Supervision Department - AML/CFT Training

Sanctions and Asset Freezing - Governance

Senior management should be sufficiently aware of the financial institution’s obligations regarding financial sanctions to enable them to discharge their functions effectively.

Self-assessment questions:
• Has your financial institution clearly allocated responsibility for adherence to the sanctions regime? To whom?
• How does the financial institution monitor performance? (For example, statistical or narrative reports on matches or breaches.)

Examples of GOOD Practice
- An individual of sufficient authority is responsible for overseeing the financial institution’s adherence to the sanctions regime.
- It is clear at what stage customers are screened in different situations (e.g. when customers are passed from agents or other companies in the group).
- There is appropriate escalation of actual target matches and breaches of sanctions. Notifications are timely.

Examples of POOR practice
- The financial institution believes payments to sanctioned individuals and entities are permitted when the sums are small. Without a license from the Asset Freezing Unit, this could be a criminal offense.
- No internal audit resource is allocated to monitoring sanctions compliance.
- Some business units in a large organization think they are exempt.

Sanctions and Asset Freezing - Risk Assessment

A financial institution should consider which areas of its business are most likely to provide services or resources to individuals or entities on the Consolidated List.

Self-assessment questions:
• Does your financial institution have a clear view on where within the financial institution breaches are most likely to occur? (This may cover different business lines, sales channels, customer types, geographical locations, etc.)
• How is the risk assessment kept up to date, particularly after the financial institution enters a new jurisdiction or introduces a new product?

Examples of GOOD Practice
- A financial institution with international operations, or that deals in currencies other than sterling, understands the requirements of relevant local financial sanctions regimes.
- A small financial institution is aware of the sanctions regime and where it is most vulnerable, even if risk assessment is only informal.

Examples of POOR practice
- There is no process for updating the risk assessment.
- The financial institution assumes financial sanctions only apply to money transfers and so has not assessed its risks.

Sanctions and Asset Freezing - List Screening

A financial institution should have effective, up-to-date screening systems appropriate to the nature, size and risk of its business. Although screening itself is not a legal requirement, screening new customers and payments against the Consolidated List, and screening existing customers when new names are added to the list, helps to ensure that financial institutions will not breach the sanctions regime. (Some financial institutions may knowingly continue to retain customers who are listed under sanctions: this is permitted if the Asset Freezing Unit has granted a license.)

Self-assessment questions:
• When are customers screened against lists, whether the Consolidated List, internal watch lists maintained by the financial institution, or lists from commercial providers? (Screening should take place at the time of customer take-on. Good reasons are needed to justify the risk posed by retrospective screening, such as the existence of general licenses.)
• If a customer was referred to the financial institution, how does the financial institution ensure the person is not listed? (Does the financial institution screen the customer against the list itself, or does it seek assurances from the referring party?)
• How does the financial institution become aware of changes to the Consolidated List? (Are there manual or automated systems? Are customer lists rescreened after each update is issued?)

Examples of GOOD Practice
- The financial institution has considered what mixture of manual and automated screening is most appropriate.
- There are quality control checks over manual screening.
- Where a financial institution uses automated systems these can make ‘fuzzy matches’ (e.g. able to identify similar or variant spellings of names, name reversal, digit rotation, character manipulation, etc.).
- The financial institution screens customers’ directors and known beneficial owners on a risk-sensitive basis.
- Where the financial institution maintains an account for a listed individual, the status of this account is clearly flagged to staff.
- A financial institution only places faith in other financial institutions’ screening (such as outsourcers or intermediaries) after taking steps to satisfy themselves this is appropriate.

Examples of POOR practice
- The financial institution assumes that an intermediary has screened a customer, but does not check this.
- Where a financial institution uses automated systems, it does not understand how to calibrate them and does not check whether the number of hits is unexpectedly high or low.
- An insurance company only screens when claims are made on a policy.
- Screening of customer databases is a one-off exercise.
- Updating from the Consolidated List is haphazard. Some business units use out-of-date lists.
- The financial institution has no means of monitoring payment instructions.
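
The fuzzy-matching and calibration points in the list-screening practice above, sketched as an added example (not part of the original training material and not any vendor's screening system). It covers name reversal, variant spellings and character manipulation such as case, accents and punctuation, using Python's difflib similarity ratio; digit rotation is not handled. The listed names, the 0.85 threshold and all function names are constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample entries for illustration; not taken from any real list.
SAMPLE_LIST = ["Ivan Petrovich Sokolov", "María Delgado-Ruiz"]


def normalize(name):
    """Fold case, strip accents and punctuation, and sort the tokens so that
    'Sokolov, Ivan' and 'Ivan Sokolov' normalize to the same string."""
    decomposed = unicodedata.normalize("NFKD", name)
    unaccented = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in unaccented.lower())
    return " ".join(sorted(cleaned.split()))


def score(candidate, listed):
    """Similarity in [0, 1] between two names after normalization."""
    return SequenceMatcher(None, normalize(candidate), normalize(listed)).ratio()


def screen(name, listed_names=SAMPLE_LIST, threshold=0.85):
    """Return (listed_name, score) pairs at or above the threshold, best first.
    The threshold is an assumed starting point that has to be calibrated."""
    scored = [(listed, round(score(name, listed), 3)) for listed in listed_names]
    return sorted((h for h in scored if h[1] >= threshold), key=lambda h: -h[1])


def hit_rate(customers, listed_names=SAMPLE_LIST, threshold=0.85):
    """Fraction of customers with at least one hit. Tracked per screening run,
    an unexpectedly high or low value points to a calibration or list problem."""
    if not customers:
        return 0.0
    flagged = sum(1 for c in customers if screen(c, listed_names, threshold))
    return flagged / len(customers)


if __name__ == "__main__":
    for customer in ["Sokolov, Ivan Petrovich", "Ivan Petrovitch Sokolow",
                     "MARIA DELGADO RUIZ", "John Smith"]:
        print(customer, "->", screen(customer))
```

Raising the threshold reduces false positives at the cost of missing variant spellings, which is why the hit rate needs to be reviewed whenever the threshold or the list changes.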