The Four Eyes Principle in Sanctions Monitoring: An Internal Audit Perspective

In an ever-increasing complex regulatory landscape, companies including financial institutions and other obliged entities must remain vigilant in preventing transactions and relations with sanctioned individuals, suppliers, entities or jurisdictions. Sanctions monitoring is a critical element of any robust anti-money laundering and counter-terrorist financing framework. A weakness or failure in this area can lead to severe consequences, including fines, regulatory penalties, breach in compliance, revocation of licenses, and reputational harm. This highlights how essential strict compliance is for meeting legal requirements and maintaining confidence in internal processes.

‍Dual Control as a Foundational Safeguard

One of the most effective safeguards in sanctions monitoring is the four eyes principle – also commonly referred to as dual-control. This principle, which is widely referenced in governance and operational risk frameworks – including the COSO Internal Control Framework, stipulates that no key task or decision – such as deciding whether to clear, block or escalate an actual or potential sanctions match – is taken by a single individual person. On the contrary, this principle requires that at least two separate individuals must independently examine the decision, thus reducing the risk of errors or unilateral decisions. When applied correctly, this control acts as a strong deterrent against internal misconduct, oversight failures, operational lapses, human error or non-compliance – whether this is intentional or unintentional.

Furthermore, this dual approach promoted collaboration and sharing of knowledge within the entity. When two separate individuals review the same alert, they bring different viewpoints and specialised knowledge to the table, fostering shared learning and continuous improvement. This collaboration not only deepens the team’s collective understanding risks but also enhances the effectiveness of the screening process.

For instance, the initial screening of customers or transactions is performed by a first‑line analyst using an automated compliance tool. Whenever the system flags a potential sanction match, a second reviewer – usually a more experienced compliance officer – reassesses the alert. If the match is validated or involves particularly high‑risk individuals or entities, the case is then escalated to senior management or the designated money laundering reporting officer for a conclusive determination. At every stage, the system logs the identity of each reviewer, the timestamp of their assessment, and any decisions taken, thereby creating a complete, auditable record of the “four‑eyes” review process. This also supports external audit reviews and provides regulators with evidence that compliance procedures were properly followed.

Expectations from Regulators and Internal Auditors

Under Maltese regulations, the Malta Financial Services Authority mandates dual control within financial institutions and crypto asset service providers screening procedures, insisting that internal audits confirm proper segregation of duties and independent oversight of sanctions processes.

Enforcing dual control may be especially difficult for smaller organisations with limited resources, where segregating duties may stretch resources too thin. There is also a risk that the second reviewer simply rubber stamps the first decision – meaning approving an alert based solely on the initial reviewer’s clearance, rather than re-examining the underlying data or challenging any assumptions, which completely undermines the purpose of a four eyes check.

Beyond staffing constraints and rubber stamping, other challenges may include high reviewer workloads, a growing alert backlog and maintaining up-to-date sanctions listings.

From an internal audit standpoint, the four eyes principle must be more than a checkbox exercise. Auditors should evaluate whether:

• The process is formally embedded in the organisation’s policies and procedures
• Segregation of duties is properly enforced, without informal workarounds driven by staff shortages
• Escalation channels are well defined, appropriately assigned and followed
• Records of second level reviews and approvals are maintained, easily retrievable and complete
• Technology solutions enhance, rather than replace, human review
• Verify that personnel receive adequate training on their responsibilities under the four eyes framework.

Conclusion

In conclusion, the four‑eyes principle is far more than an administrative formality – it is a fundamental internal control that underpins sanctions compliance, protects against costly regulatory breaches and upholds organisational integrity. Internal audit plays a vital role in ensuring this safeguard works not just on paper, but in daily practice. As regulators and stakeholders continue to demand higher standards of due diligence, strong dual controls remain a non-negotiable cornerstone of effective sanctions monitoring.

Discover more insights from Zampa Partners.