Part II: Software-based sanctions compliance
While many areas are still discussing and trying out how software-based compliance tools can be used sensibly, software in the area of sanctions compliance has already been indispensable for years. With the imposition of far-reaching financial sanctions by the EU in the context of the Russian war of aggression on Ukraine, its importance has increased again significantly since 2022. In the almost endless selection of available software solutions for sanctions screenings, there is something for (almost) every company. However, the use of these solutions also entails legal risks and challenges for the business process, which we would like to highlight here.
What is software-based sanctions screening?
Many sanctions regulations contain so-called financial sanctions to enforce a common foreign and security policy. They order that those persons, groups and entities (collectively "persons") listed in the annex to the respective regulation be subject to financially-related restrictive measures. This means that assets, property and economic resources of those persons or entities controlled or held by such persons are frozen. Furthermore, funds and economic resources may neither directly nor indirectly be made available to them or benefit them.
In order to comply with these requirements and prohibitions, it must be ensured in each transaction that the business partner concerned is not listed in the annex of a sanctions regulation. It is therefore necessary to compare the name of the person concerned with the entries in the sanctions regulations of the applicable regimes - a real Sisyphean task when one considers how many transactions are carried out in a company every day, how many sanctions lists there are, how many persons are recorded on the individual lists and how often regulations are adjusted:
- Approx. 30 sanctions regimes under EU law, with 1,700 sanctioned persons under the sanctions against Russia alone,
- approx. 76 regimes under US law,
- approx. 40 regimes under UK law,
- approx. 15 regimes of the UN and
- other regimes of other countries, such as Switzerland, Australia, Japan, etc.
The lists of sanctioned persons are regularly adjusted. At the beginning of the sanctions against Russia, for example, there were sometimes daily changes.
In order to facilitate the comparison of business contacts against the sanctions lists, for years various software providers have been offering programmes that perform this comparison semi-automatically or even automatically. Although there is no legal obligation to use these programmes, they do considerably simplify the work. The data of the person to be checked, in particular the name, is entered into the software either manually or via an interface to the company's internal ERP system, and the software displays potential matches ("hits") after comparing the data against the sanctions regulations.
Operational challenges when using screening tools
The first operational challenge when using screening tools is often the selection of the right software solution. The range of software on offer is large and constantly growing. It is often difficult for companies to know which product is the right solution for them. The main difference between the products – besides the number of possible user licences – is, in particular, the database used for the comparison. Companies should therefore at least ask themselves the following questions:
- Which sanction regimes must the software cover? Depending on the company structure, business activity, corporate policy and nationality of the employees, various sanction regimes may be applicable. The screening tool must be able to cover a comparison against the current lists of these regimes.
- Does the company need a tool that also covers ownership structures? If a person is on a sanctions list, the prohibitions and restrictions apply not only to this person's economic resources, but also to the resources of companies that are majority-owned by the listed person. Depending on how many contacts need to be checked and how risky the transactions are, it may make sense to invest in a tool whose database contains company law structures and which displays hits for corresponding ownership structures. A further alternative possibility is to use the data on corporate structures to check owners as a separate process in the tool.
- Is one tool enough? Errors are always possibilityin sanctions screening, for example, when the tool wrongly recognises a person as sanctioned ("false positives") or - much more problematic – fails to recognise them. Therefore, there are companies that invest in several tools in order to compare their results. This reduces the risk of sanction violations, but can significantly slow down business processes.
- How many people does the company need to use the tool? Companies also have to decidehow many people may check examination results, including "false hits", as this also determines the number of licences required. These people need to be carefully selected and trained.
- How often should screenings be carried out and how much can be automated? Several screening tools can screen fully automatically. Depending on the volume of business contacts and transactions, it may make sense to have a certain number of people routinely screened automatically and to only enter manually any new transactions.
- How do you deal with a hit?
First of all, companies should clarify whether this hit is only a "false positive", which is indeed often the case.
However, even if the hit is real, it still has to be assessed, as sanctions are structured in a very differentiated manner and therefore not every transaction is automatically prohibited. Questions arise, in particular, about their geographical and factual scope. The significance of a hit therefore still has to be legally analysed. This can be very demanding in individual cases and cannot be done by the screening tool.
To answer these questions, a risk assessment of the business activity always has to be carried out in advance. The screening tool is part of the internal compliance system and must therefore be an effective and appropriate measure in relation to the individual company-specific risks. Depending on factors such as size, structure, business scope, client portfolio, type of goods and business activity carried out, companies are exposed to sanctions compliance risks in different ways. The selection and use of the tool must always be determined on the basis of these risks.
Legal guard rails when using screening tools
The use of a sanctions screening tool is not the “be-all and end-all”. Several legally relevant aspects of financial sanctions cannot - to our knowledge - be covered by screening tools to date. In addition, the selection of the tool, the input of the data and the evaluation of the results presupposes the necessary know-how. Companies should therefore not rely exclusively on software solutions to ensure compliance with financial sanctions.
If a person is on a sanctions list, the prohibitions and restrictions apply not only to the economic resources of this person, but also to the resources of companies that are majority-owned by the listed person or – in all events according to the sanctions of the EU and UK - controlled by such person. In the view of the EU Commission, it is even sufficient that several sanctioned persons cumulatively hold more than 50% of the ownership shares ("aggregated ownership"). This regulation poses a considerable challenge for the compliance of companies with sanctions and cannot yet be reflected in some screening tools.
There are some tools in whose databases corporate law structures are stored, which means that a hit is also displayed if a company is owned by a listed person. However, to our knowledge, the criterion of control and aggregated ownership is not yet displayed in any tool so far. This means that it might not be displayed as a hit even though the business partner checked is under the control of a person sanctioned under EU or UK law or, according to the cumulative calculation, is majority-owned by sanctioned persons and the financial sanctions therefore also apply to it. The sanctions tool cannot therefore perform this check.
Furthermore, one also cannot rule the possibility of hits not being displayed correctly, for example due to missing updates. Most recently, when the 11th sanctions package against Russia was enacted at the end of June 2023, it took over five days for the more than 100 sanctioned persons to be included in the databases of some electronic sanctions lists. If a screening tool used a corresponding database, erroneouslyno hit was displayed during this time. This can have serious consequences for a company, because of the following:
If a company breaches a financial sanction, it cannot claim exemption from punishment on the basisthat this was caused by an error in the screening tool. The appropriate use of a screening tool based on a correct risk assessment can only mitigate a penalty.
For the sake of completeness, we would like to briefly mention the data protection aspects of screening without exhaustively addressing this issue in this article. Screening involves the use of personal data and, accordingly, the screening and the evaluation of hits must meet data protection requirements, for example with regard to questions concerning access to the data, their safe storage and the deletion of data. In this context, one should also consider which persons are to be subjected to screening. For example, there are business contacts who, at least at the time in question, are not provided with any economic resources (for example, when visiting a service provider who wishes to bid for a contract). Subjecting them to screening would be problematic under data protection law, as the purpose of the screening cannot be achieved.
What does the future hold?
Of course, no one can foresee with certainty how sanctions screening will develop in the future. One thing is certain, however, namely that it will continue to gain in importance as the instrument of financial sanctions is increasingly used to enforce foreign and security policy interests.
It is anticipated that the systems will be updated even faster in the future and that the databases will possibly also better cover the aspects of control and aggregated ownership. However, also in the future, digital sanctions screening can still only be a tool and that the structure of the screenings and the evaluation of the results of a screening will still require expert assessment.