Validating Real-Time Sanctions Screening Systems: Critical Considerations

Issue

The majority of financial institutions today rely on third-party screening systems to perform sanctions screening. Banking organizations that provide funds transfer services to their customers are under increased scrutiny to perform real-time scanning against various sanctions lists of all payments going out and coming in on behalf of their customers. Similar to the trend we have seen with anti-money laundering (AML) transaction monitoring systems, regulators expect financial institutions to be able to demonstrate that sanctions screening systems are configured correctly. The challenge for financial institutions is finding the right balance between being able to detect sanctions violations and processing payments for their customers without unnecessary delay. To meet this challenge, it is important that financial institutions understand their screening environments better and comprehensively validate and tune their sanctions screening systems to make sure that they are effective, efficient and provide the required coverage from a regulatory perspective.

Challenges and Opportunities

Financial institutions are presented with a multitude of challenges when it comes to validating and tuning a third-party sanctions screening system successfully. These include:

A large number of transaction types. Typically, banks in the U.S. use either the Fedwire Funds Service or the Clearing House Interbank Payments System (CHIPS). These are the two primary domestic wholesale payment systems used for interbank funds transfers. For cross-border funds transfers, a messaging infrastructure called the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, is used. In addition to customer and bank funds transfers, SWIFT is used to transmit foreign exchange confirmations, debit and credit entry confirmations, statements, collections and documentary credits. These transactions are defined in more than 100 different message formats, each denoting a different transaction type.
For example, SWIFT MT1nn is used for customer payments, whereas an MT2nn format indicates a financial institution transfer. Each message format has unique placeholders for capturing the various data items applicable to that transaction. Identifying these data fields and mapping them accurately to watch lists can be challenging, given the number of different formats.

Misconfigured watch lists. Banks also struggle with choosing the right watch lists for their real-time transaction screening process. Typical problems are scanning against inapplicable watch lists offered by the third-party vendor, scanning against more lists than necessary, and not scanning against relevant lists. These situations can happen if the bank has failed to perform adequate analysis and configuration during the implementation of the third-party system. Some commonly used sanctions lists include the United Nations Al-Qaida sanctions list; the Specially Designated Nationals (SDN) list issued by the U.S. Office of Foreign Assets Control (OFAC); the consolidated list of Persons, Groups and Entities Subject to EU Financial Sanctions; and the Financial Sanctions list of HM Treasury (UK). Since many of the national sanctions lists are based on sanctions imposed by the UN, names appearing on UN lists can also appear on the lists issued by the EU, OFAC and HM Treasury. Using these watch lists redundantly can result in unnecessary false positives, which create additional work for investigators and delay payments. On the flip side, not using all the lists that are mandated may result in false negatives, causing transactions involving sanctioned entities to go undetected.

Complex proprietary matching algorithms. Many third-party systems come bundled with complex name-matching algorithms that are difficult for banks to understand. Typically, these algorithms employ various matching techniques to identify records from two sources (the bank's systems and the third-party watch list) that contain information about the same entity. These algorithms are often proprietary, and the underlying source code is not available to financial institutions to help them understand the underlying methods. Lack of an in-depth understanding of the system negatively impacts the validation strategy and results in financial institutions performing black-box testing, which does not accomplish the comprehensive validation required by regulators.

These challenges notwithstanding, a comprehensive validation, testing and tuning process for the sanctions screening system is both necessary and possible, with the following benefits to the financial institution:

Meeting regulatory expectations. Periodic testing and tuning of the sanctions screening system allows financial institutions to determine the level of coverage provided by these systems and demonstrate to regulators that their systems and processes are configured in line with regulatory expectations.

Reduction in false positives. Regular testing and tuning helps reduce the false positives the system generates.
This improves the efficiency of the sanctions screening process by reducing the number of potential matches an analyst needs to research, increasing productivity and minimizing the risk of delaying a customer's payment.

Maintaining control. Capturing and reviewing key metrics as part of an ongoing tuning process allows financial institutions to maintain continuous compliance. For example, as a financial institution's risk profile changes (with the addition of new products and service offerings or with changes in the customer base), the system will be exposed to more and different transactions. By tracking key metrics, such as the hit rate (i.e., the proportion of screened transactions that generate a potential sanctions match), financial institutions can see trends and detect spikes or drops in the hit rate, which may be an indicator that the system needs to be retuned or that a data quality issue exists.

Our Point of View

Validating and tuning a sanctions screening system that scans real-time transactions is a multistage process requiring significant time and effort. Based on our experience, we have identified the following key steps to this process:

Performing a data integrity audit. Most organizations store their data in multiple locations in a variety of formats. In order to perform the required validation, financial institutions must ensure that the sanctions screening system is able to access all these different systems and automatically integrate the data sourced from them. For example, payment transactions typically are sourced from the institution's in-house payment system, while the watch lists are sourced from external list providers; data anomalies or missing data in either of these sources can negatively impact the results of the testing. Thus, auditing all data and checking it for inconsistencies are crucial prerequisites to the validation process.

Identifying transaction types to be scanned. To begin the validation process, financial institutions must identify the various transaction types they use in order to ensure proper coverage for the sanctions screening program.
Based on their products and service offerings, financial institutions can use any number of SWIFT message formats to provide transactional services to their customers.
The following table, which is intended to be illustrative and not all-inclusive, lists some of the commonly used messages and the scanning requirements for them.

SWIFT Message   Description                                  Scanning Requirement
MT0nn           System messages                              No
MT1nn           Customer payments                            Yes
MT2nn           Financial institution transfers              Yes
MT3nn           Treasury markets                             Yes, if used for currency exchange and security trades
MT4nn           Collection and cash letters                  Yes, if used to purchase a monetary instrument
MT5nn           Securities market                            Yes, if used for security trades
MT6nn           Treasury markets (metals and syndications)   Yes, if used for security trades
MT7nn           Documentary credits and guarantees           Yes, if used for letters of credit
MT8nn           Traveler's cheques                           Yes
MT9nn           Cash management and customer status          Yes, if used for a wire transfer

Identifying and mapping the critical transaction data fields. The data fields of the various formats must be matched accurately to ensure proper validation. Funds transfers present an increased degree of risk for financial institutions due to the number and dollar volume of transactions, the geographic locations of originators and beneficiaries, and the fact that not all originators and beneficiaries are bank customers. Typically, international funds transfers are performed using one of the global SWIFT formats (e.g., MT103, MT202), and domestic funds transfers are performed using the Fedwire format. Regardless of the format of the transaction, the following data fields are critical and need to be mapped accurately for testing:

Originating party's name
Originating party's country and address lines
Originating bank
Originating bank's country and address lines
Intermediary banks involved in the transaction (first, second and so on)
Beneficiary bank
Beneficiary bank's country and address lines
Beneficiary party's name
Beneficiary party's country and address lines

Selecting test samples. A watch list sample set consisting of both good and bad samples needs to be created for the various system and comparison tests.
The good sample should consist of names that have a very low probability of reconciling to a regulatory watch list. Typically, these are the financial institution's actual customers who are known to be low risk. The bad sample should consist of a statistical sample of names and/or other supporting fields from all the regulatory watch lists that are in use by the third-party system.

Applying name-masking algorithms. The bad sample should be further expanded to include several variations of a single name. This is done in order to test the capability of the system to apply fuzzy logic to match the altered names against the same entity in the watch list. Some commonly used algorithms include:

Soundex. Soundex is a phonetic algorithm for indexing names by sound, as pronounced in English. The goal is for names that are pronounced similarly to be encoded to the same representation so they can be matched despite differences in spelling. For example, Mary can be matched to Marie, and Carmen can be matched to Carman. The purpose of this test is to verify whether the system is robust enough to recognize a misspelling of a name based on pronunciation.

Containment. The objective of the containment algorithm is to provide only a portion of the name while performing the list matching. For instance, Matthew can be truncated to Matt, Robert to Rob, etc. The purpose of this algorithm is to ensure that the sanctions screening system is able to identify a customer based only on a portion of the name.

Extraneous characters. The purpose of this algorithm is to introduce stray characters into the name and test whether the system is able to bypass these extraneous characters and match the name against entries in the watch list. For example, the system should be able to match ODonnell and O'Donnell.

Permutations. Permutations are achieved using various combinations of first, middle and last name. For example, switching the last and first name while leaving the middle (if applicable) the same is one possible variation. Another one is taking the first initial of the first name and leaving the rest of the name unchanged.

Tuning. Tuning is the essential next step in the validation process. The results from the iterative testing process should be used as an input to the tuning process. A sensitivity analysis should be performed by executing above-the-line and below-the-line testing. This is done by changing the score thresholds above or below the current settings to arrive at the optimal scoring threshold to which to configure the system: one where an acceptable balance exists between true and false positives. Above-the-line testing raises the threshold above the current setting to see which true matches would be lost; below-the-line testing lowers it to see which additional hits, true and false, would be generated.
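As an added, runnable illustration of two of the steps above (identifying and mapping the critical transaction data fields, and applying name-masking algorithms), and not code from this paper or from any screening vendor: the script below pulls the originating and beneficiary parties and banks out of a constructed SWIFT MT103, encodes names with Soundex, generates containment, extraneous-character and permutation variants of a name, and rewrites the message once per variant to produce the kind of batch a test run would execute. The field tags it uses (50, 52, 56, 57, 59) are the standard MT103 tags for those parties, which the paper names but does not number; the message contents, party names, BICs and account numbers are fictitious.

```python
"""Added example, not from the Protiviti paper or any screening vendor.

Maps the critical screening fields out of a SWIFT MT103 text block and builds
masked name variants for the 'bad' test sample. Assumptions: tags 50/52/56/57/59
are the standard MT103 field tags (the paper names the fields, not the tags);
the message, names, BICs and accounts below are constructed for the example.
"""
import re

SAMPLE_MT103 = """:20:TESTREF0001
:32A:240115USD12500,00
:50K:/12345678
JOHN MICHAEL DOE
12 EXAMPLE STREET
LONDON GB
:52A:EXBKGB2L
:56A:INTMUS33
:57A:BENBDEFF
:59:/DE89370400440532013000
ACME TRADING GMBH
HAUPTSTRASSE 5
FRANKFURT DE
"""

# The paper's critical fields, keyed by the MT103 tag that carries each one.
CRITICAL_TAGS = {"50": "originating_party", "52": "originating_bank",
                 "56": "intermediary_bank", "57": "beneficiary_bank",
                 "59": "beneficiary_party"}
FIELD_RE = re.compile(r"^:(\d{2})([A-Z]?):(.*?)(?=^:\d{2}[A-Z]?:|\Z)", re.M | re.S)
BIC_RE = re.compile(r"^[A-Z]{6}[A-Z0-9]{2}(?:[A-Z0-9]{3})?$")

def parse_mt103_fields(text):
    """Return {tag: (option letter, [body lines])} for every field in block 4."""
    return {tag: (opt, [ln.strip() for ln in body.strip().splitlines()])
            for tag, opt, body in FIELD_RE.findall(text)}

def map_screening_fields(text):
    """Map the message onto the paper's critical fields; None marks a missing one.

    A leading '/account' line is dropped (not a screening target). Option A fields
    carry a BIC instead of name/address; BIC characters 5-6 are the ISO country code.
    Otherwise line 1 is the name, the rest is the address, country = last token.
    """
    fields, mapped = parse_mt103_fields(text), {}
    for tag, role in CRITICAL_TAGS.items():
        opt, lines = fields.get(tag, ("", []))
        if lines and lines[0].startswith("/"):
            lines = lines[1:]
        if not lines:
            mapped[role] = None
        elif opt == "A" and BIC_RE.match(lines[0]):
            mapped[role] = {"name": lines[0], "address": [], "country": lines[0][4:6]}
        else:
            addr = lines[1:]
            mapped[role] = {"name": lines[0], "address": addr,
                            "country": addr[-1].split()[-1] if addr else None}
    return mapped

def soundex(word):
    """American Soundex: first letter plus three digits, e.g. ROBERT -> R163."""
    codes = {c: str(d) for d, grp in enumerate(("BFPV", "CGJKQSXZ", "DT", "L", "MN", "R"), 1)
             for c in grp}
    letters = [c for c in word.upper() if c.isalpha()]
    if not letters:
        return ""
    out, prev = [], codes.get(letters[0], "")
    for c in letters[1:]:
        d = codes.get(c, "")
        if d and d != prev:
            out.append(d)
        if c not in "HW":            # H and W do not break a run of equal codes
            prev = d
    return (letters[0] + "".join(out) + "000")[:4]

def same_soundex(a, b):
    """True when two names agree token by token under Soundex (phonetic variant)."""
    ta, tb = a.split(), b.split()
    return len(ta) == len(tb) and all(soundex(x) == soundex(y) for x, y in zip(ta, tb))

def name_variants(full_name):
    """Containment, extraneous-character and permutation variants of one name."""
    p, v = full_name.split(), set()
    if len(p[0]) > 3:
        v.add(" ".join([p[0][:3]] + p[1:]))                   # containment: truncated first name
    v.add(" ".join(p[:-1] + [p[-1][:2] + "'" + p[-1][2:]]))    # stray apostrophe in surname
    v.add("-".join(p))                                         # stray hyphens between tokens
    if len(p) > 1:
        v.add(" ".join([p[-1]] + p[1:-1] + [p[0]]))            # first and last name swapped
        v.add(" ".join([p[0][0]] + p[1:]))                     # first name reduced to initial
    v.discard(full_name)
    return sorted(v)

def build_test_batch(text, role="originating_party"):
    """One message per masked variant of the chosen party's name: the 'bad' batch."""
    name = map_screening_fields(text)[role]["name"]
    return [text.replace(name, variant, 1) for variant in name_variants(name)]
```

A missing critical field comes back as None rather than being skipped, so a feed whose MT103s never populate field 56 shows up as a coverage gap during the data integrity audit instead of silently passing. Soundex is used here as a check (same_soundex) rather than a generator, because a phonetic respelling such as JON MIKEL DOE has to be supplied by the tester; the other three masking types are generated mechanically from the watch-list name.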
Test Environment. Last but not least, a fully functional test environment is key to any enterprise system testing. Because automated batch processing is the most efficient way to test sanctions screening systems, the test environment should be configured to allow for that. For example, a sample of transactions with Soundex name variations for the originating parties could be grouped into a single batch and executed as one test.

How We Help Companies Succeed

Our AML professionals and our team of modeling experts, including Ph.D.-level professionals with deep quantitative skills, help institutions perform robust, independent validations of their sanctions screening systems. Collectively, we help financial institutions ensure that the configuration of their sanctions screening systems is based on the institution's specific sanctions screening strategy and is in line with its risk profile. We have experience with a number of AML sanctions screening systems on various platforms, including, but not limited to, Actimize, FircoSoft, Sydel, OFAC Watch, Equifax, TransUnion and Thomson Reuters Accelus, as well as a number of homegrown systems.

Our sanctions screening services include:

Comprehensive independent testing of the sanctions screening system
Filter validation
Watch list selection
Data validation
Lookback
Filter tuning methodology and approach design
Threshold setting and tuning

Example 1: Independent Validation of a Third-Party Sanctions Screening System

A large foreign bank with operations in the U.S. engaged Protiviti to assist with independent validation of its sanctions screening system supplied by a third party. We developed a systematic testing methodology that took into account the transaction feeds from the core banking application and the various U.S.-required watch lists, as well as the watch list required by the bank's home country. We created more than a thousand test cases to scan fields on the real-time Fedwire and SWIFT transactions against sanctioned entries on the watch lists. This level of detail allowed us to effectively challenge the system beyond the basic name-matching function and validate the consistency and accuracy of the screening process. We applied masking to introduce variations to names and other elements within the bank's transactions, enhancing the validation tests beyond the basic actual-to-actual match. We also developed a systematic threshold setting and tuning methodology that involved performing threshold sensitivity analysis to arrive at the right threshold setting for the matching algorithms used by the sanctions screening system. At the end of our engagement, we delivered to our client a report with identified gaps and other findings, along with recommendations for enhancing the bank's sanctions screening program. Our final deliverables included the detailed testing procedures, the threshold setting methodology and the recommended thresholds for achieving the right balance between true positives and false positives. By leveraging our services, the bank was able not only to address critical gaps in its sanctions compliance program but also to create a roadmap for future implementation of the recommendations and best practices we provided.

Example 2: Model Validation of Multiple Sanctions Screening Systems

A top-25 U.S. bank engaged Protiviti to perform a model validation of the quantitative aspects of its sanctions screening models.
The validation scope consisted of eight different list screening systems used across multiple business segments within the bank. We developed a scenario-based methodology, which utilized fuzzy matching techniques, good and bad samples and various combinations of regulatory watch lists to test the performance of each system on a stand-alone basis and relative to the other systems. Fuzzy matching techniques were used to mask names and other transaction details to assess the ability of each system to detect small variations of regulatory watch list entries. Our deliverables consisted of a report with gaps and findings, along with recommendations for tuning the current score thresholds within the bank's sanctions screening systems. In the report, we identified which transaction components are most predictive of true positives on a system-by-system basis (by matching multiple fields, such as name, address and date of birth, rather than a single field). In addition, we uncovered potential cost savings for the bank by identifying which systems had very similar scoring mechanisms and could be consolidated to reduce screening efforts. Our report included the detailed testing procedures, validation methodology, and analyses of scoring thresholds within each system in terms of true positive and false positive rates. Leveraging our findings and recommendations, the bank was able to address critical gaps in its sanctions compliance and improve the efficiency of its program.
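The above-the-line and below-the-line threshold sensitivity analysis described under Tuning, and the true-positive/false-positive view of score thresholds that Example 2 reports on, as an added example that is not Protiviti's methodology or any vendor's scoring engine. The matching score is a normalised Levenshtein similarity over token-sorted, punctuation-stripped names, a stand-in for a proprietary scorer; the watch list, good sample and bad sample are constructed and fictitious. The sweep evaluates thresholds on both sides of a current setting and recommends the highest threshold that still hits every bad sample, so the false-positive cost of full coverage is visible.

```python
"""Added example, not Protiviti's method or any vendor's scoring engine.

Above-the-line / below-the-line threshold sweep over a good sample (low-risk
customers that should not hit) and a bad sample (masked watch-list names that
must hit). The score is a normalised Levenshtein similarity on token-sorted,
punctuation-stripped names, standing in for a proprietary matcher. All names
are constructed for the example.
"""
import re

WATCH_LIST = ["IVAN PETROV", "ACME TRADING GMBH"]
GOOD_SAMPLE = ["JANE SMITH", "PETER IVANOV", "ACE TRADING LTD"]
BAD_SAMPLE = ["PETROV IVAN",          # permutation of the watch-list name
              "IVAN PETROFF",         # phonetic respelling
              "I PETROV",             # first name reduced to an initial
              "ACME TRADING",         # containment (partial name)
              "AC'ME TRADING GMBH"]   # extraneous character

def normalise(name):
    """Upper-case, drop punctuation, sort tokens so word order does not matter."""
    return " ".join(sorted(re.sub(r"[^A-Z0-9 ]", "", name.upper()).split()))

def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def match_score(name, candidate):
    """0-100 similarity; 100 means identical after normalisation."""
    a, b = normalise(name), normalise(candidate)
    if not a or not b:
        return 0
    return round(100 * (1 - levenshtein(a, b) / max(len(a), len(b))))

def best_score(name, watch_list=WATCH_LIST):
    """Score of the closest watch-list entry, which is what a filter compares to its threshold."""
    return max(match_score(name, entry) for entry in watch_list)

def hit_rates(threshold, good=GOOD_SAMPLE, bad=BAD_SAMPLE, watch_list=WATCH_LIST):
    """True-positive rate on the bad sample and false-positive rate on the good sample."""
    tp = sum(best_score(n, watch_list) >= threshold for n in bad)
    fp = sum(best_score(n, watch_list) >= threshold for n in good)
    return {"threshold": threshold, "tpr": tp / len(bad), "fpr": fp / len(good)}

def sweep(current, step=5, width=20, **kw):
    """Evaluate thresholds from current-width (below the line) to current+width (above it)."""
    return [hit_rates(t, **kw) for t in range(current - width, current + width + 1, step)]

def recommend(rows, min_tpr=1.0):
    """Highest threshold that keeps coverage at min_tpr, i.e. the fewest false positives
    without losing a bad-sample hit. None if no threshold in the sweep achieves it."""
    ok = [r for r in rows if r["tpr"] >= min_tpr]
    return max(ok, key=lambda r: r["threshold"]) if ok else None

if __name__ == "__main__":
    rows = sweep(current=80)
    for r in rows:
        print(f"threshold {r['threshold']:3}  TPR {r['tpr']:.2f}  FPR {r['fpr']:.2f}")
    print("recommended:", recommend(rows))
```

With these samples the lowest-scoring bad variant ("ACME TRADING", 71) and the highest-scoring good customer ("ACE TRADING LTD", also 71) collide, so the recommended threshold of 70 buys full coverage at the price of one false positive in three; raising the line to 75 removes that false positive but drops two true matches. That is exactly the trade-off the tuning step asks the institution to decide on, and the numbers change whenever the scorer, the samples or the watch lists change, which is why the sweep is rerun rather than the threshold being set once.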
About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000 and FORTUNE Global 500 companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

Carl Beaumier, +1.212.603.8337, carl.beaumier@protiviti.com
Luis Canelon, +44.20.7024.7509, luis.canelon@protiviti.com
Bernadine Reese, +44.20.7024.7589, bernadine.reese@protiviti.com
Chetan Shah, +1.704.972.9607, chetan.shah@protiviti.com
Shaheen Dil, +1.212.603.8378, shaheen.dil@protiviti.com
Amith Satheesh, +1.704.998.0792, amith.satheesh@protiviti.com

2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.