September 2013 Understanding sanctions Wire stripping: managing compliance risk by Jason Wingo and Julien Chanier Recently, there has been an increasing amount of press coverage and news about financial institutions failing to comply with requirements to screen and block payments linked to sanctioned individuals, entities and countries. Many of these institutions have demonstrated an inability to monitor or prevent wire stripping. Wire stripping is the deliberate act of changing or removing material information from wire payments or instructions, thereby making it difficult to identify and restrict payments to and from sanctioned parties or countries. Facilitating or turning a blind eye to such activity may subject financial institutions and their most senior executives to regulatory actions and criminal proceedings. In recent wire-stripping incidents identified by US regulatory authorities, certain institutions were involved in concealing, or simply removing, true originators from transactions processed through US banks in order to avoid the sanctions-monitoring programs put in place by those institutions. A number of these institutions even went a step further, advising originating banks on how to format their transfers in a manner that would allow the transactions to avoid detection completely. As a result of their activities, the institutions were subjected to substantial regulatory fines, in addition to the reputational damage they suffered. While the actual number of true violations uncovered at these institutions was relatively small compared to their total wire activity, and also as compared to their actual transactions “stripped,” the absence of controls and compliance culture at these institutions led directly to significant regulatory actions. With the closer scrutiny now imposed by regulatory authorities, highly public investigations and a growing number of regulatory enforcement actions, financial institutions have begun to take a much more proactive approach to identifying, communicating and mitigating wire-stripping activities. While implementation approaches may vary, the core concepts of developing people, improving processes and leveraging available technology appear consistently when examining how best to hinder such activity from occurring within the walls of an organization, and they are necessary components of an effective compliance program. Developing people A recurring theme emerging from the analysis of recent events suggests that most wire-stripping activity occurs when management oversight or attitude is lax. Educating employees on the practice of wire stripping and providing them with an understanding of why it is important to identify this type of activity should be the first line of defense. However, the impact of such education will be limited if a culture of compliance does not exist within an institution, senior management is complacent or doesn’t emphasize it as a priority, or if there are concerns about retaliation against whistleblowers. Establishing a culture of compliance at all levels within an organization is a crucial step that companies must take to empower their people to remain vigilant and cognizant of situations or activities that would be deemed non-compliant. However, a culture of compliance is not something that simply happens overnight; it requires ongoing and committed efforts from senior management. The tone from the top must thus enable compliance rather than facilitate noncompliance. Organizations can potentially prevent or mitigate wire- 2 | Wire stripping: managing compliance risk stripping activities by empowering highly trained employees who are adequately informed and who maintain a heightened sense of awareness toward non-compliant activity. This said, the next questions that organizations may ask are, “What else can we do to prevent these activities?” and “How can we implement additional controls to prevent or detect these risks?” Improving processes and controls Defining or improving processes and controls within different functions of the organization can significantly mitigate risks and enhance the detection and prevention of wire-stripping activities over time. These processes can be implemented within customer relationship management, operations and compliance functions and typically fall into three broad categories: • Assessments — Improving self- and independent assessment processes while simultaneously coordinating with internal audit to identify potential areas of concern in sanctions programs, including wire stripping • Monitoring — Developing both preventive and detective processes and tools and utilizing visual analytics environments for examining large data sets to help organizations understand where future compliance risks and concerns may occur based on several different factors, such as historical issues, contextual data or industry-related events • Governance — Improving overall governance and the level of management reporting available within an organization to measure progress against objectives and requirements Although certain process improvements can allow organizations to increase compliance awareness, it is essential for organizations to continue leveraging available and emerging technologies for ongoing improvement of their compliance-monitoring and assessment programs. This will also permit better management of ever-changing business models and the regulatory landscape. Leveraging technology Organizations can implement detection processes to monitor and act upon wire-stripping activity. There are a variety of different options for organizations to consider, depending on the capabilities or limitations within their current operating environments. Compare payment before entering or leaving the organization In some situations, someone inside the organization may manipulate the contents of a payment transaction once it is received but prior to its being processed by the institution’s payment or settlement systems. A possible solution to identify this type of activity is to compare the payment before it enters and after it leaves the organization’s SWIFT gateway. Hash keys could be systematically generated and then compared for similarity before notifying the appropriate resources if they do not match in a particular transaction. Mismatched hash keys may signal that wire data within the payment transaction message was changed once it entered the SWIFT gateway and before it was processed by payment systems. • Checking for suspicious phrases usually used to conceal originator or beneficiary identity (e.g., “No name,” or “On behalf of a customer”) Alternatively, organizations can maintain archives of all raw SWIFT payload messages either entering or leaving the organization and then create processes that would reconstruct transaction records into their corresponding SWIFT payload format. These reconstructed SWIFT messages could then be compared to the archived SWIFT messages during assessments or internal audits so that any potential violations can be identified. • Deriving the country of the sending institution from the BIC code in the SWIFT message and comparing it to the country code of the originator’s address Compare key attributes of payment pairs In some cases, payments are linked to other payments, and discrepancies between these payment pairs may indicate that wire stripping has occurred. A possible detection method for this situation is to compare certain key fields of these payment pairs. For example: • When a financial institution acts as a correspondent bank and processes payments, key attributes of incoming and outgoing messages that are expected not to be altered or changed should be compared to confirm that, in fact, the information has not been altered (e.g., beneficiary and remitter). • When the financial institution is the remitting bank, it should be confirmed that the remitter and beneficiary fields are the same for matched pairs (e.g., MT103 and MT202-COV pairs). Perform field level checks and detect common wire-stripping techniques As wire stripping can also occur before an organization receives the payment, automated red-flag checks can also be a useful means of detecting potential wire-stripping activities being performed, most likely, by other institutions along the payment path. Some typical red-flag checks that can be implemented against payment transactions include: Identify similar payments that have already been blocked or rejected An additional method for detecting potential wire-stripping activity focuses on comparing previously submitted and rejected payments. This method will require financial institutions to maintain and leverage historical profiles of payment messages that were blocked or rejected. The institutions would then be able to monitor SWIFT messages against a set of payments that had previously been submitted and rejected in an effort to identify messages subsequently resubmitted without material data elements, such as originator or beneficiary name and address. While technology, as well as any of these methods, may be leveraged for detection, it often needs to be supplemented by changes in people and processes to forestall wire-stripping activities more efficiently. Wire stripping remains a concern for regulators as it can be viewed as an overt act of non-compliance. Many institutions cannot demonstrate strong controls and validation processes to evaluate efficacy or even awareness of the potential for wire stripping; this can raise additional concerns. As several high-profile regulatory actions have occurred with regard to this issue, financial institutions would be well advised to take proactive steps to evaluate their exposure to wire stripping and begin to implement strategies to mitigate that exposure. • Checking for suspicious patterns of characters in originator or beneficiary fields, such as sequences of digits, special characters or empty spaces. (e.g., “AAAA”, “ “, “$%&#”) September 2013 | 3 About the authors Jason Wingo Julien Chanier Ernst & Young LLP tel: +1 212 773 5228 email: jason.wingo@ey.com Jason is a senior manager in EY’s Financial Services Advisory practice. He has more than 15 years of experience in the IT industry serving capital markets, retail and banking clients in the areas of anti-money laundering, economic sanctions, trading and regulatory compliance. Ernst & Young LLP tel: +1 212 773 2925 email: julien.chanier@ey.com Julien is a manager in EY’s Financial Services Advisory practice. He has more than three years of experience in advising clients with sanction screening technology and seven years of experience in application design and development. His past professional experience also includes two years in the compliance software industry, helping top-tier US and global financial institutions implement and integrate Actimize sanction screening solutions. EY | Assurance | Tax | Transactions | Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US. EY is a leader in serving the global financial services marketplace Nearly 35,000 EY financial services professionals around the world provide integrated assurance, tax, transaction and advisory services to our asset management, banking, capital markets and insurance clients. In the Americas, EY is the only public accounting organization with a separate business unit dedicated to the financial services marketplace. Created in 2000, the Americas Financial Services Office today includes more than 4,000 professionals at member firms in over 50 locations throughout the US, the Caribbean and Latin America. EY professionals in our financial services practices worldwide align with key global industry groups, including EY’s Global Asset Management Center, Global Banking & Capital Markets Center, Global Insurance Center and Global Private Equity Center, which act as hubs for sharing industry-focused knowledge on current and emerging trends and regulations in order to help our clients address key issues. Our practitioners span many disciplines and provide a wellrounded understanding of business issues and challenges, as well as integrated services to our clients. With a global presence and industry-focused advice, EY’s financial services professionals provide high-quality assurance, tax, transaction and advisory services, including operations, process improvement, risk and technology, to financial services companies worldwide. © 2013 Ernst & Young LLP. All Rights Reserved. SCORE No. CK0688 1308-1124709 NY ED None This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor. ey.com