The Surprising Complexity of a Simple Idea
Sanctions sound straightforward. Governments publish lists of people and companies you are not allowed to do business with. You check your customers against those lists. If there is a match, you stop the transaction. Simple, right?
In practice, this turns out to be fiendishly difficult. The lists are maintained by multiple authorities that do not coordinate perfectly with each other. Names get transliterated differently across languages. People use aliases. And the people who are most dangerous are the ones trying hardest not to be found.
Who Makes the Lists
- OFAC (US): The most powerful sanctions authority in the world, partly because of the dollar's role in global finance. If your transaction touches the US financial system in any way, OFAC rules apply
- EU: Maintains its own sanctions regime. Since Brexit, the EU and UK lists have started diverging, which creates extra work for everyone
- UN: The Security Council's sanctions are binding on all member states and usually form the floor that other authorities build on top of
- UK (OFSI): The UK now runs its own independent sanctions program, which has been charting its own course since Brexit
- Everyone else: Many countries layer on additional national lists beyond their international obligations. The more places you operate, the more lists you need to check
The Name Matching Problem
Here is where it gets interesting. You need to match your customer data against these lists accurately enough to catch real matches but not so aggressively that you drown in false positives. This sounds like a tuning problem, and it is. But the underlying matching problem is genuinely hard.
Sanctions compliance is enforced on a strict-liability basis by OFAC and treated similarly in many other jurisdictions. "We did not know" is not a defense. You have to show you took reasonable steps to screen against every applicable list, continuously, and that you can prove it afterwards.
Why Exact Matching Fails
Imagine a sanctions list contains "Mohammed Al-Rahman." Your customer signed up as "Mohamed Alrahman." A simple string comparison says these are different. But they are obviously the same person. This is not an edge case. It is the normal case when you are dealing with names transliterated from Arabic, Chinese, Russian, or dozens of other scripts, where one source spelling can legitimately produce several Latin-script variants.
Fuzzy matching addresses this in layers. First normalize both sides: fold case, strip diacritics, drop hyphens and punctuation, and split into tokens so word order and spacing stop mattering. Then compare with a mix of techniques: edit distance (how many single-character changes turn one string into the other), phonetic keys (collapsing spellings that sound alike, so "Mohammed" and "Muhammad" share a key), and token-based comparison (matching "Al-Rahman, Mohammed" against "Mohammed Al-Rahman"). The output is a score, and the trick is calibrating the threshold on that score. Set it too tight and real matches slip through. Set it too loose and your compliance team spends all day clearing false positives on people named "Mohammed" who are definitely not on any sanctions list.
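As an added illustration, not code from the original post or from any screening vendor, here is a minimal Python screener that combines the three techniques above: normalization, Levenshtein edit distance, a crude phonetic key, and a token-order-independent comparison. The watchlist and customer names are constructed for the example and are not real designations; the 0.7/0.3 weighting and the thresholds are assumptions you would tune against your own alert data.

```python
import re
import unicodedata

# Constructed sample data for the example; these are not real designations.
WATCHLIST = ["Mohammed Al-Rahman", "Sergey Ivanov"]
CUSTOMERS = [
    "Mohamed Alrahman",       # transliteration variant: should hit
    "Al-Rahman, Mohammed",    # reordered "surname, given": should hit
    "Mohammed Ali",           # shares a first name only: should NOT hit
    "Sergei Ivanov",          # Cyrillic transliteration variant: should hit
    "Jane Doe",               # unrelated: should NOT hit
]


def normalize(name: str) -> str:
    """Fold case, strip diacritics, turn hyphens/punctuation into spaces."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9\s]", " ", stripped.lower())
    return " ".join(cleaned.split())


def levenshtein(a: str, b: str) -> int:
    """Classic single-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def edit_similarity(a: str, b: str) -> float:
    """1.0 for identical strings, falling toward 0.0 as edits pile up."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def phonetic_key(s: str) -> str:
    """Crude phonetic key (a Soundex-like simplification, assumed for the example):
    keep the leading letter, drop later vowels, collapse doubled letters.
    'mohammed', 'mohamed' and 'muhammad' all reduce to 'mhmd'."""
    out = []
    for i, c in enumerate(s):
        if i > 0 and c in "aeiouy":
            continue
        if out and out[-1] == c:
            continue
        out.append(c)
    return "".join(out)


def match_score(candidate: str, listed: str) -> float:
    """Blend edit similarity and phonetic agreement, tried both in the given
    token order and with tokens sorted (so 'Al-Rahman, Mohammed' still matches)."""
    a, b = normalize(candidate), normalize(listed)
    a_joined, b_joined = a.replace(" ", ""), b.replace(" ", "")
    a_sorted, b_sorted = "".join(sorted(a.split())), "".join(sorted(b.split()))
    edit = max(edit_similarity(a_joined, b_joined),
               edit_similarity(a_sorted, b_sorted))
    phon = 1.0 if (phonetic_key(a_joined) == phonetic_key(b_joined)
                   or phonetic_key(a_sorted) == phonetic_key(b_sorted)) else 0.0
    return 0.7 * edit + 0.3 * phon  # weights are an assumption; tune on real alerts


def screen(customers, watchlist, threshold: float):
    """Return (customer, listed_name, score) for every pair at or above threshold.
    The same call serves onboarding and a full re-screen after a list update."""
    return [(c, w, match_score(c, w))
            for c in customers for w in watchlist
            if match_score(c, w) >= threshold]


if __name__ == "__main__":
    # Threshold calibration: a tight setting keeps the real variants and drops
    # "Mohammed Ali"; a loose setting drags it in as a false positive.
    for threshold in (0.85, 0.4):
        print(f"threshold {threshold}:")
        for customer, listed, score in screen(CUSTOMERS, WATCHLIST, threshold):
            print(f"  {customer!r} ~ {listed!r} score={score:.3f}")
```

Run it and compare the two thresholds: at 0.85 the three genuine variants hit and "Mohammed Ali" does not, while at 0.4 it appears as a fourth alert that an analyst would have to clear by hand. Production systems replace the toy phonetic key with Soundex/Metaphone or script-aware transliteration tables and add date-of-birth and nationality as secondary discriminators, but the calibration loop is the same.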
When and How to Screen
You cannot just screen once and forget about it. Sanctions lists change constantly, and during periods of geopolitical crisis they can be updated several times in a single day. A customer who was clean at onboarding can be designated the next morning, so you need to screen at several points in time.
A solid screening program does all of these:
- At onboarding: Check every new customer before you let them in the door
- Before every transaction: Screen payments and transfers in real time, including the counterparty, before the money moves
- Whenever lists change: Re-screen your entire customer base each time a new designation is published
- Looking backward: When someone new gets sanctioned, immediately check whether they are already in your customer base or have appeared in recent transactions
How People Evade Sanctions
The people on sanctions lists are not sitting around waiting to be caught. They are actively trying to evade detection, and they have gotten creative about it. Understanding their playbook is essential if you want your screening to actually work.
- Name games: Aliases, transliteration tricks, maiden names, and legal name changes to dodge matching algorithms
- Shell companies: Operating through companies that are not themselves sanctioned, creating a layer of separation
- Nominees: Putting an unsanctioned person's name on the paperwork while the sanctioned party keeps actual control
- Ownership chains: Building long chains of companies to put distance between themselves and the operating entity
- Trade-based schemes: Using trade invoices to move value across borders without triggering the usual financial system controls
- Crypto: Using digital assets and decentralized exchanges to route around the traditional banking system entirely
What a Good Screening Program Looks Like
Technology alone will not save you. You also need clear policies, people who know what they are doing, documented procedures, and regular testing. Here is what matters:
- Cover all the lists: Make sure you are screening against every sanctions list that applies to your jurisdictions, your customers, and your transaction corridors
- Tune your matching: Calibrate your algorithms to your specific risk profile, and test regularly to make sure the balance between catches and false positives is right
- Update fast: Get new list entries into your system within hours, not days. The best platforms do this automatically
- Handle alerts well: Have clear procedures for investigating hits, escalating real concerns, and documenting your decisions
- Test it: Run independent tests periodically to make sure your system actually catches what it should
- Keep records: Maintain a complete audit trail of every screening activity and every decision you made about an alert
The World Is Not Getting Simpler
Geopolitics has gotten more volatile, and sanctions programs have expanded in response. The pace of new designations has accelerated dramatically. Some days bring multiple updates.
If your screening system cannot keep up with that pace, you have a problem. The cost of a sanctions violation, which can run into hundreds of millions of dollars in penalties plus potential criminal liability, makes this one of the easiest cost-benefit calculations in all of compliance. The investment in good screening is tiny compared to what happens when you get it wrong.