Are you responsible for completing audit requests? Are you or your team gathering the data requested by Compliance Auditors or Examiners? After two decades of preparing data for audits, exams, and compliance reports, I have learned a lot along the way.

As I rose through the ranks and was able to hire and manage others, I realized they too were making the same mistakes I had made, even my experienced hires. To reduce the learning curve, I created a checklist they could use prior to delivering audit deliverables. This not only helped them raise the bar of performance, it also built their credibility. People knew they could trust the deliverables of my team, and in Compliance that means a lot. In fact, it made my team the go-to team when anything important was needed. This was great visibility for the team.

Things to Remember Before Submitting:

1. COMPREHENSION – Verify request details – Read the request multiple times, before and after gathering the data, to ensure accuracy.

2. COMPLETENESS – Validate with other sources – Check your data before handing it off: search for nulls, blanks, gibberish, truncation, test records, duplicates, and encoding issues. Validate.

3. ACCURACY – Check for nulls, blanks, truncation – Run summary stats on columns, find fields with fewer or more characters than the average character count, and review them to understand the differences.

4. INTEGRITY – Join all data sets and validate – If multiple data sets sharing a primary key will be provided, join them and verify the data’s accuracy and completeness (e.g., spurious tuples, missing or orphaned records). Validate and repair the query.

5. CONTINUITY – Compare prior year deliverables – Review deliverables from the prior year and compare them to identify, understand, and validate differences.

6. BE PREEMPTIVE – Review data through their eyes – What do you think your auditors are looking for? Search for it, and see what you find.

7. TRANSPARENCY – Disclose failures upfront – Summarize exposure, mitigants, net risk, and next steps. (And never assume you’re smarter than your auditor. This will set you up for failure.)

8. PARTNERSHIP – Work with Audit to reduce risk – Audit can be your greatest partner as well as your biggest supporter. Help them understand your program and its underlying rationale so they can help you remove your blinders, which ultimately leads to successful exams.

Please add your tips, advice, and stories in the comments. I am sure we all have stories of those moments when we realized a file was truncated, there were encoding issues, or someone provided “Mickey Mouse” test records in the batch.

Hope you enjoyed this and find it helpful!
Have a great weekend!!

#compliance #audit #moneylaundering #sanctions #testing #dataengineer #dataanalyst #ofac #fincen #bsa #aml #antimoneylaundering #tipsandtricks #cryptocompliance #PreventinganOhShitMoment #banksecrecy #crypto #banking #payments #regulatoryexams


Coming to a bookstore near you: “Screen This, Avoid That”. This book is dedicated to helping you quickly learn and understand what to include in sanctions screening and why those fields should be included. Aside from providing a list of fields to consider for your sanctions screening program, the book also cites the major OFAC enforcement actions that stemmed from screening program failures. Altogether, you can learn what to screen, why to screen, and the mistakes of others to avoid. Become a global sanctions screening expert!!

Available soon, will keep you posted !

~Crystal 


Bowtie Risk Analysis 

The Bowtie Risk Analysis is a powerful tool in Compliance. It helps you see your risks, controls, consequences, as well as identify gaps.

Early on in my Sanctions Compliance career, years ago, I came across an example of a bowtie used by car manufacturers to model the various causal threats and consequences linked to safety feature failures. It was at that moment I saw the potential for this tool and created my own version related to sanctions.

While going through some files from years ago, I found my Sanctions Compliance focused bowtie. My bowtie was focused on understanding the causal threats and consequences relating to Sanctions Screening failures for global financial institutions.

I look forward to updating its contents to address risks we see today, such as Synthetic Identity, IP Blocking, Crypto/Blockchain: Risks (Anonymity, Mixers, L2 Protocols preventing Travel Rule compliance, MultiSigs, Mining location, etc).

In the meantime, it would be a shame to keep this tucked away in a drive somewhere. So, I thought I would share it with my network, as it may inspire you to build a similar analysis for yourself. Enjoy! I placed a link to the PDF and PPT below.

The history of OFAC’s foray into IP addresses, dialing prefixes, and email addresses…

The video above is a high-level one-minute summary. The article below is in depth!

Did you know OFAC’s 2019 settlement with Standard Chartered Bank (SCB) referenced the word “fax” 21 times? It also mentioned email addresses, IP addresses, and logins from sanctioned countries.

The web announcement did not include these details; however, the lengthy Settlement Agreement did cover them in detail. (For those who have recently started following settlements: OFAC used to provide two documents, a high-level summary via a web post and a settlement agreement providing more detail. Nowadays they have combined these into one document per announcement.) I will include all relevant links at the bottom of the article. Now back to the history of OFAC’s first settlement touching on these topics.

Payment Instructions Faxed from Iranian Fax Numbers

The settlement agreement has multiple pages dedicated to “faxed” instructions, where customers would fax in their payment instructions. These faxes were sent from Iranian phone numbers, putting the bank in the position of carrying out payment instructions benefiting persons and/or companies located in comprehensively sanctioned countries.

In its remedial efforts, SCB searched all received faxes for Iranian dialing codes (“98, +98, or +0098”) “and identified 11,809 faxed payment instructions”. It also took preventive measures against this happening in the future; however, no details were provided about those measures.

Why is this Important?

Does your company allow users to transmit payment instructions or RFI responses via email, fax, or phone? If so, does your Sanctions Program have controls in place to prevent users located in comprehensively sanctioned countries and/or jurisdictions from using those communication mediums?

Customers/users may provide telephone, cell, and fax numbers during account opening, KYC/CDD/EDD, identity validation, etc. This information is hopefully captured in your institution’s CRM and/or KYC system. Potential considerations:

  • Work with your engineering partners to create rules that prevent adding numbers with a dialing code from a sanctioned country/jurisdiction,
  • Work with your engineering partners to create rules that identify customers/users with a documented telephone number, cell phone number, or fax number whose dialing code points to a sanctioned country/jurisdiction,
  • The rule searching for these phone numbers should trigger a manually created case in your case management tool for review by an experienced analyst.
  • If your institution can receive faxed instructions from clients, consider scouring your fax history as SCB did (i.e., understand and verify your institution’s exposure; exposure may be higher in countries physically closer to a sanctioned country or jurisdiction).
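To make the dialing-code rule concrete, here is an added example that is not from the article or from SCB’s remediation. It normalizes the phone-number formats a CRM typically holds, strips international exit prefixes (the “98, +98, or +0098” forms cited above), and raises a case per flagged field. The dialing-code table, the sample records and the two confidence levels are assumptions; the bare-prefix form is deliberately routed to an analyst rather than auto-blocked, because a domestic number can begin with the same digits.

```python
import re

# Illustrative dialing codes for the four comprehensively sanctioned jurisdictions whose
# country-code TLDs the article names (.CU, .IR, .KP, .SY). Maintain this table from your
# program's own jurisdiction list, not from this example.
SANCTIONED_DIALING_CODES = {"53": "CU", "98": "IR", "850": "KP", "963": "SY"}


def normalize_phone(raw):
    """Keep only digits plus a leading '+', e.g. '+98 (21) 555-1234' -> '+98215551234'."""
    raw = raw.strip()
    return ("+" if raw.startswith("+") else "") + re.sub(r"\D", "", raw)


def dialing_code_hit(raw):
    """Return (jurisdiction, confidence) when the dialing code is on the table, else None.

    'high'   : written in an explicit international form (+98..., 0098..., +0098..., 01198...)
    'review' : bare digits that merely begin with a listed code; could be a domestic number,
               so it goes to an analyst rather than being auto-blocked.
    """
    num = normalize_phone(raw)
    explicit = False
    if num.startswith("+"):
        num, explicit = num[1:], True
    for exit_prefix in ("011", "00"):          # US and ITU international exit prefixes
        if num.startswith(exit_prefix):
            num, explicit = num[len(exit_prefix):], True
            break
    # Longest code first so that '850' is never read as a shorter code.
    for code in sorted(SANCTIONED_DIALING_CODES, key=len, reverse=True):
        if num.startswith(code):
            return SANCTIONED_DIALING_CODES[code], ("high" if explicit else "review")
    return None


def screen_contact_numbers(records):
    """Run the rule over CRM/KYC records and emit one case per flagged number."""
    cases = []
    for rec in records:
        for field in ("telephone", "mobile", "fax"):
            value = rec.get(field)
            if not value:
                continue
            hit = dialing_code_hit(value)
            if hit:
                cases.append({"customer_id": rec["customer_id"], "field": field,
                              "number": value, "jurisdiction": hit[0], "confidence": hit[1]})
    return cases


# Constructed sample records; every number is made up.
SAMPLE_RECORDS = [
    {"customer_id": "C001", "telephone": "+1 212 555 0100", "fax": "(212) 555-0199"},
    {"customer_id": "C002", "telephone": "+98 21 555 1234", "fax": "0098-21-555-1235"},
    {"customer_id": "C003", "mobile": "+1 850 555 0100"},      # US area code 850, not +850
    {"customer_id": "C004", "fax": "+0098 21 555 1236"},        # form cited in the SCB agreement
    {"customer_id": "C005", "telephone": "98 21 555 1237"},     # bare prefix: analyst review
    {"customer_id": "C006", "mobile": "+963 11 555 1238"},
]

if __name__ == "__main__":
    for case in screen_contact_numbers(SAMPLE_RECORDS):
        print(case)
```

The C003 record is the check worth keeping in any test set: a rule that matches on raw digits without honouring the "+" and exit prefixes would flag a US number whose area code happens to be 850.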

“IP Address” makes its OFAC Debut

“IP Address” makes its OFAC debut in the SCB settlement and is mentioned 4 times. The settlement states: “SCB did not implement any controls to restrict access from jurisdictions subject to comprehensive sanctions until April 2013…”. Although SCB did this for one of its product portals, it failed to apply the control enterprise-wide and therefore applied it to a second product portal a year later.

Why is this important? Because it reminds us that most global FIs, MSBs, FinTechs, payment processors, etc. have various products, platforms, domains, and login sites. And, through mergers and acquisitions, they may have acquired legacy products with separate login screens, domains, platforms, etc. OFAC pointing out that SCB implemented IP address controls for one product in 2013 and another in 2014 reminds us that, when working with your engineering, network admin, and security resources, it is important to:

  • have an inventory of all access points where customers/users can log in,
  • each of those should be updated uniformly to prevent logins from comprehensively sanctioned countries and/or jurisdictions,
  • your institution’s annual audit scope should include sanctions penetration testing to verify whether it is possible to log on to any of your company’s sites with an IP address from a comprehensively sanctioned country and/or jurisdiction.
  • You may also consider asking your technical and security resources whether, in the case of Disaster Recovery or Backup Contingency activation, those IP address controls are applied. Depending on your institution’s DRP and BCP design, those IP controls may or may not be applied as expected. Again, it’s worth testing.

“Email Address” makes its OFAC Debut

SCB was the first to get dinged (officially via an SL) for many themes that most banks had not even considered until the release of their settlement agreement. For those institutions with tech savvy sanctions compliance officers, the writing was on the wall. Their lessons learned should not be lost upon us.

and also listed an email address which contained the name of the Iranian Person and the petrochemical company group. 

Now, the above may seem innocuous; however, when you consider its potential implications, the impact is much greater. Additionally, OFAC settlements in recent years (e.g. SCB, BitGo, BitPay) refer to email addresses, and the 2020 Berkshire settlement refers to the contents of the email chains!

despite numerous warning signs over a period of several years regarding the company’s Iranian connections, including direct communications with the petrochemical company, the receipt of emails and faxes from Iranian companies and/or telephone numbers, and the rejection of transactions involving the petrochemical company by U.S. financial institutions. SCB’s failure to connect the information resulted in the bank continuing to process transactions involving the company for several years until blocking its account…

Why is this important? Because most sanctions programs out there do not screen email addresses, do not have email content rules relating to sanctioned countries/jurisdictions, do not have monitoring rules for email domains, and do not have monitoring rules for website domains. Potential considerations:

  • work with your technical resources to query the email addresses maintained by your institution (for customers, users, contracts, vendors, etc.) and search for addresses matching those on the OFAC list.
  • work with your technical resources to query the “top-level domain” of email addresses (the country-code domain) maintained by your institution (for customers, users, employees, contracts, vendors, etc.) and search for email addresses ending in “.CU”, “.IR”, “.KP”, or “.SY”. Here is a website that provides a list of Internet country codes (top-level domains): https://www.worldstandards.eu/other/tlds/
  • work with your technical resources to query the “top-level domain” of website addresses (the country-code domain) maintained by your institution (for customers, users, employees, contracts, vendors, etc.) and search for website addresses ending in “.CU”, “.IR”, “.KP”, or “.SY”. The same list of Internet country codes applies: https://www.worldstandards.eu/other/tlds/
  • Consider creating rules to monitor these and manually create and escalate compliance reviews to your seasoned compliance analysts via your case management tool.
  • In addition to having rules for Internet country codes, consider screening email addresses and website addresses against those maintained by OFAC on its SDN list.
  • your institution’s annual audit scope could include sanctions penetration testing aimed at verifying which products allow users to update their details with an email or website address located in a sanctioned country.
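The country-code and SDN-address checks above, as an added example (my code, not the article’s or any vendor’s). It extracts the domain from an email address and the host from a website URL (with or without a scheme or port), looks at the last label only, so example.ir.com is correctly not flagged, and separately matches against placeholder SDN email and domain sets. The placeholder list entries and the sample records are constructed, not SDN data.

```python
from urllib.parse import urlsplit

# Country-code TLDs of the four comprehensively sanctioned jurisdictions named in the article.
SANCTIONED_CCTLDS = {"cu": "Cuba", "ir": "Iran", "kp": "North Korea", "sy": "Syria"}

# Stand-ins for the email addresses and domains you would extract from the SDN list;
# these are constructed placeholders, not list entries.
SDN_EMAILS = {"listed-person@example.invalid"}
SDN_DOMAINS = {"listed-company.example.invalid"}


def tld_of(host):
    """Last DNS label of a host, lower-cased; None if the value has no dot at all."""
    host = host.strip().lower().rstrip(".").split(":")[0]
    if "." not in host:
        return None
    return host.rsplit(".", 1)[1]


def email_domain(email):
    """Domain part of an address, or None if there is no '@'."""
    email = email.strip().lower()
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1]


def host_of_url(url):
    """Host name of a URL; tolerates a missing scheme ('www.example.ir/path') and drops ports."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname


def screen_addresses(records):
    """Apply the ccTLD rule and the SDN match to each record's email and website."""
    hits = []
    for rec in records:
        cid = rec["customer_id"]
        email = (rec.get("email") or "").strip().lower()
        if email:
            if email in SDN_EMAILS:
                hits.append((cid, "email", email, "matches SDN email"))
            tld = tld_of(email_domain(email) or "")
            if tld in SANCTIONED_CCTLDS:
                hits.append((cid, "email", email, f"ccTLD .{tld} ({SANCTIONED_CCTLDS[tld]})"))
        host = host_of_url(rec["website"]) if rec.get("website") else None
        if host:
            if host in SDN_DOMAINS:
                hits.append((cid, "website", host, "matches SDN domain"))
            tld = tld_of(host)
            if tld in SANCTIONED_CCTLDS:
                hits.append((cid, "website", host, f"ccTLD .{tld} ({SANCTIONED_CCTLDS[tld]})"))
    return hits


# Constructed sample records.
SAMPLE_RECORDS = [
    {"customer_id": "V001", "email": "ops@example.com", "website": "https://www.example.com"},
    {"customer_id": "V002", "email": "Trade@Mail.Example.IR", "website": "example.co.uk"},
    {"customer_id": "V003", "email": "info@example.ir.com"},          # ends in .com: no hit
    {"customer_id": "V004", "website": "shop.example.sy/catalog"},
    {"customer_id": "V005", "email": "listed-person@example.invalid",
     "website": "https://listed-company.example.invalid:8443/"},
]

if __name__ == "__main__":
    for hit in screen_addresses(SAMPLE_RECORDS):
        print(hit)
```

Run this as a monitoring rule rather than a one-off query: the point of the SCB lesson is that the value can be edited after onboarding, so the check belongs on every profile update as well as on the initial data pull.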

What the SCB Settlement Agreement Taught Us

  1. Do not process payment instructions from SDNs or from customers/users located in, travelling through, or resident in a sanctioned location.
  2. Do not process customer/user requests from emails, fax numbers, phone calls, or online logins stemming from sanctioned locations.
  3. Have controls in place to identify, flag, and prevent customers from being able to connect or transmit instructions from sanctioned locations.
  4. Augment your sanctions program to include rules and/or screening that monitor Internet country codes, as well as email/web addresses provided by OFAC on its SDN list.

If you found this helpful, please Like and Share on Linkedin!!  

Noe Compliance is available to help you. Call Us Today! 

Related Links:

SCB Settlement links:

  • https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20190409
  • https://home.treasury.gov/system/files/126/20190408_scb_webpost.pdf
  • https://home.treasury.gov/system/files/126/scb_settlement.pdf
  • https://home.treasury.gov/policy-issues/financial-sanctions/civil-penalties-and-enforcement-information

Internet Country Code links:

  • https://www.worldstandards.eu/other/tlds/
  • https://en.wikipedia.org/wiki/.ir

Links to other OFAC settlements that touch on Monitoring Emails:

  • https://home.treasury.gov/system/files/126/20201230_bitgo.pdf
  • https://home.treasury.gov/system/files/126/20210218_bp.pdf
  • https://home.treasury.gov/system/files/126/20201020_berkshire.pdf

Link to US Treasury page for OFAC civil penalties enforcements:

  • https://home.treasury.gov/policy-issues/financial-sanctions/civil-penalties-and-enforcement-information

What happens when your Sanctions Screening Filter Times-Out? How does a screening time-out affect the on-boarding process for new customers? How does the time-out affect existing customers? Below I cover OFAC guidance, Industry Norms, & Best Practices.

 

Has OFAC provided guidance on this in the past? Has OFAC mentioned screening “time outs” in any of its Settlement Letters? Yes! 

OFAC FAQ #43 does provide applicable guidance. In 2020, OFAC also touched on the subject of screening time-outs in its settlement with American Express Travel Related Services (Amex). Link to the Amex SL: https://home.treasury.gov/system/files/126/20200430_amex.pdf

OFAC FAQ #43 asks (summarized): Must you screen a new customer immediately upon account opening or can you wait 24 hours?

OFAC FAQ #43 states (summarized):

  • “There is no legal or regulatory requirement to use software or to scan.” 
  • “There is a requirement, however, not to violate the law by doing business with a target or failing to block property.”
  • “The important thing is not to conclude transactions before the analysis is completed.”

Thus, you must have reviewed the new customer/user for sanctions risk and compliance purposes prior to concluding transactions on their behalf.

For those meeting these requirements with a screening tool, the screening and any subsequent alerts (i.e. potential matches) must be reviewed and concluded prior to concluding transactions on their behalf. 

But, what if your filter “times out” during the customer/user approval process? 

In the 2020 OFAC Settlement with American Express Travel Related Services (Amex), OFAC determined the following to be 1 of 3 Aggravating Factors:

  • “Amex’s automatic approval of applications in instances where the risk engine led to a system timeout was a critical shortcoming of its compliance program.”

In the Mitigating Factors of this SL, OFAC included:

  • “OFAC has no information to indicate that Amex knew it maintained a card for an SDN, or that its system could be overridden.”
  • “Amex remediated, making it less likely similar violations will recur.”

LESSONS LEARNED:

  • Users should not be able to override the sanctions system or trigger a time-out.
  • A system time-out should not lead to the automatic approval of a new user/customer account, enabling their account activity.
  • Filter testing should include scenarios aimed at generating an unexpected time-out, to identify risks and address them accordingly.

What If Screening Times Out While Processing Transactions for Existing Approved Customers?

Although this specific topic has not yet been covered in OFAC’s settlement letters, below I will share the common industry practices I have seen throughout my career and the controls applied to support those practices.

Among other factors, given the ramifications of pausing all payments (for existing approved customers/users) in response to an unexpected time-out (e.g. during a natural disaster, vendor time-out, outage of some sort, etc.), it is not uncommon for companies to process in-flight payments for these approved/vetted customers during these time-outs to prevent financial harm to their clients and ensure their user agreement / service levels are met. Once the outage has passed and the system is up and running again, retroactive screening is performed for those processed transactions. 

If your program approaches in-flight transactions (for approved customers/users) similarly during time-outs, consider the below controls:

  • Have that decision documented and rationalized within your program documentation and/or risk appetite statement. Ensure the decision has been circulated to and approved by all relevant and responsible parties.
  • Ensure there are sufficient monitoring controls, in line with your risk, to detect screening time-outs.
  • Ensure there are sufficient governance protocols in place aimed at ensuring those controls are working as expected.
  • If using a hosted screening solution, know your vendor’s contractual responsibilities, such as: “up-time”, transparency around time-out communications to clients, service level agreements with respect to response/repair time, and how retroactive screening is handled.
  • Have an Issue Management Resolution program to document such time-outs, their Root Cause Analyses (RCA), and subsequent repairs (short-term tactical as well as long-term systemic repairs). The RCA, tactical stop gap, and long-term systemic repair are all requirements of OFAC’s Framework for Compliance Commitments. Link: https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf
  • Lastly, if sanctioned activity occurred during a time-out, freeze/block the customer’s account(s) as needed, complete the RCA, quickly take remedial action(s), and perform a Voluntary Self-Disclosure. Each of these steps has been considered favorably in past OFAC settlements.
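Putting the Amex lesson and the in-flight controls above together, here is an added example of fail-closed time-out handling; it is my code, not Amex’s system or any vendor’s API. A hard deadline is enforced on every vendor call; onboarding converts a time-out into PENDING_REVIEW rather than an approval, while an in-flight payment for an already-approved customer is released only under the assumed documented policy, with the time-out logged for monitoring/RCA and the payment queued for retroactive screening once the filter recovers. The fake vendor, its watchlist name and the deadlines are constructed.

```python
import concurrent.futures as cf
import time
from dataclasses import dataclass, field


@dataclass
class Decision:
    outcome: str      # APPROVED | PENDING_REVIEW | PROCESSED | HELD
    reason: str


@dataclass
class TimeoutLedger:
    """Issue-management record: every time-out is logged for monitoring and RCA, and
    payments released during an outage are queued for retroactive screening."""
    events: list = field(default_factory=list)
    retro_queue: list = field(default_factory=list)


class FakeVendor:
    """Stand-in for a hosted screening API. outage=True makes every call overrun the deadline."""
    WATCHLIST = {"LISTED ENTITY LTD"}     # constructed name, not a list entry

    def __init__(self):
        self.outage = False

    def lookup(self, name):
        if self.outage:
            time.sleep(0.3)
        return [name.upper()] if name.upper() in self.WATCHLIST else []


class ScreeningService:
    """Enforces a deadline on the vendor call so a hung filter surfaces as a time-out
    instead of stalling silently or being skipped."""

    def __init__(self, vendor_call, deadline_s):
        self.vendor_call = vendor_call
        self.deadline_s = deadline_s
        self.pool = cf.ThreadPoolExecutor(max_workers=4)

    def screen(self, name):
        return self.pool.submit(self.vendor_call, name).result(timeout=self.deadline_s)


def onboard_applicant(svc, ledger, applicant):
    """Onboarding fails closed: a time-out can never become an approval (the Amex lesson)."""
    try:
        hits = svc.screen(applicant["name"])
    except cf.TimeoutError:
        ledger.events.append({"stage": "onboarding", "subject": applicant["id"]})
        return Decision("PENDING_REVIEW", "screening timed out; held for analyst, not auto-approved")
    if hits:
        return Decision("PENDING_REVIEW", f"potential match: {hits}")
    return Decision("APPROVED", "screened clear")


def process_inflight_payment(svc, ledger, payment):
    """Payment for an already-approved customer. Releasing it during an outage is the
    documented policy assumed here; the release is logged and queued for retro-screening."""
    try:
        hits = svc.screen(payment["beneficiary"])
    except cf.TimeoutError:
        ledger.events.append({"stage": "in-flight", "subject": payment["id"]})
        ledger.retro_queue.append(payment)
        return Decision("PROCESSED", "screening timed out; released per policy, queued for retroactive screening")
    if hits:
        return Decision("HELD", f"potential match: {hits}")
    return Decision("PROCESSED", "screened clear")


def retroactive_screen(svc, ledger):
    """Drain the queue once the filter is back. A hit here means block/freeze, RCA and
    voluntary self-disclosure; a further time-out propagates because the outage is not over."""
    results = []
    while ledger.retro_queue:
        payment = ledger.retro_queue.pop(0)
        hits = svc.screen(payment["beneficiary"])
        results.append((payment["id"], "ESCALATE" if hits else "CLEAR"))
    return results


def demo():
    """Walk one outage: onboarding held, payment released and queued, then retro-screened."""
    vendor = FakeVendor()
    svc = ScreeningService(vendor.lookup, deadline_s=0.05)
    ledger = TimeoutLedger()
    vendor.outage = True
    d1 = onboard_applicant(svc, ledger, {"id": "A1", "name": "New Applicant"})
    d2 = process_inflight_payment(svc, ledger, {"id": "P1", "beneficiary": "Listed Entity Ltd"})
    vendor.outage = False
    retro = retroactive_screen(svc, ledger)
    svc.pool.shutdown(wait=True)
    return d1, d2, retro, len(ledger.events)


if __name__ == "__main__":
    print(demo())
```

The ledger is the piece that makes the "release and retro-screen" policy defensible: without the event log there is nothing to feed the monitoring control or the RCA, and without the queue there is no guarantee the released payment is ever looked at again.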

If you found this helpful, please Like and Share on LinkedIn!!  

Noe Compliance is available to:

  • review sanctions filters, sanctions controls, and geo-fencing / geo-blocking controls,
  • lead efforts to identify, implement, and/or enhance your screening tools, &
  • design and execute your regulatory remediation plan. 

Call Us Today! 1-202-417-7978

Published by

Crystal Noe, M.S.

Sanctions Validation, Remediation, & Training Consultant | Specializing in Sanctions Filters, Tech, & Training for Sanctions Screening Managers, Engineers, Data Scientists, Analysts, & Vendors | Ex-Citi | Ex-Facebook
What happens if your sanctions screening filter suffers an unexpected time-out? An OFAC settlement touches on this very topic. How well do you know your screening program? What happens if the time-out occurs during your nightly batch screening of new customers? What happens if the time-out occurs during your business day, while processing in-flight transactions for existing/approved customers? Below, I have provided a summary of the OFAC settlement, industry norms, and best practices. Link to settlement: 

https://lnkd.in/e2Gkv6MK

As you define your 2022 goals and testing (e.g. audit scope, DRP/BCP testing, etc.) and/or update program documentation, consider expanding your scope / testing / documentation updates to include time-out error handling for the various steps of your customer’s life cycle (i.e. onboarding, active customer, dormant customer, etc). Hope you enjoyed the video! I am trying different styles to gauge my audiences’ preferences. Let me know! Pls like and follow!!

 

Are Russia Sanctions Effective at stopping Russia? Sanctions are only as good as the controls that are designed to implement them. For many of us wanting to make a difference and wanting to know that our efforts are making a difference in the #UkraineCrisis, below is a quick tire-kicking list for your Sanctions program.

#REMEMBER most engineers do not understand Sanctions Regulations, most sanctions officers do not have a systems or data background, and at times both of these groups can fail to have a deep understanding of the business they support, its data, or processes. It is nearly impossible to find people that have subject matter expertise on all three.

#CONNECTING #THE #DOTS That being the case, it’s important to ask yourself, your engineers, and your front line very rudimentary questions to identify and mitigate potential blind spots. These very basic discussions can lead to a world of growth, understanding, improved controls, and even increased efficiencies!!

#WANT #MORE #SANCTIONS #GUIDES:

– Like and Follow Crystal Noe, M.S.

– Like and Follow Noe Compliance

– Also, follow NoeCompliance on TikTok

More screening guides and videos are on their way!!

#Russia #Ukraine #Cybersecurity #MoneyLaundering #Sanctions #War #Belarus #cyberattcks #NLP #Crypto #UkraineCrisis #citi #mufg #jpmorgan #meta #circle #coinbase #bitcoin U.S. Department of the Treasury #OFAC

RUSSIA SANCTIONS – MINISTRY OF FINANCE OF THE RUSSIAN FEDERATION – NAME SCREENING TESTING GUIDE
Russia Sanctions Testing Guide #4
Does your filter detect variations of “MINISTRY OF FINANCE OF THE RUSSIAN FEDERATION”? OFAC’s does, with scores ranging from 96 to 100. Test your filter and verify!

Yesterday, additional names were added to the U.S. Department of the Treasury OFAC list. In reviewing the OFAC entry for “MINISTRY OF FINANCE OF THE RUSSIAN FEDERATION”, I noticed that no AKAs were provided (strong or weak).

Given the length of the entity’s name, its known online names (aliases), the likelihood of its long name being abbreviated, and the fact that zero weak AKAs were provided, non-detection of its abbreviated or simplified name variations becomes a gray area for sophisticated institutions bearing greater responsibilities, as seen in recent OFAC settlements.

HOW TO USE THE GUIDE: Search for the name variations found online, their abbreviated forms, and some that come to mind:

  • “Ministry of Finance for the Russian Federation”
  • “Russian Ministry of Finance”
  • “Finance Ministry of Russia”
  • “Ministry of Finance RU”
  • “MINFIN”
  • “MOFOTRF”


NON-DETECTION REMEDIATION: If your filter does not generate a match for a variation you believe merits detection, contact your screening vendor to augment detection. If your vendor is unable to do anything in the short term, add the missed name variation(s) to your in-house screening list as a stop gap. (Always test to understand the impacts of augmenting your list.)

REMEMBER, FILTERS AREN’T LIKE HUMANS: Screening filters are not intuitive; they don’t “see” what you and I “see”, and they don’t have common sense.

WANT MORE SANCTIONS GUIDES: Like and Follow.

If you would like Noe Compliance to review your filters, please contact us.

DISCLAIMER: These test scenarios don’t focus on typos; testing should always consider fat-finger errors, transliteration, translation, abbreviations, and/or typos.

 

RUSSIA SANCTIONS – NATIONAL WEALTH FUND OF THE RUSSIAN FEDERATION – NAME SCREENING TESTING GUIDE
Russia Sanctions Testing Guide #3
Does your filter detect variations of “NATIONAL WEALTH FUND OF THE RUSSIAN FEDERATION”? OFAC’s does. Test your filter and verify!

Yesterday, additional names were added to the OFAC list. In reviewing the U.S. Department of the Treasury OFAC entry for “NATIONAL WEALTH FUND OF THE RUSSIAN FEDERATION”, I noticed that no AKAs were provided (strong or weak).

Given the length of the entity’s name, its known online names (aliases), the likelihood of its long name being abbreviated, and the fact that zero weak AKAs were provided, non-detection of its abbreviated or simplified name variations becomes a gray area for sophisticated institutions bearing greater responsibilities, as seen in recent OFAC settlements.

HOW TO USE THE GUIDE: Search for the name variations found online as well as their abbreviated forms:

  • “National Welfare Fund of the Russian Federation”
  • “Russia National Wealth Fund”
  • “National Welfare Fund”
  • “National Wealth Fund”
  • “NWF”


NON-DETECTION REMEDIATION: If your filter does not generate a match for a variation you believe merits detection, contact your screening vendor to augment detection. If your vendor is unable to do anything in the short term, add the missed name variation(s) to your in-house screening list as a stop gap. (Always test to understand the impacts of augmenting your list.)

REMEMBER, FILTERS AREN’T LIKE HUMANS: Screening filters are not intuitive; they don’t “see” what you and I “see”, and they don’t have common sense.

WANT MORE SANCTIONS GUIDES: Like and Follow.

If you would like Noe Compliance to review your filters, please contact us.

DISCLAIMER: These test scenarios don’t focus on typos; testing should always consider fat-finger errors, transliteration, translation, abbreviations, and/or typos.

 

RUSSIA SANCTIONS – BANK ROSSI – NAME SCREENING TESTING GUIDE
Does your filter detect “Bank Rossi”? OFAC’s does.
Test your filter and verify!

Yesterday, additional names were added to the OFAC list. In reviewing the U.S. Department of the Treasury OFAC list entry for the “CENTRAL BANK OF THE RUSSIAN FEDERATION”, I noticed that the AKAs contained “BANK ROSSI, FEDERAL STATE BUDGETARY INSTITUTION”, but did not include an AKA with just “BANK ROSSI”. As your teams work to implement the latest OFAC list updates, please verify that the variations you would typically see are also stopped by your screening filters.

HOW TO USE THE GUIDE:

Search for BANK ROSSI in your filter.

NON-DETECTION REMEDIATION: If your filter does not generate a match, contact your screening vendor to augment detection. If your vendor is unable to do anything in the short term, add the missed name variation(s) to your in-house screening list as a stop gap.

REMEMBER, FILTERS AREN’T LIKE HUMANS: Screening filters are not intuitive; they don’t “see” what you and I “see”, and they don’t have common sense.

WANT MORE SANCTIONS GUIDES: Like and Follow.

If you would like Noe Compliance to review your filters, please contact us.

DISCLAIMER: These test scenarios don’t focus on typos; testing should always consider fat-finger errors, transliteration, translation, abbreviations, and/or typos.

Russia Sanctions Screening Penetration Test Guide
Ensure your screening filter packs a punch!

Many of us feel helpless watching the #UkraineCrisis unfold.
But we can make a difference! We can make sure these sanctions stick it to them.

And we can do that by making sure that the names added by the U.S. Department of the Treasury #OFAC, and their variations, are stopped in our screening filters!!

#HOW #TO #USE #THE #GUIDE: Below is a screening penetration test guide aimed at assessing your filter’s day-to-day effectiveness. The guide was created using one name from the OFAC list. The entity’s names/AKAs contain PAO and/or PJSC, and it was selected because such names tend to lead to high non-detection rates (entities with non-Western prefix and suffix corporate identifiers tend to yield high non-detection during testing of most systems). The same test should be run for all sanctioned names/aliases containing the long or short form of OAO, OOO, ZAO, IP, and GP, as well as any non-Western, new, or non-traditional corporate identifier, as most name variations with these typically lead to non-detection.

#NON #DETECTION #REMEDIATION: For those test scenarios not generating a match, contact your screening vendor to augment detection. If your vendor is unable to do anything in the short term, add the missed name variations to your in-house screening list as a stop gap.

#REMEMBER #FILTERS #ARENT #HUMAN: Screening filters are not intuitive; they don’t “see” what you and I “see”. They typically read from left to right and assume that every known name variation has been included on your screening lists. Since we know filters aren’t intuitive and that OFAC lists are not exhaustive of all realistic name combinations, things go undetected.

#WANT #MORE #SANCTIONS #GUIDES:
– Like and Follow Crystal Noe, M.S.
– Like and Follow Noe Compliance
– Also, follow NoeCompliance on TikTok
More screening guides and videos are on their way!!

#DISCLAIMER: These test scenarios don’t focus on typos, but simply re-arrange the words in manners consistent with what I have seen in real life as the root cause of non-detection. For rigorous testing, the test should be run at least 3 more times to include typos in the name variations: 1) a typo in the first letter of a name, 2) a typo in the middle of a name, 3) a typo in the last letter of the name, 4) followed by any combination of those.

#Russia #Ukraine #Cybersecurity #MoneyLaundering #Sanctions #War #Belarus #cyberattcks #NLP #Crypto #UkraineCrisis

More about how this post came to be: While reviewing names on the OFAC list, I am reminded of the many non-detection scenarios I have seen in my career that are caused by corporate prefixes/suffixes such as PJSC, PAO, and PUBLICHNOE AKTSIONERNOE OBSHCHESTVO. Because screening filters typically read from left to right, they are not intuitive enough to know that PJSC ROSTELEKOM is the same as ROSTELEKOM PJSC. Most would not generate that match.

Now there are some cases where an institution or the vendor themselves has created logic for the system to ignore PJSC altogether in both the screened text and the list name, and can therefore create these matches. But, honestly, that is most often not the case.

To ensure that your system will detect such names, test these scenarios. For those scenarios not generating a match, ask your screening vendor how to create detection for these variations. If they are unable to do anything in the short term, add the names to a manual list.
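The left-to-right problem described above, and the ROSTELEKOM guide’s reordering scenarios, as an added example (not the guide itself, nor any vendor’s matching logic). generate_variations builds the no-typo test cases for one list entry (identifier moved front or back, swapped for an equivalent form, or dropped); naive_match shows why a plain comparison misses all of them, and normalized_match shows the identifier-stripping logic the author describes some vendors implementing. The identifier tables are illustrative and incomplete.

```python
import re

# Corporate identifiers seen on Russian entity names (illustrative, not exhaustive). The
# long forms are transliterations; extend the tables as you meet new ones.
CORP_IDS_LONG = (
    "PUBLICHNOE AKTSIONERNOE OBSHCHESTVO", "PUBLIC JOINT STOCK COMPANY",
    "OTKRYTOE AKTSIONERNOE OBSHCHESTVO", "OPEN JOINT STOCK COMPANY",
    "LIMITED LIABILITY COMPANY",
)
CORP_IDS_SHORT = {"PJSC", "PAO", "OJSC", "OAO", "OOO", "LLC", "ZAO", "CJSC", "JSC", "IP", "GP"}
# Forms that name the same corporate type; used to generate the test variations.
EQUIVALENTS = (
    ("PJSC", "PAO", "PUBLIC JOINT STOCK COMPANY", "PUBLICHNOE AKTSIONERNOE OBSHCHESTVO"),
    ("OAO", "OJSC", "OPEN JOINT STOCK COMPANY", "OTKRYTOE AKTSIONERNOE OBSHCHESTVO"),
    ("OOO", "LLC", "LIMITED LIABILITY COMPANY"),
)


def tokens(name):
    return re.sub(r"[^A-Z0-9 ]+", " ", name.upper()).split()


def core_tokens(name):
    """Name with corporate identifiers removed: the part the filter should actually match on."""
    text = " ".join(tokens(name))
    for long_form in CORP_IDS_LONG:
        text = re.sub(rf"\b{long_form}\b", " ", text)
    return [t for t in text.split() if t not in CORP_IDS_SHORT]


def naive_match(list_name, text):
    """Upper-cased, left-to-right comparison: what a filter with no identifier logic does."""
    return tokens(list_name) == tokens(text)


def normalized_match(list_name, text):
    """Compare on the identifier-stripped core, order-insensitively."""
    core = core_tokens(list_name)
    return bool(core) and sorted(core) == sorted(core_tokens(text))


def generate_variations(list_name):
    """Test cases for one list entry: identifier moved front/back, swapped for each
    equivalent form, or dropped altogether (no typos, per the post's disclaimer)."""
    toks = tokens(list_name)
    ident, core = None, toks
    if toks and toks[0] in CORP_IDS_SHORT:
        ident, core = toks[0], toks[1:]
    elif toks and toks[-1] in CORP_IDS_SHORT:
        ident, core = toks[-1], toks[:-1]
    core_text = " ".join(core)
    forms = next((g for g in EQUIVALENTS if ident in g), (ident,) if ident else ())
    variants = {core_text}
    for form in forms:
        variants.add(f"{form} {core_text}")
        variants.add(f"{core_text} {form}")
    variants.discard(" ".join(toks))                # the entry itself is not a variation
    return sorted(variants)


def run_guide(list_name, matcher):
    """Return (number of variations tested, the ones the matcher fails to detect)."""
    variations = generate_variations(list_name)
    return len(variations), [v for v in variations if not matcher(list_name, v)]


if __name__ == "__main__":
    entry = "PJSC ROSTELEKOM"      # the list entry the guide is built around
    for label, matcher in (("naive", naive_match), ("normalized", normalized_match)):
        total, missed = run_guide(entry, matcher)
        print(f"{label}: {len(missed)}/{total} variations missed -> {missed}")
```

Before adopting the normalized comparison in production, test the alert-volume impact as the guides advise: stripping identifiers shortens names, so a one-token core over-matches and should feed a fuzzy scorer with a higher threshold rather than an exact compare.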

Russia ROSTELEKOM Filter Penetration Testing Guide