There are many ways to run afoul of OFAC regulations, one being to engage with a blocked party. This risk can be mitigated by sanctions screening; failure to implement a robust screening program can result in a monetary settlement with the U.S. government, as was the case for Apple late last month.
There are numerous challenges in developing and maintaining effective and pragmatic sanctions screening. As a foundation, the screening must cover all the lists and sources of interest, and the content of those lists must be updated on a regular basis. It must also consider all counterparties with which you do business or into which you have visibility, which is one of the places where Apple fell short.
A more complicated consideration is how to deal with name matching. Screening providers use numerous matching mechanisms; some can be customized, while others cannot be optimized beyond a simple “% match” score. Apple’s screening failed to match names whose upper case and lower case letters differed between Apple’s system and the SDN list. Upper case versus lower case, symbols, abbreviations, similar or alternative spellings and common misspellings should all be considered in setting match parameters.
A further complication arises in translation: for entities in countries where the native language does not use Roman characters, the initial translation to English may not exactly match the English name the entity provides to its business partners. Further, some companies may have third-party data in languages other than English. Some screening providers provide aliases in native languages, including those with non-Roman alphabets such as Chinese, Japanese and Arabic, and use the aliases in screening. Some screening providers may claim to be able to screen in multiple languages, but this could mean only that their system can handle the characters while the service provides nothing more than transliteration, in which the Roman (Latin) alphabet is used to represent the letters or characters of the other language; the output could make no sense, as transliteration is not translation.
In addition to name matching, screening should incorporate all relevant identifiers and additional information, such as SWIFT business identifier codes and addresses. To further complicate matters, the OFAC 50% aggregate rule means that an entity may be sanctioned if sanctioned parties own, in aggregate, >50% of it. In practice this means that even though the entity itself may not be on the SDN list, it is in fact sanctioned because its owners are sanctioned; this necessitates due diligence on beneficial ownership.
OFAC, like other government agencies, recommends that organizations take a risk-based approach when designing or updating a compliance program, as reflected in its Framework for OFAC Compliance Commitments, issued in May 2019. Companies must consider their specific risks, risk appetite and resources to arrive at the best sanctions screening approach, and must also routinely review the screening program to ensure it continues to appropriately meet the needs of the company.
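The name-matching considerations above (case, symbols, abbreviations and misspellings) can be illustrated with a short sketch. This is an added example, not code from any screening provider or from the parties named in the article; the watchlist entries, the abbreviation map, the use of Python's `difflib` similarity ratio and the 0.85 threshold are all assumptions chosen for illustration, and the sketch does not address transliteration or native-language aliases.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed abbreviation map (assumption): common legal-form short forms.
ABBREVIATIONS = {"co": "company", "corp": "corporation", "ltd": "limited",
                 "inc": "incorporated", "intl": "international"}

# Constructed watchlist entries for illustration; not taken from any real list.
WATCHLIST = ["EXAMPLE TRADING COMPANY LIMITED",
             "Société Fictive d'Import",
             "Sample Shipping Intl."]


def normalize(name):
    """Fold case, accents, symbols and common abbreviations out of a name."""
    # NFKD splits accented letters into base letter + combining mark; drop marks.
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold().replace("&", " and ")
    # Punctuation and symbols become token separators; other scripts are kept.
    tokens = re.sub(r"[\W_]+", " ", text).split()
    return " ".join(ABBREVIATIONS.get(tok, tok) for tok in tokens)


def screen(candidate, watchlist=WATCHLIST, threshold=0.85):
    """Return (entry, score) pairs whose normalized similarity meets threshold."""
    cand = normalize(candidate)
    hits = []
    for entry in watchlist:
        # Similarity is computed on normalized forms, so case and punctuation
        # differences cannot lower the score; misspellings still can.
        score = SequenceMatcher(None, cand, normalize(entry)).ratio()
        if score >= threshold:
            hits.append((entry, round(score, 2)))
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == "__main__":
    for name in ["Example Trading Co., Ltd.", "SOCIETE FICTIVE D'IMPORT",
                 "Exampel Trading Company Limited", "Unrelated Bakery LLC"]:
        # 'exact' shows what a case-sensitive string comparison would report.
        print(f"{name!r}: exact={name in WATCHLIST} screened={screen(name)}")
```

Lowering the threshold catches more spelling variants at the cost of more false positives for analysts to review, which is the trade-off a risk-based program has to set deliberately.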