Actions against corporates by financial regulators have demonstrated that regulatory compliance is not only the concern of financial institutions. Increasingly, regulators are widening their focus and bringing corporates into the world of financial crime compliance. It is a world in which non-compliance can attract heavy fines and the risk of reputational damage.
Financial crime encompasses a variety of activities, including fraud; electronic crime; money laundering; terrorist financing; bribery and corruption; market abuse and insider dealing; and information security. Even the very suggestion of financial crime can create big headlines. The data leak from Panamanian law firm Mossack Fonseca revealed the extent globally of tax avoidance and evasion as well as circumnavigation of sanctions regulations; this has led to a public outcry and prompted some governments to review their taxation policies.
Regulations to combat financial crime include anti-money laundering (AML) laws, financial sanctions and monitoring of high-risk individuals. Sanctions are among the most challenging of the financial crime regulations for corporations. In addition to jurisdictional issues, operational decisions on matters such as sanctions list management, transaction currency, customer or employee nationality, local employment laws and transaction routing must be considered.
The majority of economic sanctions emanate from the US and Europe. The US Treasury Department’s Office of Foreign Assets Control (OFAC) recently fined a number of firms – including some operating outside of the US – for sanctions violations. For example, of the four entities OFAC fined for sanctions violations between 20 January and 25 February 2016, three were corporations. According to OFAC’s civil penalties and enforcement information, the total amount of the fines imposed during the period was more than US$3.5m. Just as with financial institutions, compliance experts believe that the size and scale of fines for corporates is set to grow.
OFAC administers a number of different sanctions programmes, covering countries such as Syria, Iran and Russia as well as ‘specially designated nationals’ (SDNs) who are defined in almost 60 different lists. The sanctions are either comprehensive or selective, using the blocking of assets and trade restrictions to meet the foreign policy and national security goals of the US.
Other countries, such as the UK and France, have similar bodies to monitor those suspected of financial crime. At the launch of the Office of Financial Sanctions Implementation (OFSI) on 31 March 2016, UK chancellor of the exchequer, George Osborne, said: “Financial sanctions are a hugely important foreign policy and national security tool. Their effective implementation and enforcement are vital to their success.” OFSI will provide “a high-quality service to the private sector, working closely with law enforcement to help ensure that financial sanctions are properly understood, implemented and enforced” .
Corporates playing catch-up
With regulators clearly signalling their intention to take a closer look at corporate compliance with international sanctions, making the assumption that a bank is responsible for protecting its corporate clients against potential violations will not be a mitigating factor when it comes to regulatory action.
The risk of violating a sanctions programme increases as a business expands across borders. Moreover, sanctions cover a variety of targets and can also apply to their off-shore affiliates, so the risks are also complex. Until recently, however, many corporates might not have been fully aware of their regulatory responsibilities. As a result, their internal compliance frameworks may have been less developed than those of financial institutions.
A corporation’s approach to financial crime compliance largely depends on the nature of the industry sector in which it operates. Some sectors will be more highly exposed to potential violations because of the countries in which they operate; others because of the individuals or institutions with whom they do business. Very global industries – such as airlines, logistics, oil exploration and pharmaceuticals – have been relatively proactive, while those companies that operate predominantly in perceived ‘risky’ jurisdictions have likely been sensitised to the importance of compliance.
One of the most effective ways of mitigating the risk of sanctions violations is by screening financial transactions. This has the added benefit that corporations not only assure themselves the transaction is compliant, but they can avoid payment blockages where a query on a single transaction could hold up all the remaining payments in a batch. In this way, transaction screening by a corporate’s treasury department can expedite payments and improve straight-through processing (STP).
Screening a continuous process
However, perhaps the most common way for corporations to address sanctions compliance is the screening of customers and suppliers during the onboarding process. Checks are made against lists issued by various bodies (including OFAC) to ensure that the countries, companies or individuals with whom they deal are not subject to sanctions.
But whilst screening customers and suppliers during onboarding is important, compliance cannot be seen as a one-off proposition. Sanctions list management is in itself a challenging task. The lists change regularly, sometimes daily, with names of entities and individuals being added and subtracted. As such, customer and supplier databases would need to be screened regularly to maintain ongoing compliance.
Moreover, while best practice would dictate that sanctions filters should be updated almost immediately after list updates are published, delays can occur due to the time required to collect and reformat public lists to fit an individual company’s filters. All of which makes the job of managing sanctions lists and updating sanctions filters both complex and time consuming.
Dealing with extraterritoriality
To find the right framework for their response to financial crime compliance, corporates will have to think beyond their own borders. The allegations of corruption at the international football federation, FIFA, highlighted the issue of ‘extraterritoriality’ that the global corporate community must now face.
During the investigation, individuals at FIFA conducting transactions in US dollars (USD) were accused of violating US law, even though they were not US citizens and they were not acting in the US. This revealed a complex challenge that global corporations will have to address: while it is obvious that companies operating in the US must comply with US regulations in their everyday business activities, it may not have been as clear that this obligation also extends to organisations outside of the US that are buying US goods, trading in USD or have US staff on their payroll who are involved in payment processing.
Ultimately, the onus is on corporations – in whichever jurisdiction they may be domiciled – to adapt their systems and processes to ensure they are not breaching US or other regulations.
Creating a framework for the future
It is clear that fighting financial crime will remain a high priority for regulators and governments across the world. Moreover, while regulators and policy makers initially focused on the financial industry, they are now widening their net to include the broader corporate community.
Just as financial institutions did before them, corporates will need to incorporate financial crime compliance into the day-to-day management of their business. Even if it feels intrusive, they will need to know more about their customers, and maybe their customers’ customers; the supply chain is bound to come under increasing scrutiny.
As the direct and indirect cost of regulatory compliance increases, banks are less willing to take risks in unknown jurisdictions or with unproven supply chains. This reduced risk appetite is also likely to have a knock-on impact on corporates as they expand internationally. Corporates that are not able demonstrate a sufficient level of client understanding may face reduced coverage by their traditional relationship banks.
This evolving regulatory environment will have an impact on corporate plans for expansion and resourcing, as well as on IT and operations. Corporations which act now to identify how financial crime regulations will affect them and how they do business – and take appropriate steps to ensure their continued compliance – will be best prepared to prosper in this new business landscape.