On April 12th, the Hong Kong Monetary Authority issued a memorandum relating the feedback from its recent review of Authorized Institutions’ (AI) sanctions screening. Here’s the meat of the feedback – the themes are the top-level bullets (e.g. 1, 2, 3), with the feedback in the subsidiary items (e.g. 1.2, 3.1):
1. AIs’ senior management should consider the risk of sanctions breaches and determine the appropriate level of sanctions screening to manage the risk for the AI
1.1 AIs should be able to demonstrate a proven methodology for determining system settings and performance, and which is consistent with compliance policies and risk appetite. This includes a thorough understanding of the risks, the types of customer the AI has and the geographic regions the customers are operating in. Most AIs as examined in the thematic review were able to articulate their respective choices of system configuration and settings to varying degrees and some in great detail, while a few AIs demonstrated over-reliance on the vendor and were only able to provide a more simplistic response, without being able to provide clear reasons why specific settings had been adopted.
1.2 Where a group-wide policy is in place, AIs must understand and be able to justify, in line with compliance policies and risk appetite, any variations in system settings or configuration adopted locally which impacts performance of the system. This applies to the lists and data which are entered into systems and against which screening is conducted and also the algorithms / rules utilised (referred to as “system filters”). Some variations were observed in the thematic review while a few AIs were unable to adequately demonstrate how any deviation from the group-wide policy would affect the effectiveness and efficiency of its screening system, such as accuracy and number of alerts generated.
1.3 While not included in the review, as additional guidance, Management Information (MI) should provide senior management with adequate information to understand the financial crime risks to which the AI may be exposed. In the context of sanctions risk management, this may include an overview of the sanctions risks to which the AI is exposed, the effectiveness of certain aspects of system performance, such as screening and relevant information regarding volume of alerts, details of false positives, genuine sanctions hits, etc.
2. New systems, or upgrades to existing systems need to be thoroughly tested and tuned prior to deployment, with sufficient levels of reporting and oversight
2.1 A few AIs were not able to demonstrate that adequate testing had taken place before system deployment. As a good practice, AIs should take steps to satisfy themselves the system is appropriate and operating as expected before relying on automated screening systems. If an AI is upgrading an existing screening system, testing should be conducted prior to deployment to check that all system filters work properly and that the new system is an improvement over the old one. AIs should document that testing and analysis have been duly conducted.
3. Ongoing monitoring, tuning and testing should be conducted on all aspects of sanctions screening systems, lists and processes on a regular and frequent basis
3.1 AIs are expected to have an adequate understanding of their obligations under the sanctions regime in Hong Kong and, as applicable, in other jurisdictions in relation to AI’s international operations. Generally, most of the AIs examined in the thematic review had an adequate understanding of the above obligations.
3.2 Most AIs carried out quality assurance work on the effectiveness of their sanctions systems, although frequency and intensity varied. Many AIs had systems validated by external vendors and where this was the case, there was generally a better understanding of system / filter performance and the various factors underpinning such performance. Most AIs in the review exercise expressed that system effectiveness was one of the more challenging areas to test, since it required dummy data to validate the end result. It should be noted that regardless of how testing is performed, the testing process should be independent and provide the level of validation required.
3.3 With regards to frequency of testing, running a test once a year or every few years will not provide sufficient ongoing comfort that best efforts are being made to meet obligations. Testing must be performed frequently to maintain a system which is both effective and efficient, ensuring that latest sanctions list changes are tested and that system filters are operating within expectations.
As revealed in the thematic review, a few AIs which did not carry out frequent testing and tuning internally were unable to demonstrate an adequate understanding of system filter performance and had not collated the necessary information and data to make correct decisions with regards to system settings.
4. AIs are expected to have a clear and demonstrable understanding of the system filters utilised in their screening technology, and to employ / equip staff with the right skills and knowledge to support the deployment of effective sanctions screening systems
4.1 Many AIs as examined in the review had developed appropriate internal training programmes for staff in key roles. During the post-test interviews, these AIs with training programmes and relevant subject matter expertise demonstrated a more thorough understanding of system filter performance. It was apparent in a few other interviews, however, that staff had not been provided with the right skills to support effective system deployment.
4.2 Most AIs in the review exercise were able to clearly describe specific decisions around the lists their system operated and the filters employed. Explanations for each setting within the system should be properly documented. The review also revealed a few AIs that had limited knowledge of system filter performance or whether certain sanctions lists were in scope of the screening system or not.
4.3 There should also be clarity around ownership and accountability of the risk and which functions, compliance or information technology units, should contribute to managing that risk, for example, by ensuring that sanctions lists are kept up to date.
4.4 Suppression (or good guy/false hit) lists should be subject to particularly robust oversight. The reason for the inclusion of each entry should be documented properly, and these lists should be subject to regular maintenance and reviews. Appropriate approval should also be sought with respect to these regular reviews, as well as prior to the inclusion of any entry into these lists.
5. AIs are expected to conduct ongoing tuning of system filters to reduce the level of false positives without compromising effectiveness
5.1 AIs should understand their required level of effectiveness based on risk appetite, but should at the same time tune the system for greater efficiency where possible. Most AIs in the review understood the competing relationship between effectiveness and efficiency of the system and could evidence this understanding through actions such as monitoring levels of false positives. In those AIs where there was proactive and ongoing fine tuning to achieve greater efficiency, there was also a more comprehensive understanding of how the system, and the filters employed, operated. In a few AIs we noted high volumes of alerts, and where there were great dependency on vendor support and a general lack of awareness of the need for system optimization in one or two cases.