The UK Financial Conduct Authority (FCA) signalled that it will continue its focus on sanctions systems and controls over the next year in its new business plan, published in late March. This should not be a surprise, given the significant deficiencies that the regulator found in watchlist data management and other areas in its September 2023 review. Firms with challenges in their watchlist data management should move quickly to improve their data governance frameworks to reduce potential compliance risk over the next 12 months, including fines and negative headlines.

Watchlist data challenges

The FCA has had sanctions systems and controls in its sights for a year already, as this area was also a priority in last year’s business plan. The September 2023 review, Sanctions systems and controls: firms’ response to increased sanctions due to Russia’s invasion of Ukraine, noted the following issues with watchlist management within firms, as part of their overall sanctions systems and controls framework:

• Lack of understanding of how sanctions screening tools are calibrated and when lists are updated, so that firms didn’t know if their lists were correct, if the lists were missing names, and if the incorrect data was producing too many false positives.

• Insufficient management intelligence for senior management, including quantitative and qualitative data to enable effective oversight, identification of risk, and trend analysis.

• Inability to explain why alerts were not generated against certain names on the Office of Financial Sanctions Implementation (OSFI)’s consolidated list of individuals subject to sanctions.

• Low quality of customer due diligence (CDD) and know your customer (KYC) processes, such as not being able to articulate full ownership structures of entities, leading to the possibility of not screening all relevant parties, making a sanctions breach is more likely.

All of these issues are due, in part or completely, to having an insufficiently robust approach to watchlist data governance, and a lack of transparency into data processes as a result. For example, not knowing if watchlists are complete, being unable to deliver needed senior management MI, inability to see why data isn’t generating alerts, and being unable to identify the beneficial owners of related organisations are all fundamentally rooted in data management issues.

Reading the regulator

It’s clear that the regulator means business when it says it wants to see improvements in firms’ sanctions systems and controls, and that the regulator is focused on data, too. Sarah Pritchard, executive director of markets, and executive director of international at the FCA, said in a speech in September 2023 about sanctions systems and controls: “We are stepping up our testing of firms’ risk-based systems and as a data-led regulator, using data and tech to do so. Our recent testing of firms’ compliance with sanctions was driven by data and tech. We asked firms to test their own controls against a sample data set, and then selected those for a visit who had not picked up what we were expecting. More effective use of artificial intelligence will bolster our toolkit in the future.” 

A February 2024 publication, Reducing and Preventing Financial Crime, underscores the determination of the regulator to ensure firms are managing watchlist data properly: “Firms must ensure that systems and controls keep up with the increasing sophistication of criminal groups and should use the advances in technologies to help prevent financial crime. Firms must calibrate how they use technology to their individual requirements to be as effective as possible. But that does not mean they should calibrate once and then ‘plug and play’ forever. Firms need to keep fine tuning their response to combat the changing threat.” This includes managing watchlist data properly – without robust data, accurate model tuning is a significant challenge, and is unlikely to produce accurate outcomes.

Focusing on sanctions

In its new business plan, the FCA said it will be continuing the activity around sanctions systems and controls that it already has underway. The FCA’s 2023-2024 business plan said that, as a “key activity”, the regulator would “use a data-led approach to proactively supervise firms’ sanctions systems and controls.” In its September 2023 report, the FCA provided additional detail: “We will continue our supervisory focus on sanctions with our objective of ensuring that firms have effective sanctions systems and controls. We will continue to refine our processes and look to develop and enhance our approach in line with developments in sanctions risks and issues.” So, firms can expect the FCA to evolve its sanctions supervision as it uncovers more challenges during its work. 

Indeed, it seems likely that sanctions systems and controls – and the data management that underlies a robust approach – will be a focus for the regulator for some time to come. Financial firms who suspect that they have the kinds of sanctions systems and controls issued identified by the FCA above should consider improving their watchlist data management approach as a starting point. Strong watchlist data governance is the foundation on which a compliant and accurate sanctions screening programme is constructed.