April 8, 2014
Recent events in Ukraine highlight the need for U.S. financial institutions and their foreign subsidiaries and affiliates to have a standardized, proactive process in place to respond to geopolitical events that could affect compliance with the Bank Secrecy Act (BSA), other anti-money-laundering (AML) requirements, and economic sanctions enforced by the Office of Foreign Assets Control (OFAC) – rather than take an ad hoc, “fire drill” approach to each new event.
U.S. regulators expect BSA/AML compliance programs to be responsive to significant worldwide events such as the imposition of sanctions by the U.S. and European Union on Bank Rossiya, a Russian bank, in response to Russia’s incursion into the Crimean region of Ukraine.
When a geopolitical event results in consequences that could affect compliance, banks and other financial institutions must be prepared to quickly assess their resulting exposure and identify the adjustments to the compliance program that will mitigate the risk. A financial institution can accomplish this goal by taking the following steps:
- Reassess the country risk ratings for the affected countries or region. A geopolitical event could affect one or more of the factors that determine whether a country rates as high, medium, or low risk. A higher risk rating will, of course, necessitate stronger measures for managing the risk and complying with BSA/AML requirements.
- Adjust screening system thresholds for clients and sanctions in the affected countries or region. A financial institution should perform a one-time screen using modified thresholds to identify customers and transactions with exposure. It also might be advisable to establish ongoing client and transaction screening with modified thresholds for as long as the event continues. Exposure is not limited to the specific country involved, however; the bank should also reassess its ratings for border-adjacent countries as well as countries with significant trade relationships or political affiliations with the sanctioned country.
- Reassess customer risk ratings and incorporate the results of the above steps. If a customer is located or does business in the affected country or countries, that customer’s individual risk rating might change. A customer in Ukraine might have had the same risk rating as a customer in the United Kingdom just six months ago, but the Ukrainian customer’s rating is probably higher now.
- Perform greater due diligence on customers, including beneficial owners, with direct and indirect exposure to the affected region. The financial institution should perform additional reviews of the customers and transactions identified in the steps above. Reviewing beneficial owners, who otherwise might go unnoticed, could require special effort because the relevant information isn’t readily available electronically.
- Update senior management. If the preceding steps identify new risks that require the financial institution to take special action, senior management should be informed about the actions taken and the results. Regulators expect senior management and the board of directors, who are responsible for managing compliance risk, to be on top of such information.
In today’s turbulent times, financial institutions can’t afford just to cross their fingers and hope for the best. Instead, they need to establish a framework so they are prepared to reassess their customers, products, and services as necessary and take the appropriate proactive steps to manage the associated risks.
Troy La Huis
Principal, Risk Consulting Services