Sanctions screening is the process of checking a customer, counterparty or transaction party against international and domestic sanctions lists. It is mandatory for all regulated financial institutions — banks, payment institutions, e-money issuers, securities intermediaries, crypto exchanges — under FATF Recommendations, EU AMLD5, UK MLR 2017, and the standalone sanctions regulations administered by OFAC, OFSI, the EU Council and national authorities. This article walks through how sanctions screening actually works, which lists matter, how matching engines decide, and the operational workflow when a hit lands.
Why Sanctions Screening Is Its Own Category
AML screening covers three pillars: sanctions, PEP and adverse media. Sanctions stands apart because a confirmed hit is binding, not advisory. When a true match is established:
- A prospective customer cannot be onboarded.
- An existing customer's account and assets are frozen.
- Notification flows to the competent authority (OFSI in the UK, the national FIU in EU member states, FinCEN in the US).
- Funds frozen under the relevant sanctions regulation must be reported within statutory timeframes (typically 7-14 days, sometimes less).
Even a false positive carries cost: onboarding friction, transaction delay, analyst time. A sanctions screening engine must therefore be both high-recall (never miss a real hit) and operationally sustainable (not flood the queue with noise).
Which Lists Are Actually Screened?
The baseline list set most institutions cover:
1. UN Security Council Consolidated List
The Security Council's 1267 Committee (Al-Qaeda and ISIL), 1988 Committee (Taliban) and country-specific regimes (North Korea, Iran, Libya, etc.) feed a single consolidated list. Binding on all UN member states; in the EU absorbed via Council Regulations, in the UK via OFSI publications.
Update cadence: several times per week. Format: XML.
2. OFAC SDN and Consolidated Lists
The US Treasury's Office of Foreign Assets Control (OFAC) maintains the Specially Designated Nationals (SDN) list — the largest and most actively updated sanctions list globally. Any institution touching USD-denominated flows or holding a US correspondent banking relationship must screen against OFAC SDN, regardless of geographic location, because of secondary sanctions exposure under statutes like CAATSA and IEEPA.
Update cadence: 1-3 times daily, sometimes more during active enforcement periods. Format: XML, CSV.
3. EU Consolidated Financial Sanctions List
Issued by the Council of the EU under the Common Foreign and Security Policy framework (Article 215 TFEU). Binding on all EU member states and EU persons. Post-Brexit, this list has diverged from the UK list.
Update cadence: 4-6 times per month. Format: XML.
4. UK HMT OFSI Consolidated List
The UK's Office of Financial Sanctions Implementation maintains the UK consolidated list under the Sanctions and Anti-Money Laundering Act 2018. Required for any institution operating in the UK or handling GBP-denominated flows.
Update cadence: several times per week. Format: CSV, PDF.
5. National Lists
Beyond the major regimes, many jurisdictions maintain national asset-freeze lists: Canada OSFI, Australia DFAT, Switzerland SECO, France national list, Germany, Turkey (MASAK decrees), etc. Coverage depends on the institution's customer footprint.
OFAC vs UN vs EU vs UK sanctions lists compared goes deeper on scope, format and matching nuance per list.
The Matching Engine: How a Hit Is Actually Decided
Query: "Mohammed Al-Faisal, DOB 1972, Saudi national." The engine runs this against all normalised sanctions records and returns not a single record but every candidate that matches above a threshold, each with a match score.
Score components:
Name normalisation. Diacritic handling, case folding, punctuation stripping, suffix/prefix separation. "Mohammed AL-FAISAL" should match "Mohammed Al Faisal" and "Mohamed AlFaisal".
Transliteration. Conversion between Arabic, Cyrillic, Chinese, Hebrew and Latin scripts. "محمد" must map to Mohamed, Mohammed, Muhammad, Mohamad — every accepted Romanisation. Engines that ship a weak transliteration library inflate false positives by 10-15%.
Phonetic matching. Soundex, Metaphone, NYSIIS, Beider-Morse. Beider-Morse handles European-name variation well and is the de facto standard for Western lists.
Distance metrics. Levenshtein (edit distance), Jaro-Winkler (weights prefix similarity higher — good for names), n-gram overlap. The match score is a weighted blend.
Identity disambiguators. DOB, place of birth, nationality, passport number, national ID. When present these collapse the candidate set sharply. Name-only matching produces 3-5× the false-positive rate of attribute-aware matching.
The engine produces a continuous score (0-100). Matches above a configured threshold (e.g. ≥85) surface for analyst review; below they auto-clear. Threshold calibration trades false positives against false negatives — operational cost against missed risk.
When Screening Runs
At Onboarding
A synchronous API call before account activation. UX-critical: 100-300 ms target. A positive result moves the application to "under review" status (typically resolved within 24 hours).
Transaction Screening
Every wire, SEPA Credit Transfer, SWIFT message screens its parties. The 50K (originator) and 59 (beneficiary) fields of an MT103, the Dbtr and Cdtr blocks of SEPA pacs.008, the originator and beneficiary addresses on a crypto transfer (Travel Rule context) all go through the engine. A hit pauses the message for manual review.
False-positive cost is at its highest here. A UK clearing bank processing 500,000 wires per day at 1% hit rate is 5,000 manual reviews daily. Unsustainable without aggressive false-positive reduction.
Periodic Rescreening
The existing customer portfolio is re-screened daily or weekly against current lists. Two approaches:
- Full sweep: every customer against every list. Compute-heavy, full coverage.
- Delta sweep: only newly added list entries are checked against the existing portfolio. Light, fast, responsive to new designations.
Standard practice: daily delta plus weekly full.
After a Hit: The Operational Workflow
When a sanctions match lands the standard steps are:
- Automatic hold. Onboarding: account not opened. Transaction screening: message held. Existing customer: transactions blocked.
- Analyst assignment. Alert lands in a case management system, assigned to an AML analyst.
- Investigation. The analyst compares match detail against the customer's full profile — DOB, nationality, ID numbers, address history, ownership structure.
- Decision. True positive or false positive, recorded with reasoning.
- True positive actions. Asset freeze; report to OFSI / national FIU / FinCEN within the statutory window (OFSI reportable matter: 14 days; FinCEN SAR: 30 days; EU member state varies). Customer notification handled per asset freeze rules.
- False positive actions. Release the hold. Match recorded as cleared; future identical matches for the same customer auto-suppressed via match grouping.
- Audit trail. Every step logged; retention varies by jurisdiction (UK: 5 years post-relationship end; EU: 5 years; US: 5 years for SARs).
Match Management: Operational Team Structure
Processing matches at scale follows a typical tiered team:
Tier-1 analyst. Routine matches daily — common name collisions, DOB mismatches, simple false positives. Throughput: 15-30 cases/hour.
Tier-2 analyst. Complex matches (close name match + partial DOB, multi-list matches, cases needing additional research). 3-8 cases/hour.
Sanctions specialist. True positives: sanctions regime interpretation, secondary sanctions assessment, asset freeze process. Hours-to-days per case.
MLRO sign-off. Final sign-off on SARs and asset freeze notifications. Every true-positive sanctions hit needs MLRO signature.
Four-eyes principle. Every match marked true positive goes through a second analyst's verification. Erroneous asset freeze and remediation is extremely costly.
Escalation. Tier-1 to Tier-2 when uncertain; Tier-2 to specialist when uncertain; specialist to MLRO when uncertain.
Operational SLA examples:
- Onboarding match closure: <4 hours (customer waiting)
- Transaction screening match closure: <2 hours (transaction held)
- Rescreening match closure: <24 hours (not urgent but must not be forgotten)
- True-positive sanctions hit MLRO escalation: <1 hour (asset freeze timing critical)
Common Mistakes in Sanctions Screening
Name-only matching. Skipping DOB and nationality blows out false positives.
Single-threshold configuration. Low-risk customers can tolerate a higher threshold; high-risk customers need a lower one. A flat threshold over-alerts on one segment and under-alerts on the other.
List update lag. OFAC designates someone on Tuesday and your system is still running Monday's list on Wednesday. Inspection finding. Target sub-30-minute latency.
Weak transliteration. Arabic and Cyrillic names get spelled half a dozen ways in Latin script. Without solid transliteration, names slip through.
No match grouping. The same customer's same cleared match resurfaces daily and the team eventually rubber-stamps it — at which point a genuine new alert is also rubber-stamped.
Sanctions Evasion Red Flags
Sanctions screening surfaces direct list matches; sanctions evasion is more subtle. The actual sanctions target is on the list — but proxy companies, uncharged family members, layered offshore structures can route around a screen. Practical red flag set:
- Sudden volume spike. Customer historically low-volume; dramatic value increase in the last 30-60 days
- High-risk-jurisdiction transit. Pattern of UK/EU → Singapore/Hong Kong/UAE → sanctions-target jurisdiction
- Out-of-profile payment type. Manufacturer suddenly sending consultancy fees; service business suddenly handling commodity transactions
- Layered ownership. Beneficial owner cannot be traced past 3+ offshore tiers
- Off-colour counterparty. Counterparty name produces zero search traces — no website, no press, no filings
- Geographic + relationship triangulation. Small company in a high-risk jurisdiction + UBO with kinship to a sanctions-listed person
- Structuring. Multiple sub-threshold transactions to avoid reporting obligations
- Vessel and aircraft signals. Designated vessels operating with AIS disabled or under flag-of-convenience changes
System detection of these red flags goes beyond pure sanctions screening into transaction monitoring + behavioural analytics. Sanctions screening is the baseline; behaviour layers are essential to actually catch evasion.
Frequently Asked Questions
How is sanctions screening different from PEP screening?
Sanctions screening is binding — a confirmed hit triggers asset freeze and reporting obligations under specific sanctions regulations. PEP screening is a risk assessment; a confirmed PEP hit triggers Enhanced Due Diligence and closer ongoing monitoring, but the relationship is not refused on the basis of PEP status alone.
Do non-US institutions have to screen OFAC SDN?
Technically OFAC jurisdiction reaches US persons, US-located persons, USD transactions, and US-origin goods. In practice, any institution holding a USD correspondent banking relationship is required by its correspondent to screen against OFAC, and secondary sanctions under statutes like CAATSA can apply to non-US persons under specific conditions. Most international banks therefore screen OFAC SDN as a baseline.
How quickly must we report a confirmed sanctions hit?
OFSI in the UK requires reporting "as soon as practicable" with a 14-day expectation for non-urgent matters; for new designations or apparent breaches, immediate. FinCEN SAR filings have a 30-day window from initial detection (extendable to 60). EU member state reporting windows vary but are generally short (3-7 business days).
Can false-positive rates go below 1%?
In sanctions screening this is hard. Lists contain common names (Mohammed, Wang, Patel) that also appear frequently in customer portfolios. A 0.5-1% false-positive rate represents strong performance. PEP and adverse media run higher. See how to reduce AML false positives for the techniques.
Do we need a third-party list provider (Dow Jones, Refinitiv)?
Not strictly required, but in practice essential at any reasonable scale. List providers normalise source data, enrich aliases and identifiers, handle format changes, and supply consolidated coverage. Maintaining OFAC, UN, EU and UK lists in-house requires a 3-4-person data engineering team. A vendor list-licence plus matching engine (Legichain included) absorbs that overhead.
How Legichain Helps
Legichain's AML screening API provides UN, OFAC SDN and consolidated, EU, UK HMT OFSI, MASAK decrees and major national sanctions lists in one normalised source. List update latency averages under 15 minutes for OFAC, our matching layer ships Beider-Morse phonetics, strong Arabic/Cyrillic/Chinese transliteration, and identity-attribute scoring out of the box.
Synchronous endpoint for onboarding (<200 ms p99), batch endpoint for daily rescreening, message-level integration for SWIFT MT103 and SEPA pacs.008 transaction screening. Match score and hit source come back in detail; case management webhook integration available.