
Sanction Compliance and the Path to Effective Due Diligence



In the fast-changing world of financial regulation, compliance is integral to ensuring stability and integrity. Financial institutions are obliged to diligently screen their clients to ensure they are not engaging with sanctioned individuals or entities. The Cyprus Securities and Exchange Commission (CySEC), between April and November 2024, conducted a comprehensive assessment of the sanctions screening systems used by its regulated entities; this included Cyprus Investment Firms (CIFs), Administrative Service Providers (ASPs), Funds and Fund Managers, and Crypto Asset Service Providers (CASPs). The objective was to determine whether these entities were maintaining adequate compliance frameworks in line with regulatory expectations.


CySEC’s review highlighted various deficiencies in firms' approaches to sanctions screening. While some entities had policies in place, the implementation of those policies often fell short of expectations.


Weaknesses Identified Pertaining to Sanctions Compliance


Limited Understanding of Screening Tools


Many entities had implemented third-party sanctions screening tools without fully understanding their functionality; in other cases, the screening tool was being used with inappropriate configuration settings. Without a clear grasp of a system’s capabilities and limitations, firms risk inefficiencies and potential compliance failures.


Reliance on Manual Screening


CySEC found that some firms were still conducting manual screening, thus increasing the likelihood of human error. While manual processes may be feasible for smaller firms taking into consideration their scale and complexity, larger entities should leverage automation to ensure consistency and accuracy in their screening procedures.


Outdated Screening Practices


Some firms had not updated their screening systems to reflect the latest international sanctions. This lack of regular updates and testing left firms vulnerable to regulatory breaches and reputational damage. Additionally, in some cases firms were screening against too many or too few sanction sources.


A large number of regulated entities performed re-screening of high-risk clients on a periodic basis, ranging from monthly to quarterly to annually; CySEC wishes to reinforce that such periodic sanction screening is not considered to be part of a risk-based approach. It is therefore essential that all regulated entities ensure that all business relationships are screened against relevant sanction lists in real time and that applicable measures are undertaken without undue delay.


Insufficient Auditing and Testing


Regular system testing and audits are essential for maintaining compliance effectiveness. However, CySEC found that some firms were not conducting adequate reviews, which could lead to undetected risks within their sanctions screening frameworks.



Best Practices Identified in Sanctions Compliance


While some firms demonstrated weaknesses, others demonstrated best practices that set a high standard for compliance. The following approaches contributed to a strong and effective sanctions screening process:


Implementing Automated Systems


Firms that implemented automated sanctions screening significantly reduced human error and improved efficiency. Automated systems provide real-time updates and ensure consistent screening, reducing the likelihood of omissions.


Rigorous Testing Before Implementation


Proactive firms conducted thorough testing and fine-tuning of their screening systems before implementation. This approach ensured that tools were effective and aligned with regulatory requirements.


Staying Up to Date with Sanctions Lists


Firms stayed up to date by subscribing to the relevant alerts for sanctions lists from major authorities such as the EU, UN, US, and UK, ensuring that they maintained compliance with evolving regulatory expectations.



CySEC’s Recommendations for Strengthening Sanctions Compliance


To enhance the effectiveness of sanctions screening, CySEC outlined key expectations for regulated entities. Firms should consider the following measures to reinforce their compliance frameworks:


Involvement of Senior Management


Management should actively oversee and support compliance initiatives, ensuring that sanctions screening is prioritised within the organisation. Furthermore, there should be appropriate oversight and responsibilities as well as accountability in cases of non-compliance regarding sanctions.


Establishing Clear and Documented Policies and Procedures


Sanctions screening policies and procedures should be well-documented, formally approved, and regularly reviewed to align with evolving regulatory requirements. CySEC also highlights the importance of adequate internal escalation processes for alerts of sanctioned persons. It was noted that all employees should receive sufficient and ongoing training related to sanctions. Furthermore, internal policies and procedures should include sanction related obligations such as freezing of funds/assets of designated persons and identifying and reporting sanctions violations.


Allocating Sufficient Resources


Firms should invest in both human and technological resources to manage their screening obligations effectively. A compliance culture must be promoted and treated as an integral part of risk management.


Regular Testing and Auditing


Sanctions screening systems should undergo frequent testing and audits to identify potential weaknesses and improve overall effectiveness. Continuous review ensures that firms remain compliant and adaptable to regulatory changes. All Regulated Entities are expected to understand their screening systems' capabilities and limitations through product data testing and synthetic data testing. Applying the synthetic data testing doctrine to sanction screening enables published records to be included in the test in order to identify whether the screening system raises alerts against known sanction records. CySEC notes that a best practice would be to apply both testing techniques.


Embedding Compliance into Corporate Culture


CySEC understands that effective and efficient screening of all sanction lists is a complex process; however, sanctions compliance is more than a regulatory requirement: it is a fundamental component of responsible financial operations. Firms that integrate automation, testing, and ongoing updates into their compliance strategies will not only meet regulatory expectations but also safeguard their reputations. Sanction screening measures should be applied together with other measures such as effective due diligence measures, management commitment, continuous training and sanctions risk assessments. Proper ongoing screening is expected to be implemented by all Regulated Entities irrespective of their scale, complexity, business activity or industry. It is further reiterated that the sanction screening system used should be part of an effective and comprehensive Sanction Compliance Program. By fostering a culture of vigilance and due diligence, financial institutions can ensure they remain resilient and well-prepared in an increasingly complex regulatory environment.


Written by Andie Henderson, Legal and Compliance Associate, FAI Comply
