The material contained in this post is provided for informational purposes only and should not be construed as legal advice on any matter. The information may not reflect the most current legal developments and the content and interpretation of the law addressed should be independently verified and may be subject to revision. Innovative hereby disclaims all liability in respect to actions taken or not taken based on any or all the contents of this post to the fullest extent permitted by law. Do not act or refrain from acting upon this information without seeking independent, professional legal counsel.
Missed true hits happen – are you and your organization prepared for it? It can occur for a multitude of reasons such as bad data, changing sanctions, incorrect analyst review, insufficient training, or poor configuration of your software. The actions required can be different too – while you still may be able to maintain a commercial relationship with an individual on a PEP list, you won’t legally be able to conduct business with any sanctioned party.
But no matter the cause or type of missed true hit, the consequences can be significant in terms of breaching your compliance obligations and negative media coverage. You need to move quickly to address the situation.
The best time to prepare for a missed true hit is right now.
Your response to missing a true hit should never be defined in the moment. From the second you identify that something has gone wrong, your team should be following a set process.
The procedures should be clear, simple, and have roles clearly defined, including awareness from senior management as to the company’s obligations regarding financial sanctions. Without a set plan, your response can not only fail to limit the damage – but actively amplify it.
1. Report it internally
One crucial factor that many people overlook when it comes to effective crisis response is culture. You want people to feel comfortable reporting problems, even if they are at fault. Make sure your employees know that while the goal is to never miss a true hit, it is crucial to identify the root cause and improve processes if it does.
Having clear lines of communication and a set process to address the issue are important factors for countering the feelings of embarrassment and worry of career repercussions that could stop someone from reporting the issues to the Head of Compliance or MLRO.
Once the missed true hit has been identified, the priority becomes confirming that the problem is real and deciding whether it needs to be escalated. This initial internal reporting needs to be conducted properly and thoroughly as it will define a lot of what follows. There may already be some retroactive actions that you can take to minimize the chance of something similar occurring in the future.
2. Investigate the situation thoroughly
Successful investigations require leveraging expertise from across your organization. Look to include IT, Risk and Compliance, Legal, Management, and anyone else that is relevant to your cross-functional team. You may also need to bring in external consultants, subject matter experts, or technology specialists should the need arise. Again, having an open, receptive culture that is focused on solving the issue rather than allocating blame is crucial to being able to identify the support you need.
The investigation should look to provide answers to the following questions:
Was there a problem with your data, processes, people, or systems that resulted in missed names, insufficient data collection, a poor manual review process, poor match results, or a failure to update sanctions lists?
What went wrong and how exactly did it go wrong?
When did it go wrong? This is an important consideration because you need to understand whether the fault became an issue recently or has been a problem that should have been identified during a previous monitoring period.
Is the issue a one-off or indicative of wider issues? There have been a number of cases where regulators have asked companies to provide evidence that they have reviewed all other cases to make sure no other issues occurred.
The final point is important as there are many ways that a single missed true hit could provide you with insight into ways your existing processes could be improved. For example, if human error is the cause, it may be because there are gaps in your analyst’s understanding of the procedures around particular types of sanction hits. This would allow investigators to work backwards, identifying other transactions and customers that fall under the same requirement and may also have been treated incorrectly.
3. Escalate the issue externally
The escalation process should be clearly stated in your sanctions compliance program’s policies and procedures. Knowing exactly when and if you need to contact third parties such as regulators and law enforcement is critical to the success of your response effort.
Here you should bring in your legal and compliance teams. They will be able to advise you and will likely be the function reporting to external parties too. They may decide to use outside counsel if they believe it will be beneficial. They will also help you understand how you should conduct your business relationship with the offender. This will be driven by the type of true missed hit you are dealing with – but also the specific instance. For example, a missed PEP is purely a risk issue and requires no external reporting. However, in some scenarios where you need to close an account due to suspicious activity, authorities may require you to continue to interact with a customer or allow transactions to continue. This will enable them to trace the activity. Sanctions regimes, on the other hand, do not allow continued activity in the case of a hit, and they will probably require you to freeze specific assets. Again, your compliance and legal teams should take the lead on what actions are appropriate and required in different instances.
When sharing information with third parties, you need to ensure your systems are set up to facilitate this. Regulators and law enforcement agencies need to access this information in order to successfully investigate and potentially prosecute. Your policies should incorporate data availability as well as guidelines on the level of disclosure. Again, your legal and compliance teams will need to advise on what information is relevant, what can be shared, and what should not be shared. They will also advise you on the mechanisms law enforcement should use for requesting information.
The kind of missed true hit you are dealing with will also impact the kind of escalation process you need to take. Local reporting and escalation protocol will also play a part in what you are required to do. For example, a missed hit on a PEP or adverse media list may not require any external reporting and may simply lead to the individual being placed in a heightened risk category. For transactions, the picture is more complicated. A suspicious activity transaction is different from a missed transaction from someone on a sanctions list. Sanctions hits need to be reported via SARs only if the activity would be deemed suspicious (regardless of the sanctions hit). If not, a requirement under US law is to make a report to OFAC. Clearly, specific jurisdictional requirements must always be considered.
4. Fix the problem
Now that you know the source of the issue and have escalated it in the appropriate manner, your priority is to implement a long-term fix. The aim here is to not just address the mistake but to improve your processes for the future too.
There are four broad categories that you may need to address:
Data
There are several potential issues relating to the data you are using for your AML and sanctions screening that could negatively affect your outcomes. The first is poor data quality. You need to make sure that your data is standardized. This means using a system and processes that properly cleanse and prepare the data to improve the quality of your matching and therefore minimize the chances of missing a true hit. The second core issue is incomplete or inaccurate data, which can be controlled through an effective list management service or process. This ensures that you screen against the most up-to-date list data and that relevant changes in customer information are always included.
Technology
If the problem relates to your technology, you should start a conversation with your vendor about potential fixes, updates, and upgrades. You need to assess whether your current configurations are suited to your needs – particularly with the way your matching technology deals with spelling variations, hidden names, and different cultures. Of course, if existing systems are not sufficient, you will need to look for new technologies and create manual workarounds until the system can be repaired or replaced.
Processes
Missing a true hit casts a spotlight on whether your AML sanctions program is robust enough to cover all your obligations. You may need to strengthen your initial onboarding, screening, or ongoing risk management processes. Either way, you are likely to require senior management involvement to begin taking the necessary steps to improve your capabilities. You may also need to introduce control mechanisms such as randomized case reviews and spot checks to ensure processes are performed correctly.
People
If human error has been identified as the primary cause, focusing on developing the knowledge and capabilities of your team is your next step. You may need better internal training or process reviews and improvement, or the solution may involve providing your teams with access to information that can help them make the right decisions.
5. Leveraging technology to lower risk
Digital transformation is changing the game when it comes to creating more effective AML compliance programs as well as an organization’s ability to respond quickly and effectively to any issues. Choosing the right AML solution provider is an important cornerstone for creating a truly robust screening and compliance program. You want a solution that not only provides you with a consolidated view of the global sanctions lists of your choice, but one that automatically optimizes and updates your data too. Without this, it is much harder to have full confidence that your AML screening program is really as effective as it could be.