The KYC principle: Why are banks particularly in the focus of sanctions?
Against the backdrop of the Russian attack on Ukraine and the resulting sanctions by America, the EU and Switzerland, the hoped-for effects and undesired side effects of sanctions are a very topical issue. As part of our series of articles on this topic, we describe in this article why banks are particularly in the focus of sanctions.
Role of banks in sanctions compliance
Most sanctions are linked to financial transactions. A trade sanction, for example, prevents or restricts trade between two parties. This means not only the exchange of goods, but also the financial compensation for the goods in the form of a remittance. A financial sanction freezes assets or prevents or restricts money transfers. Financial transactions are thus associated with sanctions and are thus also subject to sanction regulations.
Most financial transactions in the form of transfers, cheques or direct debits are processed through banks. Banks are obliged to comply with existing sanctions law when processing these transactions. The decisive factor is which sanctions law the banks are subject to. Banks must comply with both the sanctions law in the country of their headquarters and the sanctions law in the respective countries in which the branches are located. A bank from the USA with a branch in Germany must therefore comply with both US sanctions law and EU sanctions law.
Furthermore, banks must not only monitor financial transactions, but also take into account trade transactions in their operations in order to prevent money flows related to an exchange of goods that is sanctioned.
Why is KYC crucial for sanctions compliance?
Banks have special departments that deal with the impact of sanctions policy on the bank's business and with sanctions compliance. The interaction of these two topics is called Sanctions Due Diligence or SDD for short.
When deciding whether assets or transactions are subject to sanctions, KYC is of critical importance to the banks' sanctions department.
Know Your Customer is a recommendation issued by the Financial Action Task Force (FATF) in February 2012 and updated in 2018. The FATF recommends that institutions incorporate the following measures into their KYC programmes:
- Identification of the client and verification of the client's identity using reliable documents, data or information from independent sources
- Identify the beneficial owners and take appropriate measures to verify the identity of the beneficial owners
- Understand and, where appropriate, obtain information about the purpose and intended nature of the business relationship.
- Conduct ongoing due diligence on the business relationship and review transactions undertaken in the course of the business relationship to ensure that the transactions undertaken are consistent with the institution's knowledge of the client, its business, its risk profile and, where applicable, the source of its funds
Although not all elements of a full KYC programme are directly relevant to sanctions due diligence, a sanctions programme should include the following basic elements tailored to the company's business profile:
- Knowing and verifying the identity of a client and all counterparties
- Knowledge and verification of beneficial owners
- Understanding the nature and purpose of the client's account or transactions, including:
- The client's underlying business activity, what goods and services they trade in and why they use financing or other services
- Where the client is located and, if different, its principal place of business
- Where the client intends to send funds to or receive funds from
- The source of funds and the source of wealth
Above all, the initial identification of the beneficial owners and their sources of assets are crucial in the KYC process as part of sanctions due diligence. This information enables a bank to assess whether a company and its transactions are subject to sanctions.
In addition to the initial beneficial ownership check, banks check the payment history of their clients to identify the jurisdictions in which the client is trading. If the sanctions policy affecting the bank changes, this information can be used to quickly identify clients to be sanctioned and stop transactions.
The following example shows what penalties a bank has to fear if it does not comply with adequate sanctions due diligence:
Case study U.S. BANCORP
In 2018, four U.S. regulators fined U.S. Bancorp more than $600 million for failures in its AML compliance programme. According to the U.S. Attorney's Office for the Southern District of New York, the bank "willfully failed to establish, implement, and maintain an adequate AML programme" from 2009 to 2014.
One focus of the complaint related to inadequate funding of the compliance team responsible for investigating potentially suspicious activities. Instead of aligning its compliance programme with the alerts generated, the bank limited or froze the number of staff and set caps on the information to be collected on new and existing clients. Although AML compliance team members explicitly identified the lack of investigative resources as a risk, the Bank did not provide the necessary additional resources to meet the identified needs. The number of investigators and the density of information on clients remained constant, despite an increase in the Bank's assets, suspicious activity reports and law enforcement enquiries.
Due to insufficient funding of the Compliance Department, which includes the KYC and Sanctions Department, many of the Bank's sanctions violations were not detected internally. The information the bank had on its clients was insufficient to identify and classify potential sanctions violations. In ongoing client relationships, transactions were not monitored. Thus, there was no verification whether the client information on business activities corresponded to the real transactions.
A sanctions programme is only as good as the KYC programme
The example of U.S. Bancorp shows the penalties that a lack of sanctions due diligence or too weak sanctions due diligence can have for a bank.
But it also shows how important a functioning KYC programme is for banks to avoid such penalties. The decisive factor for the punishment of U.S. Bancorp was the sanctions violations, which could not be detected due to the minimal information about the customers. With KYC programme funding commensurate with the assets, the penalty might have been avoided.
Sanctions departments in banks rely on the client information from the KYC departments to identify and classify any sanctions violations. In this way, both departments protect the bank from the sanctions of the supervisory authorities.
In conclusion, good sanctions due diligence stands and falls with the information from the bank's KYC department.