Avoid inadvertent sanctions violations by covering all the bases: IP address, email and other communication channels – telecom, mobile and cable

Managing sanctions risk remains a complex task, despite the plethora of technologies available today. While many companies have robust sanctions programs in place, they often do not consider all the communication channels and information sources available to them that can unmask actors operating from sanctioned jurisdictions.

Kallia Gavela, Senior Director and Head of Disputes and Investigations at Alvarez & Marsal (A&M) Greece, joined sanctions experts and regulators at the C5 European Forum on Global Economic Sanctions in Berlin to discuss the rapidly changing global sanctions landscape.

In the article below, he discusses the risks of sanctions introduced into organizations by the different types of communication channels used, and outlines some best practices for companies trying to navigate sanctions and build a more robust and effective sanctions screening process.

Sources of information to consider when reviewing sanctions violations:

Internet Protocol (IP) information [1] may be collected from various sources such as user registrations, transaction logs, or web server logs, and may be converted to geographic location data. It can therefore be used as a key indicator to understand the locations from which users – legitimate or nefarious – can access an organization’s products and services. Although this is a critical source of information, it is often neglected and excluded from both Know Your Customer (KYC) upfront checks and ongoing customer risk monitoring. However, there are limitations to be aware of in this context, as this information can be masked and the actual location of the user/customer obfuscated, particularly through the use of Virtual Private Networks (VPNs) and other anonymizers.

  • Email addresses, telephone, mobile or fax numbers

Email addresses and telephone, fax, or mobile number information can also play a significant role in sanctions screening because they serve as identifiers for individuals and entities involved in various transactions and communications. This is especially true as each country has its own International Country Calling Code (ICCC), which is presented when a telephone call (landline or mobile phone) or fax originates from that country. Similarly, the Country Code Top Level Domain (ccTLD) [2], i.e. the two-letter designation of the Internet’s top-level domain, represents a specific geographic location. In cases where companies allow users to transmit payment instructions via email, telephone and even fax, individuals located in jurisdictions with comprehensive sanctions may benefit if the entity complies with those instructions because its sanctions screening process for these channels is less stringent.

That being said, there are some limitations to keep in mind. For example, calls from mobile phones indicate the country of manufacture of the phone, not the country of its physical location, and therefore may vary. Some regions subject to comprehensive sanctions may also not have specific TLDs. As such, email addresses, telephone, mobile and fax information, while an important source of information, cannot be relied upon in isolation.

Emerging Solutions:

Organizations may also consider embedding a geofence, essentially a geographic boundary set using global positioning system (GPS), radio frequency identification (RFID), wi-fi or cellular networks, to prevent access to their services by users in sanctioned, embargoed countries or high-risk jurisdictions. Access can be restricted based on a potential user’s location using data, including data from the user’s device.

Indeed, geofencing services have evolved beyond simply tracking a device’s IP address. Now they can use multi-source geolocation data to find out where the user is. This reduces the risk of bad actors spoofing their IP data to fool geofencing software.

In some regions, such as Europe, geofencing may only be enabled when users log in. In others it is illegal. Furthermore, while geofencing can prove to be very effective in terms of sanction screening, it also raises privacy concerns.

As mentioned above, user identification historically relied on IP address information. Basic browser fingerprints then extended the identifying information by including more device attributes that the browser pushes into the identifier. A device fingerprint or machine fingerprint is information collected about the software and hardware of a remote computing device to facilitate its identification [3].

As an alternative to cookies as a means of tracking, it combines certain device attributes – operating system, web browser and its language settings, system language and system country, local time zone, installed fonts and plugins, CPU architecture and device IP address – to identify a unique device. It also analyzes user software and hardware configurations and creates a unique ID for each configuration, known as a device hash.

Similar to geofencing, device fingerprinting is associated with legal and personal data protection aspects.

Regulatory efforts:

Regulators around the world are emphasizing the importance of deploying geolocation tools as an effective internal control both in issuing sanctions compliance guidelines and through enforcement actions.

The UK’s Financial Conduct Authority (FCA) distinguishes between geolocation data and IP address when setting FCA client identity verification expectations [4]. The Financial Action Task Force (FATF) has also identified multi-source geolocation data – such as Wi-Fi, GPS, GSM/cell tower triangulation and HTML5 – as an essential component of digital identity and KYC verification [5].

There have also been enforcement actions in this arena, with recent examples in the US where companies had to pay multimillion-dollar fines to settle allegations of sanctions violations with the Treasury Department’s Office of Foreign Assets Control (OFAC).

In many cases, regulators found it a mitigating factor that the organizations concerned were willing to admit the breach and implemented remedial measures, including geofencing and IP address screening, against further incidents [6].

Recommended practices for organizations:

It is important for each compliance department to know whether and to what extent the data and insights from the various sources of information discussed in this article are incorporated into the organization’s sanctions compliance program. A company should consider incorporating a review of such information into its program, even if it was obtained for another reason—for example, for business or security purposes—to ensure that the company is using all available information for compliance purposes. The process and any lessons learned from it should be thoroughly documented and consistent with the organization’s risk compliance approach.

In addition, it is often necessary to perform a “lookback” to understand whether internal controls have failed or to identify potential gaps.

Some practical recommendations would include:

Organizations must obtain information from their IT/Cybersecurity departments about all instances where IP address data related to customer engagement with systems or applications is collected and stored. They should also maintain an inventory of all access points where customers can log in, with each access point updated to prevent logins from sanctioned jurisdictions. It is also important to ensure that the scope of the annual audit includes sanctions penetration testing to verify whether company sites can be accessed with an IP address from sanctioned jurisdictions.

  • Telephone, mobile and fax

Organizations must ensure that they capture the telephone, mobile and fax number information provided by customers when opening an account in the relevant CRM or KYC system. Companies can then identify customers with a mobile or fax number from a sanctioned jurisdiction and create rules to prevent such numbers from being added to the system. It is also important to ensure that a lookup of these phone numbers triggers a manually created case in the case management tool for review by an experienced analyst.

Email content rules must be created in relation to sanctioned jurisdictions for both email domains and website domains. Institutions must query e-mail addresses maintained in the system and look for e-mails matching those on sanctions lists, as well as the “top-level domain” of e-mail and web addresses in the system. Sanctions penetration testing must also be included in the annual audit report to verify which products allow users to update their information using an email or web address located in a sanctioned jurisdiction.
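The phone, fax and email recommendations above can be combined into one screening pass over stored customer records. The following Python is an added example, not code from the article or from A&M; the watchlist entries, the record field names, the sample records and the treatment of a leading "00" as an international prefix are assumptions constructed for illustration.

```python
import re

# Assumption: illustrative watchlist only. A real program loads the list of
# jurisdictions from the compliance team's maintained source.
WATCHLIST = {
    "IR": {"cctld": "ir", "calling_code": "98"},
    "KP": {"cctld": "kp", "calling_code": "850"},
    "SY": {"cctld": "sy", "calling_code": "963"},
    "CU": {"cctld": "cu", "calling_code": "53"},
}
BY_TLD = {v["cctld"]: k for k, v in WATCHLIST.items()}
BY_CODE = {v["calling_code"]: k for k, v in WATCHLIST.items()}

def email_hit(address):
    """Return the jurisdiction whose ccTLD ends the address's domain, else None."""
    domain = address.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    return BY_TLD.get(domain.rsplit(".", 1)[-1])

def phone_hit(number):
    """Return (jurisdiction, note). Numbers without '+' or '00' cannot be classified."""
    raw = number.strip()
    digits = re.sub(r"\D", "", raw)
    if not raw.startswith("+"):
        if not digits.startswith("00"):
            return None, "no international prefix"
        digits = digits[2:]
    # Country calling codes are prefix-free, so a startswith test is unambiguous.
    for code, country in BY_CODE.items():
        if digits.startswith(code):
            return country, "calling code +" + code
    return None, "not on watchlist"

def screen(record):
    """Return findings for one record; each finding is a review trigger, not proof."""
    findings = []
    country = email_hit(record.get("email", ""))
    if country:
        findings.append(("email", country, "ccTLD"))
    for field in ("phone", "fax"):
        if record.get(field):
            country, note = phone_hit(record[field])
            if country or note == "no international prefix":
                findings.append((field, country, note))
    return findings

# Constructed sample records (not real customer data).
SAMPLE_RECORDS = [
    {"id": "C-1001", "email": "ops@example.ir", "phone": "+44 20 7946 0000"},
    {"id": "C-1002", "email": "buyer@example.com", "fax": "00 963 11 555 0100"},
    {"id": "C-1003", "email": "info@example.de", "phone": "030 5550 0100"},
    {"id": "C-1004", "email": "sales@example.com", "phone": "+1 202 555 0100"},
]

def open_cases(records):
    """Map record id to findings for every record that needs analyst review."""
    return {r["id"]: f for r in records if (f := screen(r))}
```

Numbers stored in national format are returned as findings with no jurisdiction so that they are normalised and re-screened rather than silently passed.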


A&M’s privacy and compliance practice supports clients in navigating the evolving and complex data protection regulatory landscape by developing and implementing solutions to address these challenges. Our team also has extensive experience conducting forensic investigations into alleged data breaches.

The practice provides expert advisory and consulting services in the field of international and cross-border privacy, data protection, confidentiality and related laws and sector rules. Professionals in this practice include former consultants, regulators, data protection officers and certified data protection professionals who are skilled in harmonizing and implementing complex regulatory requirements within operational processes and settings.

Footnotes

1. On this topic, see also: What’s in an IP Address? A key compliance risk indicator you should become more familiar with, Alvarez & Marsal (alvarezandmarsal.com).

2. A list of current ccTLDs, including their registry operators, is provided here: Country Code Top Level Domain – ICANNWiki.

3. See Legal Requirements for Device Fingerprinting – TermsFeed.

4. See Financial crime systems and controls during the coronavirus situation | FCA.

5. See FATF (2020), Guidelines for Digital Identity, FATF, Paris, www.fatf-gafi.org/publications/documents/digital-identity-guidance.html.

6. See, for example, the mitigating factors listed in OFAC’s June 20, 2023 Enforcement Report: OFAC Settles Swedbank Latvia 20230620 (treasury.gov).

The content of this article is intended to provide a general guide to the issue. Professional advice should be sought regarding your particular situation.
