
How does sanctions screening work?

Quick answer

Sanctions screening checks customers, accounts, and payment counterparties against government-maintained lists of blocked individuals, entities, and jurisdictions. A potential match freezes the transaction until a compliance officer reviews it. In the US, OFAC administers the primary list under the International Emergency Economic Powers Act.

The full answer

Sanctions screening checks customers, payment counterparties, and related entities against government-maintained lists of blocked individuals, entities, and jurisdictions. A potential match triggers a freeze: the transaction stops and a compliance analyst reviews the hit before any funds move.

The four lists that cover most global compliance obligations:

  • OFAC SDN List (US): Maintained by the Office of Foreign Assets Control. Over 13,000 entries as of 2024. Civil penalties reach $1.3 million per count or twice the transaction value, whichever is higher.
  • EU Consolidated List: All EU restrictive measures, maintained by the European External Action Service.
  • UN Security Council Consolidated List: Required under UNSCR 1267 and successor resolutions. Binding on all 193 UN member states.
  • UK HM Treasury Consolidated List: Operates under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA) post-Brexit.

Exact name matching doesn't work on its own. "Mohammed Al-Rashid" and "Mohamed Alrasheed" may be the same person. Screening systems use fuzzy matching with phonetic algorithms, transliteration tables, and configurable score thresholds. Most institutions set thresholds between 80% and 95%. Set too low: false positive queues become unmanageable. Set too high: real hits slip through. False positive rates in screening programs often exceed 95%.
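The threshold trade-off described above, as an added example that is not part of the original page. It scores the two spellings with plain normalization plus Levenshtein edit distance, a simplified stand-in for the phonetic and transliteration matching production screeners use; the function names and watchlist entries are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample entries, not taken from any real sanctions list.
WATCHLIST = ["Mohammed Al-Rashid", "Ivan Petrov"]

def normalize(name: str) -> str:
    """Lowercase, strip accents and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    # Drop hyphens, apostrophes and dots so "Al-Rashid" and "Alrashid" agree.
    joined = re.sub(r"[-'.]", "", no_accents.lower())
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", joined).split())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def score(a: str, b: str) -> float:
    """Similarity as a percentage of the longer normalized name."""
    a, b = normalize(a), normalize(b)
    longest = max(len(a), len(b))
    if longest == 0:
        return 0.0  # empty input never counts as a match
    return 100.0 * (1 - edit_distance(a, b) / longest)

def screen(name: str, watchlist: list[str], threshold: float):
    """Return (entry, score) pairs at or above the threshold, best first."""
    scored = [(entry, round(score(name, entry), 2)) for entry in watchlist]
    return sorted((h for h in scored if h[1] >= threshold), key=lambda h: -h[1])

if __name__ == "__main__":
    candidate = "Mohamed Alrasheed"
    print("exact match:", candidate in WATCHLIST)
    for threshold in (80, 85, 95):
        print(threshold, screen(candidate, WATCHLIST, threshold))
```

With these settings the pair scores 82.35%: an 80% threshold raises the alert, while 85% or higher lets it through.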

The OFAC 50% rule extends liability beyond named entities. Any entity that is 50% or more owned, individually or in aggregate, by a sanctioned person or entity is itself sanctioned, even if unlisted. This makes beneficial ownership data a direct input to screening, not just a KYC formality.

OFAC updates its lists multiple times per week. Screening at onboarding and then never again doesn't meet the standard. A customer who was clean in January may be designated by April. Daily batch re-screening of the full customer book is now standard practice, alongside real-time transaction screening. FATF Recommendation 6 requires immediate freezing without notice on a confirmed match. That standard only holds if list data stays current.

Why this matters

The enforcement record makes the stakes clear. BNP Paribas paid $8.9 billion in 2014 for processing US-dollar transactions through OFAC-sanctioned jurisdictions. Standard Chartered paid over $1.1 billion to US and UK regulators in 2019 for similar failures in correspondent banking channels. In both cases, the core failure was inadequate counterparty screening, not just a missed name match.

Regulators examine three things in a sanctions program: list coverage (are you screening the right lists for your jurisdictions?), threshold calibration (can you defend your fuzzy-match settings?), and process completeness (do you re-screen when lists update?). Failing an AML examination often traces back to gaps in one of those three areas.

The false positive problem is real and costly. Programs using legacy rule-based screeners report alert queues where 99% of hits clear after human review. That labor cost adds up, and it also creates risk: analysts reviewing 500 false positives per genuine hit lose precision over time. AI-assisted monitoring scores context and entity relationships alongside name similarity, which reduces that noise.

Sanctions exposure doesn't come only from direct customers. Correspondent banking, trade finance, and wire transfers all carry counterparty risk. Customer risk ratings need to account for jurisdictional sanctions risk, not just transaction behavior. Customers with exposure to FATF grey-listed jurisdictions carry higher baseline sanctions risk from associated counterparties.

Sanctions programs and AML programs share infrastructure but serve different legal purposes. The difference between AML and CFT matters here: sanctions are primarily foreign policy and counter-proliferation tools, enforced under the International Emergency Economic Powers Act, not the Bank Secrecy Act.

For institutions applying enhanced due diligence to high-risk customers, sanctions screening is one input in a broader risk picture that includes source of funds, counterparty geography, and transaction behavior. And because designations happen continuously, perpetual KYC is how forward-looking programs handle re-screening without relying on static periodic reviews.
