Why You Need Business Partner & Sanctions Screening in SAP - and How to Set it up

Overview

This paper discusses the nature and importance of financial and trade sanctions and sanctions screening. Sanctions are measures implemented by governments to restrict or prohibit trade with parties involved in illegal activities, while sanctions screening is a process that detects potential matches between organizational operations and global sanctions lists. Despite its simplicity, sanctions screening is complicated by multiple variables such as international languages, culture, spelling, aliases, and technological limitations.

The text highlights the complexity of sanctions, distinguishing between list-based or smart sanctions, which target particular persons, entities, and organizations, and secondary sanctions, which target third-party actors. Additional challenges include the increasing use of sophisticated sanctions evasion techniques, such as the use of Virtual Assets, and a rapidly changing geopolitical environment.

The text also stresses that all businesses, not just those in the financial services and fintech industries, need to comply with sanctions regulations and screening requirements. Non-compliance with sanctions can lead to hefty fines; in the U.S. alone, OFAC’s enforcement penalties reached $1.2 billion in 2019.

Here are some key recommendations on how to set up sanctions screening:

  1. Preparing your Data: High data quality, integrity, and completeness are essential for a robust screening process. Companies should clean their Know Your Customer (KYC) and vendor master data to avoid false positives and negatives during the screening process.
  2. Defining the relevant Sanctions Lists for your Business: Businesses need to consider the various sanctioning bodies relevant to their operational territories and trade currencies, such as HM Treasury Sanctions List, EU Consolidated List of Sanctions, OFAC Sanctions List, and UN Sanctions list, among others.
  3. Name Matching: Accurate name matching is challenging due to transliterations of names, nicknames, missing name components, and other issues. Understanding the mechanics and limitations of search and name matching technology is important to mitigate these challenges.
  4. Data Points for your Screening Process: The balance between under-defining (many false positives) and over-defining (possible false negatives) the search depends on the data quality and ‘risk appetite’. Companies can screen Individuals, Entities, and also Vessels, Aircraft, and Crypto Wallet Addresses.
  5. Screening Interval and Trigger Events: Regular screening should be done at the time of onboarding, during transactions, and at predetermined intervals.
  6. Archiving and Case Management: All search requests should be archived for future audits. Potential matches can be managed using a ticketing system or a simple recording system.
  7. Handling Matches: An alert during screening needs to be verified to determine whether it’s a true or false positive. Positive matches need to be reported to the internal compliance team, and transactions with the matched client should be suspended.

Through a blend of machine learning and traditional name matching techniques, the automation of the sanctions screening process can enhance efficiency and accuracy, reducing the risk of non-compliance.

Overall, sanctions screening is an important compliance requirement for all companies. By following the recommendations outlined in this document, you can help to ensure that your company is compliant with sanctions regimes and protected from the risks associated with doing business with sanctioned individuals or entities.

Special thanks: This white paper was produced together with our partner sanctions.io.

Sanctions Compliance Intro

What are Sanctions and Sanctions Screening?

Financial and trade sanctions are implemented by governments around the globe to restrict or prohibit trade with foreign and domestic targets involved in illegal or undesired activities. Sanctions may be leveled against territories, individuals, or entities, as well as against any countries, individuals, or entities acting on behalf of others that are engaged in criminal activities. Sanctions are often backed by civil and criminal penalties.

Sanctions screening is a control designed to disrupt financial crime and reduce sanctions risk. It compares data sourced from an organization’s operations, including customer and other business partner records and transactional records, against global sanctions lists containing names and other indicators of sanctioned parties or locations, in order to detect similarities and determine whether a possible match exists.

Organizations will typically utilize two main screening controls to achieve their risk reduction objectives:

  1. Transactional screening that seeks to identify transactions that involve targeted individuals, organizations, or entities;
  2. Customer / Name screening to identify targeted individuals, organizations, or entities during the onboarding or other crucial stages of the customer relationship, or periodically.

The Complex Landscape of Sanctions

Sanctions screening may sound deceptively simple, but in reality, determining a “true match” is complex and deals with multiple variables, including international languages, cultures, spelling, acronyms, aliases, and technological limitations including varying algorithms, match rules, and workflows. Accuracy is influenced by the type and availability of data, the inherent sanctions risks to which the organization and its products/services/customers may be exposed, and the third-party sanctions screening solution deployed.

The nature of Sanctions also adds to the complexity. Unlike economic embargoes, which prohibit all activity and transactions involving a specific country, list-based or smart sanctions target particular persons, entities, and organizations rather than a specific regime or country. Secondary sanctions target third-party actors doing business with specific regimes, organizations, persons, or entities. (A good example of secondary sanctions includes many Ukraine-related programs, which target Russia’s financial and energy sectors specifically). This means that customers who are not on a sanctions list but have a relationship with a sanctioned entity could present a potential risk for the organization in question.


Other factors to consider:

  • There is a push, particularly in Western nations, to consider sanctions for a wider range of concerns, including human rights violations and cyber-attacks;
  • Sanctions regimes may include sectoral or national embargoes;
  • Sanctions evasion techniques such as the use of Virtual Assets are becoming more sophisticated;
  • A rapidly changing geopolitical environment makes it harder for organizations to meet their sanctions obligations;
  • Many legacy screening platforms are still in use, which are both cumbersome and prone to large numbers of false positives.

For more information on Sanctions Compliance please refer to the following resources:

Who needs to comply and screen against Sanctions Lists?

Enforcement actions are stricter and more prominent in the financial services and fintech industries, but all businesses in all sectors need to comply with sanctions regulations and screening requirements and may be subject to fines if not.


An Example of OFAC Fines Outside the Financial Industry: Software Transfers Must Comply with Sanctions

Software companies should pay special attention to which sanctions laws apply to them. Technology sanctions cover products such as mobile phone applications and the following goods and services:

  • Physical software products (although rare in today’s world)
  • Cloud-based software and applications
  • Software-as-a-service (SaaS) products
  • Other software delivery methods

Restrictions on software transfers to sanctioned nations apply to retailers, developers, IT service providers, and customers alike.

Rules Are Applicable By Location

OFAC regulates software and applications differently, depending on the relevant country’s regulations, resulting in differential treatment for various software transfers to multiple countries. For instance, the Libya Sanction Regulations allow for tangible goods and services, including software, except as specifically outlined in Executive Order (EO) 13566, which prohibits transfers to officials of the Libyan government and central bank.

End-User Screening Is Essential

By implementing an effective end-user screening program, businesses can increase their OFAC compliance. A strong end-user screening program enables a software provider to ensure that the software is not sold to an embargoed country, an SDN, a blocked individual, or for the benefit of the government of an OFAC-embargoed country.

Perform Due Diligence on Payments

Those subject to US jurisdiction who receive payments from OFAC-designated countries should conduct thorough due diligence to ensure that OFAC permits such payments without requiring a governmental license. If the underlying payment is made by an SDN national or blocked party, costly complications may ensue. Speak with a business lawyer near you if you have specific questions about your situation.

Example of a Sanctions Violation by a Software Company

In April 2021, the US government initiated litigation with a German software company for alleged US sanctions violations, as reported by Reuters.com. According to agency notices, the software company supplied software and cloud-based services from the United States to third parties with reason to believe the offerings would be used or purchased by Iranian users or customers between 2010 and 2018.

The violations took place in two ways:

  1. Software licenses were sold to parties in Turkey, the United Arab Emirates, Germany, and Malaysia, who resold them to third parties in Iran.

Ultimately, the company voluntarily disclosed the issues, cooperated with investigators, and significantly improved its export controls and sanctions compliance program. The company paid $8.3 million in fines to resolve the case.

This figure does not account for the total cost of investigating and resolving the issues at hand. The company spent more than $27 million on remediation, which was cited as a significant mitigating factor. The software company also agreed to three years of third-party compliance audits.

Lessons to Learn From This Case

This case is the most recent sanction enforcement action involving the online provision of goods or services. As with previous announcements, there are several takeaways for the technology industry and businesses that conduct business online:

  • Lesson 1. Data Accessed From US Servers Is an Export: Sanctions and export control laws enacted by the United States have a broad reach. This case demonstrates that providing services and downloading software from US servers are considered “exports” and may be subject to approval by OFAC and Commerce.
  • Lesson 2. Always Perform Intermediary Due Diligence: The case demonstrates how intermediaries can expose a business to liability under US sanctions and export control regulations. Appropriate due diligence, controls, and monitoring of distributors and resellers are critical in any industry but are even more critical when a US company lacks complete visibility into the end users’ identities of its goods or services.
  • Lesson 3. Intermediaries Are Not “Risk-Free”: The software company permitted subsidiaries to operate independently, despite being aware that those subsidiaries lacked adequate sanctions compliance programs. Companies must ensure that non-US affiliates maintain sufficient controls, particularly following the acquisition of new entities.
  • Lesson 4. Compliance teams matter: The company relied on its US-based compliance team. However, the team was underfunded, lacked authority to manage the processes, and ran into resistance from the subsidiaries. OFAC emphasized in its notice that compliance teams must be adequately resourced and empowered to implement compliance controls in response to identified risks.
  • Lesson 5. Train employees adequately: Employees based outside the United States oversaw the sale of US-based offerings and traveled to Iran. Corporations with a US presence should educate all relevant employees about red flags to identify and report issues.

Auditors identified the absence of IP address geoblocking as a risk to sanctions compliance in 2006, but the company did not implement adequate controls until 2015. OFAC stated that, by failing to act on audit findings, the company was negligent concerning US economic sanctions, and cited this failure as an aggravating factor.

Non-compliance with sanctions can be very costly: in the United States alone, OFAC’s enforcement penalties hit a high of $1.2 billion in 2019.

Penalties for Sanctions Violations

The government enforces sanctions against some countries, foreign governments, and SDNs to advance US foreign policy and national security objectives. Congress has the power and authority to enact economic sanctions regulations, while OFAC imposes and enforces the relevant laws. OFAC violations can result in several thousand to millions of dollars in civil and criminal penalties, and up to 30 years’ imprisonment.

Here’s a closer look at how these charges add up:

  • Trading with the Enemy Act Violations: Up to $50,000 per civil violation, $1 million in criminal penalties, and 20 years in prison
  • International Emergency Economic Powers Act Violations (IEEPA): Up to $308,000 per violation
  • Foreign Narcotics Kingpin Designation Act (FNKDA): Up to $10 million in fines, with individuals facing up to ten years imprisonment

The severity of penalties is determined by the nature of the offense and the number of prior convictions. Accused parties must mount an expensive legal defense to fight the charges.

Bear in mind that fines are levied not only for sanctions violations but also if the organization fails to implement adequate controls. In addition to fines and penalties, reputational damage is a further risk to consider.

Setting up your Screening Process

Automating your sanctions screening process requires you to define and consider the following process steps:

Preparing and Streamlining your Data

Often the lack of data quality, integrity, or completeness is the reason sanction screening systems fail or suffer from poor performance. Companies need to compile and clean their KYC (Know Your Customer) information to avoid producing a large number of false positives and to avoid the possibility of failing to detect sanctioned entities during the screening process (false negatives).

Companies should also consider screening their vendors, and potentially their employees, in line with legal and data privacy boundaries.

SAP systems have both customer and vendor master data required for sanction list screening. Data Points to consider for your sanctions screening process:


Defining the relevant Sanctions Lists for your Business

Businesses need to consider the relevant sanctioning bodies active in the countries they operate in, the territories in which they and their partnerships and alliances trade, and the currencies they are operating in.

Examples of some of the most relevant sanctions lists for businesses operating in the US and Europe:

  • The HM Treasury Sanctions List applies to all individuals and legal entities within, or who undertake activities within, the United Kingdom, as well as all UK nationals and legal entities established under UK law. It’s enforced and overseen by OFSI (the Office for Financial Sanctions Implementation).
  • The EU Consolidated List of Sanctions applies to all EU citizens or corporate entities constituted in a member state and is overseen by the EU Council.
  • The OFAC Sanctions List applies to all US citizens and corporate entities constituted in the US, as well as any entity that either trades in US dollars, US goods, or US components or that has a US parent or affiliate. Its regulatory body is the US Office of Foreign Assets Control (OFAC).
  • The UN Sanctions List applies to all UN member states and is overseen by the UN Council.

In addition to the above, there is a large number of additional, country-specific regulatory bodies you might need to take into consideration when defining your sanctions screening process. Depending on your business exposure, this task can be quite challenging. The following resources might be helpful:

ACSS Association of Certified Sanctions Specialists


The Problem of Name Matching

Name matching is the real ‘hard nut to crack’ in AML and sanctions screening. While different fuzzy algorithms can help with some real-world challenges like typos, incomplete strings, etc., issues like transliterations of names, nicknames, missing name components, etc. can’t be mitigated with any fuzzy algorithm. The usual workaround is to (under-)define searches very widely, which results in an overload of false positives or, even worse, false negatives.

Before starting with the integration of any screening solution, it is very important to understand how the search and name matching technology, including any match-scoring models, works. Understanding the mechanics and limitations is essential for a successful and reliable screening process that limits false positives and, even more importantly, prevents false negatives.

The following examples are real world matching challenges. We use the combined solution VOQUZ Labs remQ Sanctions Compliance and sanctions.io’s name matching technology to illustrate how


More information on Name Matching Technologies

Data Points for your Screening Process

There is no ‘one size fits all’ balance between under-defining (many false positives) and over-defining (possible false negatives) the search, as this largely depends on the data quality of your business partner data, on the specific sanctions list, and also on the ‘risk appetite’, the exposure to high-risk customers/countries, and the compliance resources of the organization.

Another very important factor for your screening setup is the matching technology utilized by your screening solution. The recommendations below are based on VOQUZ Labs’ and sanctions.io’s combined experience and our advanced matching technology.


Figure: Screening setup. This example shows a setup for both vendors and customers (in an ECC 6.0 system, the data is stored in tables LFA1 and KNA1 respectively). Blocked vendors/customers are excluded from screening, and only business partners created during the last 30 days are screened.


Screening for Individuals

For individuals, a good approach is to start with the Full Name and the Date of Birth (DOB), or the Year of Birth (YOB) for a ‘wider’ approach, in your search request. Usually, these two data points are sufficient and lead to good results with our smart matching technology.

Additional data points like Country of Birth, Passport IDs and/or Addresses in your search request can further reduce the number of false positives, but they are often not available in the SAP system. Furthermore, the data provided for these categories in sanctions lists is sometimes outdated.

If a name matches, but the country or other data points do not match, we recommend boosting the confidence of the search result.


Figure: Example screening results. This shows screening results for both vendors and customers in an SAP system. The customer name in table KNA1 was matched with similar names in the SDN list, with a confidence score of 91%.

Screening for Entities

A recommended approach for entity screening is to use the Name of the Organization along with the Country field. This will usually lead to good results, and with a good name matching algorithm you don’t need to strip the organization’s name of legal forms like LLC, INC, etc. (a challenge many screening solutions still struggle with).

Screening for Vessels, Aircraft, and Crypto Wallet Addresses

Our database also contains vessel/aircraft names and IDs as well as Crypto Wallet Addresses which can be searched for in the respective fields.

The screening setups discussed above should be a good starting point for most organizations. The performance of the screening setup should be continuously analyzed and fine-tuned over time.
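The name-matching pitfalls described above (reordered name parts, accents and transliteration variants, missing name components, legal-form suffixes) and the individual/entity screening setups can be sketched in code. The following is an added example written for this article, not VOQUZ Labs’ or sanctions.io’s matching technology; the legal-form list, the 85-point alert threshold, and the fictional list entries are assumptions.

```python
# Constructed screening sketch: normalisation, 0-100 name score, DOB/YOB and
# country checks, and a result that echoes its request parameters for archiving.
import re
import unicodedata
from difflib import SequenceMatcher

# Legal-form tokens ignored for entity names (assumed list; extend for your data).
LEGAL_FORMS = {"llc", "inc", "ltd", "limited", "gmbh", "ag", "sa", "plc", "corp", "co"}
NAME_THRESHOLD = 85  # assumed alert threshold on the 0-100 name score


def normalize_name(name, entity=False):
    """Casefold, strip accents (Müller -> muller) and punctuation, and return
    sorted tokens; for entities also drop legal forms such as LLC or GmbH."""
    folded = unicodedata.normalize("NFKD", name.replace(".", ""))
    ascii_name = "".join(c for c in folded if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", ascii_name.casefold())
    if entity:
        tokens = [t for t in tokens if t not in LEGAL_FORMS]
    return sorted(tokens)


def name_score(a, b, entity=False):
    """Sorted-token string similarity covers 'Mueller, Hans' vs 'Hans Mueller';
    token overlap covers a missing component, but only when two tokens agree."""
    ta, tb = normalize_name(a, entity), normalize_name(b, entity)
    if not ta or not tb:
        return 0
    ratio = SequenceMatcher(None, " ".join(ta), " ".join(tb)).ratio()
    shared = len(set(ta) & set(tb))
    overlap = shared / min(len(set(ta)), len(set(tb))) if shared >= 2 else 0.0
    return round(100 * max(ratio, overlap))


def _status(score, secondary_check):
    """A disagreeing DOB/country sends a strong name hit to review, not to 'cleared'."""
    if score < NAME_THRESHOLD:
        return "no_match"
    return "review" if secondary_check == "mismatch" else "alert"


def screen_individual(record, entry):
    """Full name plus DOB; a same-year DOB counts as the wider YOB match."""
    score = name_score(record["name"], entry["name"])
    dob_check = "unavailable"
    if record.get("dob") and entry.get("dob"):
        if record["dob"] == entry["dob"]:
            dob_check = "match"
        elif record["dob"][:4] == entry["dob"][:4]:
            dob_check = "year_match"
        else:
            dob_check = "mismatch"
    return {"status": _status(score, dob_check), "name_score": score,
            "dob_check": dob_check, "request": record, "list_entry": entry["id"]}


def screen_entity(record, entry):
    """Organisation name (legal form ignored) plus country."""
    score = name_score(record["name"], entry["name"], entity=True)
    country_check = "unavailable"
    if record.get("country") and entry.get("country"):
        country_check = "match" if record["country"] == entry["country"] else "mismatch"
    return {"status": _status(score, country_check), "name_score": score,
            "country_check": country_check, "request": record, "list_entry": entry["id"]}


# Constructed list entries with fictional names; not taken from any real list.
SAMPLE_LIST = [
    {"id": "IND-1", "type": "individual", "name": "Hans Müller", "dob": "1975-03-14"},
    {"id": "ENT-1", "type": "entity", "name": "EXAMPLE TRADING INC", "country": "AE"},
]


def screen(record):
    """Screen one business-partner record (e.g. a KNA1 or LFA1 row) against all
    list entries of the same type; only results that need attention are returned."""
    screener = screen_individual if record["type"] == "individual" else screen_entity
    results = (screener(record, e) for e in SAMPLE_LIST if e["type"] == record["type"])
    return [r for r in results if r["status"] != "no_match"]
```

Because every result carries the request it was produced from, writing the returned dictionaries to your archive already satisfies the point made below about storing search parameters alongside responses.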

Archiving and Case Management

Generally, it is advisable to archive all your search requests for future audits. For that, it is important that the API response from your screening solution also contains all the search parameters that were used for the search, so that it delivers all the data necessary for a comprehensive and auditable archiving process.

If you perform many screenings, the audit logs can grow considerably. We recommend that you implement archiving for an extended retention period, typically in line with other legal data retention requirements. This can mean archiving all requests and responses for a 10-year period. Alternatively, you can save metadata only, or archive only certain requests/responses in a risk-based approach.

For managing potential matches, we recommend using either a ticketing system with a full audit trail (such as ServiceNow, Zendesk, etc.) or the case management system of a software vendor solution, as shown in the images.


Handling Matches

It’s important to note that an alert that is generated during screening, indicating a match between a customer or business partner and a record on a sanctions list, is not necessarily an indication of a sanctions risk. It needs to be verified, confirmed, or discounted using additional information to determine whether the match is true or a false positive.

Manually review all the client identity information you hold against the information within the sanctions list. You may also wish to approach your client for additional information.

If the individual or entity matches all the information on the list, it is likely a positive match and needs to be reported to your internal compliance team and/or you need to file a Suspicious Activity Report (SAR). All transactions with this client or business partner should be suspended.

If you are confident that the match is a false positive, you may wish to whitelist the client’s name within your systems to avoid future matches.

For more information, please refer to the FinCEN guide on filing SARs.


About the Author

Jens Kettler, Director Business Unit Risk & Compliance

Jens has 20+ years’ experience in SAP security, compliance, and internal controls. He is an ex-auditor, always curious, and willing to learn and share knowledge. At VOQUZ Labs, Jens is responsible for our risk and compliance products. He enjoys interacting with customers and finding quick and simple ways to improve our products to deliver value to customers. Pragmatic and customer-focused? That’s Jens :)


About VOQUZ Labs

VOQUZ Labs is a leading provider of SAP® software solutions that support businesses in managing their SAP® platform and business operations in an effortless and cost-effective way. Our portfolio consists of products designed to reduce SAP® license costs, enhance compliance and avoid business losses - we deliver efficient SAP® management by combining innovative tools with our extensive consulting expertise in license advisory, compliance and internal controls. We serve customers around the world from our offices in Amsterdam, Berlin, Cape Town, Cluj-Napoca, Kuala Lumpur, Lausanne, London, Mexico City, Munich, New York, Singapore and Stuttgart.

Our SAP Solutions

Best-in-class tools to improve the efficiency of SAP®: An ERP strategy has long-term impacts – our visoryQ Business Case Builder for SAP® reviews customers’ strategies, options and costs to facilitate their transition from ERP to S/4HANA and RISE. VOQUZ Labs is a recognized leader in SAP® license management. Most of our samQ® software customers achieve savings in license and maintenance fees that significantly exceed their investment in samQ®, which assesses and manages SAP® licenses, automates user classification and helps customers to save costs. setQ® is a tool for managing users and authorizations. It reduces access risks and SoDs and increases compliance. For business screening and automation of internal control systems, remQ continuously monitors and controls critical business processes. remQ Follow the Money protects revenue and prevents financial loss in sales, finance, procurement and payroll. remQ Sanctions Compliance helps reduce counter-party and legal risks by screening business partners against global sanctions lists. Use our solutions to save costs!


© Copyright by VOQUZ Labs AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of VOQUZ Labs AG. In case such permission is granted, the potential usage shall contain the copyright remark of VOQUZ Labs AG. This publication is provided by VOQUZ Labs AG for informational purposes only, without representation or warranty of any kind. These publications have been prepared based on publicly available information and contain subjective judgments and assumptions. Under no circumstances should decisions to purchase products and/or services be based solely on the publication. VOQUZ Labs AG or its affiliated companies or directors shall not be liable for errors or omissions with respect to the publication. Possible inaccuracy or incompleteness of the information contained herein shall neither cause any liability claim nor have any legal effect. The only warranties for VOQUZ Labs products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting a warranty.
