The KYC Principle: Why are Banks Particularly in Focus for Sanctions?
Against the backdrop of the Russian attack on Ukraine and the resulting sanctions imposed by America, the EU and Switzerland, the hoped-for effects and undesirable side effects of sanctions are a very topical issue. As part of our series of articles on this topic, we describe in this article why banks are particularly in focus when it comes to sanctions.
Role of banks in sanctions compliance
Most sanctions are related to financial transactions. A trade sanction, for example, prevents or restricts trade between two parties. This means not only the exchange of goods, but also financial compensation for the goods in the form of a remittance. A financial sanction freezes assets or prevents or restricts money transfers. Financial transactions are therefore associated with sanctions and are therefore also subject to sanctions regulations.
Most financial transactions in the form of transfers, checks or direct debits are processed via banks. When processing these transactions, banks are obliged to comply with existing sanctions law. The decisive factor here is which sanctions law the banks are subject to. Banks must comply with both the sanctions law in the country of their headquarters and the sanctions law in the respective countries in which the branches are located. Thus, a bank from the U.S. with a branch in Germany must comply with both U.S. sanctions law and EU sanctions law.
In addition, banks must not only monitor financial transactions, but also take into account trade transactions in their operations in order to prevent money flows related to an exchange of goods that is sanctioned.
Why is KYC critical to sanctions compliance?
Banks have special departments that deal with the impact of sanctions policy on the bank's business and with sanctions compliance. The interaction of these two topics is called Sanctions Due Diligence or SDD for short.
When deciding whether assets or transactions are subject to sanctions, KYC is critical for banks' sanctions departments.
Know Your Customer is a recommendation issued by the Financial Action Task Force (FATF) in February 2012 and updated in 2018. The FATF recommends that institutions incorporate the following measures into their KYC programs:
- Identification of the customer and verification of the customer's identity using reliable documents, data or information from independent sources
- Identifying beneficial owners and taking reasonable steps to verify the identity of the beneficial owners
- Understand and, if necessary, obtain information about the purpose and intended nature of the business relationship.
- Conducting ongoing due diligence on the business relationship and reviewing transactions undertaken during the course of the business relationship to ensure that the transactions undertaken are consistent with the institution's knowledge of the customer, its business, its risk profile and, where applicable, the source of its funds
While not all elements of a full KYC program are directly relevant to sanctions due diligence, a sanctions program should include the following basic elements tailored to the company's business profile:
- Knowledge and verification of the identity of a customer and all counterparties
- Knowledge and verification of the beneficial owners
- Understanding the nature and purpose of the customer's account or transactions, including:
- The customer's underlying business activity, what goods and services they trade in, and why they use financing or other services
- Where the customer is located and, if different, his principal place of business
- Where the customer intends to send funds to or receive funds from
- The source of funds and the source of wealth
Above all, the initial identification of beneficial owners and their sources of assets are crucial in the KYC process as part of sanctions due diligence. This information enables a bank to assess whether a company and its transactions are subject to sanctions.
In addition to the initial beneficial ownership check, banks review the payment history of their customers to identify the jurisdictions in which the customer trades. If the sanctions policy affecting the bank changes, this information can be used to quickly identify customers to be sanctioned and stop transactions.
The following example illustrates the penalties a bank may face if it fails to conduct adequate sanctions due diligence:
Case study U.S. BANCORP
In 2018, four U.S. regulators fined U.S. Bancorp more than $600 million for failures in its AML compliance program. According to the U.S. Attorney's Office for the Southern District of New York, from 2009 to 2014, the bank "willfully failed to establish, implement, and maintain an adequate AML program."
One focus of the complaint related to inadequate funding of the compliance team responsible for investigating potentially suspicious activities. Instead of aligning its compliance program with the alerts generated, the bank limited or froze the number of staff and set caps on the information to be collected on new and existing customers. Although AML compliance team members specifically identified the lack of investigative resources as a risk, the bank did not provide the additional resources necessary to meet the identified needs. The number of investigators and the density of information about customers remained constant, although the bank's assets, suspicious activity reports, and law enforcement inquiries increased.
Due to inadequate funding of the Compliance Department, which includes the KYC and Sanctions Department, many of the Bank's sanctions violations were not detected internally. The information the Bank had on its customers was insufficient to identify and classify potential sanctions violations. Transactions were not monitored in ongoing customer relationships. Thus, there was no verification that customer disclosures on business activities matched actual transactions.
A sanctions program is only as good as the KYC program
The example of U.S. Bancorp shows what penalties a missing or too weak sanctions due diligence can have for a bank.
But it also shows how important it is for banks to have a functioning KYC program in order to avoid such penalties. Crucial to U.S. Bancorp's penalties were the sanctions violations that could not be detected due to minimal information about customers. Funding the KYC program commensurate with the assets might have prevented the penalty.
Sanctions departments in banks rely on the customer information from the KYC departments to identify and classify any sanctions violations. In this way, both departments protect the bank from regulatory penalties.
In conclusion, good sanctions due diligence stands and falls with the information from the bank's KYC department.