Shadow compliance by design - Know Your Customer or pay a penalty!

I just posted a first, and probably only, LinkedIn blog post in which I share some reusable information of value to fellow architects, i.e. URLs for websites that System Designers (especially those working in the Financial domain) should be aware of, so I am sharing it here as well!

These URLs may or may not apply to your current activities, but it’s good to know what’s out there.

As architects responsible for designing enterprise information systems, we are dependent on inputs from multiple sources, e.g. requirements (functional / non-functional), user stories, stakeholder visions etc. However, there are some things that we should all be aware of relating to third party organisations and how they interact with the Legal and Regulatory compliance measures which they are subject to.

The 360 Customer View or the Know Your Customer (KYC) approach to capturing customer behaviours and basic information is important, but it does not stop at simply validating a customer’s name, address or credit status. There are times (and some regulated industries) where you must perform additional checks to ensure that your organisation is not doing business with a criminal or an individual who is on a law enforcement list for the territories your organisation operates within.

If we look at the UK, we have various laws, regulations, and procedures which aim to prevent criminals from disguising illegally obtained funds as legitimate income, e.g. The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which in essence seek to:

  • Deter criminals and fraudsters by making it harder for them to hide any ill-gotten money.
  • Stop criminals from using money laundering to conceal crimes and the monies derived from them.
  • Enforce good practices and behaviours of financial institutions by asking them to monitor customers' transactions and report on suspicious financial transactional activity.

It must be noted that various sanctions imposed by countries like the USA and others will apply in your territory as a downstream sanction because you are conducting business, or your country has a legal agreement with them. This could easily result in duplicates, e.g. an individual on the UN Sanctions list may also appear on the UK Watchlist.

Finding information can be difficult. However, some sites provide a web front-end interface, e.g. Interpol, which allows you to search for Red Notices (fugitives wanted either for prosecution or to serve a sentence) by given criteria, while other sites, like the UN Sanctions site, provide an XML file you can use in your applications to validate customers. Either way, these checks need embedding into a business process around KYC.

There are some sites which are user friendly, enabling quick lookups, such as the EU visual website for sanctions (https://www.sanctionsmap.eu/#/main).


Screen Shot from EU Sanctions List Website 

It must be noted that each territory your organisation operates within will need to comply with a list of some sort, if not directly then indirectly, e.g. whilst India applies all UN Sanctions, it does not maintain its own country list per se; however, it uses a mechanism of regulatory ‘notifications’ to implement sanctions.

| List | Source | Territory | Format |
| --- | --- | --- | --- |
| UNITED NATIONS SANCTIONS LIST | https://scsanctions.un.org/consolidated/ | Global 🌏 | XML, PDF, HTML |
| The Office of Foreign Assets Control | https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/consolidated.aspx | USA and any companies / countries doing business with or in the USA 🇺🇸 🌏 | XML, ZIP; you can search online |
| EU - FINANCIAL SANCTIONS LIST | https://data.europa.eu/euodp/en/data/dataset/consolidated-list-of-persons-groups-and-entities-subject-to-eu-financial-sanctions | Europe 🇪🇺 🌏 | CSV, XML, PDF, HTML |
| HMT FINANCIAL SANCTIONS LIST | https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets/consolidated-list-of-targets | UK 🇬🇧 | CSV, XLSXL, PDF, Excel, HTML |
| DFAT CONSOLIDATED SANCTION LIST | https://www.dfat.gov.au/sites/default/files/regulation8_consolidated-26March2020.xls | Australia 🇦🇺 | XLS |
| State Secretariat for Economic Affairs SANCTION LIST | https://www.sesam.search.admin.ch/sesam-search-web/pages/downloadXmlGesamtliste.xhtml?lang=en&action=downloadXmlGesamtlisteAction | Switzerland 🇨🇭 | XML (German, French, Italian) |
| INTERPOL WANTED LIST | https://www.interpol.int/en/How-we-work/Notices/View-Red-Notices | Global 🌏 | Log on to website and perform search |
| Consolidated Canadian Autonomous Sanctions List | https://www.international.gc.ca/world-monde/international_relations-relations_internationales/sanctions/consolidated-consolide.aspx?lang=eng | Canada and any companies / countries doing business with 🇨🇦 🌏 | HTML, XML or PDF file |
| World Bank Listing of Ineligible Firms and Individuals | https://www.worldbank.org/en/projects-operations/procurement/debarred-firms | Global 🌏 | PDF |
| Department of State – Debarred Parties (also see Non-Proliferation Sanctions List) | https://www.pmddtc.state.gov/ddtc_public?id=ddtc_kb_article_page&sys_id=c22d1833dbb8d300d0a370131f9619f0 | USA 🇺🇸 🌏 | CSV, Excel, PDF |
| Bureau of Industry & Security (Denied Person, Entity and Unverified List) | https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern | USA 🇺🇸 | HTML |

I hope the above gives you some idea of the ‘hidden’ requirements you may need to consider. The table above illustrates some key lists with the formats available. Knowing the format is important, as you can easily develop a custom service to perform very rudimentary customer validations.

The above are just some examples of the various lists that are available and that organisations must comply with when identifying their customers. If your organisation, especially a financial one, does not validate against some lists, e.g. the UN Sanctions list, then you will be liable for substantial fines.
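As an added example (not code from the original post or from any list publisher), here is a sketch of the rudimentary validation service mentioned above: it loads two lists in different formats, merges duplicate individuals, and screens a customer by normalised name and date of birth. The sample data, element names and column names are constructed and hypothetical; a real list needs a loader written for its published schema.

```python
import csv
import io
import unicodedata
import xml.etree.ElementTree as ET

# Constructed samples; element/column names are hypothetical, not a real schema.
SAMPLE_XML = """<LIST>
  <ENTRY><NAME>José Álvarez EXAMPLE</NAME><DOB>1970-01-01</DOB></ENTRY>
  <ENTRY><NAME>Maria Sample</NAME><DOB>1985-05-05</DOB></ENTRY>
</LIST>"""
SAMPLE_CSV = '''name,dob
"EXAMPLE, Jose Alvarez",1970-01-01
"Placeholder Person",1990-09-09
'''

def normalize_name(name):
    """Strip accents, case and punctuation, and ignore token order."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return " ".join(sorted(cleaned.split()))

def load_xml(text, source):
    # Downloaded XML is untrusted input: in production use a hardened
    # parser such as defusedxml instead of the stdlib parser.
    for entry in ET.fromstring(text).iter("ENTRY"):
        yield entry.findtext("NAME", ""), entry.findtext("DOB", ""), source

def load_csv(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["name"], row["dob"], source

def build_index(records):
    """Merge all lists; one person on several lists becomes one key."""
    index = {}
    for name, dob, source in records:
        index.setdefault((normalize_name(name), dob), set()).add(source)
    return index

def screen(index, name, dob):
    """Return the sorted list names that contain this customer, or []."""
    return sorted(index.get((normalize_name(name), dob), ()))

INDEX = build_index([*load_xml(SAMPLE_XML, "LIST_A"),
                     *load_csv(SAMPLE_CSV, "LIST_B")])

if __name__ == "__main__":
    print(screen(INDEX, "jose alvarez example", "1970-01-01"))
    print(screen(INDEX, "John Doe", "2000-01-01"))
```

Matching here is exact after normalisation, so spelling variants and transliterations will not hit; any hit should go to a human reviewer inside the KYC process rather than trigger an automatic decision.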

 


 

 

 

 

 

 

 
