Are Nordic financial institutions really compliant with US sanctions?

To answer this, one most likely need to go deep on all financial institutions (FI), however, what if one would ask some simple questions to begin with? Lets start with the following;

• Are you screening your clients against US sanction lists?

            Most would answer Yes

• Are you screening your client’s counterparties against US sanction lists?

            Many would answer No

• Which US lists are you screening against?

            Many would answer OFAC

• Are you using "raw" sanction data directly from the free open sources provided by US bodies, either directly or through your sanction screening software provider?

            Most would answer Yes

• Are you using a comprehensive sanction data provider? 

            Many would answer No

I know from my experience working over 10 years in the Nordics and the Baltics, that for FI´s to answer this within their regions, they will struggle. Why? 

First. let’s start with the Nordics FIs, most of them (still not all) screen their customers during onboarding and on an ongoing basis against sanctions lists from OFAC. In Sweden, the FIs had to get acceptance from the Swedish Data Inspection Authority to screen their customers against OFAC. 

When I talked to the Swedish Bankers Association (SBA) a couple of years ago relating to why Swedish FIs did not screen against more lists, i.e., other US sanction / watchlists such as UK, Canada, Australia, Switzerland and so on, and the response from the SBA at that time was that as long as the FIs themselves didn’t ask specifically to screen against more lists from other countries, the SBA wouldn’t recommend their members to do so. As I said to the person that I talked to, was that this would never happen because of that their members, the FIs understand that the more lists you screen against the more matches you’ll get, as well as false matches. Notably is that the Board of Directors of the SBA are some of the leading figures of the biggest Swedish banks. And of course, they don’t want to increase their staffing and costs relating to this.

Secondly, many of the FIs in the Nordics are using (old or new poor) KYC/AML-systems for client screening, transaction monitoring and maybe also, but far from all, a function for sanction screening of payments, including counterparty and in very few cases also message information. In many cases, these systems only use the free open source raw data from OFAC (and EU, UN). The vendors sales pitch to the FIs is often “our solution makes you compliant with US sanctions”, but this is far from true. Let me tell you why! (most of you may already know this)

The raw data that is found free on the website of OFAC, is what it is, raw data. Analyzing the data, one would quickly see that there is no master data management, or cleaning of data performed by OFAC, and there is no comprehensive enrichment of the data, i.e., information on subsidiaries and branches majority owned and controlled by these sanctioned companies. That’s where OFAC puts all responsibility to the FIs, to make sure that their customers are not sanctioned, or majority owned and controlled by a sanctioned entity.

To illustrate some examples:   

• The Norwegian entity RN NORDIC OIL AS, is 100% owned by a Swiss company, ROSNEFT JV PROJECTS, which again is majority owned by ROSNEFT, which is sanctioned by the US. RN NORDIC OIL AS is not found in the OFAC data, neither is ROSNEFT JV PROJECTS. Hopefully a good KYC/AML system for screening against sanctions would identify the Swiss entity based on “Rosneft” in its name, however, many FIs has determined that they will only screen the company name of their customer, individuals related to that company, and beneficial above 25%.
• The Swedish company KUBIKENBORG ALUMINIUM I SUNDSVALL AB, previously 100% owned by the CRITERION HOLDINGS LTD, now owned by LIBERTARTEM MATERIALS LTD, both with the UBO being Oleg Deripaska, who is sanctioned by the US. Neither KUBIKENBORG, CRITERION nor LIBERTATEM is found in the OFAC data.

This mean that when screening against sanctions data from OFAC raw data, neither RN NORDIC OIL nor KUBIKENBORG ALUMINIUM would be identified as sanctioned-owned entities, neither during customer screening nor payment screening of counterparty. One would hope that during onboarding of the two companies, the controlling sanctioned object would be identified, however in the current implemented sanctions’ compliance measures in the Nordics, that is far from sure.

To say that the sanction risk in the Nordics is non-relevant because there are very few sanction targets in the Nordics, that would be understating an unknown risk, because if the FIs do not have control over the sanction screening of their customers and not screening against comprehensive sanction data (i.e., Refinitiv, Dow Jones, Acuris, RDC, LexisNexis), they most likely don’t have control over their customers counterparties (KYCC). Sanction evaders know this, and if the Nordics are the weak link, they don’t even have to have an evasion scheme going, because Russian companies directly sanctioned by the US can both send and receive payments from Nordic companies without detection.

The Nordic FIs need to step up and the US corresponding banks, or US owned European banks need to put pressure on these Nordic FIs, without pressure from the US, there will be business as usual, same as for the last 10 years, and as my experience with the Swedish Bankers Association, the FIs will not do this if nobody is looking over their shoulders.   

And in general in the Nordics they screen against OFAC raw data, when it comes to other, from a risk based perspective actual relevant US lists, very few FIs screen against any of them, especially in Sweden where they think that screening against more lists than EU, UN, and OFAC, that this would violate GDPR(?!).

#ofac #ustreasury #sanctioncompliance #sanctionscompliance #sanctions #ussanctions