Sanctions have become the top compliance priority of many, if not most, global banks during the 18 months of Russia’s full-scale invasion of Ukraine, which ushered in an unprecedented array of financial and commercial restrictions against Moscow.
But they already ranked high on the agenda for Societe Generale, France’s third-largest lender, which five years ago agreed to overhaul its sanctions compliance program and pay U.S. authorities nearly $1.4 billion after admitting to handling billions of dollars of prohibited transactions that benefited parties in Iran, Cuba and other blacklisted jurisdictions.
Bertrand Salewyn, Societe Generale’s global head of financial crime and representative at the Wolfsberg Group, discussed sanctions against Russia, the compliance-related challenges fintechs present, obstacles that prevent French financial institutions from sharing intelligence with each other and other issues with moneylaundering.com reporter Gabriel Vedrenne.
An edited transcript of their conversation follows.
Societe Generale’s internal controls went through a significant revamp after the bank entered into a deferred prosecution agreement with the U.S. to settle accusations that it breached sanctions. What did this remediation program entail and where is the bank now in terms of compliance?
The investigations that led to the DPA started a few years earlier, so we did not wait for the agreement to be signed to upgrade our controls. But since the signing in November 2018, we have carried out, in coordination with U.S. authorities, a major remediation project internally called the “Lafayette Program,” which consists of around 500 various actions covering all aspects of the bank’s sanctions-risk management and compliance with embargoes.
At the same time, we carried out a vast remediation plan on our know-your-customer component, which mainly consisted of reviewing and updating almost all of our KYC data. It was a complicated project in light of the volume of files to be processed, and because like many large banks, we had not yet moved to a formal system of periodically reviewing our customer base to ensure that we updated our KYC data in a timely manner.
How do you update so many files in such a short period of time?
To ensure that this remediation is sustainable, we had to review our KYC process from top to bottom by formalizing it, defining minimum global standards and developing workflow tools to automate data transfers between our different lines of defense.
But we also made the process easier for customers by providing them a self-serve, digital KYC interface where possible, and by folding our efforts to obtain and renew our KYC records into their usual commercial activity [opening accounts, sending payments, applying for loans, etc.] instead of annoying them by contacting each of them, solely and specifically for KYC purposes.
Still, major international customers who require banking services in several countries told us that several of our affiliates from different jurisdictions asked them for the same information. Today, a large part of our compliance personnel can access the same KYC files, analysis and ratings for clients that they share, regardless of where they are located.
Did this in-depth review lead to you offboarding any customers?
Yes, around 5 percent of the client base overall—mainly those who did not respond to our requests despite numerous reminders. Without the necessary documentation, we cannot assess their risk, and thus can’t work with them.
Did Societe Generale’s KYC overhaul have to happen before the bank could begin using artificial intelligence for KYC purposes?
Indeed. We had to standardize our data collection to be able to rely on artificial intelligence.
Standardization not only allowed us to develop and use optical character-recognition tools to automatically read documents and check their expiration dates, but also to extract income-related details from documents such as payslips and tax notices, then transpose those details in a direct, structured way into each client’s records, which automatically generates a risk rating for each client and assigns a corresponding level of due diligence.
These new processes appear to rely heavily on information sharing. But operating in several jurisdictions, as Societe Generale does, means having to comply with differing laws and standards for data privacy. How does the bank address data-privacy issues that may arise when operating in the most restrictive jurisdictions?
There are indeed a few jurisdictions, like China, which prohibit the sharing of client data outside the country, so we have adapted data-sharing protocols and access to KYC files, transactional alerts, tax records and other documentation.
There are a few more countries, especially in Africa, that prohibit sharing suspicious transaction reports outside their borders, even with the bank’s parent company.
We adjust to that by reviewing statistical data, such as the number of STRs, the type of clientele, the industries in which those clients operate, the underlying offenses that triggered those reports, and how they were detected. We then send compliance and audit teams from headquarters to conduct onsite visits in those countries more frequently than we do in others.
Speaking of information exchange, could you update us on the development of private-private partnerships and data-pooling projects in France?
I think the moral of the story is that we’re smarter when we work together and share. Several European countries such as the Netherlands have more advanced models than France, where the current laws and bank secrecy rules do not allow us to go very far. Banks in France are ready, but the legal framework must be reformed first.
How do you manage your relationship with payment services providers, electronic money institutions and other fintechs whose innovative business models often carry new types of risk, and whose compliance programs are not always up to scratch?
We have a relatively cautious approach, as traditional monitoring methods do not work with these still relatively new actors. Onboarding PSPs is a bit like providing correspondent services, so we developed a similar risk-management framework, a specific follow-up process and specific due diligence, with a very precise and detailed questionnaire which can be topped up with onsite visits. We also defined and implemented specific monitoring scenarios tailored to their unique business models.
We are clearly still on a learning curve on how to work with fintechs, and where we are in terms of our appetite for risk.
The only concern we can have is that the supervisory framework for these types of companies seems less strict than for large financial institutions. We can observe it, for example, when a large bank takes over a PSP or a fintech and suddenly the upgraded AML controls they have to put in place handicap the fintech’s business model and degrade the expected profitability.
More consistency in the regulatory requirements imposed on these entities would be welcome.
Nearly a year and a half after Russia invaded Ukraine, sanctions imposed on Moscow remain a hot topic. What difficulties did Societe Generale experience last year, in the first months of the full-scale invasion? How does the lender manage sanctions today?
First there was a tsunami, an avalanche of sanctions regimes by all major jurisdictions, sometimes with discrepancies between the restrictive measures imposed by the EU, U.S. and other Western jurisdictions—all of which led to particularly complicated situations.
The significant investments we already made as part of the Lafayette Program enabled us to react and implement sanctions against Russia rapidly and effectively. We also quickly took the decision to cease our activities in the country and sell our Russian subsidiary, a transaction that we concluded early, in May 2022.
Attention is now shifting towards sanctions circumvention, which is much more difficult to spot. What controls has Societe Generale put in place to identify such attempts?
Sanctions circumvention is indeed the main challenge all banks are currently facing, especially the ones providing correspondent banking services. As a consequence, we monitor SWIFT [Society for Worldwide Interbank Financial Telecommunication] messages for certain jurisdictions suspected of serving as transit countries, or as safe havens for sanctioned counterparties or individuals.
In addition to imposing enhanced monitoring on our most risk-exposed customers and tracking changes in the beneficial ownership of the legal persons we serve, we also constantly look at how transactional volumes to and from those jurisdictions evolve.
Contact Gabriel Vedrenne at gvedrenne@acams.org
| Topics | Anti-money laundering, Sanctions |
|---|---|
| Source | France |
| Document Date | August 14, 2023 |