On July 25th 2019, programmers in Iran awoke to disaster. GitHub, an online code repository and collaboration platform for software developers, announced that due to US sanctions rules, it would be restricting access for users in the country. As Al-Jazeera reported, that meant many Iranian programmers being shut out of projects years in the making – no matter if they were resident in the Islamic Republic or not.
It was hardly the first time that US sanctions have inadvertently targeted innocent people. With the US Office of Foreign Assets Control issuing $1.3bn in penalties in 2019 alone, businesses have often been overly cautious in applying sanctions. The unintended consequences range from PayPal customers complaining they have been blocked from purchasing Persian carpet-themed mousemats, to Iranian expatriates seeing their current accounts frozen, Venezuelan cancer patients unable to travel abroad for treatment, and bread shortages in war-torn Syria.
Whether the benefits of sanctions justify this collateral damage can be debated. Sanctions helped bring both Iran and North Korea into negotiations around nuclear disarmament and pared-back Russian intervention in Ukraine. But Iran may have resumed its pursuit of nuclear weapons, North Korea remains determined to keep its arsenal, and Russia continues to mount international cyberattacks against its rivals while assassinating dissidents abroad.
Nevertheless, they are fact of life for international businesses. “Sanctions are probably one of the most rapidly developing areas of compliance, and one that businesses have struggled to keep up with,” explains Dr Anna Bradshaw, a partner at Peter & Peters and an expert on international sanctions. “Not only have the number of sanctions increased exponentially, but also the complexity of sanctions is constantly evolving.”
That means, sooner or later, businesses are going to get it wrong, either by misinterpreting the rules or failing to identity sanctionable customers. Heavy penalties for non-compliance have prompted some organisations to adopt ‘de-risking’ strategies, refusing to serve entire categories of customer in extreme cases. But this blunt instrument can result in “financial exclusion, less transparency and greater exposure to money laundering and terrorist financing risks,” according to the Financial Action Task Force.
Sanctions are probably one of the most rapidly developing areas of compliance, and one that businesses have struggled to keep up with.
Dr Anna Bradshaw, Peter & Peters
Is there a better way? Some say there is. With the judicious application of machine learning algorithms, technologists argue that international sanctions can become smarter and more agile, enabling organisations to target those who truly matter in a target state, and without fear of accidentally triggering the ire of regulators. Even so, questions remain about the extent to which AI can really help in addressing the root causes of over-compliance of sanctions among corporate institutions – issues that go far beyond the parsing of data.
AI for sanctions: a useful tool?
Governments have used sanctions to exert pressure on foreign regimes for decades, but the tactic has recently accelerated. “President Trump imposed sanctions at a record-shattering rate, more than any other president in US history,” the creators of the Global Sanctions Data Base wrote earlier this year. “At the same time, other large countries (or groups of countries), such as China and the EU, have followed this policy trend.”
The cost and responsibility for imposing these sanctions often falls to the private sector, and in particular the financial services industry. “At some stage, whatever happens, it’s going to need to go through a bank account,” says Bradshaw, and one usually managed by an institution that falls under US or EU legal jurisdiction.
As a result, financial institutions’ compliance operations “are probably the most sophisticated, and that is obviously driven by the significant fines that banks have faced,” explains Ben Smith, a partner at Baker McKenzie. Most operate automated screening systems that compare the latest updates from US, EU or UK regulators with their customer records. While straightforward in theory, this approach still results in a large number of false positives, forcing compliance departments to dig through the corporate records manually to double-check if the system was correct.
This is a burden that compliance departments are eager to shake off. “These lists change very, very regularly, and without much warning,” says Bradshaw. Manual checks are also subject to human error, leading to customer relationships being severed out of an abundance of caution. Significant challenges also remain in identifying whether legal entities identified in official sanctions lists are controlled or serviced by individual clients. As a result, says Baker McKenzie's Smith, “we’re seeing more and more solutions being offered in the market that help, or profess to help, narrow down the real hits.”
We’re seeing more and more solutions being offered in the market that help, or profess to help, narrow down the real hits.
Ben Smith, Baker McKenzie
Most of these rely on machine learning. Indeed, the problem seems tailor-made for it. Use of natural language processing, in particular, allows these systems to sift through company records automatically, not only spotting matches with sanctioned organisations and individuals, but variations in names that human compliance officers might miss. The main advantage conferred by such packages is speed, with machine learning algorithms able to reason whether a hit in the screening process is legitimate or not at a much greater pace – and at a lower price – than a dedicated team of compliance officers.
Tookitaki is one such provider, whose clients include Singapore’s United Overseas Bank. “We started working on an AML screening solution back in early to mid-2016,” explains Abhishek Chatterjee, the firm’s CEO. “The AI-based solution offered by Tookitaki provides for enhanced name matching through a wider range of complex name permutations, reduction of undetermined hits through inference features, and accurate alert detection through primary and secondary information.”
Machine learning is a vast improvement on the current rules-based approach of most screening systems, which “need to create granular rules for thousands of scenarios,” Chatterjee says. For one client, he claims, Tookitaki’s solution reduced false positives in individuals’ names by 70% and in corporate names by 60%. And it can scan large volumes of records in non-Latin scripts – a feature, adds Chatterjee, that many lack.
Ultimately, these kinds of solutions might help to bring the costs of compliance down for financial institutions, reductions that could trickle down to other affected sectors. “Many businesses still don’t really understand sanctions well enough to be able to confidently say that they are complying,” says Bradshaw. By helping to automate the process and being directly linked to constantly updated official sanctions lists, AI compliance programs could help to conquer this sense of nervousness.
Regulators are now beginning to scrutinise sectors beyond finance, such as shipping, which has been subject to a rising number of fines. By making compliance more affordable, AI-powered scanning systems could make it easier for these industries to adopt. “Sanctions compliance is expensive – really expensive,” adds Bradshaw. "It’s not going to be something that comes naturally to many businesses, to spend quite significant sums on compliance, unless they feel they really have to.”
AI-powered scanning offers a targeted and nuanced approach to sanctions compliance but it is not without risks.
One lies in black-box modelling, says Chatterjee. “At present, many AI models lack transparency,” he says. For machine learning algorithms to make a meaningful contribution toward improving sanctions compliance regimes, they need to be trusted – something that can’t happen if organisations can’t explain how their own system works. “To address the problem, Tookitaki [has] developed an explainable AI framework,” says Chatterjee, providing users with “clear explanations for its predictions.”
There’s also a more fundamental problem that AI alone can’t address: data quality. “The problem is that, in obtaining the information you need to screen them in the first place, [making sure] the information you get is correct, and updated,” says Bradshaw. Organisations who can afford them have subscriptions with third-party data service providers, she explains. “They’re all great, but many of them get their data from open sources, i.e. the internet.”
In truth, says Bradshaw, compliance operations are reliant on a hodgepodge of less-than-official source material. “One of the main difficulties that I come across in my line of work is that much of your due diligence today is based on Google searches,” she says. These results, in turn, are often the product of competing agendas among well-meaning NGOs and media outlets, the accuracy of which varies according to how isolated a given sanctioned nation is from the global economy. In the end, this is unavoidable, says Bradshaw. Even so, the potential for mistaken targeting of sanctions remains huge – and could get worse if AI plays a greater role in compliance.
“That’s where I see [it] not being helpful, in making public domain, open source information more instantly available for due diligence purposes,” says Bradshaw, as the way in which legal and regulatory obligations are framed means there's often little room for sense-checking whether the information at hand is accurate or not. “If there was a way for AI to improve quality control in this sense, that would be truly transformative from a compliance perspective,” she adds.
It also remains unclear how AI-powered compliance solutions would improve efforts to catch those intentionally violating sanctions rules. “Sanctioned parties are very good at finding their way around” restrictions, says Smith. “So, whilst a company may be listed, the individuals behind that company may set up another, and deal indirectly.”
It may be the case, then, that the problems of over-compliance and mistaken targeting in the implementation of international sanctions is too big a problem for technology to solve on its own. While AI and other forms of regtech can speed up the process, it will take a consistent and long-term effort on the part of regulators and private enterprise alike to not only improve raw intelligence-gathering on who could be subject to sanctions, but also create an aligned implementation framework that everyone can easily understand.