Ron Ziegler is an Engagement Director with Treliant. He is an experienced global risk management executive with expertise in forensic investigations, Bank Secrecy Act/Anti-Money Laundering (BSA/AML), Office of Foreign Assets Control (OFAC) sanctions, employee conduct risk programs, internal audit, and derivatives/securities trading at global investment and commercial banks.
Financial institutions’ exposure to risk from the US government’s use of international sanctions is escalating today—managing sanctions risk can be particularly challenging in capital markets. 2019 recorded a 10-year high in penalties for sanctions violations from the US Department of the Treasury’s Office of Foreign Assets Control (OFAC). This surge came as the total number of penalties from all US regulatory and enforcement agencies has been mounting since 2016.
With Washington leaning toward economic sanctions as a foreign-policy tool, financial institutions around the world are expected to manage the risk of being used unwittingly to facilitate transactions that evade sanctions and violate US law. Securities products and the transaction channels used in capital-markets businesses create a discrete and complicated set of sanctions-related risks that require careful management. This article is the first in a series looking at the wider financial-crime risks in capital markets.
Financial-crime risks in capital markets
International capital markets (through financial institutions such as broker-dealers, investment banks, asset managers and insurance companies) offer significant liquidity, speed in execution, efficiency in settlement and anonymity. An unintended consequence of securities market structure are the attractive features for bad actors, such as those in global criminal enterprises and sanctioned entities, who increasingly rely on capital markets to move illicit funds or evade sanctions regulations.
Over the years, financial institutions in capital markets have principally focused their financial-crime prevention on compliance programs that identify the types of behavior associated with market manipulation—such as insider trading and low-priced securities trading. While this approach has generally been effective and appropriate, the increase in other criminal activity using international capital markets is now causing financial institutions to pivot. Their first, second and third lines of defense—in their business units, risk and compliance departments, and internal audit functions—are evolving to proactively unearth behaviors that facilitate the movement of illicit funds and allow the evasion of sanctions regulations.
Through regulatory-enforcement actions, many financial institutions have become aware of new and complex financial-crime typologies in the capital markets, such as the abuse of mirror-trading schemes (buying and selling identical securities simultaneously in different locations and currencies). As a result, the effort to develop and implement new controls to proactively combat these emerging financial-crime typologies consumes significant resources and diverts focus from identifying unknown risks or risks inadequately covered by existing control frameworks.
Sanctions risks in capital markets
The practical impact of proliferating US sanctions is increased financial-crime risk across international capital markets. In particular, securities markets are ripe for exploitation by parties subject to OFAC’s sanctions regime, and sanctions risks can vary depending on the product or service offered. Financial institutions operating in securities markets as a market maker, broker or custodian often deal with two key challenges:
- Identifying the beneficial ownership of assets subject to a transaction or held in custody; and
- Interpreting directives under executive orders to identify specific securities assets subject to OFAC sanctions prohibitions or restrictions.
Beneficial-ownership challenges and controls
In securities markets, financial institutions encounter counterparty transparency risks incidental to securities market structure. While each financial institution has its own sanctions risk profile based on the risks presented by its customers, products and services, channels and geographic locations of its business activities, there are core controls that can be used to protect financial institutions from directly or indirectly providing services or dealing in securities in which there is a beneficial ownership by parties subject to OFAC sanctions. Core controls include:
- Customer due diligence: Establishing reasonable due-diligence procedures to identify customers who do business in or with countries or persons subject to OFAC sanctions. In addition, setting appropriate enhanced due-diligence triggers for customers who present a risk that they will use their accounts to hold assets or carry out transactions for third parties subject to US sanctions.
- Disclosures: Apprising customers of a financial institution’s OFAC sanctions-compliance obligations. For example, obtaining formal assertions from customers that they will not use their accounts in a way that could trigger violations of OFAC sanctions.
- Account purpose: Developing procedures to document an understanding of the purpose of a customer’s account. For example, identifying whether third-party assets will be held in a customer’s account and, if so, understanding the OFAC-sanctions risk of the third party and its assets.
- Account restrictions: Implementing procedures to prohibit customers who present an increased risk, from an OFAC-sanctions point of view, from accessing certain products or services that lack beneficial-ownership transparency. For example, restricting higher-risk customers from using omnibus accounts (a financial institution that acquires securities on behalf of its customers, in the name of the financial institution rather than the customer), which may be accessed to circumvent OFAC sanctions regulations.
Interpreting directives under executive order
Financial institutions that offer both sales and trading and custody services have the additional challenge of implementing a control framework for the unique sanctions-compliance risks associated with the operating model for each product or service.
For sales and trading activities, the risk materializes at the point when the securities transaction has been verbally agreed or electronically executed, so that first-line-of-defense functions have the primary responsibility to ensure that the transactions into which they enter on behalf of their clients or financial institutions comply with sanctions rules.
For custody services, the risk materializes at the point when a financial institution processes an instruction [for example, via SWIFT (Society for Worldwide Interbank Financial Telecommunication) message] related to a securities transaction (such as asset movement, settlement or corporate action). As such, second-line-of-defense functions have a significant role in ensuring compliance with sanctions rules.
Despite these differences, a common concern about the controls over this complicated intersection of sanctions risk and capital-markets activity is the need to develop robust policies that clearly describe the roles and responsibilities across the first and second lines of defense within a financial institution to ensure consistently effective controls. Additionally, a key step in developing the securities component of a sanctions-compliance program is the identification and analysis of securities subject to OFAC restriction or prohibition. Reviewing OFAC notifications of executive orders for securities applicability is an arduous process.
Each financial institution implements approaches that are tailored to their business activities. Whichever approach is taken, though, it is of utmost importance to ensure the complete, accurate and timely incorporation of the securities-restriction or -prohibition analysis into the control environment to prevent securities prohibited or restricted by OFAC from inappropriately being transacted or moved through the financial institution.
Furthermore, strong communication protocols—such as guidance, training and tools—are critical to supporting key stakeholders in the process of ensuring that transactions involving securities subject to OFAC prohibition or restriction are not in violation of OFAC sanctions regulations.
As an overarching measure, there is a regulatory expectation that financial institutions monitor securities activities in brokerage, trading and custodial accounts and that this monitoring is designed to detect unusual activity. Generally, the transaction-monitoring activity forms part of an institution’s anti-money-laundering (AML) compliance program. As such, financial institutions are well positioned to leverage their existing control environments to identify unusual changes in customer activities that are indicative of underlying sanctions nexus. To unlock these benefits, though, it’s essential to obtain a commitment by management to support a control environment that brings together the relevant AML and sanctions elements of the financial-crime compliance program.
Such measures should be commensurate with the sanctions risk posed by a financial institution’s business activities. The use of such transaction monitoring can assist in the identification of significant changes in key attributes (for example, volume, value and types of assets within an account), which may indicate that a customer has commenced facilitating business for third parties that should be escalated to review for potential sanctions implications.
In our experience around the world, the management of sanctions risks in capital markets often leaves room for improvement.
Over the past 10 years, OFAC’s figures show that its enforcement actions represented $4.875 billion of the $18.5 billion (26 percent) in sanctions penalties. However, 2019 saw a significant rise in OFAC sanctions penalties. The past year was the highest OFAC penalty year in the decade, representing $1.3 billion of $2.0 billion (64 percent) of all US sanctions penalties. There is no evidence to suggest that the pace of sanctions enforcement will slow, and with the emergence of new financial-crime typologies, the focus on sanctions compliance should not be underestimated.
In addition, the last decade has seen approximately $13.625 billion in sanctions penalties across five other US law enforcement and regulatory agencies (U.S. Department of Justice, Federal Reserve Bank, New York Department of Financial Services, New York County District Attorney and U.S. Attorney’s Office), and 2019 reached the highest level since 2015. Financial institutions must be nimble to ensure their controls support a strong sanctions-compliance program.
OFAC has demonstrated the long reach of its regulatory authority, and financial institutions around the globe should carefully consider the extent to which they have direct or indirect exposure to a US nexus (for example, dealing with US dollars or persons) to avoid finding themselves subject to the consequences of violating US sanctions regulations.