Neterium SRL

FCC Essentials

FCC Essentials

With each article, we shed light on a specific aspect of FCC and try to deliver valuable insights based on the experience of our team. As we know you are busy and we are very conscious of your time, we provide high content density in a short format.

We hope you’ll enjoy it and learn something new with each article.Also listen to the FCC-7 Podcasts for additional insights

Discover our first FCC Essential article, where Christopher Stringham, Global Account Manager at Neterium, shares his passion for Financial Crime Compliance (FCC).

Today, we deep dive into a report from the UK's Financial Conduct Authority (FCA) on their assessment of regulated firm's sanctions compliance processes.

The UK's Financial Conduct Authority says firms are over-reliant on third party sanctions screening tools! The FCA has recently conducted assessments of firms’ sanction systems and controls based on the guidance in the FCG and other sources. The report of the key findings was released on 6th September.

The FCA based their assessment on previously issued guidance such as their Financial Crime Guide. For example, section 7.2.3 of the FCG states that, "A firm should have effective, up-to-date screening systems." The FCG offers numerous examples of good practice and also provides very informative examples of poor practice. Such as: "Where a firm uses automated systems, it does not understand how to calibrate them and does not check whether the number of hits is unexpectedly high or low."

Despite the guidance, the FCA still found, "poorly calibrated or tailored screening tools, with some firms also too reliant on third party providers with ineffective oversight over them." Additionally, "there were instances where calibration had not been adequately tailored. This resulted in it either being too sensitive, causing a high number of false positive names (…), or not sensitive enough, meaning that even minor variations in names led to sanctioned individuals not being detected. This delicate balancing act shows the importance of firms understanding how their systems work and how they are calibrated." 

De Nederlandsche Bank issued a similar report a few months ago and had similar findings. They also found that:"(M)any institutions trust that their (external) screening systems function adequately, and that they do not carry out their own periodic assessments, such as spot checks."

Interestingly, while the FCA raises the risks associated with third-party solutions, the most recent fine in the UK relating to sanctions screening involved the use of an in-house screening system. In this case, the firm’s third-party data provider quickly delivered the updates to the sanctions lists and the in-house screening system correctly generated a possible match. Unfortunately, the system generated so many false hits that analysts were not able to process the alerts in a timely manner. This led to a company policy where accounts were ‘suspended’, transfers were prohibited, but debit cards associated with the account were not blocked. And in this particular case, the debit card of a designated national was only blocked five days after listing and a withdrawal was made.

Legacy screening systems have typically functioned as black boxes. It is difficult to know what the system is doing and why. This limits the ability to conduct testing and tuning. Also legacy systems are often very inflexible. Even with significant testing, tuning is often just not possible or very limited.

Development of 'name matching algorithms' and ‘sanctions screening systems’ is not the primary business of financial service firms. The use of third-party solutions is therefore very natural. These are normally better than in-house systems due to the ability of the providers to specialise and receive feedback from a number of customers. Still, not all solutions are equal. Regulators justifiably require transparency, so it is critical to look for a provider that offers a glass box to understand in detail the results that you are getting and also provides the flexibility to actually tune the results effectively.

Explore our latest FCC (Financial Crime Compliance) Essential article as Christopher Stringham, Global Account Manager at Neterium, delves into his fervor for Financial Crime Compliance (FCC).
In this edition, we’re looking into the proactive steps taken by the Financial Intelligence Unit of the Netherlands (FIU) in response to Russia's invasion of Ukraine. By promptly alerting regulated entities to potential risks, the FIU, in this specific context, successfully thwarted the exportation of dual-use goods. Join us as we dig deeper into this unprecedented measure.

Following the invasion of the Ukraine by uniformed troops from the Russian Federation and the imposition of new sanctions on Russia in February and March of 2022, the Financial Intelligence Unit of the Netherlands took steps to inform obliged entities of potential risks. Information sharing between the private and public sectors proved beneficial for both sides as significant reports of unusual and suspicious transactions were submitted. In the FIU’s Annual Review for 2022, they outlined the measures taken and highlighted some specific successes. Based on information gathered by the FIU, authorities in another country were able to prevent the exportation of dual use goods, millions of Euros connected to a sanctioned person were seized, and a person connected with evading sanctions relating to microchips was arrested.

That final point is particularly interesting since the person was recently convicted and the court judgement provides very interesting insights into his schemes. The issue was the shipment of various circuits in violation of Annex VII of Regulation 833/2014 and the court kindly provides details about the specific chips that were sold and exported. For example, they mention an invoice for a “Monolithic Inertial Sensor Digital Output of the brand/type ADIS16445BMLZ”. A quick internet search shows online traders who offer this product and helps find the relevant TARIC codes (8542399000). After converting the number to the CN code format, the first 6 digits, (8542 39), then it is easy to search for the number in the list of goods which may not be sold to any entity in Russia. By converting the number to the ECCN code format, it is also possible to confirm that this type of chip, it is also on the US’s Commerce Control List.

This exercise really highlights the difficulty of identifying restricted goods including dual-use goods. Invoices may provide part numbers or product names, but manual work is necessary to connect those product descriptions with the necessary codes used in official lists.

The court decision also provides an interesting insight into the approach of the defense in this case. The defense claimed that it wasn’t sufficient to consider just invoices and other documentation; they insisted that the goods themselves should have been investigated. The court rejected this on the basis that there was no indication that the goods delivered were different than those specified on the invoice. From a practical perspective, it is hard to say how Dutch prosecutors could have obtained the goods to inspect them as they had already been exported. Had the court agreed to this logic, it would have made prosecutions an impossibility.

One of the biggest topics in financial crime compliance circles is the usefulness of Suspicious Transaction Reports. Millions of reports are filed every year, but feedback is very rare. In this case, however, we have an example where the FIU was able to take the information received from an obligated entity, initiate an investigation, and obtain a conviction.

Netherlands FIU report 2022 Annual review of FIU-the Netherlands (fiu-nederland.nl)

Press Release about arrest Aanhouding in onderzoek naar overtreding sanctiewetgeving | FIOD

Court Decision: ECLI:NL:RBROT:2023:10072, Rechtbank Rotterdam, 83-235373-22 (rechtspraak.nl)

Council Regulation (EU) No 833/2014 of 31 July 2014 EUR-Lex - 02014R0833-20231001 - EN - EUR-Lex (europa.eu)

Explore our latest FCC (Financial Crime Compliance) Essential article as Christopher Stringham, Global Account Manager at Neterium, delves into his fervor for Financial Crime Compliance (FCC).

In this third edition, our focus delves into instances of violations of UN arms embargoes. These embargoes, mandated by the United Nations Security Council, serve as measures to curtail the provision of weapons and military equipment to specific countries or entities. They are enacted in response to concerns regarding conflicts, human rights abuses, or threats to international peace and security.

While much attention has rightly been given to unilateral sanctions programs, it is crucial to underscore the significance of multilateral sanctions imposed by the United Nations. These measures are not to be overlooked, as they are initiated and collectively agreed upon by the Security Council, comprising parties that may often find themselves in disagreement. Given the diverse composition of the Security Council, the enforcement of these multilateral sanctions should be amplified, making them more effective.

This article will delve into the accuracy of this perspective, examining whether the enforcement of UN multilateral sanctions is indeed proportional to their potential impact.

===

Much attention has been paid, justifiable, to unilateral sanctions programs. That does not mean however that multilateral sanctions from the United Nations are unimportant. Considering that these programs are initiated and agreed upon by the Security Council, including parties that are otherwise frequently at odds with each other, these regimes should be subject to greater enforcement and therefore more effective. This is unfortunately not often the case. In 2011, following the outbreak of the Libyan civil war, the Security Council passed Resolution 1970. In addition to asset freezes and travel bans against members of the Gaddafi government and family, the resolution also enacted an arms embargo to prevent the exportation of weapons to Libya. Unfortunately, the Panel of Experts called this embargo "totally ineffective" in 2021.

The annual Panel of Expert reports provide amazing information regarding the efforts and methods for evading and circumventing the embargo. These also highlight the challenges faced by both the public and private sectors regarding conducting due diligence, identifying potential crimes and eventual bringing criminal proceedings. One of the cases highlighted in the 2021 Final Report relates to the "Project Opus" private military intervention. This involved a well-funded private military company that was controlled and managed by persons from Australia, the UK and South Africa. One of the goals of the operation was to procure military goods, such as aircraft and surveillance equipment, for General Khalifa Haftar, a warlord described as the "biggest single obstacle to peace in Libya."

To accomplish this, the group established at least three shell companies in the United Arab Emirates and attempted to procure surplus military helicopters from Jordan. However, Jordanian officials learned of the plan and suspended the auction for the aircraft prompting the group to search for alternatives. In addition to helicopters procured from South Africa and the UAE, three fixed wing aircraft were also purchased from companies based in Bermuda, Bulgaria and Austria. All three of these companies were controlled by a single American citizen, who was resident in Austria. This American was previously known for his involvement with other private military companies, specifically in Iraq, and his sister was a member of Donald Trump's cabinet. The UN experts were able to determine that he had been involved in making the group's proposal to General Haftar and was directly involved with and knowledgeable of the Project Opus operation.

Despite the teams' efforts to obtain equipment for General Haftar, he was "unimpressed with the replacement aircraft procured for the operations and made threats against the team management." This resulted in a Hollywood-style evacuation of twenty of the group's operatives. The evacuation resulted in a 36-hour, 350 nautical mile trip from Benghazi to Malta on two rigid hulled inflatable boats, one of which needed to be abandoned during the trip. They landed in Malta at 13.00 and told Malta police that they "were from an oil field operation and needed to leave Libya quickly because of deteriorating security concerns."

The efforts used typologies that will be recognizable to AML specialists. In addition to founding multiple companies, these were used in ways to increase the "opacity of the operation" such as contracting goods and services with one company and paying invoices with another. In a later UN report, the experts mention an interview where someone close to the American explained that he "protected himself from litigation by not owning companies, and by controlling them through debt ownership or security pledges he would receive material or financial benefits in other ways." The team also prepared counterfeit documentation to help justify and support the shipments of the equipment, but these were often obviously "cut and paste".

While the UN gave this case a significant amount of attention in their reports, it was a 2016 investigative news report about the American and his activities in Austria that led to legal action. According to the report by The Intercept, the American had taken a 25% ownership stake in a specialist aviation company near Vienna. The employees at the company would refer to him as "Echo Papa" and they would make extremely specific modifications to aircraft, such as adding surveillance and targeting equipment, armoring the engine block, adding bulletproof windows, and added mounting points for machine guns. In the case documented here, the aircraft was exported from Austria and was sent to South Sudan. Despite the military modifications, the export took place without the necessary government approvals required for military equipment. And the documentation stated that the destination was Kenya.

Seven years after the report, the American is now on trial in Austria for exporting war material without a license. According to his defense attorney, the 'military' modifications are not sufficient to qualify the aircraft as 'military goods' because they were too weak and nonsense. Also, the true destination was really Kenya, and the plane only landed in South Sudan due to technical problems. While some of the participants are finally going to trial, journalists and official bodies have documented this story for years. And authorities in Malta brought charges against persons involved in this case in 2020, though they were eventually acquitted.

This case highlights the efforts that people will make to disguise their activities, but it also shows that journalists and investigators are still capable of uncovering the truth. This information helps the public sector take actions and bring prosecutions, and helps the private sector conduct due diligence to avoid supporting potentially illegal activity.

UN Resolution 1970 https://documents-dds-ny.un.org/doc/UNDOC/GEN/N11/245/58/PDF/N1124558.pdf?OpenElement

UN Press Release 2021 https://news.un.org/en/story/2021/03/1087562

Panel of Exprt Reports https://documents-dds-ny.un.org/doc/UNDOC/GEN/N21/037/72/PDF/N2103772.pdf?OpenElement

Newsweek article https://www.newsweek.com/khalifa-haftar-isis-libya-muammar-el-qaddafi-483246

Panel of Expert Report 2022 https://documents-dds-ny.un.org/doc/UNDOC/GEN/N22/334/41/PDF/N2233441.pdf?OpenElement

The Intercept Report https://theintercept.com/2016/04/11/blackwater-founder-erik-prince-drive-to-build-private-air-force/

AP News Report: https://apnews.com/article/austria-aircraft-export-trial-prince-blackwater-f2042f2ae0a3b2df5c3d15c17923f51a

Der Standard News Report https://www.derstandard.at/story/3000000195428/prozess-um-blackwater-gruender-prince-startet-in-wiener-neustadt

Time of Malta reports https://timesofmalta.com/articles/view/military-contractors-left-malta-for-secret-mission-to-libya.794309

and https://timesofmalta.com/articles/view/blunders-led-acquittal-libya-mercenaries-case.994317

Explore our latest FCC (Financial Crime Compliance) Essential article as Christopher Stringham, Global Account Manager at Neterium, dives into his strong dedication to Financial Crime Compliance (FCC).

In this fourth edition, Christopher dives into a series of case studies of the Office of Foreign Assets Control (OFAC), the financial intelligence and enforcement agency of the U.S. Treasury Department. In 2023, OFAC's sanctions highlighted the critical role of location, with many fined entities neglecting effective geolocation checks. Despite possessing valuable information, firms failed to leverage geodata for identifying sanctions risks, often due to inadequate capture of country data.

===

Sanctions are a valuable tool of geopolitics, and therefore, it is unsurprising that location plays an especially significant role. If we consider the various fines issued by OFAC in 2023, location is involved in every case, and OFAC explicitly raised the lack of inadequacy of geolocation checks in many cases. Consideration of the various OFAC enforcement actions in 2023 provides numerous examples from which to learn.

Quite often, a sanctions compliance program will consist of screening the names of customers and partners against lists of designated persons. However, not all sanctions programs involve solely specific names. Information about location can also provide an excellent way of identifying risk. In the various OFAC enforcement actions this year, there are many examples of firms failing to use this geolocation data effectively.

Many of the entities subject to fines this year collected information that could have been, but was not, used to identify the sanctions risk. One theme that appears in multiple cases relates to the way country data was captured.

  1. In one example, a California-based MSB provided a drop-down menu from which new users could accept their country of residence. It was possible for the users to select a non-sanctioned jurisdiction, and then provide their actual address in a sanctioned jurisdiction in a free text field. No comparison was made between the two fields and the free text field was not used in the sanctions screening process. Additionally, the screening process did not consider if the user provided an identification document from a sanctioned jurisdiction.

31 March 2023: https://ofac.treasury.gov/media/931556/download?inline

  1. In another case, a large US technology company did not collect complete and accurate information about the identities of the end customers. The screening system also did not aggregate or consider data that was collected such as names, addresses and tax identification numbers which would have helped identify blocked persons. The reference data didn’t include the entities subject to the 50% rule or the native character alias of the lists entities.

6 April 2023: https://ofac.treasury.gov/media/931591/download?inline

  1. IP addresses have come up frequently this year. A US based trading platform monitored these and even would conduct extra due diligence when a connection to sanctioned jurisdictions was identified. But it did not automatically block payments. Also, it had implemented a sanctions compliance program after going live but did not retroactively screen existing customers.

1 May 2023: https://ofac.treasury.gov/media/931701/download?inline

  1. A Californian cosmetics company entered into an exclusive distribution agreement with and Iranian distributor to sell the companies goods in the Middle East. After sanctions against Iran increased, a new distribution agreement with the CEO of the Iranian Distributor was signed (using a legal entity in the United Arab Emirates). At one point, the California company received an email describing the process for shipping to Tehran. While this led to an instruction to stop exports to Iran, this was not actually implemented. It was not until the cosmetic company's bank started making inquiries that exports finally were halted.

17 May 2023: https://ofac.treasury.gov/media/931761/download?inline

  1. A Nordic bank onboarded a shipping Company in Crimea prior to 2014. This company owned three special purpose companies, and established bank accounts for each. The KYC records indicated the connection to Crimea with addresses, telephone numbers and statements on the customer questionnaire. The bank's e-banking platform was accessed from IP addresses located in Crimea. When a transaction was blocked by a US correspondent bank, the Nordic bank contacted its customer and was falsely assured that none of the transactions involved Crimea. The Nordic bank then rerouted the transaction to another bank.

20 June 2023: https://ofac.treasury.gov/media/931911/download?inline

  1. A US manufacturing company was approached to supply license plate sheeting to a German company and believed that the customer would transform the sheeting into blank license plates for export to Iran. The scope of the project was misunderstood, the German company intend to directly reexport the sheeting to Iran. Even after the true scope became apparent, internal documents continued to state the purpose as conversion to blank license plate to avoid further scrutiny. The US company screening process did not identify the risk, because only the name of the German company was screened, not the Iranian end-user. The issue was only identified after the expiration of a general license triggered a full review of all Iran related businesses.

21 September 2023: https://ofac.treasury.gov/media/932161/download?inline

  1. An Illinois payments firm manages prepaid rewards card programs. Upon receiving a list of authorized users from the client, the (Illinois payments firm) would send those persons a token for a card. This process involved the collection of the persons' names, addresses and email addresses. It was not possible to select an address in a sanctioned jurisdiction. During a compliance review, it was discovered that users with IP addresses in sanctioned jurisdictions had used its services to redeem cards over twelve thousand times. While the company started blocking based on IP addresses, the company later discovered that additional cases where users were providing email addresses with top-level domains from sanctioned jurisdictions.

6 November 2023: https://ofac.treasury.gov/media/932276/download?inline

  1. A virtual currency exchange permitted customers to identify themselves as being in a sanctioned jurisdiction but did nothing with that information. Even when the decision was made to off-board these customers, the users were still able to use the platform months later. While the platform would screen IP addresses, users could change their IP address with a VPN and access services even after failing the KYC screening. To appear compliance, management seemed to push for the use of VPNs to hide connections to the US and would also ask for non-US documents. The company was able to identify the locations of users via KYC questionnaires, phone numbers, documents, and IP addresses, but did not use these.

21 November 2023: https://ofac.treasury.gov/media/932351/download?inline

  1. Another virtual currency exchange implemented a KYC and sanctions screening process which included IP address monitoring. Also, if a user presented an identification document from a comprehensively sanctioned jurisdiction, the application would be blocked. However, users were able to provide a 'country of residence' that differed from their actual address. For example, they could enter that they were living in 'Russia', but other fields would show that they were in Crimea. The screening solution focused only on the name of the country and failed to recognize 'Crimea' or city names in Crimea.

13 December 2023: https://ofac.treasury.gov/media/932406/download?inline

Explore our past FCC articles by clicking here.

Explore our latest FCC (Financial Crime Compliance) Essential article as Christopher Stringham, Global Account Manager at Neterium, dives into his strong dedication to Financial Crime Compliance (FCC).

In this fifth edition, Christopher breaks down the key points of the recent European Banking Authority (EBA) consultation paper, offering insights into its significance for industry professionals.

On 21 December 2023, the EBA released a consultation paper on internal policies, procedures, and controls to ensure the implementation of Union and national restrictive measures. This is a welcome set of guidelines for financial institutions and complements private sector guidance from organizations such as the Wolfsberg Group, a non-governmental association of thirteen global banks.

Some interesting points are required and will hopefully receive additional clarification before the final guidelines are released.

The most jarring recommendation relates to the question of which transfers should be subject to screening and when. Section 20 of the guidelines, on page 36, states: “PSPs should screen ALL transfers of funds before their completion.” This conflicts with current industry practices, which foresee the screening of some, but not all, transfers. As stated in the Wolfsberg guidance on sanctions screening, "screening cross-border payments before completing the transaction is common practice (...). By contrast, screening domestic payments in real-time may be unnecessary (...).” The EBA guidelines also seem to conflict with the new proposed regulation regarding instant credit transfers. Article 5(d)(2) states: “during the execution of an instant credit transfer, the payer's PSP and the payee's PSP involved in the execution of such transfer SHALL NOT verify if the payer or payee (...) are listed persons or entities (...).” This regulation requires daily screening of all clients rather than screening only at the time of a transfer. The EBA should take this into account and provide additional clarification on this topic to ensure alignment with EU legislation and to ensure that institutions have policies in place to avoid over-screening.

The EBA has included numerous sections which assume the availability of information and it makes sense for financial institutions to consider reputable and reliable information as part of their sanction's compliance process. Consider section 23(e)(a)(ii), page 19, which states that financial institutions should identify and assess geographic risk to the extent to which those jurisdictions are exposed to or known to be used to circumvent restrictive measures. Direct exposure to sanctions is a well-known risk factor that is considered already in Section 21.7 of the EBA's final guidelines on customer due diligence. However, knowledge about jurisdictions used to circumvent sanctions is more challenging. As potential sources, the consultation paper mentions “information from international bodies, government, national competent authorities, etc.” in section 24b. However, there is very little on this topic from the EU or member states, and the most directly relevant documentation on this topic is a compliance note from OFAC. Hopefully, the foundation of the EU's Anti-Money Laundering Authority, which will also oversee sanctions enforcement, will see the production of relevant, quality guidance.

The EBA does mention other potential sources. Section 24c states that FIs should include information from credible and reliable open sources such as reputable newspapers. While it is great to see an EU regulator highlight the importance of newspapers and media sources, there are limitations here. The (proposed) EU Media Freedom Act offers a very restrictive definition of media sources. If the EBA applies the same definition, this would not include the use of think-tank reports, academic research, or even the work of renowned freelance journalists. It would make sense for the EBA to highlight these other sources as well. Also, the proposed Anti-SLAPP (strategic lawsuits against public participation) directive, while a step in the right direction, arguably does not do enough to prevent the misuse of liable and data protection laws to restrict the publication of information relevant to the adequate assessment of circumvention risks. Without protections in place, the subjects of restrictive measures can create a chilling effect by targeting the authors of relevant material.

Finally, the proposed guidance includes several points that should be considered when designing or evaluating a sanctions compliance program. Here are some highlights:

  • 4.1.1 Choice of screening system, page 34, FIs 'should regularly review the performance of the screening system to ensure that it remains effective.' Unfortunately, this section does not refer to efficiency. Effectiveness and Efficiency are two sides of the same coin, as every false positive cost time that an analyst could be using to look at a true positive.

  • 4.1.2 List Management, page 34, FIs should have a process in place for identifying relevant restrictive measures and to update reference data when new restrictive measures are adopted or altered.

  • 4.1.6 Calibration, page 37: this section refers to both 'the appropriate percentage of matching' and discusses separately 'fuzzy matching techniques.' It does not mention what the difference is between these two terms. This section also does not consider that different target populations within the customer base may require different settings to achieve adequate results.

  • 4.2.1 Policies and procedures, page 38, should include steps for processing alerts and different levels of review, such as a four-eye process for discarding false positives. Considering the number of false alerts generated by some systems, this could require a significant increase in resources.

  • 4.2.2, alert analysis, page 39: section 35 states that policies should include procedures for 'cases where it is not possible to conclude with certainty (...) that a match is a true positive match, a false positive match or a situation of homonyms.' Everyone with experience in name screening knows the difficulty of ensuring confident matches and FIs need to provide their analysts with appropriate guidance.

** Additional Links: **

EBA Consultation Document: https://www.eba.europa.eu/sites/default/files/2023-12/55f8b825-dea4-48e9-82f4-f81a11cb4e47/Consultation%20paper%20on%20Guidelines%20restrictive%20measures.pdf

Wolfsberg Group Guidance on Sanctions Screening: https://db.wolfsberg-group.org/assets/4b6c2db6-696d-492e-bdd5-c51552708597/Wolfsberg%20Guidance%20on%20Sanctions%20Screening.pdf

Proposal for Regulation regarding instant credit transfers: https://data.consilium.europa.eu/doc/document/ST-15764-2023-REV-1/en/pdf

Proposal for a directive protecting persons who engage in public participation from manifestly unfounded or abusive court proceedings: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52022PC0177
EBA final guidelines: https://www.eba.europa.eu/sites/default/files/2024-01/a3e89f4f-fbf3-4bd6-9e07-35f3243555b3/Final%20Amending%20%20Guidelines%20on%20MLTF%20Risk%20Factors.pdf

EU Guidance on Russian Sanctions Circumvention: https://finance.ec.europa.eu/system/files/2023-12/guidance-eu-operators-russia-sanctions-circumvention_en.pdf

Proposal for a Regulation on Media Freedom: https://finance.ec.europa.eu/system/files/2023-12/guidance-eu-operators-russia-sanctions-circumvention_en.pdf

Compliance Note on Evasions of Russian Sanctions: https://ofac.treasury.gov/media/931471/download?inline

Explore our latest FCC (Financial Crime Compliance) Essential article as Christopher Stringham, Global Account Manager at Neterium, dives into his strong dedication to Financial Crime Compliance (FCC).

In the sixth edition, Christopher revisits Tuesday's announcement regarding a groundbreaking regulation passed by the European Council. This regulation aims to enhance security in instant payments, while also promoting greater efficiency and innovation in financial services. The new measures promise to facilitate faster cash flow mobility by allowing intra-EU transfers to be completed within 10 seconds. This significant development reflects the EU's commitment to staying ahead in financial technology and ensuring seamless transactions within its borders.

====

The EU Council has agreed to the proposed Instant Payments Regulation. This regulation is designed to increase the usage of instant payments within the EU and has implications for financial crime and sanctions compliance.

To foster greater trust between parties involved, the new regulation will require PSPs to offer their users the ability to verify the account number and name of the payee. This is a simple step for helping avoid invoice fraud. Today it is all too easy to write an invoice that looks like it comes from a well-known company. With account verification, users will be able to see that the account belongs to the person that they intend to transfer money to. Importantly, the regulation requires the ability to use unambiguous identifiers such as fiscal numbers or legal entity identifiers where the payee is a legal person. This will help reduce the need to conduct name matching. The regulation also includes a provision requiring that PSPs maintain processes for ensuring that the information of their users is correct and up to date. In fact, these provisions offer a great advantage for financial institutions about sanctions and AML compliance as they can be more confident of the information used in their risk detection processes and will be able to gain more reliable data relating to the payees of their clients' transactions.

This regulation also has explicit provisions regarding the way FIs should conduct sanctions screening; specifically, the PSPs should not screen individual transactions for sanctions risk. Rather, PSPs offering ICTs must "verify whether users are subject to targeted financial restrictive measures." This verification must happen immediately after the entry into force of any new measures or when amendments are made or at least once every calendar day. In other words, PSPs should conduct daily sanctions screening of all their users. It is remarkably interesting to see how this passage developed during the legislative process. If we consider an earlier draft from 2022, an important paragraph was removed from the final draft.

The removed paragraph stated that a PSP would be liable to the other PSP for any fines or penalties if it fails to verify its users and an instant credit transfer is executed in violation of restrictive measures. This provision could have played a significant role in increasing trust between PSPs and to help avoid a situation in which two different institutions conduct redundant work by each checking both parties to a transaction. The reason for its removal is hinted by the inclusion of another passage in the final draft that was not in the earlier proposal.

The final draft has a clarification that this provision does not apply to compliance with restrictive measures issued by authorities other than the EU. This means that PSPs may/must continue to screen payments to identify risks regarding restrictive measures issued by member states or other jurisdictions such as the United States. In practice, this puts PSPs in a potentially tricky situation. It is important to note that this regulation has strict time requirements regarding the execution of payment orders. The payer's PSP must 'immediately' process orders and send the payments to the PSP, though the relevant passage also states that the payer's PSP must 'immediately' verify if the conditions for processing, such as sufficient funds, are fulfilled. Theoretically, this 'verification' could also include sanctions check. On the side of the payee's PSP, there is a ten second period in which the payment must be posted to the payee's account.

From a sanction's compliance perspective, the initial proposal would have reduced redundant screening, helped improve processing times and clearly established liability. The final draft does none of these. PSPs will implement increasingly sophisticated systems to identify when screening should occur, to apply highly configured rules for specific situations, and to conduct the screening in a much more expedient manner.

(#1) Final Document: https://data.consilium.europa.eu/doc/document/PE-76-2023-INIT/en/pdf (#2) Draft from 2022: https://ec.europa.eu/finance/docs/law/221026-proposal-instant-payments_en.pdf

Explore our latest FCC (Financial Crime Compliance) Essential article as Christopher Stringham, Product Manager at Neterium, dives into his strong dedication to Financial Crime Compliance (FCC).

In the seven edition, Christopher dives into the history of European autonomous sanctions. It began with the European Community's measures against the Soviet Union following the 1979 invasion of Afghanistan. The effectiveness of sanctions has been debated, with enforcement being a critical element, as highlighted by a 2004 UN Report and intensified by the EU's 2018 Sanctions Guidelines. The EU's recent Directive (EU) 2024/1226 aims to harmonise criminal penalties for sanctions violations, setting minimum standards for offenses and penalties across member states. Despite these efforts, significant flexibility remains in implementation, which could lead to continued discrepancies and forum shopping within the EU. Read to discover more about the evolution and challenges of European autonomous sanctions and follow Neterium for regular updates on the Financial Crime Compliance.

=======

The history of European autonomous sanctions begins with the measures of the European Community against the Soviet Union for the illegal invasion of Afghanistan in 1979. At the beginning of 1980, the EEC decided to support the US grain embargo by prohibiting the increase of exports to the USSR as well as the suspension of future sales of subsidized sugar.i These limited measures proved ineffective and international coalition supporting them fell apart quickly.ii

Effectiveness of sanctions has remained a key topic relating since that time and not only in the context of unilateral sanctions. A United Nations Report in 2004 bemoaned the failure of sanctions when member states failed to enforce the measures.iii But with return of polarization in the UN Security Council, the primacy of unilateral sanctions is clear.

Sanctions are issued for a variety of reasons. The most cited justification is as a tool of compellence. According to the General Framework for EU Sanctions, restrictive measures (sanctions) are imposed for the purpose of compelling "a change of Policy or activity” by a third-countries or non-state actors.iv According to a Report by the European Parliamentary Research Service, "Judged by this criterion, sanctions more often fail than not." In the case of the sanctions against the USSR relating to Afghanistan, the multilateral coalition disintegrated very quickly and did not play any role in the eventual withdrawal.v

As mentioned in the 2004 UN Report, enforcement is a key element of ensuring the effectiveness of programs. In the European Union, discussion of enforcement and effectiveness intensified in 2018 with the publication of the Sanctions Guidelines by the Council of the European Union. This stated, "The effectiveness of EU restrictive measures – and also the EU’s credibility – hinges to a large degree on restrictive measures being implemented and enforced promptly and without exceptions in all Member States."vi Additionally, a report by Eurojust in 2021 noted, "Although there is a real interest amongst EU competent authorities in pursuing actions against individuals and corporations violating the EU-imposed sanctions regimes, the number of enforcement actions within the EU during the past few years remains minimal."vii

Discussions of sanctions enforcement typically focuses on the actions of the United States. Consider the case of a large European bank that reached a massive settlement with OFAC in 2014 regarding potential violations of US sanctions between 2004 and 2012.viii While the Americans acted quickly and publicly, investigations by the bank’s domestic authorities regarding potential violations of UN sanctions against Rwanda in the mid-90s were only opened after NGOs brought a compliant to public prosecutors in 2017ix. The case does not seem to have progresses since then, and there do not seem to be any public statements regarding the reasons.x In fact, few Member States publish information or statements regarding sanctions investigations or enforcement activity.

Overall, the EU has been under pressure to "to improve its sanctions implementation record."xi And one point that has frequently been raise is that implementation and enforcement is decentralised, while decision making is centralised in the EU Commission. There are more than 160 designated competent authorities; one member state (Latvia) has 27 different agencies. Additionally, it is up to the member states to implement criminal penalties and has resulted in a situation where there are widely different punishments throughout the bloc.

As an example of the divergence in penalties, the maximum period of imprisonment varies from six months in Greece to twelve years in Italy and Malta. And the maximum fine for individuals varies from €1.300 in Estonia to €5 Million in Malta. In two states, violations are seen as purely administrative.xii

To address these concerns and Limitations, the European Union has been working on passing a few reforms. First, the new Anti-Money Laundering Authority should take a role in creating “a common supervisory approach to verification of compliance with sanctions-related requirements.”xiii The specifics will be apparent once the final draft of the proposals have been passed and published. Secondly, the EU has proposed, and recently passed, Directive (EU) 2024/1226 on the definition of criminal offences and penalties for the violation of Union restrictive measures. The Directive was published in the Official Journal of the European Union on April 29, 2024.

This directive is heavily influence by Directive (EU) 2018/1673 on combating money laundering by criminal law. It seeks to harmonise criminal penalties across the EU for violating sanctions by establishing minimum standards.

Article 3 outlines the offenses that Member States are required to classify as criminal acts. These include:

  • Directly or indirectly providing funds or economic resources to designated persons.
  • Failing to freeze funds or economic resources belonging to designated persons.
  • Engaging in trade of sanctioned goods or conducting transactions with states or designated persons.
  • Offering financial services or conducting financial activities that are prohibited or restricted.

This section also provides a definition of 'circumvention' which includes:

  • using a Shell or front Company to conceal that the true beneficiary of the transaction is a designated Person.
  • providing false or misleading Information to conceal that the true beneficiary of the transaction is a designated Person.
  • failing to report on funds of designated persons which have been frozen.

Interestingly, the definition of money laundering in Directive (EU) 2018/1673 doesn’t explicitly mention the use of front companies or providing false information. The definition of money laundering is more generic: “he concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property is derived from criminal activity”. Since Directive (EU) 2024/1226 reforms the earlier directive to include the violate of EU restrictive measures as a predicate offense, using a shell company to conceal or disguise the true nature of the transaction would count as both sanctions' circumvention and money laundering.

Article 5 sets the minimum requirements relating to penalties for natural persons. These are very detailed, with various lengths of imprisonment, starting from at least one year, depending on the specific Violation and the amount of funds involved. As an example, the failure to freeze the funds of a DP, when the value is at least €100k, should have a maximum imprisonment term of at least five years. This provision sets the minimum level that the Maximum Penalty must be. Greece, which currently has a maximum imprisonment of 6 months, will therefore have to increase this to 5 years. Italy and Malta, which have maximum terms of imprisonment of 12 years will not have to change their penalties. The directive does not set Minimum Penalties, so it is still possible that courts can impose sentences of less than the five years in accordance with the national sentencing laws and guidelines.

Articles 6 and 7 cover the liability of legal persons. Here an important restrictive element is included. Liability depends on the actions of persons within the Organisation who have a "leading Position." This means that legal persons will only be liable when a leading Person either makes an active decision to violate EU sanctions or where a "lack of supervision" by the leading person makes the violation possible. When a violation occurs, penalties can include such consequences as exclusion from public tenders or disqualification to conduct business/winding-up. The maximum fine must be at least 5% of total worldwide Turnover or €40 million.

Regarding limitation periods, member states must ensure that prosecutions may be initiated for at least five years following the offense. Member states could impose a shorter period (three years) where such period may be interrupted or paused. Contrast this with the changes implemented by Section 3111 of H.R. 815 (Public Law 118-50) which increases the Limitation period for the Violation of US sanctions to 10 years from the date of the latest Violation.xiv

In Article 12, minimum standards of jurisdictions are set. There are three mandatory situations where a member state must ensure that it has jurisdiction. Two of these are the same as in the money laundering directive: when the criminal offense is committed within the territory of the member state and when the offender is a national of the member state. The sanctions directive adds that jurisdiction should also exist when the crime is committed on board a ship or aircraft registered in the member state or flying its flag. There are also some situations in which a member state could also elect to impose jurisdiction and would then be required to inform the commission.

The most interesting point, which was also in the money laundering directive, is that jurisdiction may be extended when the “the offence is committed for the benefit of a legal person established on its territory.” Currently, subsidiaries of EU companies in third countries are not required to follow EU sanctions.xv This is due to the EU’s long-standing objection to the extra-territorial application of sanctions, by the US.xvi However, if member states were to exert jurisdiction where the actions were made for the benefit of EU legal persons, then this also apply to third-country subsidiaries. This provision is copied directly from the previous directive, so it isn’t a conscious attempt to move towards explicit extraterritoriality, but it does open the door in an area where the EU was previously hesitant.

Overall, the immediate impact of this directive will be limited. It only sets “minimum levels for the maximum term of imprisonment” and does not set any minimum terms of imprisonment. As a directive, member states still have significant flexibility in implementing it. That means that there could still be substantial variance between member states and contribute to continued forum shopping. This directive does not affect enforcement, and there will likely be variation in enforcement. Still, this is an interesting step in the European Union’s ongoing efforts to ensure that sanctions are an effective and useful tool.

Sources

[1] Delegation of the Commission of the European Communities to the United Nations. 1980. "EC Statement Condemns Soviet Union's Invasion of Afghanistan Seeks Immediate Withdrawal." http://aei.pitt.edu/60299/1/ECN_1980.pdf

[1] Nossal, Kim Richard. “Knowing When to Fold: Western Sanctions against the USSR 1980-1983.” International Journal, vol. 44, no. 3, 1989, pp. 698–724. JSTOR, https://doi.org/10.2307/40202621. Accessed 13 May 2024.

[1] United Nations. A more secure world: our shared responsibility. 2004 https://www.un.org/peacebuilding/sites/www.un.org.peacebuilding/files/documents/hlp_more_secure_world.pdf

[1] General framework for EU sanctions. (2023, May 5). Retrieved from EUR-Lex: https://eur-lex.europa.eu/EN/legal-content/summary/general-framework-for-eu-sanctions.html

Also Section 4 of: General Secretariat of the Council. 2018. "Sanctions Guidelines – update." Brussels. https://data.consilium.europa.eu/doc/document/ST-5664-2018-INIT/en/pdf.

[1] European Parliament, Policy Department, Directorate-General for External Policies. "Implementation and monitoring of the EU sanctions’ regimes, including recommendations to reinforce the EU’s capacities to implement and monitor sanctions." October 2023. https://www.europarl.europa.eu/RegData/etudes/BRIE/2018/621870/EPRS_BRI(2018)621870_EN.pdf

[1] General Secretariat of the Council. 2018. "Sanctions Guidelines – update." Brussels. https://data.consilium.europa.eu/doc/document/ST-5664-2018-INIT/en/pdf.

[1] Secretariat, EUROJUST - Genocide Network. 2021. "Prosecution of Sanctions (Restrictive Measures) Violations in National Jurisdictions." The Hague. https://www.eurojust.europa.eu/sites/default/files/assets/genocide_network_report_on_prosecution_of_sanctions_restrictive_measures_violations_23_11_2021.pdf.

[1] Department of Justice - Office of Public Affairs. 2014. "Press Release - BNP Paribas Agrees to Plead Guilty." June 30. https://www.justice.gov/opa/pr/bnp-paribas-agrees-plead-guilty-and-pay-89-billion-illegally-processing-financial.

[1] SHERPA. BNP Paribas case in Rwanda. Retrieved May 14, 2024, from https://www.asso-sherpa.org/bnp-paribas-case-in-rwanda

[1] See note vii.

[1] See note iv.

[1] See not vii.

[1] European Commission. “Frequently asked questions about the new EU Anti-Money Laundering Authority (AMLA)”. https://finance.ec.europa.eu/financial-crime/amla/frequently-asked-questions_en.

[1], US Congress. H.R.815 - Making emergency supplemental appropriations for the fiscal year ending September 30, 2024, and for other purposes. Retrieved from https://www.congress.gov/bill/118th-congress/house-bill/815/text#toc-HB2D5FCAE5F8A4A60BD602BF00174830E

[1] European Commission. "Frequently Asked Questions - RELATED PROVISION: ARTICLE 5b; ARTICLE 5c; ARTICLE 5g OF COUNCIL." https://finance.ec.europa.eu/document/download/a2f66733-09b6-43ec-b8f5-c594a55ca997_en?filename=faqs-sanctions-russia-deposits_en.pdf+.

[1] European Communities: Comments on the US Regulations Concerning Trade with the USSR (1982) 21 International Legal Materials 891, para 8

The information provided has been researched and written with due diligence to offer insights and perspectives on the subject matter. However, it is important to note that this content is for informational purposes only and should not be construed as legal, regulatory, financial, or professional advice of any kind. Readers are urged to consult with qualified experts, advisors, or professionals relevant to their specific circumstances and needs before making any business, legal, or financial decisions. The content presented here may not be comprehensive or up-to-date, and the laws, regulations, and business environments can change rapidly. The authors, contributors, and our organization do not assume any liability for errors, omissions, or inaccuracies in the content, or for any actions taken based on the information provided in this thought leadership piece. Reliance on this content is solely at the reader's discretion. By accessing and reading this content, you agree to hold our organization and its authors harmless from any claims, losses, liabilities, or damages arising from the use or reliance on the information contained herein.