With ongoing conflicts and tensions around the world, the application and accurate implementation of sanctions have become increasingly relevant. In the spring of 2023, twenty financial institutions participated in KPMG Forensics’ survey on sanctions compliance. Topics in the survey stretched from governance and culture to current developments, filtering solutions and alert handling. The majority of responses came from banks. Additionally, insurance companies, trust offices and payment service providers participated in the survey. Almost all responses came from the second line of defence.
This blog is the first part of a trilogy and highlights the results of the survey that are related to the governance and complexity of sanctions compliance. 

Complexity of requirements and solution configuration are big challenges

The foremost challenge that the surveyed entities encounter in their quest for sanctions compliance within their organization is the complexity of the requirements. Achieving sanctions compliance demands a high degree of vigilance and attention to detail, as the regulations are constantly evolving and subject to interpretation. The aforementioned issue is compounded by the challenge of acquiring and retaining the necessary knowledge and expertise, which almost half of the participants face.

Figure 1: responses of survey participants to the question (multiple options possible) What do you think is the biggest challenge with respect to sanctions compliance for your organization?

The complexity of the configuration of screening or filtering solutions is also perceived as one of the biggest challenges in achieving sanctions compliance within their organization, as is depicted in Figure 1. This is understandable, given the developments in recent years to reduce the number of false positives while making the solutions more effective. However, the high volume of low-quality alerts is still a challenge. Configuring screening or filtering solutions to ensure compliance with sanctions regulations is a complex task that requires entities to navigate through multiple layers of data and apply sophisticated algorithms. The process can be further complicated by the need to integrate screening solutions with existing IT systems and manage large volumes of data. The results show that technology, data, and analytics are not used effectively.

Room for improvement of sanctions risk assessments

Out of the participants in the survey, sixty percent indicated that the sanction risk assessment includes an assessment of risks related to products, services, geographies, and clients. According to the survey results, the other forty percent of the financial institutions perform a sanction risk assessment at a high level. According to the Office of Foreign Assets Control (OFAC), conducting a sanctions risk assessment is a fundamental element of a sound sanctions compliance program. Institutions are divided about the allocation of the responsibility for performing a sanctions risk assessment. For the majority of institutions, the first line of defence, which is typically responsible for client onboarding and transaction execution, is also responsible for performing a sanction risk assessment. However, forty percent of the institutions that participated in the survey indicated that the second line of defence is responsible for performing the sanction risk assessment.

Divided views on responsibilities for creating procedures and work instructions

When asked whether responsibilities are allocated to the first line of defence (1LoD) or the second line of defence (2LoD), the respondents' answers were divided. About half of the respondents (55%) indicate that the responsibility for creating procedures based on defined policies is assigned to the second line of defence, as shown in Figure 2. For thirty percent of the financial institutions, the second line of defence takes on even more responsibility, as it is also indicated to be responsible for creating the work instructions. The allocation of the aforementioned responsibilities may also be the result of the fact that twenty percent of the respondents indicate that the alert handling is also performed in the second line of defence. Not allocating the responsibility of alert handling to the first line of defence could limit the second line in its role to effectively monitor and review the operational activities performed.

Figure 2: responses of survey participants to the question Please indicate whether the responsibility for the following activities lies with the 1st line of defence or the 2nd line of defence.

Consensus on applying a 4-eyes principle

The vast majority of the surveyed entities indicate that they apply a 4-eyes principle when handling sanctions client screening and transaction filtering alerts, as depicted in Figure 3 and Figure 4. Applying a 4-eyes principle in the handling of sanctions alerts helps to ensure a higher level of accuracy and reliability in the decision-making process, as the likelihood of errors, oversights or biases is reduced. Moreover, independent review by two individuals helps to minimize the possibility of missed alerts, ensuring a more robust risk management process, and mitigating the potential risk. 

Figure 3: responses of survey participants to the question Do you apply a 4-eyes principle when handling client screening alerts?
Figure 4: responses of survey participants to the question Do you apply a 4-eyes principle when handling transaction filtering alerts?


Other than that, the 4-eyes principle encourages collaboration and knowledge sharing within the organization. When two individuals independently review the same alert, they can share insights, perspectives, and expertise. This collaboration fosters a deeper understanding of risks, encourages continuous learning, and improves the overall effectiveness of the screening process.

Therefore, by incorporating these principles into their processes, organizations can strengthen their risk management capabilities and enhance their ability to detect and prevent potential financial crimes.

How KPMG can help

KPMG supports clients to (pro)actively design, implement and monitor sanction measures. Our team combines technical expertise with experience with financial institutions and compliance. KPMG has designed a global methodology used within the field of sanction model validations in accordance with the legal requirements, legal expectations of regulators and our experience within the sector. We can support institutions with our knowledge and expertise.

This blog is the first part of a sanctions blog trilogy. In the coming blogs, the themes of Recent developments and Sanctions Screening and Filtering Solutions will be further explored.

If you have any further questions or if you are interested in further insights or information, please do not hesitate to reach out to Renske van Hooff (Partner at KPMG Forensic Technology – VanHooff.Renske@kpmg.nl) or Monica van Santbrink (Manager at KPMG Forensic Technology – VanSantbrink.Monica@kpmg.nl).
