Data Matching for Sanction Screening

Sanctions screening is a process where companies match their data against sanctions lists provided by international sanctions bodies to meet sanction compliance policies. This is to ensure that companies don’t accidentally trade with sanctioned criminals, individuals, entities, or regions; failing which they could risk severe penalties.

Because sanctions screening deals mainly with varied data, it is necessary to have a data management framework in place that emphasizes keeping data updated for sanctions screening & adopting a proactive measure to sanction compliance.

The importance of sanctions screening is related to governments around the world imposing restrictions or ‘sanctions’ on certain territories, countries, individuals, and entities that are engaged in criminal activities and have broken international law. Crimes that trigger a sanction include human trafficking, money laundering, war crimes, terrorism, and many other criminal acts that affect international law and order.

These restrictions are recorded in what is called a sanctions list and are governed by sanctions regulatory bodies. These lists are collated either by government bodies or by international bodies such as the UN and the European Union. Businesses are required to keep up with these lists to ensure they do not engage in any trade or contact with the names on the list.

Failing to stay updated with a sanctions list could lead to:

• Fines ranging up to $20 million
• Prison terms can be as long as 30 years
• Hefty sums of settlements (depending on several mitigating factors)

The consequences of poor sanctions screenings have become more punitive than ever with the current world situation with countries like Russia, North Korea, and Iran facing tough violations, the consequences of which are often grave for businesses.

Recent news of the logistics company Toll, having to reach a settlement of $6.1 for nearly 3,000 transactions for shipment made by Toll or its affiliates through sanctioned regimes, thereby, violating the US’ Office of Foreign Assets Control (OFFAC) regulations. As per the company, ‘failure to implement strict compliance controls,’ led to accidental trading with sanctioned entities in Iran by Toll and its affiliates.

Cases of banks and businesses being fined in millions are hardly new.

In the past, banks like BNP Paribas and Societe Generale suffered huge penalties, paying $8.9 billion and $1.3 billion respectively in fines.

Just in 2020, Warren Buffett’s Berkshire Hathaway Inc was also fined $4.2 million after a subsidiary based in Turkey deliberately violated OFAC sanctions against Iran!

Financial institutions and businesses across the globe are fined millions for violating sanctions regulations, which is only getting harsher by the day.

You should care because if you don’t have a sanctions screening process in place, not only will you lose money and reputation, but you will also get in trouble with governments and international laws.

There is a lot to lose for not being vigilant with sanctions screening!

Companies need to consider different sanctioning bodies depending on their trading territories, the currency they are trading in, and their partnerships with entities and organizations. Some governments have their own sanction lists which do not necessarily have to be the same across the board. Therefore, it’s important that you are fully aware of the governing bodies you’re answerable to if you’re engaged in global trading.

The four main types of sanctioning bodies to consider are:

The US Office of Foreign Assets Control (OFAC)

The OFAC administers and enforces economic sanctions against countries, entities, and individuals that it deems as terrorists or criminals. Trade restrictions, asset blocking, and other dealings are prohibited unless authorized or expressly exempted by statute. The list applies to:

• All US citizens and permanent residents regardless of where they are located
• All entities and persons within the US
• All US incorporated entities and their foreign branches
• Any entity that trades in US dollars uses US goods, has a US parent, subsidiary, or affiliate
• Anyone that works through a local agent or supplier with a US connection

The names of prohibited individuals and entities are listed in the OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN list, available on OFAC website), against which companies are required to tally their data to ensure they are not trading with the listed individuals.

As of now, there are some 6,400 names of companies and individuals on the SDN list who are connected to sanction targets. OFAC also maintains another sanctions list that holds specific prohibitions against these names.

EU Consolidated List of Sanctions

Similar to the OFAC, the EU has a consolidated list of sanctions that apply to all EU citizens and corporate entities wherever they are located in the world. The EU has over forty different sanctions regimes in place, some of which are mandated by the United Nations Security Council while others are adopted autonomously by the EU. Sanctions are imposed through arms embargoes, travel bans, asset freezes, and other economic measures such as restrictions on imports and exports.

EU sanctions also have an effect in non-EU countries as they are a foreign policy tool, however, the measures apply only within EU jurisdiction.

Companies can use the EU sanctions map to determine regions where sanctions apply.

The HM Treasury Sanctions List

Businesses and entities belonging to or operating within the UK’s territories have to follow the HM Treasury Sanctions List, administered by the Office for Financial Sanctions Implementation (OFSI) in the UK.

The list is available in downloadable formats where information from each file is broken into several fields that record personal details, addresses, and other supplementary data.

The UN Security Council Consolidated List Search

The UN’s security list consists of all individuals and entities subjected to measures imposed by the UN Security Council. The list is made up of approximately 700 individuals and 253 entities or groups belonging to countries like Afghanistan, Central African Republic, Congo, Iran, Libya, North Korea and many others. Sanctions can either be:

Diplomatic: Termination of all diplomatic bounds such as embassies, councils, and cultural events.

Economic: Trade restrictions and barriers such as import/export.

Travel: Bans and restrictions for nationals of the respective territory or country.

Sport: Disqualification from participating in international events.

The consequences of breaching UN sanctions vary from security breaches to stolen funds, regulatory fines to civil and criminal penalties.

In order for businesses to establish an effective sanctions compliance program, they must first start with maintaining a sanctions screening process – which is highly dependent on error-free, well-managed databases.

Here’s how a basic sanctions screening process works and how effective data management lies at the forefront of the sanctions screening compliance program.

According to Deloitte, the sanctions screening process can be summarized as internal and external data sources being matched against each other using a matching engine that detects similarities, indicating a possible match.

Once a match is identified; an alert is then generated for the compliance officer to review and assess whether the alert is a true match or a false positive.

Note: The data matching performed for sanctions screening is hardly simple. Because names can contain non-Latin letters, aliases, abbreviations, and even information from disparate sources, the engine needs to have advanced functionalities to detect similarities.

This whole sanctions screening process depends on two critical factors to work well:

1). Data Management

2). Data Matching

Without updated, consolidated internal data, you will have a hard time matching it against the sanctions list data. And without a robust data matching engine, you’ll have a hard time getting accurate results.

The scope of data management goes beyond internal operations or business processes. Security, privacy, and sanction compliance are some of the toughest challenges businesses are facing with data management.

In the context of sanction compliance, having a data management strategy can help with:

• Keeping customer data organized, updated, and maintained
• Setting data quality standards that can ensure consistency & reliability of the data
• Managing disparate data sources and consolidating data for screening as needed
• Saving time and effort and enabling businesses to have a proactive approach
• Improve operational effectiveness and enable teams to be prepared
• Keeping up with a rapidly growing sanction list and complex sanctions updates

You cannot establish an effective sanction compliance program without investing in a data management program that includes training employees, making changes to business processes, and establishing controls so your data can be more agile.

When creating a data management strategy, you must take into consideration three key areas:

1). Data Architecture: This refers to the framework, guideline, and approach for building the data management environment. It will consist of tools, policies, roles, vendors, platforms, processes, and procedures you need to manage enterprise information.

2). Data Governance: The policies and guidelines for employees, vendors, and internal and external stakeholders to ensure everyone abides by the rules.

3). Data Quality: Ensuring your data meets data quality standards as given below.

So why is data management important for sanctions screening?

The Wolfsberg Group has surmised it well:

“Sanctions screening is used in the detection, prevention and disruption of financial crime and, in particular, sanctions risk. It compares data sourced from a financial institution’s operations, including as customer and transactional records from structured (KYC) as well as unstructured (product documentation, client notes) sources, against lists of sanctioned names and other indicators of sanctioned parties or locations”.

Almost every business today operating at a global level processes large volumes of customer data and transaction data on a daily, minute-by-minute basis. Screening this data against a sanctions list can be a challenging task if there are no frameworks or processes put in place.

Normally, you have three types of data to ‘manage’ for a sanction screening: customer data, transactional data, and other business-sector-specific customer information. Most of this data is spread across multiple systems and must be identified and then consolidated in order to determine which elements are needed for the screening.

You would need a holistic, 360-degree view of the data to identify and understand the connections between multiple sources. This view is critical to point out partnerships with sanctioned names that would otherwise go unnoticed if the data is treated in isolation.

To get this view though, you will have to:

1. Identify data sources you want to process
2. Profile the data to identify common errors and issues
3. Clean the data by removing duplicates, fixing errors etc
4. Standardize and normalize the data to ensure consistency
5. Deduplicate data that occurs after a merging data sets
6. Get a clean, holistic, transformed view of your data

Traditionally, you would have to implement an ETL process via complex programming to achieve these results. It would take days and months to clean, transform, and load data. But tools like WinPure can help businesses achieve this task in literally a day – so long as you have a strategy and know exactly what kind of data you want to treat.

Related: See how WinPure works by cleaning and transforming data:

This process will ensure that your data is complete, accurate, and meets the quality standard. In fact, it ensures that the data can be tested, documented, and monitored on a regular basis without spending too much time making fixes.

Lastly, sanction lists may ‘seem’ simple, but with large amounts of complex, peripheral, and varied data involved, it’s a necessary approach to implement strict controls and clearly define who is responsible for the delivery and maintenance of sanction lists.

Another critical aspect as rightfully pointed out by Deloitte is the use of regulatory websites.

According to Deloitte: financial institutions relying solely on sanction lists from regulatory websites must ensure that their process should involve consolidating data from multiple sources, which may be in different formats. In addition, some individuals/entities will be included in more than one list, so it is necessary to remove duplicates as not doing so may cause an alert to be generated twice. In such cases, the financial institution should consider implementing a sanction list management system to clean, parse and format the list data in order to improve matching accuracy and reduce the number of false positives.

Data matching is a critical function of sanction screening. You need to match all kinds of varied information against the data available on the sanctions list – and most of this data is semi-structured or range in formats.

For instance, Bob may be an alias for Robert or the spelling for Shaun and Sean may be different even though they indicate the same person.

You would need a powerful fuzzy-matching tool to be able to detect similarities from this varied data and deliver results based on phonetic, numeric, and non-exact matches.

So what exactly is fuzzy matching?

It is a matching algorithm that catches non-exact matches. It is used when there are nuances in an attribute (such as mistakes in a name, missing a number in the date of birth etc) so you don’t miss out on data that you would generally miss using exact matching.

You are in control with fuzzy matching where you set the matching to be as wide or as narrow as you’d like it to be. With a combination of fuzzy and exact matching, you can identify information even if there are typos or missing elements.

A data matching tool with the highest accuracy level will be able to identify:

• Different versions of a spelling, for e.g, Catherine instead of Kathryn
• Shortened names, for e.g, Lizzie instead of Elizabeth
• Odd characters and spaces within fields
• Punctuation marks within fields
• Numbers within text fields
• Abbreviations and inconsistencies
• Name reversals and variations
• Duplicate entries

Accurate data matching relies upon non-exact matches – meaning your data doesn’t have to have the same spellings to result in a match. This kind of fuzzy algorithm is not supported by Excel and would take ages to implement with coding programs with little chance of being accurate.

Related: Watch this to see how WinPure’s fuzzy matching works.

The more advanced and intelligent a fuzzy matching program, the better it will catch similar or near-similar matches, thus, lowering false positives and false negatives.

False positives are one of the biggest challenges with sanction screening. There have been multiple instances where real people were flagged at airports simply because the system returned a match that was a false alarm. In a false-positive result, a supposed ‘positive’ match is produced but turns out to be false upon further investigation. An instance of this could be two people having the same family name, but only one of them is actually on the sanctioned list.

The only way to overcome a false positive is to ensure your data is accurate before the screening process. This is because inaccurate data not only affects the outcome but also results in significant administrative work for your team.

False negatives, on the other hand, show there is no match, when in fact there is. Two records are of the same entity, but the system claims they are not a match. A false negative is potentially dangerous and can increase your risk of breaching compliance because it doesn’t trigger an alert.

Related: You can learn more about fuzzy matching techniques to see how fuzzy matching algorithms work.

Businesses and banks do not have the time or the capacity to take charge of their data for sanction screening.

In fact, most of them just do the bare minimum.

It’s costly to get started with data management, then hire experts to set up sanction compliance programs and vendors to do the job. Companies sometimes just can’t afford to take up sanction compliance because they easily get overwhelmed by the incessant challenges that lay ahead.

The good news is you can get started by fixing your data – and you don’t really need a million dollars for this. A fuzzy data matching tool like WinPure can help you improve the process and take charge of your data without spending on new talents or systems.

When your data is ready, you can then take the next steps of implementing a compliance framework.

Your first steps can be:

1. Identify your data source and type: Do you want to assess customer data or transactional data? Or do you want to assess departmental data? Upon identifying the data source, you can then proceed to profiling your data for errors.
2. Catching errors with a profiling feature: All best-in-class data matching platforms have a data profiling feature that scans your data for common errors such as typos, missing information, duplicates, and other oddities. Profiling will allow you to see errors at a granular level that you would otherwise not catch in Excel or SQL.
3. Clean your data: And by cleaning, it should be a one-click process. You’re not required to write long lines of codes to clean the errors diagnosed during the profiling process. With WinPure, for e.g, you can clean multiple sources of data in a single click.
4. Dedupe data: Duplication means multiple entries of the same entity across different data sources. You could have two or three phone numbers of the same person, or you could have multiple addresses. It’s important to connect these multiple data sources and ensure you have the most updated version of the data. WinPure’s deduping function matches multiple data sources, highlights duplicates, and allows you to create a new record with consolidated data.
5. Match against sanctions list: Once you’ve got your data in order, you can use WinPure’s fuzzy matching function to match names, addresses, dates, and identifiers across multiple lists. WinPure uses several fuzzy matching techniques to help you get the best match possible.
6. Create your own expressions: Sometimes, you need more from a tool than just a set of default actions. WinPure lets you create your own expressions and definitions of words, that can be used to further match and treat your data.
7. Automate data cleaning + screening: For a sanction screening to be effective, automation is key. You cannot afford to have outdated data plague your database for months and years only to end up causing a bottleneck in your administrative processes. WinPure has an automated cleaning schedule option that lets you schedule data cleaning routines which means you can stay on track without having to do much.

Whether you’re an entity or an individual, it’s important to have efficient data matching software in your business toolset. It will not only safeguard you from potential risks but will also help you clear any confusion with foreign names or doubtful organizations.

High-level money laundering, now especially prevalent with crypto and other new fintech trends has placed a significant burden on all traders, businesses, and financial institutions. Making it worse are the increasing government regulations and evolving sanction listings that are hard for businesses to keep up with.

With a data matching platform, you can at the least, start managing your data. You can get rapid insights into errors with data profiling features, use that to weed out duplicate and flawed data, and regularly screen customer data accurately.

To know more about how you can use our tool to prepare your data for sanction list screening, feel free to give us a call and get a consultancy!