Regulatory reviews: What’s new?
In July 2022, the Financial Conduct Authority (FCA) indicated that it had begun rolling out a SupTech new analytics-based tool to test the effectiveness of firms’ automated sanctions screening systems. Driving this new approach is the FCA’s desire to ensure firms are effectively implementing sanctions, particularly following the issuing of wide-ranging sanctions on Russia in 2022. The FCA has said the analytics-led approach assesses the effectiveness of sanctions controls by using a synthetic data set of approximately 100,000 entities. Firms will ingest this data into their screening systems to test if they can effectively identify sanctioned entities.
What is driving the change?
The FCA has indicated that the primary driver of the change was the limitations associated with traditional face-to-face and document-led supervisory approaches, which are difficult to implement at scale and resource intensive. To overcome these limitations, the FCA’s new approach likely aims to increase both the scale of testing and its effectiveness.
The Russian invasion of Ukraine has accelerated the pace of change, but even as early as 2019, the FCA signalled that it was turning to technology to fight financial crime, which included looking at a proof of concept for testing sanctions screening effectiveness. This has been part of the FCA’s wider strategic drive to become a digital regulator. The move is in line with similar announcements from sanctions regulators in other jurisdictions, including Jersey and the Netherlands.
The FCA’s new approach suggests a likely increase in regulatory scrutiny of sanctions implementation going forward. Proof of that is the Office of Financial Sanctions Implementation (OFSI) shift to a more ‘proactive’ enforcement model, which includes doubling of its staffing profile and the implementation of a new ‘strict liability’ test for assessing breaches of the UK’s financial sanctions regime.
What does it mean for firms?
Undoubtedly, there are benefits to the FCA’s new analytics-based approach, but there are challenges that need to be considered; the main being that this type of approach is not tailored and specific to each entity and is therefore important to be able to interpret the results and to do that interpretation correctly. Taking the results at face value can lead to the wrong conclusions. So, how can entities prepare? Our experience shows that there are three main areas that entities need to cover:
1) How to prepare for the FCA testing:
It is key that firms are proactive in discovering the potential testing outcomes independently to support them during FCA testing. Independent sanctions screening testing equips firms with a comprehensive overview of potential gaps in their screening set-up, technology nuances impacting screening outcomes and a library of risk-based decisions impacting screening.
2) How to interpret the results
In our engagements with clients looking at their effectiveness within the sanctions screening environment, name matching effectiveness of screening systems was often below 100%. Lower matching scores can sometimes be caused by genuine deficiencies in the systems, leading to under-generation of alerts. In most cases, however, decreased scores are related to technical execution of testing within the systems and can be explained or resolved with a follow-up root cause analysis. Quite often, what may seem to be alert under-generation is fully explainable and within the firm’s risk appetite, especially when fuzzy matching is considered.