If you watch business television, chances are you’ve seen Daniel Tannebaum, Partner – America’s Anti-Financial Crime Practice Leader and Global Head of Sanctions at Oliver Wyman, sharing his expertise. We’re thrilled to welcome him for this Q&A session as part of our thought leadership series with industry experts and regulators.
GeoComply: What are the top challenges facing financial institutions, including crypto and digital asset firms, for AML (Anti-Money Laundering) and sanctions compliance?
Dan: There are a few different ways of thinking through the challenges facing financial institutions with respect to financial crime compliance. First, you have the external threat landscape: staying ahead of bad actors who are using good institutions as conduits for fraud or crime.
Second – and this is where many institutions truly struggle – is managing the expectations of external stakeholders, such as regulators, and articulating whether a compliance program is designed and operating effectively. For nearly two decades, a risk-based approach has been the primary method with which U.S. financial institutions (FIs) were advised to manage financial crime risks. However, many FIs have struggled to identify those risks, manage them, and articulate their approach in a way that clearly satisfied regulatory expectations.
For many institutions under enforcement action, the objective tends to be to satisfy commitments and milestone closures versus focusing on risk identification and mitigation. I don’t write this to be inflammatory to suggest that firms aren’t focused on managing risk, because I do believe they are. What I’m stating is that our focus on outcomes of program management may be missing the point at times. The question should always be: “How is this making us better equipped to manage financial crime risk?”
GeoComply: In its virtual currency guidance for sanctions compliance, the Office of Foreign Assets Control (OFAC) highlighted geolocation tools and IP address blocking controls as a best practice for sanctions compliance. Why do you think OFAC has emphasized the importance of these technologies?
Dan: For many firms, ensuring they had a system capable of screening static data and transactions against watchlists was enough. Truthfully, it’s never been enough to just screen names on a list; however, technology solutions capable of geolocation weren’t as available to a wider swath of firms in a cost-effective manner until the last few years. The right type of geolocation screening has been done by larger FIs for years, but smaller players may not have had access to the same tools.
I think that OFAC’s guidance was done as a reminder that despite your product offering being different from traditional financial institutions – such as digital assets – you must still use the available technology to assist in your risk mitigation. This is particularly true for a virtual business environment, where it’s more challenging to know where your customer is located.
GeoComply: As a follow-up to that, what role do you think these tools serve in helping FIs meet their AML and sanctions obligations?
Dan: Ensuring that FIs understand where their clients are operating is a critical component of their country’s risk management framework. There are certain regions that, from an AML standpoint, may be beyond the organization’s risk appetite to conduct transactions. From a sanctions standpoint, it may be even more black and white: A firm may be legally unable to transact, and without tools to ascertain the location of the transacting party, it makes it difficult to manage that risk.
GeoComply: Looking ahead, what types of new and innovative solutions can FIs use to improve their compliance with AML and sanctions rules?
Dan: So much focus is placed on technological solutions and their assistance in mitigating financial crime risk, but I’d use this opportunity as a reminder to ensure that your basic, fundamental controls are sound. You can have the best tech and analytics platform in the world, but if your underlying process is flawed – for Know Your Customer (KYC), sanctions screening, or transaction monitoring – then there may be other efficiency opportunities missed.
I would advocate that newer technologies have an ability to also help manage the noise of “bad” alerts, be it for transaction monitoring or sanctions. Using more innovative solutions, firms can increase alert-to-case ratios to better use human capital to identify alerts, for example. I’m not necessarily talking about alert suppression. Rather – and I’m talking from a sanctions standpoint here – it’s more about preventing the alert from being flagged in the first place. This is possible when firms can better identify truly anomalous activity using more realistic name/country matches.
GeoComply: In your experience, what are the top indicators – key data points – you see that could be indicative of potential sanctions violations?
Dan: As we’ve explained, sanctions are more than just names on a list. What are you doing with your geographic risk data? Are you understanding exposure to sanctioned countries through dealings in neighboring jurisdictions? Are you capturing client geographic data not just where they are, but where they trade and conduct business with counterparties? Country risk data as it relates to sanctions is of critical importance; the question is: Do you have enough of it to really understand your direct and indirect sanctions risks?