OFSI Annual Review – 2022-2023

Sneaking in at the end of last year, OFSI (Office of Financial Sanctions Implementation, HM Treasury) published their annual review. Or at least, the annual review running to March 2023, so a document that is some 9 months in the making!

Headlines, assuming that you can call them headlines given that the document was essentially out of date the moment it was published, centred on Russian sanctions relating to the war in Ukraine, new cyber designations, and the growth of OFSI staff by 96 FTE. But there were no headline-grabbing enforcement numbers. Between April 2022 and March 2023, OFSI issued just two monetary penalties with a combined value of £45,000.

As of March 2023 there were 3883 designations across 35 regimes; this compares to 3121 at March 2022, close to 25% growth.

£21.6 billion of funds were reported to OFSI as frozen as of September 2022, an increase of £9.2 billion since 2021. In-year reporting between February 2022 and October 2023 presents the impact of Russian sanctions, with £22.7 billion of assets frozen.

It will be interesting to see the final impacts in the 2023-2024 report.

OFAC continue their focus on corporates

OFAC have just announced a $5 million settlement agreement with a Hong Kong- and China-based firm, Sojitz (Hong Kong) Limited. The fine was for US dollar cross-border transactions relating to trade with Iran for Iranian-origin high-density polyethylene resin (HDPE) purchased in Thailand. This continues the general trend of more focus and fines for sanctions violations by corporates.

The settlement agreement provides details of employees hiding and removing information from their compliance team and going ahead with payments even when informed not to.

The takeaways are the obvious ones:

  • Employees (at all levels) need to be open, honest and transparent about country of origin information and not remove this information or obscure it from compliance teams.
  • If ‘errors’ happen then self-disclosure is always the right course of action. Total value of USD transactions was $75 million so the fine could have been a lot more had they not self-disclosed (up to $150 million given an egregious violation).

And perhaps most obvious, if you are to trade in goods with Iranian provenance, don’t pay in US dollars!

U.S. Department of Treasury Sanctions Review

On Monday (18 October 2021) the U.S. Department of Treasury released its 2021 Sanctions Review.
 
The report presents some welcome directions: enhanced multilateral coordination, avoidance of unintended consequences, clarity and reversibility, and the need to modernize. 
 
But it also reminds us why sanctions implementation continues to be an enormous industry pain point, slowing customer on-boarding, creating friction in the payment chain, and creating a compelling need for new technologies and approaches.
 
A 933% increase in OFAC sanctions designations in the last 20 years!

IP geo-blocking and sanctions compliance

Yesterday, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a settlement agreement with NewTek for apparent sanctions violations relating to Iran. NewTek is a small US company that develops and supplies live production and 3D animation hardware and software systems.

Corporates are increasingly on the regulatory radar and need to think more seriously about their approaches to compliance. The settlement agreement shows that NewTek was naive in its approach to sanctions compliance, and as such this acts as yet another reminder to firms.

More interesting, though, are the remedial actions that were taken by NewTek and considered by OFAC as mitigating factors. Following the apparent violations the company:

  • Established export controls and sanctions compliance policies and procedures;
  • Hired a Director of Compliance;
  • Provided compliance training to employees in sales, marketing, shipping, service, and compliance personnel;
  • Obtained formal export classifications from the U.S. Department of Commerce confirming that NewTek’s products are properly designated EAR99 for export control purposes;
  • Implemented bulk name screening of its product registrants and current and pending distributors against the SDN List;
  • Implemented geo-IP blocking measures to prevent individuals located in Cuba, Iran, North Korea, Syria, and the Crimea region of Ukraine from downloading or registering NewTek products.

The last of these is the most interesting.

If you are a software company, operating in the US or with US affiliation or ownership, what do you do today to stop your products from being downloaded by individuals located in sanctioned countries?

And since software is just bits and bytes, no different from web pages, documents, pictures or NFTs, what does this mean for other types of virtual assets?

5 RegTechs to Watch

I was asked today which companies I think have the opportunity to change the way that we think about RegTech. Here’s my list and the reasons why.

There are some great larger organizations, but I’ve deliberately focussed on less well-known or smaller players. And I’ve also tried to pick those that are doing something quite different or operating in an area that is on the cusp of change.

In no particular order:

Neterium: Sanctions Screening

Fircosoft (LexisNexis Accuity) remains the dominant player in transaction screening, but otherwise, the sanctions screening market is extremely fragmented both at the enterprise level (BAE, Actimize etc), platform market (Temenos, FiServ), and with many small vendors (FinScan, ComplyAdvantage). Even though they are all building and promoting their own engines, the market has remained pretty much unchallenged in terms of technology and approach for the last 10 years. But the problem space has changed significantly.

Historically, customer onboarding didn’t require a high precision filter as processes were very manual. With automated workflows and customer experience the new priority, this is no longer the case. In the transaction space, investment in sanctions was seen as a sunk cost by treasury teams and not something they were keen to change or improve. It’s now a cost that banks want to shift, and the friction that filters create is unacceptable: it again impacts customer experience and is a principal reason why payments are so slow.

There’s an opportunity for the right product to disrupt the space and the Neterium team has the credibility of having done it before. If they don’t get there, then someone else will. If it is not Neterium then I would look to APAC or UAE given the additional challenges that those geographies have on character sets.

HelloFlow: KYC On-Boarding

A tiny startup that is taking a very different customer and application-centric approach to the customer onboarding process. Given their size, they may struggle to get a foothold in the market, but the demo on their website offers a glimpse of how onboarding flows can be easily automated. This could accelerate onboarding for fintech challengers, and ease adoption and adaption pains as they grow into new markets and create new products. More radically, the technology could allow big banks to catch up with the challengers in terms of agility and customer experience.

Tookitaki: AML Transaction Monitoring

So fundamentally AML transaction monitoring is really in need of a reboot, and I’ve not seen anyone yet that really has the vision to make a real change in this area. Today the trend is to improve, rather than replace the underlying transaction monitoring systems, and there are two ways people are working to do this.

The first approach is to streamline investigations through robotic process automation (RPA) and data consolidation, ensuring the analyst has a complete, informed, and re-prioritized view of risk. There are many vendors doing flavors of this: Blue Prism, DataRobot, Arachnys, Quantexa – all with their own merits.

The second is to optimize detection performance.

Tookitaki is in this second group, competing with the consultants who see it as a process problem (PWC, Deloitte etc), the toolkit vendors that see it as an artificial intelligence challenge (C3AI, SAS), and others that may be more focussed on sanctions than AML (e.g. Silent 8).

Tookitaki seems to be ahead in terms of its approach, analyst presence, and overall potential. They also have stronger regulatory ties which give them advantages given the sensitivity of this space.

Ravelin: Fraud Prevention

With a move to online, the fraud problem becomes a burden carried by the merchants and not by the banks. Ravelin was one of the first to offer API integration at merchant checkout that both addresses the merchant fraud problem and enhances the customer experience.

Compared to the fraud models that are applied by the banks, who only see transaction value, place, and time info, Ravelin can monitor the customer activity in more detail. They can understand purchase history, consider the modes of fraud associated with particular goods and services, scan IP information, and even consider customer dwell times.

Given that the old card issuer / merchant acquirer models are under threat from EPI in Europe and direct-to-account payment initiatives are being pushed by everyone (even the card schemes!), it would seem that there’s an opportunity in this area and those that offer easy integration and a complete holistic view of risk will win out.

Apiax: Regulation

The bridge between regulation and what gets implemented at an institutional level is a difficult one to build and has historically been filled by a combination of specialist advice, from big consultancies, legal firms, or specialist consultants and online news and training services such as those offered by Thomson Reuters, LexisNexis, and ACAMS. Consultants are engaged to build the compliance processes at your organization to align with regulations and the news services keep you up-to-date on changes.

The challenge with these approaches is that they do not make the mapping from regulation to implementation easy. They also don’t future-proof an organization as regulatory requirements change, new products are introduced, or business shifts to new geographies.

Apiax is trying to become the new bridge. Joining regulation, to rules, to implementation. In theory, their approach could allow a FinTech to set up shop and be compliant with regulation without ever having to have engaged with lawyers or employed domain specialists to guide their implementations. Although this would probably not be viable in practice, many startups and even established institutions could accelerate time to market with this sort of approach.

Final Thoughts

I continue to be excited and inspired by the rate of change in the RegTech space. There are numerous other companies that I know of that could easily have made the above list, and probably even more that I’ve yet to encounter.

The above represents my own opinions, so please take it at face value.

Finally, if you want to have a conversation on any of this please get in touch.

NCA – Annual Threat Assessment

The National Criminal Investigation agency has just published its annual threat assessment.

A very interesting report full of facts and figures and some lovely info-graphics. Strong evidence this year of Covid-19 playing its role in the changing landscape of crime and a clear demonstration of how quickly criminals adapt.

Many insights make depressing reading. Over £12bn of criminal cash generated annually, the scale of money laundering in the hundreds of billions, money mule activity, cyber-crime, ransomware and crypto-asset laundering on the up, child sex abuse increasing due to lockdown and increased online access, fraud at £3bn …

Sometimes, though, bigger numbers aren’t always bad. Here are two that I’ll take as positives:

  • £172 million was denied to suspected criminals as a result of defence against money laundering requests (up by 31% – see the SARs Annual Report for detail); and
  • £982 million of potential financial sanctions breaches were reported in the year ending March 2020. A 3.7 times increase from £262 million in 2018/2019.

Two indicators that firms are doing a better job in relation to financial crime compliance. More reports, more investigations, more disruption of criminal gangs.