Financial technology and payment systems continue to evolve, and their advancements may carry new compliance risks for the entities that enable or transact using these tools. Instant payment systems transmit and make funds available with near-real-time speed.
The speed and increasing value and volume of these payments have opened up a new line of questioning, mainly by banks, about how to best implement sanctions compliance measures and due diligence for instant payments.
In response, OFAC recently issued new guidance encouraging financial institutions to adopt a risk-based approach to ensure they are managing their sanctions risk and consider all relevant factors.
Understanding Risk Factors and Considerations for Instant Payment Systems
In the guidance provided, OFAC once again reminds readers that all US persons (including entities and US banks) must comply with OFAC regulations. They make the recommendation of adopting a risk-based approach to compliance by developing, implementing and regularly updating a robust sanctions compliance program that incorporates the following:
- Management commitment
- Risk Assessment
- Internal Controls
- Testing and Auditing
As there is no one-size-fits-all approach to managing sanctions risks related to instant payments, and as every financial institution is situated differently, decisions on whether and how to screen transactions should be based on the institution’s own assessment of the risk.
This may mean considering the extent of its international presence, the geographic territories in which they operate, the nature and transactional history of its customers, and its size and sophistication.
In general, domestic instant payment systems pose a lower risk of sanctions exposure than institutions that permit cross-border transactions. The nature and value of payment can also assist with assessing the relative sanctions risks of payments made via an instant payment system. For example, payments that are consistent with past customer behavior that a financial institution has previously vetted and cleared for sanctions implications may pose a lower risk than payments that appear inconsistent with past behavior, e.g. sudden significantly higher value payments made to foreign persons with whom the customer hasn’t dealt with previously.
OFAC also acknowledges that technology solutions aimed at facilitating or enhancing sanctions compliance have advanced significantly in recent years and become more scalable and accessible, which can contribute to mitigating a financial institution’s sanctions risk.
The use of artificial intelligence and compliance solutions that leverage information-sharing mechanisms across financial institutions will enhance sanctions screening functions and reduce false positives. In the guide, OFAC states that they encourage the use of emerging technology to manage sanctions risk in the context of instant payments.
Guidance For Instant Payment Systems
Per OFAC’s guidance, developers of instant payment systems should incorporate sanctions compliance during the design and development process so that controls are present and accounted for when new payment technologies are developed.
OFAC also encourages such developers of instant payment solutions to incorporate sanctions compliance features, tools, and contractual clauses that allow system participants to maintain a sanctions compliance program in line with the risks the system may pose.
One suggestion posed includes enabling communication among participating financial institutions involved in processing payments to effectively gather information related to sanctions alerts. That way, institutions will have access to sufficient information to block or reject large volumes of transactions that may involve a sanctions nexus.
Instant payment systems should make provisions for exception processing, i.e. enabling a transaction to be removed from the automated process so that it can be investigated when there is a potential sanctions concern.
Transactions are becoming faster, but the need for a speedy transaction does not mean that financial institutions or instant payment providers are in any way exempt from regulatory compliance requirements. All financial institutions should adhere to minimum standards and expectations for compliance, including conducting due diligence checks and adopting screening technology.
As with most transactions, every organization should take a risk-based approach to compliance and determine its own risk.
More information can be found on the OFAC Website.