…until the paperwork is done. And there is more paperwork than you might think.
Of course, if you get a match to an economic sanctions list, there is paperwork that your regulators need. Probably a form stating that you’ve held some assets or rejected some business, and maybe a periodic report of those held assets (e.g. OFAC’s report needs to detail the current value, including interest, of held assets). And notifying management of the frozen or rejected assets is a best practice, although the timeliness and frequency of such notification are a flexible part of a risk-based program.
What kind of documentation do you produce for items you clear through your review process, whether it’s a sanctions match, a PEP match or another match? Shouldn’t you explain why an item is being cleared – or being sent up the chain for another look? Saying “not a match” is not going to impress a regulator (and probably not your external auditor, either).
A good compliance operation also needs reports of screening activity. Statistical reports of the number of screened items, number of matches, number of matches ignored by the system, and number of items processed manually – and the trends over time of each – are a good way to show regulators that you monitor the effectiveness of your program. Daily transaction reports and statistics show other useful information – such as which items were escalated past initial triage, or mean cycle time for the day’s items. Not only do such reports help reassure outside third parties, they can also drive continuous process improvement.
However, while these steps help document that the daily process runs in an orderly manner, they do not show that the system is set up in a properly risk-aware fashion in the first place. Therefore, there should be documents that explain each system configuration setting and justify the design choices made. A periodic independent review of system settings and design further demonstrates the care being shown in the compliance program, and that the program is being kept up to date to address the current regulatory environment and the state of the business.
Another related area that is often undocumented and/or insufficiently structured is the set of false positive reduction (FPR) steps that are implemented. Part of dotting the i’s and crossing the t’s involves having a documented, structured process for requesting and justifying a change, approving it, testing it and implementing it. Each of these steps should, of course, produce its own documentation. For example, testing an FPR change should produce test data and the results of testing that data. Both of these should then be kept with the emails and/or documents from the other steps of the process.
Structuring and documenting your watchlist screening program is not just CYA, to be indelicate. It will make working with auditors and regulators easier (in the US, the quality of one’s compliance program is one of those General Factors OFAC looks at) and can help identify issues or opportunities sooner and in a more assured way than waiting for someone to notice them anecdotally.