Managing the challenges of sanctions screening in your third-party risk programme

International sanctions affect companies in any industry, and – as recent enforcement action has shown – companies of varying sizes. As such, sanctions are one of the most important risk factors to consider in any compliance programme. No one wants to be found to have business ties to a sanctioned entity given the potential for significant financial penalties and reputational damage. As a result, sanctions screening has for a long time been the bedrock of any compliance programme that has to consider large numbers of third parties.

How does sanctions screening fit into a risk-based approach?

We work with many types and sizes of companies with varying global footprints. One question that comes up time and again is whether an organisation needs to check all the third parties it is working with (or planning to work with) against sanctions lists or whether the application of sanctions screening could, or should, be determined based on risk. Many of our clients choose to run simple sanctions screening against all their third parties as a bare minimum. It is simply not worth running the risk of going into any relationship blind and accidentally breaching sanctions. And with about a hundred anti-terrorism or other economic sanctions lists around the world with varying degrees of significance and application it is an impossible task to check them without the help of a specialised screening solution.

The dangers of indirect or hidden links

Another challenge to be aware of with sanctions is indirect or hidden sanctions risk. The US, EU and UK dictate that companies which are 50% or more owned by one or more sanctioned entities or persons are considered sanctioned themselves, but they do not provide separate comprehensive lists of these entities, leaving the onus on you to find out.

Why screening, alone, is not sufficient

Third parties can also have surprising connections that pose a sanctions risk. An entity registered in the UAE can still have links to sanctioned entities in Iran, for example. In 2018 US-based electronics manufacturer Epsilon Electronics Inc agreed to pay $1.5m to settle an OFAC (Office of Foreign Assets Control) enquiry into business transactions made with a Dubai-based distributor that then sold the goods in Iran. While OFAC’s investigation could not find direct proof of Epsilon’s products being shipped to and distributed in Iran, it found enough indication on the Dubai distributor’s website of links to Iran, and of goods being distributed there via an affiliate, to show intent to redistribute to Iran. As a result, not having sufficient information on affiliations or a good understanding of a third party’s footprint and operations could expose you to inadvertent sanctions breaches. This kind of indirect link would not be captured through sanctions screening alone, so for your higher risk third-party relationships more enhanced due diligence is needed.

Human-led due diligence which involves researching public records and the media, and sometimes discreet reference checks with people with a perspective on the diligence target, is an important consideration for your higher risk third parties for other reasons. Alongside sanctions, screening databases are products focused on Anti-Money Laundering and Counter Terrorist Financing (AML/CTF) specifically, and the media results they contain have this primary focus. Furthermore, to be included in the database, a media reference must meet very precise parameters - for example wrongdoing has been proven or enforcement action has been taken - within a particular set of categories and subcategories delineated by the provider. It is therefore important not to confuse the media-based searches in any of these sanctions database providers with broader anti-bribery and -corruption compliance-driven, reputational, or ESG due diligence. If you are considering a relationship from a reputational perspective or need to capture sector-specific concerns or any other indicators of potential wrongdoing, you will need to conduct human-led due diligence research.

Sanctions lists are constantly changing

Sanctions lists are not static. People and companies can be added to or removed from them at any time. Without continuous monitoring of those lists, one of your third parties or their affiliates could be added to a list, putting you in immediate danger of sanctions breaches, even if you checked them before signing your contract. If you have a large third-party population, it is simply not feasible to check the lists regularly and cross-reference against your third parties, nor is it time- or cost-effective to rescreen all your third parties as frequently as needed.

Adjudicating false positive results

The idea of relevant hits brings us on to another major challenge for compliance teams: false positive analysis. How can you reliably determine whether a sanctions hit, or any other hit returned in a screening tool, relates to your third party and not another with a similar name? This can be an incredibly time-consuming exercise and is one of the major pain points of many of our clients. Some screening solutions, such as ours, use leading matching technology to draw on additional identifiers such as country, address, and registration number for companies or date of birth for individuals. This allows the search to provide more accurate results and reduce the false positive noise. Our solution also provides a match score based on these criteria, which can help you quickly identify those hits most likely to relate to the entity or person you are interested in.

This is not always enough to make a definitive assessment and additional research needs to be conducted to raise your confidence. You first want to look for any indication that it is not a positive match; consider the country context and whether this is a very common name; look at any unique identifying information, such as date of birth or residential address, in the screening result; and see if that could rule out the hit. After that, some general online research can typically gather enough information to determine whether a hit is likely to relate to your company or individual of interest. For a company, a website is a good place to start with online research, using information such as office locations (bearing in mind this could have moved since you were given an address), the business activity it describes, and the names of key personnel that may be mentioned in the hit. For an individual, you might be able to find a photo that you could match against the screening information. Other times, and particularly in high-risk scenarios, you may need to go back to your main point of contact at the third party itself to ask for identifying information you have not been able to find through your own research to definitively rule out a hit.

Depending on the profile of jurisdictions and sectors you operate in, and the kinds of third parties you need to engage, you may find you get a higher or lower number of potential hits when you conduct screening. For some of our clients, this is a straightforward task they can comfortably manage in house; for others, this task is simply not manageable with a small and overstretched compliance team with limited foreign-language capabilities.

Sanctions screening is the bare minimum check for third parties, though any compliance programme will benefit from a risk-based approach, whether this is running screening with different configurations for different risk levels or knowing when to escalate to a deeper level of due diligence. However you choose to run your screening programme, make sure you think about how you will manage the challenges of hidden risk through sanctioned affiliates; stay up to date with any changes to sanctions designations; and conduct false positive and negative reviews to make sure you are focused on what is relevant.