8 minute read 21 Jan 2020
person admiring the ouse valley

Seven steps to leading list management

By Patrick Craig

EY EMEIA Financial Crime Technology Lead

Helping banks get the most out of their financial crime risk management programs. Experienced with compliance and AML technologies.

8 minute read 21 Jan 2020

Discover seven ways of identifying and closing gaps within your list management capabilities, and benchmark yourself against competitors.

We live in a climate of ever-changing geopolitics and evolving technologies. Within this environment, list screening of sanctions, politically exposed persons (PEPs) and adverse media watch lists remains steadfast as a key control within the compliance programs across all regulated financial institutions (FIs). Screening remains on the radar of regulators globally, and the increasing complexity of sanctions, and the global integration of economies subject to them, continues to cause unwanted risk and cost headaches for FIs.

Recent focus within the screening domain has been centered around the adoption of, and ability to trust in, artificial intelligence for alert dispositioning or the remediation of data quality issues. In EY’s experience, however, less attention is paid to the other fundamental element of the screening process – the watch lists themselves. List management remains a comparatively underdeveloped control area for FIs worldwide.

There is no ‘one size fits all’ approach for list management. However, EY has outlined seven key areas of focus that should allow greater control and increased effectiveness of this critical risk management function. When coupled with EY List Management Maturity Assessment Matrix, these focus areas will provide FIs with rapid ways of identifying and closing gaps within their list management capabilities, as well as benchmarking themselves against other players within the industry.

Discover seven ways of identifying and closing gaps within your list management capabilities

1. De-duplication and entity consolidation

Numerous regulators implement an autonomous sanctions regime, closely mirroring that of the larger multi-jurisdictional bodies (such as the European Union and United Nations), with few substantial differences. This leads to sanctioned parties being duplicated across lists, resulting in numerous matches against the same party. The obvious solution would be to remove the local list from screening completely; however, there is no assurance that the multi-jurisdictional body’s list will continue to remain aligned in content. The risk, therefore, of missing a true match through the removal of a local list outweighs the operational impact of dispositioning duplicated alerts.

Entity consolidation technologies are commonly applied to FIs’ customer bases to create a ‘golden source’ record. The same technology can be applied to the list side of the equation, to identify, consolidate and harmonize records automatically across watch lists. If implemented effectively, and with appropriate levels of testing, this has been found to significantly reduce hit volumes being provided to operational teams through the grouping of cases.

FIs are starting to use advanced entity resolution techniques to create a ‘single view of watchlist’ – vastly reducing the number of names they need to screen against and helping to minimize false positives.
Aaron Elliott-Gross
AML Solutions Lead at Quantexa
2. List enrichment, linkages and optimization

Screening only against names appearing on public sanctions lists may not necessarily identify all sanctions risk within an FI’s customer base. There is increasing expectation to identify high-risk networks within an FI’s customer base and, when a customer’s activity may have sanctions exposure (no matter how obscure or complex), to think two or three steps removed. Utilizing additional, targeted and enriched data sources enables the building of networks for an FI’s customer base and uncovers broader risk exposure that may not be apparent from basic list screening. Despite more list entries contributing to more alerts for review, advances in cloud computing for intensive matching, and the application of secondary analytics layers to assist in alert dispositioning, mean that FIs no longer have to choose between the constant compromise of coverage versus efficiency.

3. List reconciliation

‘Third-party or source regulatory list?’ is a common question that has been asked since the inception of customer and transaction screening. Whilst most FIs have migrated to using third-party vendor lists due to efficiency gains and their data enrichment capabilities, there is a large degree of reliance placed upon the third party for a key element of the control framework. This is particularly pertinent as vendors rarely guarantee that their lists will accurately represent source content or that updates to source will be reflected automatically – can FIs afford the risk of onboarding, or providing economic benefit, to a party that appeared on a sanctions watch list that same day?

An increasingly common trend in combatting this problem is to implement automated daily reconciliation checks against in-scope source watch lists, to identify and rectify gaps that may be present in an FI’s third-party list. This process has been made possible through the increasing use of application programming interfaces (APIs) to retrieve the external data required to perform quality and completeness checks.

Third-party list vendors generally do a fantastic job, getting very high levels of accuracy, but mistakes can be made, and these are often associated with poor data quality from the original list. Generally, list vendors perpetuate data quality issues rather than fix them, in the well-founded belief that their clients want what the original list provider put literally – mistakes and all. However, to properly address risk should we be more interested in what the regulator meant to say, rather than what they did say?
Jeremy Round
Managing Director, SQA Consulting
4. Robust internal list management controls

Internal lists are used industry-wide to identify individuals outside of risk appetite and manage alert volumes for regular false matches. The ongoing management of these internal lists, however, has proven to be problematic. There are ever-increasing list additions, often with a lack of rationale as to why the entry was added, how or when it can be removed, or how it should be actioned if a true match is identified.

The use of technology, whether it be a designated case management system or a workflow tool, is a key element in ensuring better practice for ongoing list management. Moving away from email approvals and countless unmanaged spreadsheets throughout the firm is key to achieving effective internal list management. A centralized, single source of internal lists, with enforced capturing of rationale, approval processes and regular reviews to ensure list currency, will ensure a healthier, auditable function.

Rohan Basu, Senior Manager, Financial Intelligence Unit at TSB Bank, clarifies the historical challenge of internal list management and how technology can treat the problem.

Historically, organizations have used their internal lists (particularly blacklists) to add on any suspicions or customers they want to track without applying a level of rigor or oversight. It has often involved non-sanctions or even non-Financial Crime staff adding list entries for a variety of reasons that are not documented or controlled. Technology can be a simple way to resolve a future manual tick-back exercise or a lapse in governance by building tools and controls with a centralized workflow, approval process and automated audit trail.

5. A defined policy, standard and screening risk appetite

Third-party list providers are often comprehensive in the breadth of their offerings; however, they provide little guidance on what specific watch lists FIs should screen against. Ultimately, the decision is a choice only the FI can make, usually influenced by its geographical exposure, countries they interact with and customer demographic.

Effective list management is dependent on an enforced policy. A clearly defined global sanctions policy should determine which lists are screened against at a minimum across the group, with local addenda providing additional requirements on a case-by-case basis. This allows not only effective documentation of screening risk appetite but also the rationalization of lists that fall out of scope, thereby ensuring the generation of relevant alerts.

6. PEP and relative or close associate definition and list rationalization

The rationalization of lists is as relevant for PEPs as it is for sanctions. A clear internal definition of a PEP and what constitutes a relevant relative or close associate (RCA) is crucial in managing alert volumes by removing list entries that fall outside of this scope.

There are multiple ways of tackling this task – from the broad stroke removal of whole sub-categories of PEP from the list being consumed to using advanced technologies such as natural language processing (NLP) to identify and categorize key words within the records information. NLP presents a unique opportunity to extract maximum insight from free text fields in lists – information often ignored by many screening engines. This unstructured data often provides context to a PEP’s status and identity, including approximate age, role history and description of connections to other named entities, strengthening any judgement on whether a given entity falls inside or out of risk appetite.

Jeremy Round, Managing Director, SQA Consulting, provides further insight into how the EU’s Fifth Money Laundering Directive may further affect this issue.

The EU’s Fifth Money Laundering Directive will require all EU governments to define which roles qualify as PEP status. It will be very interesting to see what disparity is created across the EU as each government independently identifies those roles.
Jeremy Round
Managing Director, SQA Consulting
7. Governance, committees and defined roles and responsibilities

Much of this article has focused on the application of technology to better manage lists; however, underpinning every aspect should be the application of a strong governance model. Without it, none of the above is possible. From the implementation of regular list management forums on both a global and local level, where key regulatory changes, entry updates and associated impact assessments are discussed, through to clearly defined roles and responsibilities for the daily tasks involved, overarching governance is key to a well-oiled machine.

Clearly the application of technology has a key role to play in establishing effective list management control; this article considers entity analytics, network analytics, APIs, cloud computing, machine learning, and NLP techniques. EY List Management Maturity Matrix considers the foundational platforms and appropriate sequence of application of these technologies.

Summary

At first glance, list management for screening appears to be a simple task. However, the level of risk associated with ‘getting it wrong’ makes it worth an FI’s investment in time and thought. There is no ‘one size fits all’ approach for effective list management. However, the seven steps outlined in this article should provide some guidance on how to optimize your current processes and enhance your existing control framework.

About this article

By Patrick Craig

EY EMEIA Financial Crime Technology Lead

Helping banks get the most out of their financial crime risk management programs. Experienced with compliance and AML technologies.