Sanction control in payment transactions

The supposed certainty of "never again war in Europe" has been shattered by the bitter reality of Russia's attack on Ukraine. In response, the EU member states have already issued eleven sanctions packages against Russia by June 2023, which include individual sanctions against persons, sanctions against certain organizations, general economic sanctions, sanctions against the financial sector and more.¹ A total of 36 countries, including the USA, Australia and Japan, have issued additional sanctions in response to the war in Ukraine.²

However, the fight against international terrorism and the prevention of money laundering have also led to a further increase in regulatory requirements for payment transactions in recent years.

In response to these increased requirements, many companies are reacting by bundling the issue of sanctions control in payment transactions in a central unit, which is often part of the treasury department.

All companies are subject to the obligation to check sanctions lists, regardless of their area of activity, turnover or whether they have international business activities.³ There is an obligation to carry out a check against the relevant sanctions lists for every business contact. This means that no company can now afford to ignore a sanctions check altogether. In the event of non-compliance, companies can be targeted by authorities, BaFin, the United Nations, the EU or the USA. There is a threat of inspections, strict conditions or fines being imposed. If no agreement is reached, the US authorities will use extraterritorial criminal prosecution as a last resort, including the companies themselves on the US sanctions lists.

Apart from the legal consequences, companies also fear a loss of image or the public outrage that can result from publicizing violations.

In Germany, compliance is ensured through audits or via customs. It remains to be seen to what extent controls will be tightened in the context of Russia's attack on Ukraine. To date, the focus of the controls has been on checking whether the relevant regulations comply with the legal requirements, without any downstream screening of the payment files carried out. However, if the company becomes aware of such a violation and a corresponding payment has already been made irrevocably, it has the option of mitigating a potential risk of proceedings by making a voluntary disclosure.

Today, most software providers for system solutions in payment transactions offer automated solutions for sanctions screening of master data or generated payment files as standard. While the screening procedure differs between the treasury management systems or payment transaction modules, there is a standardized procedure at the beginning of the process. It is possible to import sanctions list data into the system via an automated upload. SAP Business Integrity Screening offers this function as a successor to SAP Fraud Management. TIS RiskOptix relies on a purely cloud-based solution that includes the daily update of EU and UN sanctions lists. This function can be integrated into Omikron's MultiCash solution via the Denied Party Check module for monitoring payment transactions. Given the high volume of payments made, non-automated solutions are impractical and cannot ensure sufficient compliance.

Sanctions list data in a processed form and its provision via an interface are offered as a service by various service providers. Mendel Verlag, for example, offers the provision of individually compiled sanctions lists on a daily basis.⁴

Based on this, companies can then check their payment files or master data for the existence of sanctions against countries, banks, individuals, companies, accounts or for certain keywords in the intended use. Mathematical procedures such as the Levenshtein distance are often also used here to ensure that minimal deviations between the sanction value and the check value still generate a hit. For example, it can be ensured that umlauts written out in full are still taken into account. The system ensures that the corresponding payment is not immediately sent to the executing office in the event of a sanction hit. Particularly in the case of a collective transfer, it is advantageous if the payment files can be split so that only payments with a sanction hit are prevented from being forwarded to the bank.

Following an automatically ejected sanction hit, a manual assessment or post-processing is often required in order to exclude so-called "false positive" hits. For example, a supposed sanction hit against a beneficiary of a transfer can be verified by comparing the data of birth or nationality, although this often requires additional information that is not included in the transfer.

Master data management or at least the handling of payment processes should be organized centrally, as this allows screening to be standardized across the group. Although it is also conceivable to implement screening solutions along the lines of decentralized master data management at individual subsidiaries, this increases the respective implementation and operating costs. Practical experience therefore shows that decentralized approaches often do not guarantee a uniform procedure and that group requirements in this regard result in considerable additional work for local departments.

It remains to be seen how the geopolitical situation will develop. It is currently difficult even for experts to make predictions. The hope for lasting peace in Ukraine and international cooperation in the fight against terrorism remains honorable. However, it cannot be assumed that regulatory provisions for screening payment transactions at companies will be relaxed as a result. It remains to be feared that legislators will continue to enact laws and regulations on payment transactions with little lead time. Companies should prepare themselves for this by establishing clear responsibilities and guidelines in a sanction screening concept. By using software solutions, a high degree of automation can be achieved, which is essential in view of the volumes involved in payment transactions.

Source: KPMG Corporate Treasury News, Issue 140, January/February 2024

Authors:

Börries Többens, Partner, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG

Marvin Berning, Manager, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG

______________________________________________________________________________________________________________

¹ Cf. https://www.bundesregierung.de/breg-de/schwerpunkte/krieg-in-der-ukraine/eu-sanktionen-2007964.

² Cf. https://www.produktion.de/schwerpunkte/industrie-politik/neben-usa-und-eu-wer-russland-noch-sanktioniert-195.html.

³ Cf. https://www.security-insider.de/sanktionslistenpruefung-fuer-unternehmen-a-84ed8a42dfd01d427b41ef6b94afe7e9/.

⁴ Cf. https://www.mendel-verlag.de/produkte/data-content/sanktionslisten/.