Last summer, New Zealand aircraft manufacturer Pacific Aerospace was charged with breaking new United Nations sanctions after aircraft it sold to a Chinese company ended up on a runway in North Korea. The company pled guilty. It will be sentenced in January; penalties may take the form of substantial fines or imprisonment of up to 12 months for individual executives.
Sanctions filtering and “know your customer” are not just banking problems. Regulations are perpetually becoming more complex. Companies are expected to abide by all relevant laws in the places where they do business. For example, companies doing business in the United States must ensure they’re not doing business with any U.S.-sanctioned individuals or entities. In practical terms, this means companies should be scanning their customers, vendors, and any payments to or from those entities against the current published government watchlists. Often, companies leave this filtering to their financial institutions, but as Pacific Aerospace can attest, regulatory authorities usually fine the actual initiator of the transaction—the corporate—rather than the bank.
In today’s dynamic geopolitical environment, new trade restrictions and embargoes are emerging with increasing frequency. Sanctions have become an increasingly popular foreign policy tool for governments. What previously were relatively straightforward sanctions obligations and outright trade embargoes against persons or territories are increasingly taking a hybrid and nuanced form, permitting some specific types of commercial transactions but outlawing others. For example, trade may be permitted with companies in a specific sector, while trade with similar businesses is against the law.
A review of compliance compliance processes along the full payments lifecycle should enable treasury to fully mitigate the risks of sending payments to blacklisted countries, companies, or individuals.
The short transaction processing time for increasingly popular same-day and real-time payments can present specific technical challenges. Not complying with a certain sanction is a relatively easy mistake for a company to make. And the greater the number of countries a business works in, the more varied sanctions rules it has to comply with—leading to a very tricky environment.
A global law firm recently reviewed sanctions-compliance obligations around the world and concluded that today’s sanctions regime for corporates involves “more focus, more fines, and more complexity.” The takeaway warning is that yesterday’s compliance processes may not be sufficient today.
Companies that may have previously considered themselves secure in doing business with low-risk counterparties in non-contentious sectors and territories are now finding that they need to comply with more fluid and complex sanctions rules. Businesses outside the financial services sector need to be vigilant about understanding the ultimate end-user beneficiaries in all their commercial relationships.
Many organizations are dedicating new attention to keeping up. Recent research from Thomson Reuters revealed that nearly 40 percent of anti-money laundering (AML) professionals view existing processes as failing to comply with today’s more onerous regulatory demands. This is a significant concern given today’s fluid compliance landscape and the new Financial Crimes Enforcement Network (FinCEN) rules coming into effect in 2018.
The failure to adhere to sanctions compliance regimes around the world continues to catch corporates out, often with significant negative impact. The days of regulators focusing solely on armaments have long since passed, and the penalties for noncompliance continue to grow. Companies that fail to update their sanctions compliance procedures find that breaching restrictions can be costly. One seed company was recently fined $4.3 million for selling flower seeds to distributors with Iranian connections, and a medical company was hit with a $7 million penalty as a result of selling medical equipment to sanctioned customers in a number of countries, including Sudan.
Of course, the ultimate costs of noncompliance are far greater than the fines that are imposed. Reputational damage can be severe and prolonged. Regulatory investigations can also place acute pressures on liquidity and can severely damage the company’s credit rating.
If an investigation reveals an inadequate compliance infrastructure, the ramifications may expand rapidly. For example, when a potential watchlist hit is identified by a corporate’s bank, the transaction is frozen immediately, and the company may not be given a specific reason. If payments to suppliers and staff are delayed, imagine the adverse effects on the company’s ability to operate effectively. Or consider the impact if a company’s lines of credit are abruptly withdrawn. Such actions might have a domino effect on the organization’s credit status. And these potentially damaging actions might further strain relationships with banking partners. A company’s credit rating might be severely damaged as a result of a single incident.
A false-positive watchlist hit can usually be investigated and cleared quickly, but sometimes there are delays of several days, or even weeks. If the hit is, instead, validated, the transaction remains frozen and is reported to the proper authorities.
These false-positive hits—as well as real sanctions violations—can be avoided if the company performs its own filtering in-house before submitting transactions to the banks. The potential for problems caused by deteriorating bank relationships, the financial and reputational impact of incurring massive fines, and the negative effects of payment processing delays all provide compelling reasons for companies to review their corporate-sanctions screening processes. This is especially true for larger multinationals, where the need to modernize or streamline processes may be greater.
The Role of Corporate Treasury
Corporate treasury should play a leading role in mitigating sanctions and compliance risks. In the face of these threats, many corporate treasurers have proactively assessed and implemented new sanctions screening methods. Yet despite frequent reports detailing the destructive consequences for companies that ignore their corporate sanctions obligations, there is still a reluctance among some treasuries to tackle the risk, due to the cost, the time involved in implementing such projects, or the false thinking that their banks have sole responsibility for checking transactions.
This is not a risk that any business can afford to take. Complacency, combined with inadequate corporate structures and a complex regulatory environment, may result in significant financial penalties and long-term reputational damage, and may undermine business relationships.
Standing at the financial heart of the business, the corporate treasury function should take the lead in managing a full risk-assessment process, ensuring a clear knowledge of the profile of each customer and supplier (KYC). A review of compliance and audit processes along the full payments lifecycle—including real-time screening capabilities—should enable the treasury team to fully mitigate the risks of sending inappropriate payments to blacklisted countries, companies, or individuals.
At the same time, companies that are found to have suitable processes and systems in place may be rewarded for any effective sanctions filtering mechanisms in place. An appropriate approach to sanctions compliance will improve a company’s reputation as a good corporate citizen of the world. This can lead to enhanced credit status, improving access to working capital amongst other benefits.
The first step for a treasury team looking to improve its sanctions compliance is to conduct a review of the compliance processes the business currently has in place, as well as the capabilities it needs. The project team should ask the following questions:
- What regulatory authorities does our business fall under?
- What is our current process to on-board new customers?
- What is our current process to on-board new suppliers and other counterparties?
- When in the process are they checked against sanctions watchlists (if at all)?
- How frequently are the watchlists updated? How do we determine the beneficial ownership of the customer/ supplier/ counterparty?
- Are any executives we do business with listed as politically exposed persons (PEPs)?
- What is the current investigation/remediation process for clearing potential watchlist hits?
- Are payment and counterparty details stored in different systems? (If so, data from multiple sources needs to go through the sanctions filter.)
Throughout this process, treasury should be empowered to scan all supplier, customer, and employee names, as well as other data, on demand. This should be done on a regular basis, as the data changes frequently, sometimes even hourly.
Any effort to assess a company’s sanctions compliance also needs to include a complete overview of the payments system. The sanctions screening process needs to serve as a filter between each payment being received and being processed—and it needs to be applied to every transaction that the company initiates. From on-boarding to transaction management, compliance checks need to “touch” every payment as it goes through the company. Compliance reviewers need to quickly and easily understand where the payment came from and why it is being sent.
There are software solutions available that can automate these processes, comparing names of prospective trading partners against watchlists. One challenge with these types of solutions is that managing the alerts can become extremely unwieldy, especially in large multinationals that have many thousands of transactions per month. An automated solution is obviously more efficient than trying to check every transaction manually.
If a company uses such a solution, treasury staff will still need to open a case and investigate each transaction that generates an alert in the software. The investigation can take just a few minutes if payment data has been erroneously matched by a software application—or it can take days if investigators need to contact several people around the company to get further details. One challenge for the treasury team is that they often don’t have the resources to manage investigations as efficiently as possible. When a company implements a sanctions-compliance solution, it’s in the interests of the project team to configure the system in ways that minimize the number of false positives, so that it doesn’t generate alerts for transactions that aren’t actually problematic.
One way to reduce the frequency of false positives is to deploy a process or system that reads data in context. For example, Santa Clara is a city Cuba as well as a city in California. Sanctions compliance technologies that are based on a risk score often read “Santa Clara” and stop the transaction, regardless of what other information the payment message contains. Solutions built on artificial intelligence technologies, on the other hand, will recognize that if the payment is being sent to California, and not to Cuba, the transaction should not be stopped. Machine learning can also be applied, so that the system learns from the patterns of actions an operator has taken in the past, improving efficiency on an ongoing basis.
Ideally, a company would reduce the proportion of false positives to between 5 percent and 10 percent of all transactions, a level that is considered acceptable for banks. Bringing the false positives down to this level can significantly reduce the time a business spends resolving issues. Inefficient screening processes can consume so many staff resources that a company’s approach to sanctions screening can even be a competitive differentiator.
Another challenge for a treasury team re-evaluting their company’s sanctions compliance is that they need to ensure that financing arrangements, including insurance and trade contracts, are flexible enough to allow de-risking should new sanctions obligations come into force that would impact current operations. For example, if the U.S. government issues sanctions against a new country or individual, the company needs to be able to stop doing business with that entity.
A serious review of sanctions processes can fit into a wider risk-mitigation and financial-crimes compliance framework, which would also encompass payments fraud and trade-based money laundering. While the challenges in these areas can be very different, a unified approach to compliance assurance that incorporates the ability to prevent payments fraud, together with money-laundering detection, can provide additional financial benefits and reputational security.
Ideally, all of these risk exposures and processes should fall under one person, such as the corporate chief risk officer or general counsel. It needs to be an executive who can reach across departments and geographies to gain a full view.
For companies in which sanctions screening compliance today is inadequate, the costs of ignoring this challenge may be severe and profound. Corporate treasury can and should lead an effort to understand the new compliance demands, review existing capabilities and systems, and implement future-proofed solutions that may offer both compliance assurance and a competitive advantage.
Bill North is head of global sales for Pelican, in which capacity he oversees the coordination, functional management, and leadership of the company’s sales initiatives. He has more than 20 years’ experience working with corporates and banks across the globe in leveraging technology to optimize treasury and payment processes. Bill holds a B.S. from the University of Houston.