Hi, everyone. Welcome to our webinar session, Can I Trust My Supply Chain? Best Practices for Screening Business Partners. My name is Asif, and I'm the senior marketing manager at Descartes. We have 1 hour for this webinar. Hopefully, we might finish a little bit earlier, depending on the questions and answers session. I will be the moderator for this session, and I have a few housekeeping items before we begin. You can submit any questions you have via the panel, and we'll try to answer as many of them as possible. If we do not get to all of the questions, we will provide a document with all the questions and answers as a follow-up to the session. Also, the webinar will be recorded, and we will provide you with a follow-up email with a link.
Now let's get started. Today's session is presented by a PwC partner for customs and international trade, Giovanni Gijsels, PwC manager for export controls and sanctions compliance, Vira Savva, and senior account executive at Descartes, Konrad Preuninger. I'll turn it over to Giovanni to kick things off for us.
Okay. Thank you very much. Talking about the need for screening, there are a number of things you have to take into account. When we look at the reason for screening, maybe as a bit of a background, I started out as a fewer customs and trade advisor. I really talking about the only, talking about customs, import and export. When I started, screening certainly was not on the agenda. Over time, we started to realize that a lot of companies, mainly in sensitive industries, were looking into, yeah, who are my business partners, needed to be able to control who are my business partners. It was, for instance, defense-related companies or companies with high-tech sensitive items.
Over time, that has really evolved, and I think today we are in a situation that actually every single company should have a screening process. How that screening process looks like, how that takes place can be very different, and I think we will discuss that further on today on how you can structure that. Every single company needs to have a structure in place, have a reason behind it, why they're screening, looking into what kind of business partners am I looking into. The reasons are quite clear, and on the slide, we show some examples. Those are published, and certainly in the U.S., you see that the legislator and, for instance, OFAC, one of the government authorities, basically looking into screening, they are very open about sharing cases.
They share the names, they share the reasons behind it, why they basically sanctioned the company, and there are quite some good examples on actually what they want companies to do. The challenge very often is that companies, most companies struggle a bit with data quality, but also the lists from the authorities are not always perfect. I think one of the good cases that we see here are, for instance, the one of Apple, where Apple on the App Store, basically is doing screening. You know that if you go online, or on your iPhone, basically, you can download various apps, and actually, Apple was screening them. What they did not do is looking at the people behind those companies.
You don't see any of the people behind it, and that's basically the reason why they got a sanction from the U.S. We also see, well, significant monetary fines. Typically, companies are in the from a U.S. point of view, getting very significant fines, but we'll come to that later on, and also from a European point of view, that might change. There is always that, well, name and shame part, but also the fines linked to a violation are very significant. The next example that we can share is this Microsoft, that had to pay $3 million over Russian sanctions, basically, because their screening process did not take into account to sufficient extent the fact that a lot of the names are in Cyrillic.
If you screen, the lists are quite often in, let's say, Roman characters, from an English point of view, but that gives a challenge if you're screening against Chinese, or Russian counterparties, where you have a different alphabet and with Cyrillic, yeah, it is not that different. Transliterations can be made, for instance, but that's basically, where they got the complaint that they did not do enough efforts there to make sure that they captured the different entities. This is mainly from a US point of view. One of the big reasons why in Europe it came onto the agenda is, of course, due to the actions of Russia towards Ukraine and the invasion there, where suddenly, yeah, an economy very interlinked with the European economy was sanctioned.
We did have it before with Iran, we did have it before with Syria, but actually the impact with Russia is much more significant on the European economy. It's not massive. The Russian economy is not that large, but nearly every country in Europe does have some connections with Russia. If you just think about all the discussions on oil and gas, for instance, dependency on Russia, it is much more interlinked than these other countries that had sanctions in the past. The exposure for the typical company is much higher. It also made it very local. If you talk about doing business with Iran, everyone thinks really shipping things to Iran only and not doing business with Iran.
Now, with Russia, what we did see is that a lot of European companies really operate in part of our ecosystem here in Europe, suddenly got sanctioned because ultimately, up the chain, they are owned by a Russian oligarch that was sanctioned. That's who owns the company becomes very important. For instance, there was an example in Belgium, in the port of Antwerp, where a company basically linked to some other chemical companies actually got sanctions, and they made fertilizers. Where initially they didn't have a license to operate, which was causing even a hazard for the other companies because they were part of that supply chain, where certain substances need to move from one place to another, and you can only stop that for a certain amount of time.
The reason behind that was, okay, the company is owned by, but it's actually other than that, it is a company which is fully part of the economy, and not Russian by nature. You would not recognize that's a Russian company. It does show the need of knowing your business partners, even locally, so that there could be local impacts or who owns the company ultimately becomes very important. That led to quite some discussions in Europe, where a lot of these oligarchs suddenly transferred a lot of their assets and shares and whatever, to their wives or mothers, and for instance, there was a case on the Wagner chief. The Wagner Group is active in Ukraine.
You might have seen there's a person in the news complaining about the lack of resources he's getting, but he's part of that inner circle of Putin. Basically, yeah, his belongings were transferred to his mom, and she basically filed a court case and actually won that. It does put the limits on what is possible there, but you do see that there is a big shift in yeah, who do we need to screen? These things can move. That's also very important. It's not a very static topic. It's a topic that is constantly moving.
I mentioned that, from a fine perspective, and the reasoning behind it, you do see that U.S. has very significant fines and typically also looks into what is your process and are you doing the necessary things to make sure that things cannot go wrong? They look into what could go wrong, based on your current setup. The fact that you, for instance, if you don't screen and they don't find any infraction from a U.S. point of view, they might say, "Well, you're not screening. You're doing business all over the world.
You could have had an issue, and you would not discover it, so we will fine you." You will see, in a broader sense than pure screening, that a lot of companies got fines because the U.S. considered their compliance program as insufficient for their business. It is very important that you have something in place that meets the, let's say, the risks of your business, that is in line with the risk of your business, so you can defend yourself if they say, "Okay, are you in control? Are you doing whatever you can to avoid that things go wrong?" And that's a bit what the U.S. always takes as a position.
In Europe, we have much more, or we had much more, the position that we look into what went wrong, and then are there reasons to explain why it went wrong? In a lot of cases, that means that the actual fine and the actual impact is rather low unless you really did things on purpose. A big change happened end of last year, where actually they said sanction evasion is so important now that we want to make that a European crime. European crimes are very limited. We talk about things like child trafficking, for instance. Very, very well, severe things where basically everyone says you cannot do that. They brought sanction evasion up to that level. I've also followed is that the Commission prepared a proposal to give, let's say, European context on the sanctions.
Sanctions in Europe are still a responsibility or something that member states can decide themselves. How do you do your sanction system? Which fines do we impose? Actually, for sanctions evasion, they want to bring that to European level and said, "Okay, there should be a minimum threshold," where they're talking, for instance, about 5% of the global turnover of a company if you made funds available to a sanctioned entity. 5% of the global turnover of a company as a group, that brings us from a, let's say, a monetary fine perspective, really on par with the U.S., where you talk about fines of $ millions, even into $ billions.
Where in Europe, we talk hundreds of or thousands of euros typically. If you move into 5% of turnover, yeah, you talk about millions. It is really a topic that is of concern for everyone and to maybe summarize that. Indeed, there could be monetary fines if you don't do that. If you're really involved in certain activities that authorities really don't like, and they say, "Hey, you've done that on purpose," they could deny your export privileges. They could list you as a sanctioned entity. Also, I think what is important is that there's a criminal liability of executives. What that typically means is that, for instance, the CFO of a company will be held accountable.
You, and I've seen the cases, you might get a letter at home, if you're a CFO, stating that your company is in violation and that you are personally also held liable for that. Last part, you do see that screening becomes very broad, so it's not only about the sanctions that are in place, but for instance, also, human rights considerations are taken into account. You do see that the reputational element, and like there you see Apple, Microsoft here, and you are published. That's not good, but you also see that consumer groups, and certain activists are listing. I just did some research prior to the webinar. There is a list stating these companies are still active in Russia, or companies being called out for using sweatshops and so on. You do see that also that part-...
the social aspect, the human rights criteria, et cetera, become very important. It's not only the sanctions or the penalties you might get from authorities, but also from the consumers, the market out there, that actually is imposing on companies to be aware of who you are working with up and down the supply chain. With that, I hand over to Vira, who will well, explain us a bit how a screening program could look like.
Thank you, Giovanni. Good morning, welcome everyone. I want to apologize in advance a bit for my voice. It went on vacation a bit earlier than it planned to go, but let's just make it work anyway. What we want to cover in the next 2 sections of the webinar is to give you this practical aspects of how the sanctions screening should look in a company. It's important to start from the fact that there are no clear legal requirements on what you are obliged to do as a company. There's nothing that would say you're obliged to screen, but at the same time, there is a law that says you are not allowed to deal with a sanctioned entity. How you come to this point?
It's a good question. We actually collect the requirements from the enforcement cases piece by piece. When you have a Microsoft case, you suddenly see that authorities are actually expecting you to screen against Russian characters, which was not the case before. In this Apple case. We see how they care about upper and lower cases in my words. This is exception. What's important here is that it's not a program that would fit every type of a company. It doesn't mean that a smaller company necessarily should have a comprehensive, huge sanctions screening program that would be the same as a pharmaceutical company have immediate, so business partners. No. Authorities are also saying there is no one-size-fits-all. It's up to the company to do the risk assessment and to decide on what exactly do they need to do to not work with sanctioned.
What we put on the slides next is the, you know, the concentrate of all the practical experience we have dealing with different companies or different sites, and knowing where the risks lie, and, yeah, what do you need to do as a company to be sure that you can sleep well, and you are doing your best to not have sanctioned entity in your, in the list of your business partners. First question that you might ask, "Who do I need to screen?" Because often we see the perception that the customers are enough, and it's normally, treasury that might screen outgoing payments to make sure the money do not go to the war, to the, to the sanctioned entity, or I'm looking at my customers.
That's the first in the case of vendors. For the customers, if I'm checking my customers, there is sanctioned entity, that's. That's not quite the case. You really need to look at all the business partners who you do. Obvious choice is everyone I'm paying to, everyone who's paying to me, and the banks I'm dealing with, and the banks of my business partners. That's not where it ends. Actually, you need to go as far as possible in certain circumstances. If you have any information about the end users of your goods, you need to screen your end users. That's again, very good example with Russia.
When you are selling goods to a company located in Kazakhstan, but the end user is located in Russia, and you need to ask a question, and you need to screen the end user to know that it's not sanctioned entity. This is as far as authorities are expecting you to go. The same for sub-suppliers. I'm buying from the company in Poland, and where do the goods come from ultimately? Who is the sub-supplier? Maybe I also need to dig deeper and screen them as well. It's not always, you might not have this data, and that's often a question from the clients. What about the distributors? I have a distributor, and my distributor has their own customers. They will never tell me the names. I'm not capable of getting this information in this group.
Here the answer is always, of course, it depends on the risk. What are you selling, first of all? Of course, if it's a standard business practice, you cannot get the name, no one will blame you for not getting the name. At the same time, if your goods will ultimately end up with a Russian company, you wouldn't like to be in this situation. All we can suggest is at least include in the provision that you expect your distributor to do the screening. It will not shift the responsibility from you fully, but it will help at least in the future damage control. The same for any other entities and individuals who are, that whose data you possess within the deal. If you have the data, you should screen. That was again, the already mentioned case, Apple.
When Apple had the name of the MDN in their data, because this was the name of the software owner in the App Store, but not the developer. They screened the developers, but they didn't screen the software owners, and this was a deficiency, and that's also one of the reasons they were penalized. A good question here as well is like: What do we do with employees? Every time we work with the clients on establishing sanctions screening program, this question pops up because we have a contradictory legislations here.
We have GDPR rules in Europe that say you're not allowed to collect and screen data without legitimate interest, we have a screening requirement specifically for the U.S. sanctions, where you that's a very, very blurry case when you really need to screen as business, but authorities are not European authorities, are not forcing you to do so. Here we always suggest go to privacy officer of your company, assess his case country by country, because position of Sweden can be different position of Belgium. This is complicated question, need to be assessed, this is prior to establish the sanctions screening program. Now moving to the next big set of questions is, which lists do I care about? We know who do we need to screen, which lists do we need to use?
First layer is obvious one, the one that directly applies to me because I'm located there. If I'm a U.K. company, I care about U.S. sanctions. I might also care about sanctions of my country. Germany can go further than E.U. and sanction more companies. That's also the reality. If you're a U.K. company, you care about U.K. company first. Comes from other layers. The most complicated one, but at the same time, very easy one is, of course, U.S. lists. They do not directly apply to you, but they have this extra territoriality element in them, which means that if you have so-called U.S. nexus in your transaction, and good example is just I do the payment in U.S. dollars.
I receive the payment in U.S. dollars, meaning that it goes through the U.S. financial system. This is the U.S. nexus, and you need to care about it. That's why we always say, better screen against the U.S. sanctions list and then assess case by case, do they really apply to my transaction than just ignoring it? Sometimes U.S. sanctions are faster than European ones, and you see, okay, this is a Turkish company that was sanctioned today by the U.S., but it's an intermediary of Russian company. I would like to stop doing business with them, even if the sanctions not apply to this transaction. It's my decision as a company to stop. This is the second type of the list. Then we have a batch that would be relevant for your type of business.
Export control lists, that's like we call them export control lists, but this is a good example. Entity List of Bureau of Industry and Security of US, German proliferation concern, Japanese proliferation concern. These are the lists where authorities are saying, "I'm suspecting this company might be engaged in the proliferation of weapons of mass destruction." If you are selling something to them, that is subject to control, wide jurisdiction, you need a license. This is a very simplified way. Of course, there are many gray areas and many if and if, but this is a simplification. They are not necessarily always directly applied to you. Again, it's US list. You don't care about US list in this particular transaction, or this is your vendor, not a customer. You're not selling anything to them.
You would still might want to screen against this list because the allegation is pretty harsh, and you might want reputationally dealing with entity. Another good example is if you are a pharmaceutical company, you have a full list of the U.S. medical lists, which means that you are not allowed to deal with this company or individual because you cannot pay from the medical, U.S. medical program funds. It's pretty mandatory for pharmaceutical companies, but not relevant for other businesses. That's something to think about as well, where I'm working, with whom I'm dealing, what kind of list I might be. Of course, if you have transactions happening in Australia or in Japan or in U.K., you might want to have their national sanctions lists. They are very much aligned with the EU and U.S., but there might be exceptions.
Canada, for example, quite often goes further and sanctions more than U.S. If you do business in Canada, you might want to have Canadian sanctions. The last set, we call it beneficial to have, but this is a really important thing. You might have heard about 50% ownership rule or the ownership and control concept, as we have in EU. You are not directly dealing with a sanctioned entity, you're dealing with a company that has owned the sanctioned entity. Maybe after 3 chains of companies, maybe in aggregate, a couple of sanctioned individuals, and you're not allowed to deal with them. The problem with this kind of companies is that authorities are not necessarily publishing. You might not know that, like, Belgian company is actually sanctioned because it is owned by the sanctioned oligarch.
There are content providers who are working on this, so they're creating and constantly updating the list of companies that are owned by the sanctioned companies. If you have this content, you're safe. You can really detect business partner that you are not allowed to deal with. Similar example with the control list, because in EU, we also care about control, which is not the case for the US. Control is a very blurry kind of notion, hard to say, but good again. Russia is always a good example now because we have so many new sanctions, so many things happening. The Russian oligarch was owning 80% of the company, but suddenly, after sanctions were imposed, they owned 48% of the company because they passed the ownership stake to their wife. It's...
Does it mean that the company is not controlled by the Russian oligarch anymore? That's a question that is negotiable. There are many legal aspects in it, but that's again, the kind of lists that help you to detect that here is the case. It's up to your company to decide, do you have the risk here that this oligarch is still ultimately controlling the company and you're violating European sanctions? Another good example is FCPA, Foreign Corrupt Practices, kind of list, and companies that are having anti-corruption, anti-bribery policies are often screening business partners in this kind of place as well. Forced labor, which is now very hot topic, Germany and Switzerland have relevant legislation in place. These are two examples, the last two lists, that show also the sanctions screening program.
It's really a tool that can allow you to expand not only to the trade sanctions, but have other considerations in this. This is really a mechanism to protect the business partner. How you will act after will depend on the necessary team. It may be responsible sourcing team or sustainability team, whatever kind of team you might have in your company that will also benefit on the screening solution that you have. Next type of question is: When do I need to screen? How often do I need to screen? Here again, the answer is depends on your company, depends on your risk profile. Not maybe, not necessarily all kind of screens you are, you will be needing, but the best practice is to have these 3 types of screening that you see on the screen.
The first one is the pre-contractual, we call it contractual. You don't have a contract yet. You haven't created the business partner in your ERP system yet. Your sales or procurement team is starting negotiation. They are doing a lot of work. They might be even selling some samples, sending some samples. Ultimately, after months of work, you create a business partner, and you see that it's sanctioned. You even couldn't have this negotiation. You spend the time for nothing. That's why we always advise either train your sales and procurement to do the screening themselves or tell them to reach out to the responsible team.
Even before the business partner is created, first thing, just especially if there is a risk, especially if it's a new company created in Turkey after 2022, or it's a company in Kazakhstan, or it's a new customer that is not very well known on the market. Better screen before entering the discussion than after losing your time, efforts, and industry. Second type of screening is an ongoing screening. Your master data created, you have your customers, vendors, banks, whatever you have in your system, and you screen them every day, every month, every week. Depends on your, again, risk profile, your situation, like your decision, how often do I want to have it?
You screen them against the sanctions update because authorities are publishing updates every day, and yesterday your supplier could be okay, but today it's suddenly sanctioned, and you need to stop business. You need to stop shipment that is ongoing. You need to stop payment if it's planned. That's why this ongoing screening element is very important. It's your existing database that you constantly check. Is there something new that I need to know about? The last one that is very good to have is transactional screening, is when you create sales order, you create an outbound delivery, inbound delivery, payment, and there might be parties mentioned that are not your master data. Suddenly, account holder is a different entity, the bank is different. You might want to know why.
You might want to be sure that I'm not actually sending the money to the sanctioned entity now. My business partner was okay, but maybe it was an intermediary sanctioned entity. These are three type of screening that are good to have, like expected to have, and it's of course, depends on capabilities, depending on the risk profile, where do you settle in it? Then what do you do with the hits? Let's imagine you screened, and you suddenly have a list of, in your workplace, a list of companies that you need to deal with, and how do you, how do you handle them? What is the best practice in the market? That's again, that's just an example. Typically, what do we see or what do we do as well as a company?
We have a first-level review, where it's like a very simple comparison, where machine still sees the similarity, but the human can say, "No, these are certainly different entities," and you don't need to go any further. You see that this name and this name are completely different. They have some similarities, but they are different, and you just eliminate the false positives. It's like two minutes per hit, somewhere there. It's quite fast to do, but depends on the volumes. Of course, you might have many of them if you have many business partners, but this is the first-level review that is done. It can be a really junior kind of profile that is just reviewing and eliminating false positives. Whatever is not obvious and can look as a potential true hit, goes to the second-level review.
Here, the person with a deeper knowledge of investigation, sanctions investigation, understanding the impact of sanctions, needs to look at these hits and start really looking into available information. Who is my business partner? Who is the sanction entity? Are they the same? Are they related? They normally start using all the available database resources you can have, starting from simple Google search and Google Maps. When you see located and not located in the same place, they're certainly not the same group. Looking at the, I don't know, publicly available audit reports published by the company. Are they related? Is this the same group or not? This is the more mature profile and with the knowledge of sanctions, needs to investigate, and then if it's a really true hit, needs to understand what does it mean for us. Not all sanctions are black and white.
Not all sanctions mean that you have to stop dealing with the business partner. Some mean that you cannot deal with either. Then the person needs to have knowledge to explain this further to the next escalation and decision. Here, the best practice is to involve the upper management into the discussion. What does it mean for us? What is the business partner? What are the sanctions? What is allowed, what is not allowed? For them to take an ultimate decision, are we continuing in business or not? Because this is ultimately their responsibility, because they have this good understanding of the business, and they need to know, need to have the feeling how sanctions are important. They need to take a painful sanctions business decision.
This is, we sometimes see the whole committee is created when there is responsibles from legal, from financial department, from sales, from procurement, et cetera, and they are discussing the cases and taking a decision. Here it's important that during all this process, from the moment when you have identified the hit, until the moment the decision is taken, and sometimes it takes a while, no business should happen with this business partner. There are very mature IT systems where the hit appears, and then the business partner is locked in your ERP, and you cannot the document anymore, use it. Not all companies have this in place, so just a good communication, integration with other departments when you say, "We need to stop. We need to wait until the decision is taken.
All shipments, all payments need to stop at this point of time." An important element of all this is record keeping. Investigations you do, hits you have, you need to write it down because authorities can come and check on you to be able to demonstrate that you do have a special screening in place, and here are the proof. Again, maturity systems allow you to have the audit trail that will be showing who did what, did when. Last slide, I'm... yeah, we stay a bit on time. What are the preconditions for the efficient screening? What are the elements that we really need to care about? Master data quality, that's the first one.
If you want to compare your business partners, again, the sanctioning, you need to be sure that your business partner master data are correct. You have full name, you have address as minimal. It's great, of course, if you have more information, you have, for example, identification number of the company. It allows you to do the investigation more efficiently. If the names are incorrectly mentioned, if the addresses are missing, it's really hard to do the investigation. It's just a lot of work for everyone. Of course, up-to-date sanctions lists. You want to know what's happening in the world. You want to be able to detect it as fast as possible. There are content providers in the market, including the government, that are providing you with the daily updates.
It's a delta file that's sent to your IT system, that's catching all the updates and checking your business partners. Of course, a screening tool, and Konrad will pick up after me and demonstrate his screening solution. We are now luckily living in the time of a very good technology, when we can see that the algorithms are designed to really minimize the amount of false positive you have, which means less work for you in the view, but also avoid false negatives because you don't want to miss it. Of course, the fuzzy logic behind it doesn't care about upper case or lower case. It doesn't care about is it SAVVA VIRA or savva vira, it will still get the hit.
It's important that typos and different type of spelling the name, especially with the names that we are not used to, are considered, and solution is still capable to catch and understand. The team that you would have in your company or a person who will be doing this kind of work, that needs to be independent from the business in a way, because the decisions that they need to take sometimes are contradictory to the financial interests. That's something that need a skilled person, knowing sanctions, but also being independent in the judgment. What is good to have and really missing often is integration with other company's processes.
You might have a legal team or compliance team that doing a QA with senior customers, integrate them with the sanction team, that they know that there is a solution, they reach out actively. The same again, you have a responsible sourcing team. They should be able to leverage on the screening solution you have. That's important to also be sure that whatever sanctions team is doing is communicated to other business units, that they have a power to stop the transaction if necessary. It's a bit like helicopter view on all compliance processes you have and business processes you have, and having the smart integration of the screening tool, so it doesn't become a burden in a way, but have a sufficient element. We are capable of catching what needs to be caught, we are not disrupting the business for no reason.
That's a bit the idea. I'll stop here and pass it over to Konrad for the demo of their solution.
Sure. Thank you, Vira. I'm gonna start to show my screen. Which one? Screen one. Perfect. If Vira, is it thumbs up, you can see my screen? Yeah. Okay, perfect. Thank you. Yeah, good day, everyone. Konrad Preuninger here from Descartes. If there's any questions along the way, feel free to throw them in the chat, or if there's a Q&A section on the control panel, throw it over, whether for myself or for Vira and Giovanni at PwC. After my section, we're gonna do a Q&A part, so we'll address those questions. If we don't, we can do it at a later point.
In my session, I'm going to go through one slide on what key capabilities you're looking for in a screening platform, and then I'll give a small demo on three fun use cases of type using different search screening logic. If you divert your eyes to the bottom of the screen, there are three different options that you look for in a screening tool or a combination in it. On the left side, you have your online screening. I think it's very simple, straightforward. It's a web-based tool where you can log in, plug in your business partner information, and then retrieve the results within a few seconds.
This will be more applicable to, you know, smaller companies or departments and companies that are, you know, doing screening for 12 or so entities per week. It's a bit more manageable because this is a process that can bog down your time, and you want to make sure you still have a healthy balance between this or operative processes and your strategic projects. Leading into the middle of the batch screening, having a tool that can upload your Excel spreadsheet because you likely are working with a large pool of business partners, hundreds or thousands, that you don't want to have to manually screen. You just want to upload in the system and retrieve the results, and have that ongoing screening.
There's many different use cases where you may enter into a joint venture or acquire another company, and you want to quickly screen their business partners before you officially engage in that type of partnership to make sure you perform your due diligence. The last part, the integrated screening, and this is always the best way, is really automating the screening in the background, whether it's your ERP or CRM or whichever business system you use, where your business partners live today. This is the preferred solution because you're gonna want to automate the screen in the background to eliminate the human risk. It's easy to forget to, you know, screen every partner, that's why it is the preferred solution.
Especially when the bigger company you are or as you do acquisitions, you may have multiple business systems, so you can point everything into 1 solution, such as Descartes' Visual Compliance sanctions tool. For example, we have 1 customer who has 8 different ERP, CRM systems, Oracle, SAP, and Salesforce. Instead of doing the screening, you know, decentralized, they point everything into Visual Compliance, so they have 1 source of the truth, and they kind of centralize all those activities. Of course, you're gonna want a combination of everything. You're always gonna need online screening to perform, you know, extra screenings off those hits that you get, and then batch screening can come into play as you need.
My recommendation, especially if this is a totally new process to you, is crawl, walk, run. Start with the online screening, regardless of how big you are, and then scale the process as you see it working for you and your company and your department. A few key capabilities, which, if you navigate your eyes to the top, the main thing that Vira really touched on in one of her slides, was the ongoing monitoring. We call that Dynamic Screening. Regardless if you've done it in an online, batch or integrated screening approach, you want those entities to be re-screened daily by your platform. Because Company A may be safe today, but they could enter a sanctions list tomorrow or in 3 years from now.
You don't want to set up a manual recurring process where you go and manually re-screen them, you know, let the system do the work for you. No news is good news. If there's ever a hit in the future, you want to let the system notify you via email to resolve those results. The second part is global list coverage. There's a ton, there's hundreds of lists out there. Typical ones are the E.U., U.S., U.N., U.K., Switzerland. If you're doing business in Qatar or the UAE or China, you know, there's all those local lists that you need to adhere to. At Descartes, we manage it on our own.
We have a team of about 80 people that are staying on top of these regulatory changes and then codifying it into our database, so you always have the latest list that you're then re-screening it in, within the system. The third part is advanced adjudication, and this is more applicable to when you have those larger volumes. Because you're gonna have a false positive rate, and wherever it may be, you wanna very quickly resolve all those hits. Why do we have a hit? Very quickly clear it or close it, so you can move on with your day and on your other more strategic projects. Second to last, we have our search tuning logic, and also what Vira touched on was the master data quality.
This is something most of our customers are challenged with because they have data from multiple systems which are entered by their sales team or other types of teams, and they're all gonna differ in quality. You want to be able to adjust the logic of, and how your data is matched against those sanctions lists. If it's very good government-verified data, you wanna use, you know, more of an exact search. If you know, it's of lesser quality, you may wanna open up that risk net and use something like fuzzy or phonetic. I'm gonna show a few examples after this. The last point is the analytics and governance. Usually, that's seen as a nice-to-have, but it's one of my favorite parts is the analytics gives you of, like, how well the process is working.
After 3 to 6 months, you have the data in the system, you know, you can identify where the bottlenecks are, and then you can run or engage some improvement processes so that we can streamline this process faster. The governance is for, you know, if you're, if you have a larger team, maybe like 15, 20+ users around the world, you want to ensure that your team is doing what they're supposed to be doing. They said, "Yeah, I'm gonna conduct screening," but are they really? Even if they are, how are they resolving the hits? If they're kind of indicating everything's a false positive, is that really the case, or are they just trying to, you know, checkmark that box?
It gives you that control over the entire compliance procedure. In the end, especially if this is a new process, it's a change management project. It's, you know, people, process, technology. You have the people, which you conduct training, the process is following your ICP, the technology is there to make it easier for you to do, and automate whatever is possible. I'm going to skip over into Visual Compliance now and give you a few examples. Again, any questions that come up, please feel free to type them in the chat. I just have about 6 more minutes, and then the last 10 minutes, we'll have for Giovanni to wrap up on key takeaways and then any questions you have. I've already logged in to Visual Compliance on our online screening page.
I zoomed in. To understand this is there's 3 parts. You have your form, where you input your business partner information. The second part in the middle is your search tuning logic, so depending on the quality of your data, you can really finely tune how that's matched against those sanctions lists. The 3rd part is all of our sanctions lists, which are in groups and categories. As I said, there are hundreds around the world, and as you can see, we group them in buckets. You have your typical OFAC, and BIS, and the export, and as well, and the sanctions bucket. It allows you to switch off or switch on the relevant list, depending on who you're screening and for what reason.
The main reason you do this is because of the, your false positive, right. You want to, you know, make sure that we only screen against what's necessary, so you don't have a large page of results to resolve. For my first example, I'm going to enter my name, and then I've already entered Cuba in the field and conduct the screening. On this page, you can see there are 0 records returned, which mean I'm a safe party to do business with. I'm not on a sanctions list, which is a good thing. However, it does do the holistic view, so there is a flag on the country. I did enter Cuba. I think that's obvious.
Even though I'm a safe party to do business with, there are restrictions, on the country level, and depending on your business, you may not be able to trade with me, because of that, the country location. To finish off here, I just opened a search criteria to remind ourselves what I searched against which list, logic, and the date timestamp. What's really important for your tool is to have something that automates the audit log. This is now within my audit record, so I know what was screened, when, and by who, and if there is any resolution, what it was exactly. The second thing that's happening is that continuous monitoring.
Even if I do something bad tomorrow and three years from now, and I enter a sanctions list, then the system will catch that and notify your company of that possible match. Good. I'm going to go back and give a new example, and I'm going to search Aaron Tucker in the country of Turkey. I'm going to use the exact search tuning logic, this is what you typically use this when you have more data on the company or it's government verified. When we conduct that screening, you can see that there are 0 records returned. There are country flags. It's Turkey. I think that's another obvious one.
If I go back and search the same name again and open up to a fuzzy logic, number two is the most common, so those are typographical errors where either there's missing letters or there is a substitute letter. I'm going to use a combined search, and that's going to search across every single search logic, so I don't have to continuously search that same name again. Again, we have exact zero, and if I pop over to fuzzy, we can see there is a match now. If again, the, it's all about data quality, depending on what your system looks like. Ergun, we made a match on Ergun Tuker. If I open up this list, this hit, right, we can see this is coming from the source BIS, the Entity List, and it's for Ergun Tuker.
I open up what we searched again, we can see Aaron matched with Ergun because there's a possible missing letter, and then Tucker, C, and the R. One thing is, yeah, sanctioned entities, companies learn that they're sanctioned, and they do intentionally type in a wrong name. Aaron Tucker looks a little bit more innocent, and in this case, you would, yeah, review the results, understand if this is the same address. You may ask your sales team to verify where is this shipment going, or you may reach out to the actual individual and say, "Can you please verify your shipping address," for example.
Yeah, if they return this name, then you know you have a positive match, and if they don't respond at all, yeah, that's also an indication that there's likely a positive match, and you shouldn't move forward. Very nice. I will go back and do one more search, and this is one of my favorite types of searches to do because this is what Vira touched on before. It was the sanction ownership or the OFAC 50% rule, especially in light of current events. This has become a more popular type of list to search against. If I use Arena Events in Finland, and I take off our optional list, and that's the partners we have that provide this more premium type of content and conduct the screening.
We could see there are zero records returned, which mean, yeah, Arena Events is, it looks like a safe party to do business with. If I go back and turn on that OFAC 50% Rule and screen the same company again, we now have a hit, or actually 5 hits. If we focus on the 50% Rule, and we hover over the first one, we can see from our partnership with Kharon, we do have a hit on Arena Events. Why is that? If we look at the notes, we can read that these two Russian oligarchs, who actually sit on the SDN and the UK Sanctions List own 50% or more of Arena Events.
Because these two oligarchs sit on the sanctions list and own this company, Arena Events is therefore a sanctioned entity, and you cannot do business with them. It's very, it's a very interesting type of data set to review, but it is very important to understand and, like, really knowing your customer and who owns it. We're starting to see more and more that sanctioned entities are starting to kind of divest their ownership to 49.5%, just below the threshold, or even set up shell companies to hide their identity and their ownership or control. This type of data really can catch that. Yeah, it saves you from compliance and also reputational risk. That's it on my screening use cases.
I'm happy to always connect with you one-on-one and go through it more in depth. There's a lot more to show, but as long as you understand how, yeah, online screening could work with the different types of fuzzy logic, phonetic, and exact, and as well as the list, the same can be applied to, you know, running a batch screening within the environment and getting all your business partners into a screening process and continuously monitor it. Now I'm gonna pass it back to Giovanni to wrap up, and then we'll answer any questions. Yeah, thank you for listening in here.
Thank you, Konrad. I think, while we are pulling up the slides again, I think that there are some key takeaways that we want to reiterate and make clear to everyone. I think, in the examples that I shared earlier on, but also, what Vira mentioned, and Konrad, for instance, the last example was a clear one. I think it is very important to know that screening is something that everyone should be doing. It is relevant for all parties involved, and you need to see to what extent you are really impacted by that. it's...
You need to screen, I think the level or the extent to which you are impacted should be something you need to look into. That's one of the elements we need to take away. I don't know why the slides are not.
Yeah.
popping up yet.
Yeah.
Second one that we want to give is you need to set up an organization behind that. You need to know, okay, how do we organize things? How do we structure things? Who do we reach out to when things, let's say, go wrong, when we do have a new business partner that is impacted? How do we communicate? For instance, Europe has been very vocal now on the fact that there's a lot of potential evasion that there's diversion of goods going to Russia that end up in Turkey, sorry, ending up in Russia. Kazakhstan is mentioned there, they showed some statistics a few weeks ago on trade that just doesn't match.
For instance, if you have a new business partner in Turkey that you don't know, and you're in the contracting phase, okay, if you identify, yes, this might be a party that is impacted, then you might need to talk to, for instance, your sales team. You might need to talk to your legal team because you might need to rent contracts and so on. It is important to do things that are across your organization and that you do it in the correct way. On the screening part, yeah, I think also with the examples that we have seen, of course, you could skim through the list, and compare with your own business partner data, but it might be very challenging.
I think the examples have shown that it's important to capture those typing errors or variations that exist in a name, not only because we know that there are challenges on the master data front in organizations. The same challenge exists on, let's say, the list creation part, where the products also have their limitations. As Konrad mentioned, also, keep in mind that some people want to avoid being screened and basically will make all these small changes to escape being caught. They make small variations, they make small changes in order not to get onto the list. I think the main conclusion overall that I would like to bring is don't throw away the good because you want to have the perfect.
I think, and also Konrad made that very clear, if you don't do anything today, maybe, yeah, start with doing that manual or that one off screening to assess your impact. How big are we impacted? If you're only doing business here, well, the examples have shown that you do need to do screening, but probably the risk might be a bit lower than when you're very active in countries around, let's say, Iran, Russia, China, and so on. Take those things into account, but start small if you're not doing anything, and take it from there and see where you need to go.
Typically, what we see with clients is that if they want to take that step, if there's, like, sort of business case behind it, that very often, once you start screening, the business case materializes. You will capture things that you say, "Hmm, maybe we need to think about this. Maybe think about, yeah, continuing business. Might be for a sanctions perspective, might be even purely from a reputational point of view that you want to take these actions. Those are, yeah, the key points I want to reiterate, maybe now we can see as for some questions.
Yeah. Thank you for everyone that submitted a question. We might not get a chance to go through all of them, but we'll try and get through as many as we can. I think the first one is probably for you, Giovanni, is, do we need the screening of owners, of entities, with regards to the 50 percent rule? I think that's something you touched on, maybe.
Yep.
Yep. Do you need it? Yes and no. You do see that the trends, it is being imposed towards more and more entities, financial institutions or consultants, as we are at PwC, we already need to look into that. That's like a legal requirement. It's not there for all companies yet, but you do need to see, for instance, now with the Russian cases, these oligarchs are mentioned. Very often, they mention their companies behind it. If you purely screen for the company itself, you might not immediately find it. Also there, is it a hard requirement? Not yet.
Again, that risk assessment, if you're, for instance, very closely interlinked with the Russian economy, it might make more sense than when you're only active in your own country again. It's indeed a growing trend that is certainly out there, and I expect it to increase in the coming years, actually.
Thank you. I think the next one probably for Konrad. Related to the Visual Compliance Tool, what is the guarantee that everything is up to date and all the time? Additionally, what is the coverage? Can a global company use it?
Very, question I get quite often. As I mentioned before, we have a team of about 80 people around the world and in countries where you can't even really get the data yourself. One example is China. We have, you know, very senior analysts with good connections with government officials that get... They get data sometimes before it's even published. Our, our lists are updated almost as fast as they are published, in some cases before, they're published in a, in a timely manner. We, we don't guarantee it's, you know, on that exact minute, but within a timely manner. You will catch, those, new hits in the future, within, a good time frame.
Our global coverage is at almost every country in the world. I haven't seen, we haven't missed a list yet. At one case, I think our, a colleague didn't have something in Cuba or in South America, and we were just able to very easily add that into our system. It's more about when you get started, which list don't you need, and so we can cut off and reduce that false positive rate. Thank you.
Another one is, I think, back to Giovanni. What happens if the owner is sanctioned and the entity is not, for example, being Russian oligarchs that are sanctioned, but their companies aren't necessarily? What do you do in that case?
Now, here, the question about, yeah, ownership and control comes into play. Typically, what you have seen is that, yeah, not all those companies were sanctioned immediately. You need to restrict your business with them because probably you will come up with the list, but you also see that, for instance, authorities don't have all the information all the time available. In some cases, it might be linked, and they might publish all things together. In other cases, they might not do that because also, yeah, they're moving ownership all the time, so it's also a fight that the authorities are having to keep the list up to date, basically.
It's a bit up to the companies as well to look into that to say, "Yeah, are these companies, indeed, restricted now for us?" Which in some cases, actually was the case, yeah, a few months ago with several companies in Europe.
Just conscious of the time, so I think the last question, I think for you, Konrad. Can the Visual Compliance Tool screen transactions, so sales or purchase orders?
That's a difficult question to answer without, yeah, asking a few more questions, what they mean. If it sounds like it's more of a transactional screening approach, then the answer is yes. Yeah, I'll stop there because we're a minute over it. Yeah, happy to talk afterwards, one on one.
Yeah. Thank you, everybody. Firstly, I'd like to thank our speakers, and I'm sure you'll all agree that that was quite an insightful session. Also, thank you to you all for taking the time to be with us today, and thank you for your questions. As a reminder, this session has been recorded and will be available to view on demand, should you wish to view parts of the presentation again, which we'll provide via email, and we'll also answer the rest of the questions that haven't had a chance to be answered today. Thank you so much for joining us, and I hope you have a great rest of your day.