Sanctions Screening Requirements under IFSCA (AML, CFT and KYC) Guidelines, 2022

The International Financial Services Centres Authority (Anti-Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022, provide detailed guidance on the Sanctions Screening Requirements for the entities operating within the IFSCA. The IFSCA (AML, CFT and KYC) Guidelines, 2022, apply to every regulated entity recognised, licensed, or registered by the IFSCA and to the regulated entities authorised by it to the extent specified. Further, the provisions of these guidelines also apply to the regulated entity’s financial groups to the extent specified in Chapter XII of the guidelines. This article provides essential insights into the sanctions screening requirements under IFSCA (AML, CFT and KYC) Guidelines, 2022.

Apart from the IFSCA (AML, CFT and KYC) Guidelines, 2022, the regulated entities need to pay due consideration to the following laws, rules and regulations:

What are Sanctions?

Sanctions are restrictive measures countries and international organisations employ to restrict specific geographies, entities, and individuals from carrying out certain activities. The primary aim behind imposing such sanctions is to mitigate various risks related to national security, peace, human rights violations, and illicit activities.

Who imposes Sanctions?

At the international level, there are various bodies which impose sanctions. Countries sometimes impose sanctions on individuals, entities, and other geographies. The major international bodies imposing sanctions are:

Major International Bodies Imposing Sanctions

  • The UNSC
  • The Ministry of Home Affairs (MHA), India – Unlawful associations, terrorist organisations, individual terrorists
  • Office of Foreign Assets Control (OFAC)
  • His Majesty’s Treasury (HMT)
  • The European Union (EU)

What are the risks mitigated by imposing Sanctions?

Countries resort to the imposition of Sanctions to target and mitigate risks like:

  • Terrorist Activities
  • Weapons of Mass Destruction (WMD) Proliferation Activities
  • Human Rights Violations
  • The Annexation of Foreign Territory
  • Destabilisation of a Sovereign Country
  • Cyber-Attacks

What are the various forms of Sanctions?

Sanctions take multiple forms, including financial restrictions, trade embargos, and travel bans.

What are the various types of Sanctions?

Sanctions are of several types. The UNSC and individual countries have imposed sanctions to enforce specific restrictive measures that protect their interests. The following types of sanctions are used to counter money laundering, terrorist financing, proliferation of weapons of mass destruction and proliferation financing:

Economic Sanctions

The primary purpose behind enforcing Economic Sanctions is to cause an economic impact on the sanctioned individual, entity, or country. Economic sanctions cause ongoing damage to the sanctioned person/entity/country as they increase costs and hardships around trade. Such economic sanctions are enforced in a variety of ways:

Diplomatic Sanctions

Diplomatic Sanctions are political measures a country takes to stop having diplomatic relationships with another country. Such actions include calling off ties with a country, limiting the presence of ambassadors, etc.

Military Sanctions

These trade penalties target a country to discourage its military procurement and financing. Arms embargoes and military-related trade restrictions are common examples of such military sanctions.

How do Sanctions work?

When the Government of India imposes a sanction, the regulated entities in India must abide by it. Further, the regulated entities have to abide by the UNSC sanctions. They must ensure proper systems and procedures to meet Sanctions compliance.

If positive matches are found during sanctions screening, the regulated entities must not proceed with the related transaction and must report it to the relevant authorities.

The relevant authorities will then take necessary actions like freezing assets and preventing entry into or transit through India.

Who must comply with Sanctions?

As per the IFSCA (AML, CFT and KYC) Guidelines, regulated entities which are licensed, recognised, registered, or authorised by the IFSCA and financial groups of the regulated entity to such extent as specified in Chapter XII of the guidelines shall comply with the sanctions screening requirements.

What is Sanctions Screening?

Sanctions Screening is an important control to counter money laundering and terrorist financing risks. Sanctions screening is a vital element of the Know Your Customer and Customer Due Diligence Process, which helps mitigate ML/TF risks.

Why is sanctions screening required?

Sanctions screening is required to ensure that the regulated entity does not end up dealing with a sanctioned individual or entity. Further, it is also required to ensure that the risks associated with the high-risk jurisdictions and sanctioned countries are adequately identified, assessed, and mitigated before onboarding a customer or entering into a fresh transaction with such customers.

Money laundering and terrorist financing are a global menace. They affect countries, companies, and individuals in a variety of ways. By conducting a Sanctions List check before onboarding a customer or entering into a transaction with the customer, the regulated entity can fight and mitigate ML/TF risks. Further, the relevant authorities can be notified, and actions can be taken against the criminals.

It’s a regulatory requirement for IFSC-based entities to perform sanctions list checks as a part of their customer due diligence process.

Who should be screened as a part of sanctions compliance?

Customers, suppliers, third parties, employees, ships, aircraft, and UBOs must be screened to comply with sanctions screening requirements.

The importance of Sanctions Compliance Policy

The reporting entities must have a defined Sanctions Compliance Policy. The sanctions compliance policy helps meet regulatory requirements and identify sanctions-related risks. A formal sanctions compliance policy helps maintain a uniform way to counter ML/TF and PF risks.

A sanctions screening program is a set of written policies and procedures that help you comply with IFSCA (AML, CFT, and KYC) Guidelines concerning sanctions compliance. Further, the sanctions screening program is drafted keeping in view the nature and size of your business, available resources, risk-based approach adopted by your company, regulatory requirements, and international best practices. It provides you with a detailed guideline as to sanctions screening concerning:

  1. KYC and CDD checks
  2. Transaction Monitoring
  3. Ongoing Sanctions Screening
  4. Ad hoc Name Screening

Key components of a sanctions screening program

1. Governance

The sanctions screening program should lay down a sound governance framework wherein the responsibilities of the principal officer and the top management need to be defined, the program’s overall management needs to be described, and the procedures around it need to be laid down.

2. Risk-Based Approach

The sanctions screening program should revolve around the risk-based approach taken by the firm. The sanctions lists, procedures, and resources deployed should be commensurate with the associated risks and help keep the overall risk within the company’s risk appetite limit.

3. Regulatory Framework

The sanctions screening program should refer to the underlying laws, rules, and regulations. The legal requirements should be clearly mentioned to avoid misinterpretation.

4. Name Screening Procedures

The name screening procedures, whether manual or automated, need to be described, and the sanctions lists to be referred to, the procedures related to high-risk customers, and the escalation matrix should be clearly outlined.

5. KPI-based periodic review

The sanctions screening program should be reviewed periodically, and a KPI-based review will help understand its efficiency.

6. Technology

The name screening software parameters configuration, access rights, workflow, sanctions database update frequency, etc., need to be identified and outlined.

7. Case Management Methodology

Most Sanctions screening software provides case management functionality where the partial and full hits trigger a notification for the principal officer to intervene, evaluate risks, and decide on onboarding a customer or maintaining a business relationship. 

8. Regulatory Reporting

The regulatory reporting requirements around sanctions screening must be clearly defined, along with the deadlines and responsibilities around it.

How is Sanctions Screening performed?

The compliance department checks customers, suppliers, employees, and third parties a business deals with against the relevant Sanctions Lists. For IFSCA-based entities, the primary requirement is to screen against the UNSC and MHA lists. However, depending on the regulated entity’s risk-based approach, other relevant sanction lists like OFAC and HMT may also be considered.

When to conduct Sanctions Screening to comply with IFSCA (AML, CFT and KYC) Guidelines

The regulated entities must perform sanctions screening before onboarding a customer or entering into a business relationship, and on a periodic basis.

Best Practices Around Timing of Sanctions Screening

  • Before onboarding a customer
  • Before entering into a business relationship
  • Before making a transaction
  • During ongoing CDD reviews
  • Upon change in customer’s information
  • Upon a change in the sanctions list
  • On a daily basis

Sanctions Screening Process

Sanctions screening is vital to ensuring that the regulated entity is not dealing with the organisations and individuals sanctioned under MHA, UNSC, and the other relevant sanction lists per the firm’s risk-based approach. The regulated entities use the sanctions screening process below to counter their ML/TF risks and comply with the IFSCA (AML, CFT and KYC) Guidelines, 2022.

KYC

Here, the regulated entity collects KYC information from the customers. This information, in the case of natural persons, typically includes:

  • Full name, including any aliases
  • Unique Identification Number (such as an Identity card number, passport number, etc.)
  • Date of birth
  • Nationality
  • Legal Domicile
  • Current residential address (other than a post office box address)
  • Contact details such as personal, office or work telephone numbers.

If a customer is a legal person or legal arrangement, a Regulated Entity shall obtain at least the following information:

  • The full name and any trading name
  • Unique Identification Number (i.e., Tax identification number or equivalent where this exists)
  • Incorporation number or business registration number
  • Registered or business address, and if different, its principal place of business
  • Date of establishment, incorporation or registration
  • Place of incorporation or registration

Further, in cases where the customer is a legal person or legal arrangement, a Regulated Entity shall also identify the legal form, constitution and powers that regulate and bind the legal person or legal arrangement. In addition, the Regulated Entity shall also identify and screen the related parties or connected parties of such customers and should remain apprised of any changes to connected parties. For identification of the connected parties, a Regulated Entity shall obtain at least the following information about each related or connected party:

  • Full name, including any aliases; and
  • Unique Identification Number (such as an Identity card number, passport number, etc.).

The KYC analyst then verifies this information against the original documents and communicates with the customer to fulfil requirements for any missing information or documents.

Screening

Next, the Screening Analyst screens the customer details against the UNSC list and MHA list at a minimum and identifies matches, if any. He also includes other sanction lists like OFAC and HMT as per the risk-based approach taken by the entity. Such screening can be conducted using sanctions screening software, which maintains the latest database of sanctioned individuals and entities from various sanctions lists. The screening must be performed when onboarding a customer, entering a business relationship, and periodically.

Investigation

If there are matches while screening a customer, the screening analyst has to investigate such matches and decide if they are true matches. For false matches, he can refer the case to the risk analyst for necessary risk assessment purposes. For true matches, the case is forwarded to the principal officer for necessary reporting purposes.

Reporting

The Principal Officer needs to verify the information, and he needs to identify if the positive match concerns Section 12A of “The Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005” or Section 51A of the “Unlawful Activities (Prevention) Act, 1967”.

The regulated entity must not carry out a transaction with such designated individual or entity and must submit the full particulars of the transaction, funds, financial assets, or economic resources by email, FAX, and Post to the applicable authorities, without delay, i.e. preferably on the same business day but not later than 24 hours in any case. For detailed information on reporting requirements, check Sanctions Screening reporting requirements.

Ongoing Monitoring

A sanctions check is not a one-time exercise. It’s an everyday effort as the sanctions lists are dynamic. Various name screening software products available in the market help regulated entities run scheduled automated screenings. The principal officer is alerted for further due diligence if matches are found.

Duties of Principal Officer in Complying with Sanctions Screening Requirements

The principal officer, along with the designated director, must ensure that the regulated entity remains compliant with the IFSCA (AML, CFT, and KYC) requirements and that the entity takes the required sanctions screening measures to counter Money Laundering, Terrorist Financing, and Proliferation Financing risks.

Consequences of a Sanctions breach

Failure to comply with IFSCA (AML, CFT, and KYC) guidelines severely affects regulated entities. Apart from regulatory fines and penalties, if the entity breaches an international sanction, it will have a far-reaching impact on its ability to do international business.

Manual Screening vs Automated Screening

The regulated entities can conduct sanctions screening manually or use software. Manual screening processes are error-prone, as one could erroneously refer to an old sanctions list or overlook a true match. Further, keeping track of ever-changing sanctions lists and conducting screening against them manually is too difficult.

Automated screening software helps one carry out screenings against the updated sanctions database and perform ongoing monitoring by scheduling a screening.

No matter what screening method is employed, the regulated entities have to maintain proper records around screening to meet regulatory requirements.

Choosing a sanctions screening software

Choosing a sanctions screening software requires due consideration of various factors as it goes a long way in ensuring regulatory compliance with the IFSCA (AML, CFT and KYC) Guidelines, 2022. The right screening software will help reduce false positives, handle high volumes, and provide transliteration functionality.

Sanctions lists and obligations

The regulated entity must assess its legal obligations to finalise the name screening software. For IFSCA (AML, CFT and KYC) Guidelines, 2022 compliance, it is necessary that the AML software supports MHA and UNSC lists. Further, it should also support PEP screening and Adverse Media searches.

Integration capabilities

The sanctions screening software should provide APIs to integrate it with the CRM or KYC software to provide a seamless user experience.

Training

The screening software vendor must provide adequate training around the use of the software and refresher training periodically to keep up with the version upgrades.

Database refresh

Knowing how often the screening software vendor refreshes its database is essential. The shorter the interval between refreshes, the higher the quality of the data.

Screening software features

The screening software should have a user-friendly interface, reporting capabilities, batch screening functionality, ongoing monitoring capabilities, case management and workflow functionalities.

Vendor reliability

It is essential to know the vendor’s reliability, which can be judged from various parameters like the number of years in business, reference customers, testimonials, customer support, and the frequency of version upgrades.

Customisation capabilities

The screening software should be customisable to meet the reporting entity’s unique requirements.

What are the challenges in Sanctions Screening?

There are various challenges associated with sanctions screening. Most of them stem from the fact that sanctions are dynamic in nature, and multiple bodies are issuing them.

1. Sanction Lists are dynamic

Sanction Lists are dynamic in nature. They keep changing in line with the geo-political tensions, criminal activities, and national and international security concerns. It makes it very difficult for SMEs to keep up with these changes and the regulatory requirements around them.

2. Complicated Sanctions regime

Sanction regimes are complicated in nature. Sanctions could be imposed on countries, entities, individuals, ships, and aircraft.

3. Technological issues

Technological solutions helping sanctions screening need to be validated. Most come with a proprietary database aggregating sanctions data from multiple sources. Since no single data source exists, reliability concerns exist around the implemented technological solutions.

4. Difficult to identify UBOs

It is just too difficult to identify the Ultimate Beneficial Owners and screen them against the sanction lists due to the absence of a corporate registry and foul play by criminals.

5. Multiple bodies issuing the sanctions

There are multiple national and international bodies issuing sanctions. There is no single way to keep track of all of them, and sometimes, it becomes too difficult to implement the same despite one’s willingness to comply with regulatory requirements.

6. Under/Over screening

Due to a wide variety of sanction regimes, international trade, local laws, and complexity around identifying UBOs, there is always a risk of under-screening or over-screening.

7. Customer Friction

Sanctions screening requires the collection of data before onboarding or concluding a transaction. It results in delays in the execution of a transaction, causing customer dissatisfaction and loss of revenue for businesses.

8. Lack of Resources

Small and medium-sized businesses often struggle with resources, and sanctions compliance becomes an extra cost for them.

Sanctions Screening Program Health Check

Regulated entities need to conduct regular health checks on their sanctions screening programs. If such skills are unavailable in-house, external AML/CFT consultants can be appointed to ensure the program meets its objectives.

The table below provides an understanding of the outcome of the sanctions screening program health check:

| Sr | Issues | Recommendations |
|----|--------|-----------------|
| 1 | Gaps between regulatory requirements and Sanctions Screening Policies and Procedures | Sanctions Screening Policies and Procedures Revision |
| 2 | No clear roles and responsibilities | Structuring of compliance department with proper roles and responsibilities |
| 3 | Lack of training and awareness | Sanctions compliance Training |
| 4 | Manual Processes | Requirements gathering, automation, and periodic reviews |
| 5 | Issues related to data quality | List verification, cleansing |
| 6 | Issues in data storage | Record-keeping policy and infrastructure |
| 7 | Too many False Matches | Thresholds adjustment, list verification |

Conclusion

The IFSCA (AML, CFT and KYC) Guidelines require regulated entities to perform sanctions screening to counter money laundering, terrorist financing, and proliferation financing risks. The entities must implement a proper sanctions screening program and screening software to meet the legal obligations.

The regulated entities must adopt a risk-based approach and screen their customers, suppliers, employees, and third parties. If any positive matches are found, reporting must be made to the relevant authorities, and records must be maintained for at least 5 years.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.