Balance? What’s balance?
Balance between the costs of compliance and the potential costs of non-compliance, of course.
But, but, but… doesn’t OFAC sputter about its “strict liability” policy?
Sure, but they also have their Enforcement Guidelines, which inform how they determine how hard to slap a firm’s wrists, if at all.
So, how do we determine where this balance is?
First, the bad news: the balance is where a particular firm is comfortable placing it. It’s not a strictly actuarial equation, especially when it’s fraught with subjective things like the inherent risk in the customer base, the geographies involved, the products offered, the amounts involved, the timing of the last enforcement action against the firm, the current regulatory environment… can I stop now?
As you might imagine, this is one of Mr. Watchlist’s favorite subjects.
The good news: there are ways to enumerate and estimate (if not actually quantify) the costs of non-compliance (or under-compliance, if you prefer – there’s a big difference between an inadequate program due to lack of sophistication or ill-informed decisions and an inadequate program due to willful steps to leave holes in it). Then, once those calculations are complete, firms can then decide how much residual risk is acceptable and how much ongoing operational expense is justified to produce that level of risk (one-time expenses like upgrades to software and hardware should be excluded from such a calculus).
Let’s start with the costs of compliance. A firm should consider the number of items being reviewed (really, the number of operator reviews – if two matches on a single record cause two separate reviews, they should be counted that way), the number of steps required to clear an item, the average percentage of items that goes to each staff level (e.g. initial review and any escalations or referrals), the time spent at each level for each item, and the fully-weighted staff cost of each review at each level. Also consider the time spent on research and documentation of each step.
And, of course, consider any differences in the workflow. Are there different staff who review PEP matches, as opposed to sanctions matches? Do different screenings have different business processes than others (e.g. client screening vs. employee screening)?
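As an added illustration (not part of the original post), the cost-of-compliance tally just described can be laid out as a small model: operator reviews counted per match rather than per record, an escalation funnel with a share of items, handling time and fully-weighted rate per staff level, and separate workflows (here sanctions vs. PEP) with their own staffing. Every volume, minute and dollar figure below is a constructed placeholder, not data from any real programme.

```python
from dataclasses import dataclass

@dataclass
class ReviewLevel:
    """One staff level in the clearing workflow (initial review, escalation, referral)."""
    name: str
    share_of_reviews: float    # fraction of operator reviews that reach this level (level 1 = 1.0)
    minutes_per_review: float  # handling time, including research and documentation
    hourly_cost: float         # fully-weighted staff cost for this level

@dataclass
class Workflow:
    """A screening stream with its own volumes and staffing, e.g. sanctions vs. PEP."""
    name: str
    records_with_hits: int
    matches_per_record: float  # each match on a record is a separate operator review
    levels: list

def operator_reviews(wf: Workflow) -> float:
    """Count operator reviews, not records: two hits on one record are two reviews."""
    return wf.records_with_hits * wf.matches_per_record

def cost_by_level(wf: Workflow) -> dict:
    """Annual staff cost per level: reviews reaching the level x minutes x weighted rate."""
    reviews = operator_reviews(wf)
    return {lvl.name: reviews * lvl.share_of_reviews * lvl.minutes_per_review * lvl.hourly_cost / 60
            for lvl in wf.levels}

def annual_cost(wf: Workflow) -> float:
    return sum(cost_by_level(wf).values())

def cost_per_record(wf: Workflow) -> float:
    """What one record with at least one hit costs to clear end to end."""
    return annual_cost(wf) / wf.records_with_hits

# Constructed sample figures (hypothetical, not taken from any real programme).
SANCTIONS = Workflow("sanctions", records_with_hits=120_000, matches_per_record=1.25, levels=[
    ReviewLevel("L1 analyst", 1.00, 4, 45.0),
    ReviewLevel("L2 escalation", 0.15, 15, 80.0),
    ReviewLevel("L3 compliance officer", 0.02, 45, 150.0),
])
PEP = Workflow("PEP", records_with_hits=40_000, matches_per_record=1.1, levels=[
    ReviewLevel("L1 analyst", 1.00, 6, 45.0),
    ReviewLevel("L2 enhanced due diligence", 0.30, 20, 80.0),
])

if __name__ == "__main__":
    for wf in (SANCTIONS, PEP):
        print(f"{wf.name}: {operator_reviews(wf):,.0f} reviews, ${annual_cost(wf):,.0f}/yr "
              f"(${cost_per_record(wf):.2f} per record)")
        for name, cost in cost_by_level(wf).items():
            print(f"  {name}: ${cost:,.0f}")
```

The per-level breakdown is the useful part: it shows where a reconfiguration that trims hit volume or escalation rates would actually save money.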
Now, let’s consider the risk (and cost) of non-compliance. For simplicity, let’s treat all sanctions regulators as if they all managed violations like OFAC does. So, the operative question is not “what’s the likelihood we’d get caught?”, but “what’s the likelihood that our program, as designed, would result in violations that would draw a significant civil penalty?”. To answer that question, you have to consider the OFAC Enforcement Guidelines as reference, where timing of sanctions, total amounts involved, quality of compliance program, and enforcement history, among other things, determine what enforcement actions, if any, result from a given set of violations.
In light of the flood of recent high-profile enforcement actions, however, perhaps it is more important to know what everyone other than Compliance operations is up to. HSBC, ING, Standard Chartered, etc., ended up with huge fines largely because operations and sales business units went out of their way to bypass any potential Compliance controls.
Beyond sanctions, there are a couple of other questions one ought to consider.
The PEP list, and other lists used as part of an AML/CIP/CDD program, do not identify people who must not be dealt with. They help point out those who are more risky to deal with. One does not draw fines from FinCEN for not identifying someone as a PEP as long as one has a program for identifying them. So, in that case, one must calculate what would constitute a viable PEP screening program that would pass regulatory muster, while not forcing a company to search through excessive hay in order to find those pesky needles that may or may not prick one’s fingers one day.
Lastly, for all other non-sanctions lists, there’s a really simple question: why am I doing this in the first place, given that I am not required to – and how does that inform how I manage this process, if I decide to continue doing it? Is there, in fact, a cost of non-compliance in these instances?
At the end of the day, a firm needs to have a sense of risk tolerance or avoidance that will inform concrete decisions about the inner workings of the watchlist screening program. Does a particular feature need to be watertight, or is the standard of care that of a “reasonable man”?
Mr. Watchlist’s opinion? For the huge majority of firms – other than those subject to recent enforcement actions (or the subject of a current investigation) – programs could be reconfigured to recognize significant cost savings with minimal, if any, increase in residual risk.
YMMV (your mileage may vary), of course.