Avoiding Inadvertent Sanctions Violations By Covering All Bases: IP Address, Email And Other Communication Channels


Managing sanctions risk remains an intricate task, despite the
plentiful technology available today. While many companies have
robust sanctions programs in place, they often do not consider all
of the communications channels and sources of information available to
them that can unmask actors operating from sanctioned
jurisdictions.

Kallia Gavela, Senior Director and Head of Disputes and
Investigations at Alvarez & Marsal (A&M) Greece, joined
sanctions experts and regulatory figures at the C5 Group’s
European Forum on Global Economic Sanctions in Berlin to debate the
rapidly changing global sanctions landscape.

In the article below, she discusses the sanctions risk
introduced into organizations by the various types of communication
channels in use, and outlines some best practices for companies
trying to navigate sanctions and build a more robust and effective
sanctions screening process.

Information sources to consider when screening for sanctions
violations:

  • Internet Protocol (IP) address

Internet Protocol (IP) information [1] can be collected
from various sources, such as user registrations, transaction logs
or web server logs, and can be converted into geographic location
data. It can thus be used as a key indicator for understanding the
locations from which users – legitimate or nefarious –
may be accessing an organization’s products and services.
Although a critical source of information, it is oftentimes
neglected and excluded from both upfront Know Your Customer (KYC)
checks and ongoing customer risk monitoring. There are limitations
to be aware of in this context, however, as this information can be
masked and the true location of the user/customer obfuscated,
especially through the use of Virtual Private Networks (VPNs) and
other anonymizers.

  • Email addresses, telephone, cell or fax numbers

Email addresses and telephone, fax or cell number information
can also play a significant role in sanctions screening, as they
serve as identifiers for the individuals and entities involved in
various transactions and communications. This is especially true as
each country has its own International Country Calling Code (ICCC),
which will be indicated when a telephone call (landline or
cellular) or fax originates from that country. Equally, the country
code Top-Level Domain (ccTLD) [2], i.e. the two-letter
Internet top-level domain designation, represents a specific
geographical location. Where companies allow users to
transmit payment instructions via email, phone, and even fax, this
can benefit individuals located in a comprehensively sanctioned
jurisdiction, if the entity obliges due to its less rigorous
sanctions screening process.

That being said, certain limitations should be borne in mind.
Mobile phone calls, for example, indicate the country of issuance
of the phone rather than the country of its physical location, and the
two may differ. Also, certain regions subject to comprehensive
sanctions may not have a specific TLD. As such, albeit an important
source of information, email addresses and telephone, cell and fax
information cannot be relied upon in isolation.

Emerging solutions:

Organizations can also consider embedding a geofence,
essentially a geographic boundary set up by using the Global
Positioning System (GPS), radio frequency identification (RFID),
wi-fi or cellular data, to prevent access to their services by users in
sanctioned, embargoed or high-risk jurisdictions. Access can be
limited based on the potential user’s location, using data
including data from the user’s device.

Indeed, geofencing services have developed beyond simply
tracking a device’s IP address. They can now leverage
multi-source geolocation data to establish where a user is located.
This reduces the risk of bad actors spoofing their IP data to trick
geofencing software.

In some regions, such as Europe, geofencing may only be
permitted when users opt in. In others it is illegal. Furthermore,
while geofencing can prove very effective when it comes to
sanctions screening, it also raises data privacy concerns.

As alluded to above, user identification within computer science
has evolved past IP address information. Basic browser fingerprints
have extended the identifying information further by including more
device attributes, pushed by the browser, within the identifier. A
device fingerprint, or machine fingerprint, is information
collected about the software and hardware of a remote computing
device to facilitate its identification [3].

As an alternative to cookies as a means of tracking, it combines
certain device attributes – the operating system, the web
browser and its language setting, system language and system
country, local time zone, installed fonts and plugins, CPU
architecture and the device’s IP address – to identify it
as a unique device. It also analyzes the user’s configurations
of software and hardware, creating a unique ID for each
configuration, known as a device hash.

Similar to geofencing, device fingerprinting comes with legal
and data privacy considerations.

Regulatory efforts:

Across the globe, regulators have been highlighting the
importance of deploying geolocation tools as an effective internal
control, both in the sanctions compliance guidance they issue and
through enforcement actions.

The U.K.’s Financial Conduct Authority (FCA) distinguishes
between geolocation data and an IP address when setting out FCA
client identity verification expectations [4]. The
Financial Action Task Force (FATF) has also identified multi-source
geolocation data – such as Wi-Fi, GPS, GSM/cell tower
triangulation, and HTML5 – as a necessary part of digital
identity and KYC verification [5].

There have also been enforcement actions in this arena, with
recent examples in the U.S. of companies having to pay
multi-million fines to settle sanctions violations allegations with
the Treasury’s Office of Foreign Assets Control (OFAC).

In many cases, regulators have treated as a mitigating
factor the fact that the organizations in question were willing to
admit to the violations and implemented corrective actions,
including geofencing and IP address screening, against further
incidents [6].

Best practices for organizations:

It is critical that every compliance department knows whether, and to
what extent, data and insights from the various sources of
information discussed in this article are incorporated into the
organization’s sanctions compliance program. A company should
consider incorporating the review of such information into its
program, even if it was obtained for a different reason —
such as for business or security purposes — to ensure the
company is using all available information for compliance purposes.
The process and any learnings from it should be thoroughly
documented and aligned with the organization’s risk-based
compliance approach.

Furthermore, a “look-back” exercise is often required
to understand if internal controls have failed or to identify
potential gaps.

Some practical recommendations would include:

  • IP address

Organizations must obtain knowledge from their IT/Cybersecurity
departments of all the instances in which IP address data related
to customer engagement with systems or apps is collected and
stored. They should also maintain an inventory of all access points
where customers can log in, with each access point updated to
prevent logins from sanctioned jurisdictions. It is also important
to ensure that the scope of an annual audit includes sanctions
penetration testing to check whether company sites can be accessed
with an IP address from sanctioned jurisdictions.

  • Telephone, mobile and fax

Organizations must ensure that they capture information on
telephone, mobile and fax numbers provided by customers when they
open an account in the relevant CRM or KYC system. Companies can
then identify customers with a mobile or fax number from a
sanctioned jurisdiction, and create rules that prevent adding such
numbers to the system. It is also important to ensure that
searching for these phone numbers triggers a manually created case
in the case-management tool for review by an experienced
analyst.

  • Email and website domains

Email content rules must be created relating to sanctioned
jurisdictions, for both email and website domains. Institutions
must query the email addresses maintained within the system and search
for emails matching those on sanctions lists, as well as the
“top level domain” of email and website addresses in the
system. Sanctions penetration testing must also be included in the
annual audit report, to verify which products allow users to update
their details with an email or website address located in a
sanctioned jurisdiction.
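The screening rules described in the information-sources section and in the practical recommendations above, as an added example that is not part of the original article: each channel (IP address, phone number, email domain) is resolved to a country and checked against the jurisdictions the program screens for, and every finding carries the limitation the analyst must weigh. The jurisdiction codes, IP ranges, calling codes and ccTLDs are constructed, hypothetical lookup data, not a real sanctions list.

```python
"""Sanctions-indicator screening of customer contact data (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed, hypothetical data: jurisdictions the program screens for (ISO
# 3166-1 alpha-2 codes), an IP-range-to-country table, calling codes and ccTLDs.
# Real deployments load these from the organization's risk-based policy, a
# maintained IP-geolocation feed and the official code assignments.
SCREENED = {"XA", "XB"}
IP_RANGES = [(ipaddress.ip_network("203.0.113.0/24"), "XA"),
             (ipaddress.ip_network("198.51.100.0/24"), "XB")]
CALLING_CODES = {"999": "XA", "998": "XB", "44": "GB"}
CCTLDS = {"xa": "XA", "xb": "XB", "uk": "GB"}

@dataclass(frozen=True)
class Finding:
    channel: str   # "ip", "phone" or "email"
    country: str
    note: str      # limitation the reviewing analyst must weigh

def country_from_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((cc for net, cc in IP_RANGES if addr in net), None)

def country_from_phone(number):
    digits = "".join(ch for ch in number if ch.isdigit())
    # Calling codes are 1 to 3 digits: take the longest prefix that matches.
    return next((CALLING_CODES[digits[:n]] for n in (3, 2, 1)
                 if digits[:n] in CALLING_CODES), None)

def country_from_email(email):
    domain = email.rpartition("@")[2].lower()
    return CCTLDS.get(domain.rpartition(".")[2]) if domain else None

def screen(record):
    """Return a Finding for each channel that resolves to a screened country."""
    checks = [
        ("ip", country_from_ip, "geolocation can be masked by VPNs/anonymizers"),
        ("phone", country_from_phone, "code shows country of issuance, not location"),
        ("email", country_from_email, "ccTLD is registry-based; some regions lack one"),
    ]
    return [Finding(ch, cc, note) for ch, fn, note in checks
            if (cc := fn(record.get(ch, ""))) in SCREENED]

def decide(findings):
    """Hard rule: any hit blocks the login/update and opens an analyst case."""
    return ("block", True) if findings else ("allow", False)
```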

A&M. Action. Leadership. Results.

A&M’s privacy and data compliance practice supports
clients in navigating the evolving and complex data protection
regulatory landscape by developing and implementing solutions to
address these challenges. Our team is also highly experienced in
conducting forensic investigations into alleged data privacy
violations.

The practice brings specialist advisory and consulting services
on international and cross-border privacy, data protection, secrecy
and related laws and sectoral rules. Professionals within the
practice include former consultants, regulators, data protection
officers and certified information privacy professionals who are
skilled at aligning and implementing complex regulatory
requirements within operational processes and settings.

Footnotes

1. On this topic see also: What’s in an IP Address? A Key Compliance Risk
Indicator You Should Get to Know Better | Alvarez & Marsal |
Management Consulting | Professional Services
(alvarezandmarsal.com).

2. A list of the current ccTLDs, including their registry
operators, is provided here: Country code top-level domain – ICANNWiki.

3. See Legal Requirements for Device Fingerprinting – TermsFeed.

4. See Financial crime systems and controls during
coronavirus situation | FCA.

5. See FATF (2020), Guidance on Digital Identity, FATF,
Paris, www.fatf-gafi.org/publications/documents/digital-identity-guidance.html.

6. See for example the mitigating factors listed in
OFAC’s enforcement release from June 20, 2023: OFAC Settles with Swedbank Latvia 20230620
(treasury.gov).

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.


Source: http://www.mondaq.com/Article/1423328