The ISO 20022 standard brings many new opportunities for firms to enhance and improve sanctions screening processes. Indeed, most banks are already well underway with - or have already completed - system updates to accommodate the new standard. But as we see firms turn their attention to the downstream impacts - such as the overall sanctions compliance programme – a key question reoccurring is how to practically make the most of these new opportunities.
As sanctions programmes continue to increase in complexity, firms failing to make the most of the changes and opportunities from ISO 20022 stand to be left behind. In this article we touch on three aspects of sanctions screening that firms will need to address to make the most of the opportunities that ISO 20022 brings.
1. Additional data points to screen against
The first, perhaps obvious, aspect is that the ISO 20022 messaging format will provide clearer and more defined data points in payments messages that can be used to screen against. Screening additional data points will lead to more accurate screening, and in turn generate fewer false positives and require less resources to disposition alerts.
But it also means business and compliance teams will need to evaluate and assess these additional data points to determine which, if any, to include to make the screening process more robust. With years of sanctions screening experience behind them, it can often be a challenge to think outside the established box. Hence firms should think thoroughly about how to approach the additional data points to avoid falling into a trap or simply recreating what was there before – a common challenge when it comes to the availability of new data in an established field in our experience.
2. Data sources and data quality
The second aspect is that once any additional data points have been identified for inclusion in sanctions screening, screening systems will need to be updated to consume and screen against these fields. The two areas of focus here are firstly identifying the data source against which to screen; and secondly validating the data and ensuring it has been properly maintained over time.
Addressing the former first, for larger firms, a single golden source of customer data may not exist. Customers may hold multiple (personal and one or more business) accounts across more than one jurisdiction. In addition, these data points may likely be housed in various systems and/or regions. Thus, firms will need to identify which data sources are in scope for sanctions screening and then align the feeds into the screening system.
To address the latter, data location and accuracy, firms should revisit their data management frameworks to identify and validate this new data and ensure it will be maintained as such going forward. Screening against stale customer data will likely have negative impacts on alert generation and dispositioning. Firms may also face consequences from a reputational and client relationship perspective if clients are constantly experiencing delays with their transactions because of inaccurate sanctions screening.
3. Sanctions screening filters
Finally, once additional screening data have been identified and validated, firms will need to rethink their screening system filter settings. At a minimum, screening filters will need to be updated to accommodate the new data points. However, as the accuracy of sanctions screening improves, screening variance thresholds may also change. Any changes then require fine-tuning of the screening filters to find the optimal performance settings to reduce false positives and maximise efficiencies in line with risk objectives.
Conclusion
While the ISO 20022 requirements offer up additional data in payments messages, it is up to the firms to act and incorporate this data into their sanctions screening processes and make the most of it. As the key component, data management best practices are imperative to realising the potential benefits. Identifying screening points and ensuring the quality and maintenance of the underlying data will enable more accurate screening and decrease operational and reputational risk from breaches down the line.
But to accomplish this, compliance, business and technology teams will have to work closely together to identify, design and implement the appropriate changes to enhance the overall sanctions compliance programme.
