Managing sanctions risk remains an intricate task, despite plentiful technology available today. While many companies have robust sanctions programs in place, they often do not consider all communications channels and sources of information available to them that can unmask actors operating from sanctioned jurisdictions.

Kallia Gavela, Senior Director and Head of Disputes and Investigations at Alvarez & Marsal (A&M) Greece, joined sanctions experts and regulatory figures at the C5 Group's European Forum on Global Economic Sanctions in Berlin to debate the rapidly changing global sanctions landscape.

In the article below, she discusses the sanctions risk introduced into organizations by the various types of communication channels in use, and outlines some best practices for companies trying to navigate sanctions and build a more robust and effective sanctions screening process.

Information sources to consider when screening for sanctions violations:

  • IP addresses

Internet Protocol (IP) information [1] can be collected from various sources, such as user registrations, transaction logs or web server logs, and can be converted into geographic location data. It can thus be used as a key indicator for understanding the locations from which users – legitimate or nefarious – may be accessing an organization's products and services. Although a critical source of information, it is oftentimes neglected and excluded from both upfront Know Your Customer (KYC) checks and ongoing customer risk monitoring. There are limitations to be aware of in this context, however, as this information can be masked and the true location of the user/customer obfuscated, especially through the use of Virtual Private Networks (VPNs) and other anonymizers.

  • Email addresses, telephone, cell or fax numbers

Email addresses and telephone, fax or cell number information can also play a significant role in sanctions screening, as they serve as identifiers for individuals and entities involved in various transactions and communications. This is especially true as each country has its own International Country Calling Code (ICCC), which will be indicated when a telephone call (landline or cellular) or fax originates from that country. Equally, the country code Top-Level Domain (ccTLD) [2], i.e. the two-letter Internet top-level domain designation, represents a specific geographical location. Where companies allow users to transmit payment instructions via email, phone, and even fax, this can benefit individuals located in a comprehensively sanctioned jurisdiction if the entity obliges due to its less rigorous sanctions screening process.

That being said, certain limitations should be borne in mind. A mobile phone number, for example, indicates the country in which the phone was issued, not the country of its physical location, and the two may differ. Also, certain regions subject to comprehensive sanctions may not have a specific TLD. As such, although an important source of information, email addresses, telephone, cell and fax information cannot be relied upon in isolation.

Emerging solutions:

  • Geofencing

Organizations can also consider embedding a geofence, essentially a geographic boundary set up by using the Global Positioning System (GPS), radio frequency identification (RFID), wi-fi or cellular, to prevent access to their services by users in sanctioned, embargoed or high-risk jurisdictions. Access can be limited based on the potential user's location by using data, including data from the user's device.

Indeed, geofencing services have developed beyond simply tracking a device's IP address. They can now leverage multi-source geolocation data to establish where a user is located. This reduces the risk of bad actors spoofing their IP data to trick geofencing software.

In some regions, such as Europe, geofencing may only be permitted when users opt-in. In others it is illegal. Furthermore, while geofencing can prove very effective when it comes to sanctions screening, it also raises data privacy concerns.

  • Device fingerprinting

As alluded to above, user identification within computer science has evolved past IP address information. Basic browser fingerprints have increased identification information further by including more device attributes, pushed by the browser, within the identifier. A device fingerprint, or machine fingerprint, is information collected about the software and hardware of a remote computing device to facilitate its identification [3].

As an alternative to cookies as a means of tracking, it combines certain device attributes – the operating system, the web browser and its language setting, system language and system country, local time zone, installed fonts and plugins, CPU architecture and the device's IP address – to identify it as a unique device. It also analyzes the user's configurations of software and hardware, creating a unique ID for each configuration, known as a device hash.

Similar to geofencing, device fingerprinting comes with legal and data privacy considerations.

Regulatory efforts:

Across the globe, regulators have been highlighting the importance of deploying geolocation tools as an effective internal control, both in the sanctions compliance guidance they issue and through enforcement actions.

The U.K.'s Financial Conduct Authority (FCA) distinguishes between geolocation data and an IP address when setting out FCA client identity verification expectations [4]. The Financial Action Task Force (FATF) has also identified multi-source geolocation data – such as Wi-Fi, GPS, GSM/cell tower triangulation, and HTML5 – as a necessary part of digital identity and KYC verification [5].

There have also been enforcement actions in this arena, with recent examples in the U.S. of companies having to pay multi-million fines to settle sanctions violations allegations with the Treasury's Office of Foreign Assets Control (OFAC).

In many cases, regulators have treated it as a mitigating factor that the organizations in question were willing to admit to the violations and implemented corrective actions, including geofencing and IP address screening, against further incidents [6].

Best practices for organizations:

It is critical that every compliance department knows if and to which extent data and insights from the various sources of information discussed in this article are incorporated into the organization's sanctions compliance program. A company should consider incorporating the review of such information into its program, even if it was obtained for a different reason — such as for business or security purposes — to ensure the company is using all available information for compliance purposes. The process and any learnings from it should be thoroughly documented and aligned with the organization's risk-based compliance approach.

Furthermore, often a "look-back" exercise is required to understand if internal controls have failed or to identify potential gaps.

Some practical recommendations would include:

  • IP addresses

Organizations must obtain knowledge from their IT/Cybersecurity departments of all the instances in which IP address data related to customer engagement with systems or apps is collected and stored. They should also maintain an inventory of all access points where customers can log in, with each access point updated to prevent logins from sanctioned jurisdictions. It is also important to ensure that the scope of an annual audit includes sanctions penetration testing to check whether company sites can be accessed with an IP address from sanctioned jurisdictions.

  • Telephone, mobile and fax

Organizations must ensure that they capture information on telephone, mobile and fax numbers provided by customers when they open an account in the relevant CRM or KYC system. Companies can then identify customers with a mobile or fax number from a sanctioned jurisdiction, and create rules that prevent adding such numbers to the system. It is also important to ensure that searching for these phone numbers triggers a manually created case in the case-management tool for review by an experienced analyst.

  • Email addresses

Email content rules must be created relating to sanctioned jurisdictions, for both email and website domains. Institutions must query email addresses maintained within the system and search for emails matching those on sanctions lists, as well as the "top level domain" of email and website addresses in the system. Sanctions penetration testing must also be included in the annual audit report, to verify which products allow users to update their details with an email or website address located in a sanctioned jurisdiction.
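The three practical recommendations above (IP address, telephone/mobile/fax, and email screening) can be combined into a single screening rule that opens an analyst case whenever any indicator points at a sanctioned jurisdiction while recording the limitation attached to each indicator. The following is an added example, not code from the article or from A&M; the jurisdiction table, calling codes, ccTLDs and listed email address are constructed placeholders, and the `ip_country` field is assumed to have been populated beforehand by whatever geo-IP lookup the organization already runs.

```python
from dataclasses import dataclass
import re

# Constructed placeholder jurisdictions, NOT real sanctions data.
# "YY" deliberately has no ccTLD, mirroring the article's caveat that some
# comprehensively sanctioned regions have no TLD of their own.
JURISDICTIONS = {
    "ZZ": {"calling_codes": ["999"], "cctlds": ["zz"]},
    "YY": {"calling_codes": ["998"], "cctlds": []},
}
LISTED_EMAILS = {"listed.person@example.com"}  # constructed list entry


@dataclass(frozen=True)
class Finding:
    source: str        # which customer field produced the hit
    value: str         # the raw value that matched
    jurisdiction: str  # placeholder jurisdiction code or "LISTED"
    caveat: str        # why this indicator cannot be relied on in isolation


def phone_jurisdiction(number):
    """Longest-prefix match of the dialled digits against known calling codes."""
    digits = re.sub(r"\D", "", number)
    best = None
    for code, j in JURISDICTIONS.items():
        for cc in j["calling_codes"]:
            if digits.startswith(cc) and (best is None or len(cc) > len(best[1])):
                best = (code, cc)
    return best[0] if best else None


def email_tld_jurisdiction(email):
    """Map the email's top-level domain to a jurisdiction via its ccTLD."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", email.strip().lower())
    if not m:
        return None
    tld = m.group(1).rsplit(".", 1)[-1]
    for code, j in JURISDICTIONS.items():
        if tld in j["cctlds"]:
            return code
    return None


def screen_customer(record):
    """Return every indicator hit; any non-empty result should open an analyst case."""
    findings = []
    if record.get("ip_country") in JURISDICTIONS:
        findings.append(Finding("ip", record.get("ip", ""), record["ip_country"],
                                "geo-IP location can be masked by VPNs and other anonymizers"))
    for field in ("phone", "mobile", "fax"):
        if record.get(field) and (j := phone_jurisdiction(record[field])):
            findings.append(Finding(field, record[field], j,
                                    "calling code shows country of issuance, not physical location"))
    email = record.get("email", "")
    if email.strip().lower() in LISTED_EMAILS:
        findings.append(Finding("email", email, "LISTED", "exact match against a list entry"))
    elif j := email_tld_jurisdiction(email):
        findings.append(Finding("email", email, j, "ccTLD shows where the domain is registered, not the user"))
    return findings
```

Because each indicator carries its own caveat, the output is suited to routing into a case-management tool for an experienced analyst rather than to automatic blocking.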

A&M. Action. Leadership. Results.

A&M's privacy and data compliance practice supports clients in navigating the evolving and complex data protection regulatory landscape by developing and implementing solutions to address these challenges. Our team is also highly experienced in conducting forensic investigations into alleged data privacy violations.

The practice brings specialist advisory and consulting services on international and cross-border privacy, data protection, secrecy and related laws and sectoral rules. Professionals within the practice include former consultants, regulators, data protection officers and certified information privacy professionals who are skilled at aligning and implementing complex regulatory requirements within operational processes and settings.

Footnotes

1. To this topic see also: What's in an IP Address? A Key Compliance Risk Indicator You Should Get to Know Better | Alvarez & Marsal | Management Consulting | Professional Services (alvarezandmarsal.com)

2. A list of the current ccTLDs, including their registry operators, is provided here: Country code top-level domain - ICANNWiki.

3. See Legal Requirements for Device Fingerprinting - TermsFeed.

4. See Financial crime systems and controls during coronavirus situation | FCA.

5. See FATF (2020), Guidance on Digital Identity, FATF, Paris, www.fatf-gafi.org/publications/documents/digital-identity-guidance.html.

6. See for example the mitigating factors listed in OFAC's enforcement release from June 20, 2023: OFAC Settles with Swedbank Latvia 20230620 (treasury.gov).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.