UK compliance consultant Martin Schofield, Director of Financial Crime and Forensics Unit at Complyport, was the panelist of a webinar hosted recently by AGRC. The views and opinions of this AGRC fellow shed light on several fascinating issues connected to regulatory compliance and governance, such as sanctions, training, and financial crime prevention. An excerpt of the transcript – adapted to ease readability – follows below.
Panelist’s Background
Mr. Martin Schofield has worked as a consultant in financial crime prevention for multiple years, having previously held both in-house and independent roles as a regulator. These include, for example, group money laundering reporting officer, group head of financial crime prevention, data protection officer, etc. He has been both a practitioner and, also, a consultant and trainer, an expert “who has been on both sides of the fence.”
The following questions were asked in the webinar:
1) What are some of the major challenges companies face when having to comply with sudden and massive economic sanctions?
2) How can firms undertake searches of sanctioned individuals and companies in an efficient and effective manner? How can companies deal with dual nationalities and a lack of records showing that an individual has in fact two passports?
3) What are some of the other risks for a company that fails to enforce a sanctions order?
4) What is hot these days in the world of AML?
5) What is the role training and executive education plays in helping firms meet their regulatory obligations and establish a strong culture of compliance?
6) Can you tell us what to expect one, two, five years from now in terms of financial crime prevention? Where is this sector headed? Any predictions?
What follows is an adapted excerpt of a webinar transcript that can be viewed in full below. Register with us today in order to read this insightful, valuable webinar or login to your Member’s Portal.
Mr. Schofield’s Answer to Question 1
1) What are some of the major challenges companies face when having to comply with sudden and massive economic sanctions?
Firstly, in the key area of resources:
Firms have been implementing sanctions “of all descriptions” for many years and already have the systems in place to continue implementing this tool of punishment. However, when needing to obey sanctions that have been placed internationally across the board from, not just the UK, not just the UN, but from the US and a smorgasbord of other countries—there is a grand total of more than a thousand sanctions being applied internationally—your standard company simply does not have the resources to deal with the sheer amount of screening needed to be undertaken on a day-to-day basis.
Yes, company resources have been budgeted to deal with day-to-day sanctions involving the same perpetual, black-listed countries, say, Cuba, Iran, North Korea, etc. However, when you’ve suddenly got hundreds and thousands more sanctions added to the daily list, “an exponential” amount of people have to be hired to review the output of screening which, itself, must be more complex.
Internally, you’ve either got to pull people off other jobs within the company, or else train other in-house people to cope with the new work, said Schofield. Alternatively, external people can be brought on board, such as temps, contractors, etc., to deal with the new sanctions tasks.
According to the Complyport director, the problem with these two approaches is that you’re always in “a total state of flux,” no one can tell you when it is going to change, for example, when the sanctions will start to be released, what will drive the release of the same, or whether they will be released “on block, immediately” or phased out over a period of months or years.
Internally, the money laundering regulations officer (MLRO) is requesting more funds to acquire more staff, or train already hired staff, but the first question of several on the lips of the board’s CFO is: How long do you want this extra spend for (that is not in the original budget)? How much are the sanctions going to cost us? From where do we find the money to cover the extra cost of the sanctions?
These are the critical questions all firms are asking first, said Schofield.
Secondly, in the key area of data:
The quality of a firm’s data, and whether that same data can be used for screening purposes, are vital factors to consider for proper sanctions screening, said Schofield. Most firms have legacy systems, which means some of their systems date back to the 1980s, or whenever. However, the way this legacy data was recorded complicates matters for proper sanctions screening because it is data that was never inherently “intended to be screened against sanctions lists.”
When the name on a joint account, for example, is Mr. and Ms. Whomever, no one on the sanctions list may actually be called Mr. and Ms. Whomever, but by other names entirely. Additionally, the right names may not show up due to two factors: the way the data is being held by the system, and the way the data is being displayed on a screen. Further, a certain amount of data is needed to be able to discount a potential match that may not even appear on the screen.
This is “an interesting kind of paradox environment to be in,” said Schofield, because years ago, firms tended to over-collect data. For example, “it was okay [to be in the position of saying:] well, we don’t actually need your national identity number, your national insurance number, or your passport number for you to establish this product, but, hey, if you’re going to give it to us, we’ll keep it because it’s kind of nice.”
This was about the same time when customer due diligence (CDD) was starting to become important, so the general attitude was all about a firm never knowing too much about the customer.
“[I’m] sort of playing devil’s advocate a little bit… [this] was not considered that much of an issue because the more information you had about your customer, the better informed you were, and the more you could identify suspicious and unusual activity. So, firms were very keen to allow this to happen almost because it helped them satisfy money laundering regulations,” said Schofield.
There existed the downside of being accused of an over-collection of data—an unnecessary collection of data—and [Schofield’s guess was that in pre-2018, pre-General Data Protection Regulation (GDPR) times, in the UK, for example] the information commissioner could only fine you up to GBP 500,000.
“So, the kind of trade-off was, well, we can over-collect some data that we may or may not ever need and if we are found wrong for that, then we could face a fine of up to GBP 500,000, but if we did need that data to help determine whether [so-and-so] person was on the sanctions list, then that could stop us getting fines into the millions or billions. So, the potential fine [levied by] the information commissioner was a bit of an acceptable trade-off, almost,” said Schofield.
However, post-2018, post-GDPR, the fine for over-collecting data has gone up to four per cent of global annual turnover, which meant that, suddenly, “it is not so appetizing to keep extra data that you do not need.” As a result, today, for firms who are avoiding that risk, such firms do not necessarily have the level of data required to be able to discount their customers’ names from those on the sanctions list.
“This can be a real issue: the screening, the actual collection of the data in the first place, the design, etc. I do not think any firm can honestly say all of their customer relationship management tools, databases, [etc.,] were built specifically with screening in mind, they are built with a product in mind, they are built with the what-do-we-want-out-of-it [question, firstly]. They never thought about what we do if we need to screen the data,” said Schofield.
Bottom-line, said Schofield, the lesson is that the MLRO, for example, should always be involved in product development right from the start, so that there’s enough natural data content along with an ability to be able to discount matches found from the list of individuals being sanctioned.
Keen on reading more? Sign up to being an AGRC member so that the full transcript of the webinar—available HERE—can be accessed, along with our other membership perks.
1 comment on “AGRC Webinar: A Compliance Consultant’s Views on Sanctions, Training & Financial Crime Prevention”