How to Detect Sanctions Exposure with Limited Data

Introduction

Sanctions risk is about coverage and process, not confidence. When working within Know Your Business (KYB) data, cross-border customers, or complex counterparty structures, the question is not whether you can achieve perfect certainty. The question is whether you have defined your exposure points, screened the parties you can identify, established monitoring cadence, and documented the limitations of your program.

This guide outlines a practical approach to sanctions screening when complete data is unavailable. It includes implementation checklists, workflow examples, and documentation templates based on observed industry practices.

‍

‍

‍

Understanding the Challenge

Many risk teams face scenarios where sanctions screening must occur despite incomplete information:

• Thin KYB programs: Limited incorporation documents, minimal ownership disclosure, or self-reported business information
• Cross-border customers: Entities registered in jurisdictions with limited public registries or opaque corporate structures
• Complex counterparties: Multi-layered holding companies, subsidiaries in multiple countries, or frequent restructuring

In these scenarios, a one-time screening at onboarding provides insufficient coverage. Sanctions exposure detection becomes an ongoing process of defining scope, screening available parties, and monitoring for changes.

‍

‍

Common Data Gaps

We observe the following data limitations across different customer segments:

‍

Small merchants and freelancers:

• No formal incorporation documents (sole proprietors, DBAs)
• Self-reported ownership with no verification
• Limited or no disclosed business partners
• Single-person operations with no KMP beyond the applicant

‍

Cross-border entities:

• Registration in jurisdictions with no public UBO registries
• Ownership structures involving trusts, foundations, or nominee shareholders
• Parent companies in different jurisdictions than operating entities
• Language barriers in transliterating names from non-Latin scripts

‍

Complex corporate structures:

• Layered holding companies across multiple countries
• Frequent M&A activity requiring continuous ownership updates
• Joint ventures with unclear control thresholds
• Special purpose vehicles (SPVs) or project-based entities with temporary structures

‍

‍

‍

Step 1: Define Exposure Points

Begin by mapping where sanctions exposure can enter your program. Exposure points typically include direct parties, indirect parties, and transaction-level indicators. Effective KYB workflows should capture these data points systematically during onboarding.

‍

‍

Direct Parties

‍

The customer entity itself:

• Legal name (including any DBAs, trade names, or former names)
• Registration number (tax ID, company registration number, or equivalent)
• Jurisdiction of incorporation or operation
• Physical address (headquarters, principal place of business)

‍

Ultimate Beneficial Owners (UBOs):

• Individuals with ownership above defined thresholds (25% is standard under FATF Recommendations; some jurisdictions require 10% or lower)
• Full legal name, date of birth, nationality, residential address
• Beneficial ownership through direct and indirect holdings

‍

Key Management Personnel (KMP):

• Directors (executive and non-executive)
• Officers (CEO, CFO, COO, or equivalent roles)
• Authorized signatories with transaction authority
• Compliance officers or MLROs (Money Laundering Reporting Officers)

‍

‍

Indirect Parties

‍

Corporate relationships:

• Parent companies or ultimate holding entities
• Subsidiaries or affiliated entities (majority-owned or controlled)
• Sister companies under common ownership
• Known joint venture partners

‍

Business counterparties:

• Major suppliers disclosed in business plans
• Distribution partners or resellers
• Franchise relationships or licensing agreements
• Service providers with access to funds or data

‍

Payment counterparties (transaction-level screening):

• Payers (customers of your customer)
• Payees (suppliers or contractors of your customer)
• Intermediary banks in payment chains
• Agents or third-party processors

‍

‍

Transaction-Level Exposure

‍

Geographic indicators:

• Shipping addresses (origin and destination)
• IP addresses or device locations (for digital services)
• Payment origination countries (payer bank location)
• Payment destination countries (payee bank location)

‍

Goods and services descriptions:

• Product categories overlapping with sanctioned sectors (defense, dual-use goods, energy, precious metals)
• Services in restricted industries (oil refining, weapons manufacturing, nuclear technology)
• High-risk descriptors (cryptography, surveillance technology, military applications)

‍

‍

Exposure Point Mapping Checklist

‍

Use this checklist to document each exposure point:

• [ ] Data source identified: Where does this information originate? (incorporation docs, applicant disclosure, third-party database, transaction metadata)
• [ ] Data completeness measured: What percentage of customers provide this data point?
• [ ] Verification method defined: How is this information validated? (document review, database lookup, manual verification, not verified)
• [ ] Update frequency established: How often does this information change? (static, annual, quarterly, per transaction)
• [ ] Screening method documented: How is this data screened? (automated name match, manual review, address check, not screened)
• [ ] Gap mitigation planned: If data is unavailable, what compensating controls apply? (enhanced monitoring, lower thresholds, restricted geography)

‍

‍

Example: Exposure Point Documentation

Here is an illustrative example of exposure point documentation for a merchant acquiring program:

‍

This table makes clear what you screen, what you do not screen, and why.

‍

‍

‍

Step 2: Screen Relevant Parties

With exposure points defined, screen against relevant sanctions lists. The primary lists include:

• OFAC SDN List (U.S. Office of Foreign Assets Control Specially Designated Nationals and Blocked Persons List): Individuals, entities, vessels, and aircraft. Updated frequently (sometimes multiple times per day). Access OFAC Sanctions Search
• OFAC Consolidated Sanctions List: Includes SDN List plus additional sanctions programs (sectoral sanctions, foreign sanctions evaders).
• UN Consolidated List: United Nations Security Council sanctions (Al-Qaida, ISIL, Taliban, country-specific regimes). UN Security Council Consolidated List
• EU Consolidated List: European Union financial sanctions (individuals and entities subject to asset freezes). EU Sanctions Map
• UK Consolidated List: UK Office of Financial Sanctions Implementation (OFSI) targets (replaces EU list post-Brexit for UK entities). UK OFSI Consolidated List
• Country-specific lists: Depending on operating jurisdictions (e.g., Canada OSFI, Australia DFAT, Japan METI, Switzerland SECO).

Automated sanctions screening infrastructure should integrate these lists and manage version control.

‍

‍

List Selection Criteria

‍

Not all programs require screening against all lists. Select lists based on:

• Regulatory jurisdiction: U.S. entities must screen against OFAC. EU entities must screen against EU list. UK entities must screen against UK list post-Brexit.
• Business operations: If you process U.S. dollar payments, correspondent banking relationships require OFAC screening regardless of your home jurisdiction.
• Customer base: If you serve customers in multiple countries, screen against the union of all relevant jurisdictions.
• Risk appetite: Some programs screen against all major lists as a best practice, even when not legally required.

‍

‍

Screening Methodology

‍

Name-based screening:

Name matching is the primary method for individuals and entities. Effective name screening accounts for:

• Transliteration variations: Names from non-Latin scripts (Arabic, Cyrillic, Chinese, Farsi) may have multiple English spellings. For example, "Qaddafi" has been transliterated as "Gaddafi", "Kaddafi", "Qadhafi", and other variations. OFAC SDN entries include known aliases.
• Name order variations: Some cultures place family names first (e.g., Chinese, Korean, Vietnamese). Screening should test both "Given Family" and "Family Given" orders.
• Nicknames and diminutives: "William" may appear as "Bill", "Will", or "Billy". "Elizabeth" may appear as "Liz", "Beth", "Betty".
• Maiden names and married names: Individuals may appear under different surnames over time.
• Corporate name variations: "Corporation", "Corp.", "Inc.", "Limited", "Ltd." may be included or omitted.

‍

Fuzzy matching:

Exact string matching misses most true positives due to typos, transliterations, and data quality issues. Fuzzy matching algorithms calculate similarity scores between input strings and list entries. Common algorithms include:

• Levenshtein distance: Counts the number of single-character edits (insertions, deletions, substitutions) required to transform one string into another. Lower distance indicates higher similarity.
• Jaro-Winkler similarity: Calculates similarity based on matching characters and transpositions. Scores range from 0 (no match) to 1 (exact match).
• Soundex and Metaphone: Phonetic algorithms that encode names based on pronunciation.

‍

We observe fuzzy matching thresholds typically set between 80% and 90% similarity. Lower thresholds increase false positives but reduce false negatives. Higher thresholds reduce false positives but risk missing true matches.

‍

Handling false positives:

The majority of sanctions screening alerts are false positives. Common causes include:

• Common names: "John Smith", "Maria Garcia", "Mohammed Ali" generate high match volumes.
• Incomplete date of birth: Without DOB, distinguishing between individuals with the same name is difficult.
• Incomplete address data: Without address, geographic separation cannot be confirmed.
• Corporate name collisions: Generic company names ("Global Trading Company", "International Services LLC") match frequently.

‍

To reduce false positive rates:

• Use additional identifiers (date of birth, address, nationality, registration number) to distinguish between individuals or entities with similar names.
• Maintain an internal whitelist of previously cleared customers to avoid re-investigating the same false positives.
• Tune matching thresholds based on observed false positive and false negative rates.
• Implement risk-based review: higher thresholds for low-risk segments, lower thresholds for high-risk segments.

‍

Entity-based screening:

When available, screen unique entity identifiers:

• Tax identification numbers (TIN, EIN in U.S.)
• Company registration numbers (varies by jurisdiction)
• LEI (Legal Entity Identifier) codes
• SWIFT BIC codes for financial institutions
• IMO (International Maritime Organization) numbers for vessels
• Tail numbers for aircraft

‍

Entity identifiers reduce false positives dramatically because they are unique. However, many small businesses lack formal registration numbers, and coverage is incomplete.

‍

Address and jurisdiction screening:

‍

Geographic screening identifies exposure based on location:

• Sanctioned countries: OFAC maintains country-based sanctions programs (Cuba, Iran, North Korea, Syria, certain regions of Ukraine). Transactions involving these countries are generally prohibited for U.S. persons.
• High-risk jurisdictions: FATF identifies countries with strategic AML/CFT (Anti-Money Laundering/Countering the Financing of Terrorism) deficiencies. These are not sanctioned but warrant enhanced due diligence.
• Embargoed regions: Some sanctions target specific regions within countries (e.g., Crimea, Donetsk, Luhansk regions of Ukraine; Nagorno-Karabakh).

‍

Address screening should account for:

• Multiple address fields (headquarters, operating address, mailing address, director residential addresses)
• Address quality issues (missing postal codes, incomplete street addresses, PO boxes)
• Address changes over time (customers relocating or opening new locations)

‍

‍

Screening Workflow Checklist

‍

For each screening event, complete the following:

• [ ] Data prepared: Input data normalized (name formatting, address parsing, date formats)
• [ ] Lists selected: Confirm which lists apply based on jurisdiction and risk profile
• [ ] Screening executed: Run automated screening tool or manual search
• [ ] Matches retrieved: Review all matches above threshold
• [ ] False positives filtered: Use additional identifiers (DOB, address, nationality) to clear obvious false positives
• [ ] Potential true positives escalated: Route remaining matches to senior reviewer or compliance officer
• [ ] Investigation conducted: For escalated matches, gather additional information (public records, news search, customer outreach)
• [ ] Disposition recorded: Document outcome (cleared, blocked, reported)
• [ ] Customer notified (if applicable): Inform customer of outcome per regulatory requirements
• [ ] Audit trail created: Timestamp, reviewer name, evidence reviewed, decision rationale

‍

‍

Example: Match Resolution Process

‍

This illustrative example shows a typical match resolution workflow:

‍

Scenario: A merchant applicant named "Ali Hassan" triggers a 87% match against an OFAC SDN entry.

‍

Step 1: Retrieve match details

• SDN entry: "Hassan, Ali" (DOB: 1975-03-12, nationality: Syrian, address: Damascus, Syria)
• Applicant: "Ali Hassan" (DOB: 1988-07-22, nationality: Canadian, address: Toronto, Canada)

‍

Step 2: Compare additional identifiers

• DOB does not match (1975 vs. 1988)
• Nationality does not match (Syrian vs. Canadian)
• Address does not match (Damascus vs. Toronto)

‍

Step 3: Disposition

• False positive. Cleared based on DOB, nationality, and address mismatch.
• Record decision: "Match cleared due to DOB (13-year difference), nationality (Canadian vs. Syrian), and residential address (Canada vs. Syria) discrepancies. No further investigation required."

‍

Step 4: Whitelist

• Add "Ali Hassan" (DOB: 1988-07-22, Toronto) to internal whitelist to avoid re-reviewing this same applicant in future screenings.

‍

Scenario 2: A corporate applicant "Global Shipping Ltd." (UK) triggers a 92% match against an OFAC SDN entry.

‍

Step 1: Retrieve match details

• SDN entry: "Global Shipping Limited" (registration: Cyprus, vessel owner)
• Applicant: "Global Shipping Ltd." (registration: UK Companies House #12345678)

‍

Step 2: Compare additional identifiers

• Company name is very similar, but jurisdictions differ (Cyprus vs. UK)
• No registration number provided in SDN entry

‍

Step 3: Enhanced investigation

• Search UK Companies House for registration #12345678: Incorporated 2018, directors listed, no Cyprus connections.
• Search public records for Cyprus "Global Shipping Limited": Identified as separate entity involved in shipping to Syria (sanctioned activity).
• Confirm entities are distinct.

‍

Step 4: Disposition

• False positive. Cleared based on UK incorporation and distinct ownership.
• Record decision: "Match cleared. Applicant is UK-incorporated (verified via Companies House). SDN entity is Cyprus-based shipping company involved in Syria trade. No overlap in directors, addresses, or operations. No further investigation required."

Effective case management infrastructure tracks these investigations with timestamped audit trails.

‍

‍

‍

Step 3: Monitor for Changes

Sanctions exposure is not static. Lists update frequently, and customer circumstances change. A complete monitoring program includes list monitoring, customer change monitoring, and transaction-pattern monitoring.

‍

‍

List Monitoring

Sanctions lists change regularly. OFAC updates the SDN list on an ongoing basis (sometimes multiple times per day). EU and UN lists update less frequently but still require continuous monitoring.

‍

Implementation requirements:

• Frequency: Screen against updated sanctions lists at least daily. Real-time screening (within minutes of list publication) is preferred for high-risk programs. As noted in OFAC's Framework for Compliance Commitments, ongoing screening is a fundamental element of an effective sanctions compliance program.
• Rescreening cadence: Re-run all existing customers against updated lists. We recommend rescreening within 24 hours of list publication to minimize exposure windows.
• Version control: Track which list version was used for each screening event. OFAC publishes list versions with effective dates.

‍

List update sources:

• OFAC RSS feed or API for SDN list updates
• EU Official Journal for EU list updates
• UN website for Consolidated List updates
• Third-party vendors (Dow Jones, Refinitiv, ComplyAdvantage, others) provide consolidated feeds with change notifications

Ongoing monitoring solutions automate list updates and trigger rescreening workflows.

‍

‍

Customer Change Monitoring

Define triggering events that require immediate rescreening:

‍

Ownership changes:

• New UBOs (individuals crossing 25% threshold)
• Changes in control (majority shareholder change, new parent company)
• Corporate restructuring (mergers, acquisitions, spin-offs)

‍

Entity changes:

• Legal name change
• Registration number change (rare, but occurs during corporate conversions)
• New DBAs or trade names
• Jurisdiction changes (redomiciling, new subsidiary incorporation)

‍

Personnel changes:

• New directors or officers
• Change in authorized signatories
• New compliance officer or MLRO

‍

Business changes:

• New operating jurisdictions (expansion into new countries)
• New business verticals (entry into high-risk sectors)
• New partnerships or joint ventures
• Franchise acquisitions or new licensees

‍

Implementation:

• [ ] Event detection method defined: How will you learn about these changes? (customer notification requirement, periodic refresh questionnaire, public records monitoring, news monitoring)
• [ ] Notification requirement established: Include contractual obligation for customers to disclose material changes within defined timeframes (e.g., 30 days).
• [ ] Rescreening SLA set: Define how quickly rescreening must occur after change notification (e.g., within 5 business days).
• [ ] Escalation path documented: If rescreening identifies new sanctions exposure, define next steps (transaction hold, customer contact, account suspension).

‍

‍

Transaction-Pattern Monitoring

Behavioral changes may indicate sanctions exposure even when static data screening returns no matches:

‍

New payment counterparties:

• First-time payers or payees from high-risk jurisdictions
• Sudden increase in transaction volume with specific counterparties
• Payments to or from entities with names similar to sanctioned parties

‍

Geographic pattern changes:

• New shipment destinations in sanctioned or high-risk countries
• Changes in payment origination patterns (new payer countries)
• IP address or device location changes to high-risk jurisdictions (for digital services)

‍

Business model shifts:

• Entry into restricted sectors (dual-use goods, defense, precious metals)
• Product description changes indicating sanctioned goods
• High-value transactions inconsistent with historical patterns

‍

Transaction monitoring rules:

Implement automated rules to flag suspicious patterns:

• Rule: Payment to/from sanctioned country → immediate block and alert
• Rule: Payee name fuzzy match (>80%) to SDN entry → hold and manual review
• Rule: Shipment to high-risk jurisdiction + dual-use MCC → enhanced review
• Rule: First transaction >$10,000 to new counterparty in FATF high-risk jurisdiction → manual review before processing

‍

‍

Monitoring Checklist

Implement the following monitoring controls:

• [ ] List monitoring in place: Automated daily rescreening against updated sanctions lists
• [ ] Customer change events defined: Written policy listing triggering events that require rescreening
• [ ] Customer notification requirement: Contractual obligation for customers to report material changes
• [ ] Periodic refresh cadence: Scheduled rescreening (e.g., quarterly or annually) independent of change events
• [ ] Transaction monitoring rules: Automated alerts for sanctioned jurisdictions, name matches, high-risk patterns
• [ ] Alert review SLA: Defined timeframe for investigating and dispositioning alerts (e.g., within 24 hours for high-risk alerts)
• [ ] Blocking procedures: Documented process for freezing accounts or transactions when sanctions matches are confirmed
• [ ] Reporting procedures: Process for filing SARs (Suspicious Activity Reports) or other regulatory reports when required

‍

‍

‍

Step 4: Document Limitations

Transparency about program limitations is essential for audit, regulatory examination, and risk management. Regulators expect risk teams to articulate what they do not know and what compensating controls mitigate those gaps.

‍

‍

Data Gaps Documentation

Document what customer information is unavailable or unverifiable:

‍

UBO coverage:

• "UBO information is collected for 68% of customers. The remaining 32% are sole proprietors (22%) or customers in jurisdictions with no UBO disclosure requirements (10%)."
• "UBO date of birth is collected for 45% of disclosed UBOs. Screening for these UBOs includes DOB matching to reduce false positives. Screening for UBOs without DOB relies on name and nationality matching only."

‍

Entity verification:

• "Incorporation documents are verified for 80% of customers. The remaining 20% are unregistered businesses (freelancers, sole proprietors) or entities in jurisdictions where documents are unavailable in English."
• "Registration numbers are collected for 90% of corporate customers. Entity-level screening uses registration numbers when available; otherwise screening relies on name matching only."

‍

Corporate structure visibility:

• "Parent company information is disclosed by 40% of customers. Screening covers disclosed parent entities but does not extend to undisclosed affiliates or sister companies."
• "Subsidiary information is disclosed by 15% of customers. Indirect exposure through customer-owned subsidiaries is not systematically screened except where voluntarily disclosed."

‍

‍

Screening Coverage Metrics

Track and report screening coverage across your customer base:

‍

This table communicates screening gaps by segment and informs where program investment would reduce risk.

‍

‍

Compensating Controls

‍

When data limitations prevent complete screening, document alternative controls:

‍

Enhanced transaction monitoring:

• "Customers without UBO disclosure are subject to lower transaction review thresholds ($5,000 vs. $10,000 standard threshold) and monthly manual review of transaction patterns."
• "Customers with parent companies in FATF high-risk jurisdictions are subject to quarterly manual reviews including news screening and public records checks."

‍

Geographic restrictions:

• "Customers without verified incorporation documents are restricted from shipping to or receiving payments from OFAC-sanctioned countries and FATF high-risk jurisdictions."
• "Customers in jurisdictions with no public UBO registries (e.g., certain offshore financial centers) are limited to $50,000 monthly volume pending enhanced due diligence."

‍

Periodic manual reviews:

• "High-risk customers (defined as MCC in dual-use goods sectors or operating in sensitive jurisdictions) are manually reviewed quarterly. Reviews include news screening, sanctions list checks, and transaction pattern analysis."

‍

Exit or decline criteria:

• "Applications from entities incorporated in sanctioned countries are automatically declined."
• "Customers who fail to provide UBO information within 30 days of request are exited from the program."

‍

‍

Documentation Template

Create a written sanctions program document that includes:

‍

Section 1: Policy Statement

• Risk appetite for sanctions exposure
• Jurisdictional scope (which sanctions regimes apply)
• Roles and responsibilities (who screens, who investigates, who approves exceptions)

‍

Section 2: Exposure Points

• Table listing all exposure points, data sources, completeness, and screening methods (as shown in Step 1)

‍

Section 3: Screening Procedures

• Lists screened against (OFAC, UN, EU, UK, others)
• Matching methodology (fuzzy matching algorithm, thresholds)
• Match resolution process (false positive clearance criteria, escalation paths)
• Blocking procedures (when to freeze accounts, when to reject transactions)

‍

Section 4: Monitoring Procedures

• List monitoring frequency and rescreening cadence
• Customer change events requiring rescreening
• Transaction monitoring rules
• Alert review SLAs

‍

Section 5: Data Gaps and Limitations

• Known data gaps by customer segment
• Coverage metrics (% screened at UBO level, entity level, etc.)
• Compensating controls for incomplete data

‍

Section 6: Reporting and Escalation

• When to file SARs or CTRs (Currency Transaction Reports)
• Regulatory reporting timelines (e.g., OFAC blocking reports due within 10 days per 31 CFR 501.604)
• Internal escalation paths (when to involve legal, senior management, board)

‍

Section 7: Training and Testing

• Staff training requirements (annual sanctions training for relevant personnel)
• Program testing (independent audit, regulatory examination preparation)

‍

Section 8: Record Retention

• How long to retain screening logs (typically 5 years minimum)
• What documentation to maintain (match results, investigation notes, dispositions)

‍

‍

‍

What Good Looks Like

A well-designed sanctions program with limited data includes clear scope, consistent cadence, escalation thresholds, and comprehensive audit trails.

‍

‍

Clear Scope

‍

Written policy:

• Sanctions program policy document approved by senior management or board
• Policy defines exposure points, screening lists, matching thresholds, and escalation paths
• Policy updated annually or when regulatory requirements change

‍

Role definitions:

• Front-line analysts: Conduct initial screening, clear obvious false positives
• Compliance officers: Investigate escalated matches, approve dispositions
• MLRO or BSA officer: Approve blocks, file regulatory reports, escalate to senior management
• Senior management: Approve policy, review program effectiveness, allocate resources

‍

Risk appetite:

• Defined tolerance for specific jurisdictions (e.g., "no customers in OFAC-sanctioned countries")
• Defined tolerance for business models (e.g., "no high-value transactions with undisclosed UBOs")
• Defined exception process (when and how risk appetite exceptions are approved)

‍

‍

Consistent Cadence

‍

Daily or real-time list monitoring:

• Automated rescreening triggered by list updates
• Alerts generated for existing customers matching new SDN entries
• Investigation completed within defined SLA (e.g., 24 hours)

‍

Event-driven rescreening:

• Customer change events trigger rescreening within defined timeframe (e.g., 5 business days)
• Contractual obligation for customers to disclose changes within 30 days

‍

Periodic rescreening:

• Scheduled rescreening independent of change events (we typically see programs implement quarterly rescreening for high-risk segments and annual rescreening for low-risk segments)
• Periodic rescreening catches unreported changes and list updates missed by automated monitoring

‍

Annual program review:

• Review false positive rates and tune matching thresholds
• Review data gap coverage and identify opportunities to improve data collection
• Review compensating controls effectiveness
• Update policy to reflect regulatory changes or business model changes

‍

‍

Escalation Thresholds

‍

Match review criteria:

• Automated clearance: Name match <70% similarity, no DOB or address overlap → auto-cleared, logged for audit
• Manual review: Name match 70-90% similarity, or incomplete identifiers → front-line analyst review
• Senior review: Name match >90% similarity, or DOB/address partial match → compliance officer review
• Escalation to MLRO: Confirmed match (name + DOB + address match, or unique identifier match) → MLRO review, block account

‍

Geographic thresholds:

• Sanctioned country: Automatic block, no manual review
• FATF high-risk jurisdiction: Enhanced due diligence, senior review before approval
• Other jurisdictions: Standard due diligence

‍

Time-based SLAs:

• High-risk alerts (>90% match, sanctioned country, large transaction): Review within 2 hours
• Medium-risk alerts (70-90% match, FATF high-risk jurisdiction): Review within 24 hours
• Low-risk alerts (<70% match, routine periodic rescreen): Review within 5 business days

‍

‍

Audit Trail

Comprehensive documentation supports regulatory examinations and internal audits:

‍

Screening logs:

• Timestamp of each screening event
• Customer or transaction identifier
• Lists screened against (with version numbers)
• Match results (number of matches, similarity scores)
• Disposition (cleared, escalated, blocked)
• Reviewer name

‍

Investigation notes:

• For escalated matches, detailed notes explaining investigation steps
• Evidence reviewed (public records, news articles, customer-provided documents)
• Rationale for clearance or blocking decision
• Approval signatures

‍

List update logs:

• Date and time of each list update applied
• Number of customers rescreened
• Number of new matches identified
• Resolution of new matches

‍

Change event logs:

• Customer change notifications received
• Date of rescreening triggered by change
• Outcome of rescreening

‍

Policy and procedure versions:

• Version-controlled policy documents
• Date of each policy update
• Approval signatures
• Training records showing staff acknowledgment of updated policies

‍

‍

‍

Common Misses

‍

‍

Treating One-Time Screening as Sufficient

‍

Sanctions lists change frequently. OFAC adds individuals and entities to the SDN list on an ongoing basis. A customer who cleared screening at onboarding may appear on a list weeks or months later. Without ongoing monitoring, exposure accumulates undetected.

‍

Impact: Programs without ongoing monitoring fail to detect sanctions exposure that arises post-onboarding. During regulatory examinations, examiners test whether programs would have detected recent SDN additions. Programs that rely solely on onboarding screening fail this test.

‍

Fix: Implement automated daily rescreening against updated lists. Ensure rescreening covers all active customers, not just new applicants.

‍

‍

Ignoring Indirect Exposure

‍

Screening only the direct customer entity misses exposure through UBOs, parent companies, subsidiaries, or business partners. Sanctions lists include individuals and entities that may not be the direct customer but control or benefit from the customer's business.

‍

Impact: Payments to a customer may indirectly benefit a sanctioned individual if that individual owns or controls the customer entity. OFAC has enforcement authority over transactions that indirectly involve sanctioned parties.

‍

Fix: Expand screening to cover UBOs and, where disclosed, parent companies and key business partners. When complete ownership data is unavailable, document the limitation and apply compensating controls (e.g., enhanced transaction monitoring, geographic restrictions).

‍

‍

Under-Documenting Data Gaps

‍

Regulatory examiners expect risk teams to articulate what they do not know. Programs that fail to document data limitations or compensating controls face criticism during audits, even if no actual sanctions violations occurred.

‍

Impact: Examiners may characterize undocumented gaps as "deficiencies" or "weaknesses" in the sanctions program, even when the risk is understood and mitigated. Documentation demonstrates that the risk team has considered the issue and made informed decisions.

‍

Fix: Maintain a written data gaps register listing what information is unavailable, why it is unavailable, what percentage of customers are affected, and what compensating controls mitigate the risk. Update this register quarterly.

‍

‍

Lack of Change-Event Triggers

‍

Many programs rescreen on a fixed schedule (e.g., annually) but miss interim changes in customer circumstances. A customer who adds a new UBO, changes business model, or enters a new jurisdiction may create new sanctions exposure that is not detected until the next scheduled rescreen.

‍

Impact: Exposure windows of 6-12 months between rescreenings allow prohibited transactions to occur undetected. Regulatory examiners view this as a program weakness.

‍

Fix: Define specific triggering events (ownership change, jurisdiction change, name change, business model change) that require immediate rescreening. Include contractual language requiring customers to notify you of these changes within a defined timeframe (e.g., 30 days). Monitor public records and news sources for unreported changes affecting high-risk customers.

‍

‍

Inadequate Match Resolution Processes

‍

Some programs over-rely on automated screening tools without sufficient manual review. Automated tools generate match scores but cannot make final dispositions without human judgment. Conversely, some programs conduct excessive manual reviews of low-risk matches, creating operational bottlenecks.

‍

Impact: Over-automation risks missing true positives (false negatives) when matching algorithms fail to account for name variations or data quality issues. Under-automation creates review backlogs and slows customer onboarding or transaction processing.

‍

Fix: Implement risk-based match resolution. Use automated clearance for very low-risk matches (e.g., <70% similarity with no DOB overlap). Require manual review for medium-risk matches (70-90% similarity or incomplete identifiers). Escalate high-risk matches (>90% similarity or partial DOB/address overlap) to senior compliance staff. Tune thresholds based on observed false positive and false negative rates.

‍

‍

Failure to Block or Report

‍

When a confirmed sanctions match is identified, some programs delay blocking the account or filing required reports. OFAC requires blocking of assets and reporting of blocked transactions within 10 days. Delays create regulatory violations.

‍

Impact: Failure to block prohibited transactions or file timely reports constitutes a sanctions violation, even if the underlying transaction is later unwound. OFAC has civil penalties for negligent violations and criminal penalties for willful violations.

‍

Fix: Implement immediate blocking procedures when a confirmed match is identified. Train staff on blocking requirements and reporting timelines. Escalate confirmed matches to the MLRO or legal team within 24 hours. File OFAC blocking reports within 10 days.

‍

‍

‍

Implementation Roadmap

For risk teams implementing or improving sanctions screening programs, we recommend the following phased approach. Risk teams serving merchant acquirers and embedded finance platforms face unique challenges in scaling these programs across diverse customer bases.

‍

‍

Phase 1: Foundation (Weeks 1-4)

‍

Objectives: Define scope, select lists, establish screening process

• [ ] Document exposure points (direct parties, indirect parties, transaction-level indicators)
• [ ] Select sanctions lists relevant to your jurisdiction and business model
• [ ] Identify screening tool or vendor (if outsourcing)
• [ ] Define match resolution process (false positive criteria, escalation thresholds)
• [ ] Draft initial policy document
• [ ] Conduct one-time screening of existing customer base

‍

‍

Phase 2: Monitoring (Weeks 5-8)

‍

Objectives: Implement ongoing monitoring, define change events

• [ ] Establish daily list monitoring and automated rescreening
• [ ] Define customer change events requiring rescreening
• [ ] Add contractual language requiring customers to report changes
• [ ] Implement transaction monitoring rules for sanctioned jurisdictions and name matches
• [ ] Establish alert review SLAs and assign responsibilities

‍

‍

Phase 3: Documentation (Weeks 9-12)

‍

Objectives: Document gaps, establish compensating controls, create audit trail

• [ ] Measure and document data gap coverage by customer segment
• [ ] Define compensating controls for customers with incomplete data
• [ ] Establish screening log and audit trail system
• [ ] Create data gaps register
• [ ] Finalize policy document and obtain management approval
• [ ] Conduct staff training on policy and procedures

‍

‍

Phase 4: Testing and Tuning (Months 4-6)

‍

Objectives: Validate effectiveness, tune thresholds, refine processes

• [ ] Review false positive rates and tune matching thresholds
• [ ] Test rescreening process (simulate list updates, verify alerts fire)
• [ ] Conduct lookback testing (test whether recent SDN additions would have been detected)
• [ ] Refine match resolution criteria based on observed patterns
• [ ] Update policy based on lessons learned

‍

‍

Phase 5: Continuous Improvement (Ongoing)

‍

Objectives: Maintain program effectiveness, adapt to changes

• [ ] Quarterly review of data gap coverage and compensating controls
• [ ] Annual policy review and update
• [ ] Annual staff training refresh
• [ ] Monitor regulatory changes and update program accordingly
• [ ] Track and report key metrics (screening volume, match rates, false positive rates, time to resolution)

‍

‍

‍

Key Metrics to Track

Effective sanctions programs track metrics to demonstrate coverage and identify improvement opportunities:

‍

‍

Coverage Metrics

• % of customers screened at entity level: Target 100%
• % of customers screened at UBO level: Varies by segment; typically 60-95%
• % of transactions screened for geographic exposure: Target 100%
• % of customers with verified incorporation documents: Typically 70-90%

‍

‍

Performance Metrics

• Average time from list update to rescreening completion: Target <24 hours
• Average time from customer change notification to rescreening: Target <5 business days
• Average time to resolve alerts: Target <24 hours for high-risk, <5 days for routine
• % of alerts resolved within SLA: Target >95%

‍

‍

Effectiveness Metrics

• False positive rate: (False positives / Total matches). Typical range 90-99% depending on thresholds
• True positive rate: (Confirmed matches / Total customers screened). Typically <0.1% for most programs
• Lookback test pass rate: (Recent SDN additions detected / Recent SDN additions applicable to customer base). Target 100%

‍

‍

Operational Metrics

• Total screening volume per month: (New customers + rescreenings + transactions)
• Alert volume per month: (Matches requiring review)
• Escalation volume per month: (Matches requiring senior review)
• Blocks per month: (Confirmed matches resulting in blocked accounts)

‍

‍

‍

Closing Question

Sanctions exposure evolves as customers grow, restructure, and enter new markets. Effective programs define not only who and what to screen, but when rescreening is required.

What change events trigger rescreening in your program? If the answer is unclear, or if rescreening occurs only on a fixed annual schedule, your program may miss emerging exposure between scheduled reviews.

‍

Consider whether your program would detect:

• A customer who adds a new UBO (sanctioned individual) 6 months after onboarding
• A parent company that appears on the SDN list 3 months after your last screening
• A customer who begins shipping to a newly sanctioned jurisdiction
• A director who is added to the EU sanctions list after joining your customer's board

‍

If your monitoring program would not detect these scenarios, you have exposure windows that require compensating controls or process improvements.

‍