inventory of parties identified by the institution as requiring monitoring; and a “Good Guys” list, an inventory of parties that either create false hits against parties on known watchlists, or that are on certain watchlists but have been deemed to be acceptable to do business with by the institution.
Both lists serve a purpose within the screening process:
- Bad-Guys lists ensure that an alert is generated for prohibited parties so that the transaction can be reviewed for proper disposition before it is executed (“a priori”). If certain parties on this list are no longer prohibited, the alert management team carries the added burden of working, disposing of, and closing out these unnecessary alerts.
- Good-Guys lists ensure that obvious false positive alerts are not repetitively generated, and as such help the alert management team stay focused on reviewing potential matches. If entries in these lists are not up to date and/or were not created accurately, there is a potential to miss alert(s) containing prohibited parties.
Maintenance of the lists is crucial for ensuring that they are working as expected and are effective within the broader FCC program.
Effective Internal Lists Maintenance
With strategic planning and a best-practice-based list management process, financial institutions can ensure that their internal lists are less overwhelming to manage.
- Keep the internal lists up to date. The most time-consuming task is ensuring that the lists are kept up to date. To accomplish this, an institution should implement a periodic review plan that outlines the standards, protocols, and timeline for the review of its internal lists.
  - The plan should clearly establish the frequency of the review (i.e., quarterly, bi-annually, or annually). To ensure the review is performed, many institutions make the review a part of their annual model validation exercise.
  - The plan should detail what entries should be selected for each review, such as a specific type of entry (e.g., all individuals or all entities), a certain coverage period (e.g., the parties added during a certain date range), or a particular characteristic (e.g., parties that were added because they were a part of targeted AML investigations or were added in bulk based on geography and/or industry specific monitoring).
  - If in between review cycles it is determined that certain parties do not require any further tracking, institutions should move forward with disabling and/or deleting the entries immediately after such a decision is made. Documenting these decisions and clearly identifying the authorized parties who made them (such as AML/BSA officers or sanctions advisories and/or committees) is crucial, as this will prevent future false alerts from being generated and keep the needed audit trail.
- Institute enhanced controls around the addition and deletion of entries. Boosting controls during the addition, disabling, and/or deletion of entries will ensure that such updates do not happen inadvertently. These controls may be as simple as adding a “four eyes” check and having a formal approval process before any change can be made. The addition and deletion of entries should also be tested before moving into production to ensure non-regression and that changes are working as planned.
- Inventory and track relevant information. Keeping the lists in order with all pertinent information—including when the entry was created, the requesting party, the reason for monitoring, and what steps need to be taken if there is a potential match—is critical for ensuring the information remains organized and intact during any period of transition. This will also help to ensure the lists can be sorted in any order of preference to carry out necessary periodic reviews. In addition, having this data easily accessible to analysts reviewing the alerts makes the alert review process more fluent and efficient, while reducing escalations.
- Conduct periodic testing to ensure lists work as planned. It is important to ensure that the current lists are functioning properly and creating or suppressing alerts as intended. Such testing, based on a clear and outlined testing methodology, should be incorporated into the periodic review plan. Another way to incorporate this testing is to address it during the annual model validation exercise.
- Document the list management process. It is important to clearly record the steps to be followed when supporting an internal list maintenance process. This procedural document should include (a) any protocols to follow during technical matters and list upload/management issues; (b) the key internal stakeholders and their roles (e.g., FIU/AML teams and sanctions advisory teams); and (c) the key team conducting and documenting the actual list upload and maintenance (e.g., compliance technology and/or list management teams).
To have a successful overall sanctions list management and screening framework, it is important for financial institutions to ensure that their internal list management process is efficient and is viewed as an important component of the framework, with recognized downstream effects.
By establishing best practices, implementing strategic planning, and taking simple yet essential steps as discussed, this crucial process, which sometimes may be overwhelming, can become straightforward and manageable.