It’s 5 p.m., and I’m celebrating. Not because a project was completed or the workday is over, but because I have just reviewed the ten-thousandth false positive in our company’s sanctions list screening software. In doing so, I’ve contributed to the business’s smooth operations and carried out rigorous compliance checks against our master data, looking for sanctioned persons or entities.
Despite assumptions to the contrary, sanctions list screening is not mandatory except for regulated entities, such as financial institutions. However, any business relationship with a sanctioned third party is prohibited, and companies risk fines in the case of violations. As most multinational corporations have hundreds of thousands of debtors and creditors stored in their master data, they have to purchase sanctions list screening software and run it monthly, weekly, or daily in their Enterprise Resource Planning (ERP) system.
One challenge is determining which sanctions lists are relevant for the company, bearing in mind that several sanctions lists have extraterritorial effect, such as the UK consolidated list of financial sanctions or the U.S. OFAC list. This means that, in practice, any entity trading in U.S. dollars falls within the scope of OFAC.
To add complexity, some sanctions are more overtly politically motivated than others (such as sanctions resulting from the U.S.-China Trade War) or are not internationally aligned. For example, in 2018, the U.S. decided to withdraw from the Joint Comprehensive Plan of Action (better known as the Iran nuclear deal) and announced the re-imposition of sanctions on Iran. In response, the EU updated its 1996 blocking statute, which protects EU operators from the extraterritorial application of third-country laws. In practice, this means that some EU businesses can maintain legitimate trade and economic relations with Iran despite the extraterritorial effect of the OFAC sanctions.
Technical difficulties also constitute a challenge despite advancements in screening software. For example, not all screening software identifies first-, second-, or even third-level ownership structures. However, tracking down ultimate beneficial ownership can be a legal requirement, especially in the financial sector. In particular, screening software is not always capable of identifying a non-listed entity that a sanctioned company partly owns.
Another challenge is the large number of false positives generated by search algorithms, which commonly identify a “hit” as a record with at least 80 percent similarity in the names and addresses of entities. Conversely, even minor configuration errors can expose a company to penalties if the screening software fails to identify a sanctioned entity because its name contains characters not used in the English alphabet. For example, Apple unwittingly committed 47 sanctions violations in 2019 because its screening tool failed to match differing upper case and lower case characters.
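The case-sensitivity failure described above, as an added example that is not part of the original post: a minimal fuzzy screener that compares a master-data record against a constructed list of entries, once on the raw strings and once after case folding and stripping diacritics. The 80 percent threshold comes from the text; the list entries, the record and the function names are assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample entries for illustration only, not real sanctions data.
SANCTIONS_LIST = [
    "Müller Handels GmbH",
    "ACME TRADING LTD",
    "Société Générale de Transport",
]

MATCH_THRESHOLD = 0.80  # the 80 percent similarity rule described in the text


def normalize(name: str) -> str:
    """Fold case and strip diacritics so 'MÜLLER' and 'muller' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    # Drop combining marks (accents, umlauts) left behind by NFKD decomposition.
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    # Case-fold and collapse punctuation and whitespace variants.
    return " ".join(plain.casefold().replace(".", " ").replace(",", " ").split())


def similarity(a: str, b: str) -> float:
    """Character-level similarity ratio in [0, 1]."""
    return SequenceMatcher(None, a, b).ratio()


def screen(record: str, entries=SANCTIONS_LIST, *, normalized: bool = True):
    """Return (best_entry, score, is_hit) for one master-data record.

    normalized=False reproduces the failure mode: a case-sensitive,
    accent-sensitive comparison that misses an obvious match.
    """
    prep = normalize if normalized else (lambda s: s)
    best_entry, best_score = None, 0.0
    for entry in entries:
        score = similarity(prep(record), prep(entry))
        if score > best_score:
            best_entry, best_score = entry, score
    return best_entry, round(best_score, 3), best_score >= MATCH_THRESHOLD


if __name__ == "__main__":
    record = "MULLER HANDELS GMBH"  # constructed ERP record, upper case, no umlaut
    print("raw comparison:       ", screen(record, normalized=False))
    print("normalized comparison:", screen(record, normalized=True))
```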
When it comes to privacy when screening employees, the U.S. and EU approaches differ again. Under Articles 6 and 9 of the European Union’s GDPR, screening of personal data against EU sanctions lists within the EU can be based on a legal obligation and is legitimate for reasons of substantial public interest. In contrast, there is no generally applicable U.S. federal privacy law or safe harbor. Hence, no federal law exists clarifying the potential legitimacy of screening sensitive employee data in the U.S. against U.S. sanctions lists.
However, comparing the penalties companies pay for sanctions list violations with those paid for data privacy breaches, being fined for a data privacy violation appears far less damaging to a company’s budget.
By comparison, Paris-based BNP Paribas paid $9 billion in 2015, Paris-based Société Générale paid $1.3 billion in 2018, and French bank Crédit Agricole paid $787 million in 2015 to settle U.S. sanctions offenses.
Despite the expense, time, and technical challenges — not to mention the financial penalties — it’s far better to have ten thousand false positives to review than allow one real hit to get missed.
So here’s to the next ten thousand false positives and the continuous effort it takes compliance professionals to keep their organizations protected.