Recent regulatory action has shown how important it is to ensure your KYC processes and sanctions screening are up to scratch. Almost every week another firm is being fined, investigated and publicly scrutinised for KYC failures that could have been prevented.
You may have seen in the news last week that the Bank of Scotland was fined £160,000 for onboarding a sanctioned individual.
There are plenty of lessons in this case about policies, procedures, and controls which a lot of people have already written about. But the big takeaway is much simpler… it was all perfectly ordinary.
Yes, there were failings in the bank's processes. Had they run both PEPs and sanctions checks at once, they may have identified the risk earlier. Had they used more sophisticated tools, they may have picked up on the slight variation in name.
What really stands out in this case, though, is how simple it all was. The sanctioned individual opened a perfectly ordinary bank account in a perfectly ordinary manner.
The individual didn’t try to be clever.
There were no fake AI-generated documents.
There were no complex offshore structures.
There were no proxies / associates involved.
The reality is, they almost certainly knew they were sanctioned and assumed they wouldn’t be caught or that they could achieve their goal in the time it took for them to be caught.
That assumption is what organisations need to worry about.
Because if you think “that wouldn’t happen to us”, you’re already exposed.
Sanctions risk isn’t always sophisticated. Often, it’s routine and that’s what makes it dangerous.
How to set up effective controls
For law firms, strengthening KYC processes often means increased manual reviews, duplicated checks and slower client onboarding.
⚠️ Screen too narrowly and you risk missing critical information that lets bad actors fall through the gaps.
⚠️ Screen too broadly and you generate excessive false positives, overwhelming fee earners and increasing the chance of oversight.
The key is to find that balance between the two, which really depends on both your risk profile and appetite. If you are dealing in high-risk areas like conveyancing, then your controls should reflect this, while lower-risk areas like family law will need less scrutiny.
Specialist compliance software can also help you manage your processes more effectively. Screening for PEPs and sanctions can be a very time-consuming task, with varying levels of data quality provided internationally. Some tools, like Credas’, aid the process by providing profile pictures and adverse media screening.
What all regulators want is a clear process that takes into consideration the different risks and potential gaps in your processes, with clear guidance for staff when something is unclear.
Jonathan Bennett