Last summer, New Zealand aircraftmanufacturer Pacific Aerospace was charged with breaking new UnitedNations sanctions after aircraft it sold to a Chinese company endedup on a runway in North Korea. The company pled guilty. It will besentenced in January; penalties may take the form of substantialfines or imprisonment of up to 12 months for individualexecutives.

Sanctions filtering and “know your customer” are not justbanking problems. Regulations are perpetually becoming morecomplex. Companies are expected to abide by all relevant laws inthe places where they do business. For example, companies doingbusiness in the United States must ensure they're not doingbusiness with any U.S.-sanctioned individuals or entities. Inpractical terms, this means companies should be scanning theircustomers, vendors, and any payments to or from those entitiesagainst the current published government watchlists. Often,companies leave this filtering to their financial institutions, butas Pacific Aerospace can attest, regulatory authorities usuallyfine the actual initiator of the transaction—the corporate—ratherthan the bank.

In today's dynamic geopolitical environment, new traderestrictions and embargoes are emerging with increasing frequency.Sanctions have become an increasingly popular foreign policy toolfor governments. What previously were relatively straightforwardsanctions obligations and outright trade embargoes against personsor territories are increasingly taking a hybrid and nuanced form,permitting some specific types of commercial transactions butoutlawing others. For example, trade may be permitted withcompanies in a specific sector, while trade with similar businessesis against the law.

The short transaction processingtime for increasingly popular same-day and real-time payments can present specifictechnical challenges. Not complying with a certain sanction is arelatively easy mistake for a company to make. And the greater thenumber of countries a business works in, the more varied sanctionsrules it has to comply with—leading to a very trickyenvironment.

A global law firm recently reviewed sanctions-compliance obligations around the world andconcluded that today's sanctions regime for corporates involves“more focus, more fines, and more complexity.” The takeaway warningis that yesterday's compliance processes may not be sufficienttoday.

|

Growing Costs

Companies that may have previously considered themselves securein doing business with low-risk counterparties in non-contentioussectors and territories are now finding that they need to complywith more fluid and complex sanctions rules. Businesses outside thefinancial services sector need to be vigilant about understandingthe ultimate end-user beneficiaries in all their commercialrelationships.

Many organizations are dedicating new attention to keeping up.Recent research from Thomson Reuters revealed that nearly 40 percentof anti-money laundering (AML) professionals view existingprocesses as failing to comply with today's more onerous regulatorydemands. This is a significant concern given today's fluidcompliance landscape and the new Financial Crimes EnforcementNetwork (FinCEN) rules coming into effect in 2018.

The failure to adhere to sanctions compliance regimes around theworld continues to catch corporates out, often with significantnegative impact. The days of regulators focusing solely onarmaments have long since passed, and the penalties fornoncompliance continue to grow. Companies that fail to update theirsanctions compliance procedures find that breaching restrictionscan be costly. One seed company was recently fined $4.3 million forselling flower seeds to distributors with Iranian connections, anda medical company was hit with a $7 million penalty as a result ofselling medical equipment to sanctioned customers in a number ofcountries, including Sudan.

Of course, the ultimate costs of noncompliance are far greaterthan the fines that are imposed. Reputational damage can be severeand prolonged. Regulatory investigations can also place acutepressures on liquidity and can severely damage the company's creditrating.

If an investigation reveals an inadequate complianceinfrastructure, the ramifications may expand rapidly. For example,when a potential watchlist hit is identified by a corporate's bank,the transaction is frozen immediately, and the company may not begiven a specific reason. If payments to suppliers and staff aredelayed, imagine the adverse effects on the company's ability tooperate effectively. Or consider the impact if a company's lines ofcredit are abruptly withdrawn. Such actions might have a dominoeffect on the organization's credit status. And these potentiallydamaging actions might further strain relationships with bankingpartners. A company's credit rating might be severely damaged as aresult of a single incident.

A false-positive watchlist hit can usually be investigated andcleared quickly, but sometimes there are delays of several days, oreven weeks. If the hit is, instead, validated, the transactionremains frozen and is reported to the proper authorities.

These false-positive hits—as well as real sanctionsviolations—can be avoided if the company performs its own filteringin-house before submitting transactions to the banks. The potentialfor problems caused by deteriorating bank relationships, thefinancial and reputational impact of incurring massive fines, andthe negative effects of payment processing delays all providecompelling reasons for companies to review theircorporate-sanctions screening processes. This is especially truefor larger multinationals, where the need to modernize orstreamline processes may be greater.

|

The Role of Corporate Treasury

Corporate treasury should play a leading role in mitigatingsanctions and compliance risks. In the face of these threats, manycorporate treasurers have proactively assessed and implemented newsanctions screening methods. Yet despite frequent reports detailingthe destructive consequences for companies that ignore theircorporate sanctions obligations, there is still a reluctance amongsome treasuries to tackle the risk, due to the cost, the timeinvolved in implementing such projects, or the false thinking thattheir banks have sole responsibility for checking transactions.

This is not a risk that any business can afford to take.Complacency, combined with inadequate corporate structures and acomplex regulatory environment, may result in significant financialpenalties and long-term reputational damage, and may underminebusiness relationships.

Standing at the financial heart of the business, the corporatetreasury function should take the lead in managing a fullrisk-assessment process, ensuring a clear knowledge of the profileof each customer and supplier (KYC). A review of compliance andaudit processes along the full payments lifecycle—includingreal-time screening capabilities—should enable the treasury team tofully mitigate the risks of sending inappropriate payments toblacklisted countries, companies, or individuals.

At the same time, companies that are found to have suitableprocesses and systems in place may be rewarded for any effectivesanctions filtering mechanisms in place. An appropriate approach tosanctions compliance will improve a company's reputation as a goodcorporate citizen of the world. This can lead to enhanced creditstatus, improving access to working capital amongst otherbenefits.

|

Solution Checklist

The first step for a treasury team looking to improve itssanctions compliance is to conduct a review of the complianceprocesses the business currently has in place, as well as thecapabilities it needs. The project team should ask the followingquestions:

• What regulatory authorities does our business fall under?
• What is our current process to on-board new customers?
• What is our current process to on-board new suppliers and othercounterparties?
• When in the process are they checked against sanctionswatchlists (if at all)?
• How frequently are the watchlists updated?
• How do we determine the beneficial ownership of thecustomer/supplier/counterparty?
• Are any executives we do business with listed as politicallyexposed persons (PEPs)?
• What is the current investigation/remediation process forclearing potential watchlist hits?
• Are payment and counterparty details stored in differentsystems? (If so, data from multiple sources needs to go through thesanctions filter.)

Throughout this process, treasury should be empowered to scanall supplier, customer, and employee names, as well as other data,on demand. This should be done on a regular basis, as the datachanges frequently, sometimes even hourly.

Any effort to assess a company's sanctions compliance also needsto include a complete overview of the payments system. Thesanctions screening process needs to serve as a filter between eachpayment being received and being processed—and it needs to beapplied to every transaction that the company initiates. Fromon-boarding to transaction management, compliance checks need to“touch” every payment as it goes through the company. Compliancereviewers need to quickly and easily understand where the paymentcame from and why it is being sent.

There are software solutions available that can automate theseprocesses, comparing names of prospective trading partners againstwatchlists. One challenge with these types of solutions is thatmanaging the alerts can become extremely unwieldy, especially inlarge multinationals that have many thousands of transactions permonth. An automated solution is obviously more efficient thantrying to check every transaction manually.

If a company uses such a solution, treasury staff will stillneed to open a case and investigate each transaction that generatesan alert in the software. The investigation can take just a fewminutes if payment data has been erroneously matched by a softwareapplication—or it can take days if investigators need to contactseveral people around the company to get further details. Onechallenge for the treasury team is that they often don't have theresources to manage investigations as efficiently as possible. Whena company implements a sanctions-compliance solution, it's in theinterests of the project team to configure the system in ways thatminimize the number of false positives, so that it doesn't generatealerts for transactions that aren't actually problematic.

One way to reduce the frequency of false positives is to deploya process or system that reads data in context. For example, SantaClara is a city Cuba as well as a city in California. Sanctionscompliance technologies that are based on a risk score often read“Santa Clara” and stop the transaction, regardless of what otherinformation the payment message contains. Solutions built onartificial intelligence technologies, on the other hand, willrecognize that if the payment is being sent to California, and notto Cuba, the transaction should not be stopped. Machine learningcan also be applied, so that the system learns from the patterns ofactions an operator has taken in the past, improving efficiency onan ongoing basis.

Ideally, a company would reduce the proportion of falsepositives to between 5 percent and 10 percent of all transactions,a level that is considered acceptable for banks. Bringing the falsepositives down to this level can significantly reduce the time abusiness spends resolving issues. Inefficient screening processescan consume so many staff resources that a company's approach tosanctions screening can even be a competitive differentiator.

Another challenge for a treasury team re-evaluting theircompany's sanctions compliance is that they need to ensure thatfinancing arrangements, including insurance and trade contracts,are flexible enough to allow de-risking should new sanctionsobligations come into force that would impact current operations.For example, if the U.S. government issues sanctions against a newcountry or individual, the company needs to be able to stop doingbusiness with that entity.

A serious review of sanctions processes can fit into a widerrisk-mitigation and financial-crimes compliance framework, whichwould also encompass payments fraud and trade-based moneylaundering. While the challenges in these areas can be verydifferent, a unified approach to compliance assurance thatincorporates the ability to prevent payments fraud, together withmoney-laundering detection, can provide additional financialbenefits and reputational security.

Ideally, all of these risk exposures and processes should fallunder one person, such as the corporate chief risk officer orgeneral counsel. It needs to be an executive who can reach acrossdepartments and geographies to gain a full view.

For companies in which sanctions screening compliance today isinadequate, the costs of ignoring this challenge may be severe andprofound. Corporate treasury can and should lead an effort tounderstand the new compliance demands, review existing capabilitiesand systems, and implement future-proofed solutions that may offerboth compliance assurance and a competitive advantage.

Bill North ishead of global sales for Pelican, in which capacity he overseesthe coordination, functional management, and leadership of thecompany's sales initiatives. He has more than 20 years' experienceworking with corporates and banks across the globe in leveragingtechnology to optimize treasury and payment processes. Bill holds aB.S. from the University of Houston.