How to Conduct Sanctions Screening for AML? Complete Guide
- Sanctions screening is a core AML control that checks customers and counterparties against government-issued watchlists maintained by OFAC, OFSI, the EU, and the UN throughout the relationship.
- Effective screening depends on accurate list coverage and calibrated fuzzy matching, the two factors that determine whether a program catches genuine risks without overwhelming analysts with false alerts.
- Signzy's AML screening platform checks against 1,000+ watchlists across 180 countries with daily list refresh and fuzzy matching that reduces missed hits from transliteration and name variation.
Every business with cross-border exposure is expected to screen its customers and transactions against sanctions lists. On the surface, this sounds like a straightforward lookup. In practice, the work behind it is more demanding than it appears.
The lists themselves change frequently. OFAC, the EU, OFSI, and the UN each maintain their own databases, updated on different schedules. A designation that did not exist last week may be relevant to a customer you are onboarding today.
Keeping pace with those updates is one part of the challenge. The other is matching names accurately when the same person may appear under different spellings across lists and customer records. A program that handles both at volume requires careful design.
But before we discuss the fix, let's understand what exactly sanctions screening is and how it fits within an AML compliance framework.
What is sanctions screening in AML?
Sanctions screening is the process of checking individuals and entities against government-issued lists of prohibited parties before or during a business relationship. It sits within the AML framework as a preventive control, running at onboarding and continuing throughout the relationship.
Where transaction monitoring looks at patterns of behaviour over time, sanctions screening asks a narrower question: is this specific party on a prohibited list? The answer determines whether a transaction can proceed or whether the relationship requires escalation.
Why sanctions screening matters for businesses
Sanctions obligations come from multiple regulatory authorities, each with its own lists, legal basis, and enforcement reach. A business operating across borders may be subject to several of them at once.
- OFAC: Administered by the US Treasury, OFAC maintains the Specially Designated Nationals list and enforces economic sanctions with extraterritorial reach across USD-denominated transactions.
- OFSI: The UK's Office of Financial Sanctions Implementation enforces UK financial sanctions and publishes a consolidated list that UK-connected businesses must screen against independently of any EU obligation.
- EU sanctions: The European Union maintains a consolidated sanctions list binding on all member states, requiring screening of parties involved in EU-connected financial transactions.
- UN Security Council: UN resolutions create baseline designations that form the foundation for most national and regional lists, with member states obligated to implement them through domestic law.
- FATF: FATF sets the global standards that require member countries to implement sanctions screening as part of their AML frameworks, and its jurisdictional watchlists inform enhanced due diligence decisions.
Types of sanctions lists businesses must screen against
Knowing which lists to screen against is the first practical decision in building a sanctions program. The answer depends on the jurisdictions a business operates in and the customer base it serves.
OFAC Specially Designated Nationals list
The SDN list is maintained by the US Office of Foreign Assets Control and is the most widely referenced sanctions list globally. It designates individuals and entities under dozens of US sanctions programs, from counter-terrorism to narcotics trafficking. Any business touching USD transactions or the US financial system must screen against it, regardless of where the business is headquartered.
The list updates multiple times per month, making automated data ingestion a practical requirement for any program that claims current coverage.
UN Consolidated Sanctions list
The UN Consolidated Sanctions list brings together all active designations issued across the UN Security Council's various sanctions committees. Member states are required to implement these designations through domestic law, so the UN list serves as the baseline for most national sanctions programs.
It is one of the few lists with genuine global jurisdictional reach. Screening against it independently of national programs is advisable, as domestic implementations can lag behind UN updates.
EU Consolidated Sanctions list
The EU Consolidated Sanctions list aggregates all restrictive measures adopted by the European Council. It applies uniformly across all EU member states and covers both asset freezes and travel restrictions for designated individuals and entities. Businesses with any connection to EU-based counterparties or transactions are required to screen against it.
Since Brexit, the EU and UK lists have diverged in certain designations, so businesses with exposure to both jurisdictions must screen against them as separate obligations.
OFSI Consolidated list
OFSI, the UK's Office of Financial Sanctions Implementation, publishes and enforces the UK's own consolidated list of designated parties. Since Brexit, the UK has developed autonomous sanctions programs that no longer mirror EU designations in all cases. Any business with a UK nexus must treat the OFSI list as a standalone screening obligation.
OFSI publishes the list in structured formats to support automated ingestion. Relying solely on the EU list for UK compliance has created gaps for businesses that have not updated their programs since 2021.
Domestic and regional sanctions lists
Beyond the major multilateral programs, many countries and regional blocs maintain their own domestic sanctions lists. Australia, Canada, Singapore, and Japan each publish national designations that may include parties not yet listed by OFAC or the EU. Businesses with operations in specific countries should identify which domestic lists apply and include them in their screening setup alongside the major databases.
Domestic list coverage is one of the most common gaps in screening programs, particularly for businesses scaling into new markets.
With the right lists identified, the next task is to build a process that covers them consistently.
How to conduct sanctions screening: A step-by-step process

The seven steps below describe how to build and run a screening workflow that holds up operationally and under scrutiny.
1. Define the scope of your screening program
Before any list is sourced or a tool is configured, the program needs clear boundaries. Defining the scope means deciding which customers and transaction types require screening. It also means identifying the jurisdictions you operate in and the currencies you process, since these determine which lists are relevant. A defined scope is what makes the rest of the process consistent and auditable.
2. Source and consolidate your sanctions lists
With the scope defined, the next step is assembling the lists themselves. This means identifying the relevant databases and establishing a process for keeping them current.
- Obtain lists directly from official sources: OFAC, OFSI, EU, and UN each publish their databases publicly
- Include domestic lists for any jurisdiction where your business has a meaningful operational or customer presence
- Consolidate all sources into a single normalized dataset to prevent format inconsistencies and duplicate entries
- Set a refresh cadence that matches each list's update frequency, with OFAC requiring near-daily updates
3. Collect and standardize customer data
The quality of screening output depends directly on the quality of the data going in. At onboarding, collect full legal names, dates of birth, nationalities, and any known aliases. Inconsistent formatting and missing fields reduce matching accuracy and increase both false positives and missed hits. Standardising data at the point of collection avoids compounding these problems at the matching stage.
4. Run name matching with fuzzy logic
With clean data and current lists in place, the fourth step is the matching itself. Exact-match approaches miss too many genuine hits because names vary across transliteration systems and data entry conventions. Fuzzy logic matching accounts for these variations by comparing names on phonetic similarity and character-level differences.
- Apply phonetic algorithms and character distance scoring to catch spelling variations and transliteration differences
- Configure match thresholds to balance sensitivity against false positive volume before deployment
- Screen against all known aliases and alternate name entries for each listed entity
- Use secondary identifiers such as date of birth and nationality to improve precision on ambiguous matches
5. Review and investigate generated alerts
Every alert the matching engine generates requires human review. The difference between a false positive and a real hit requires judgment that automated systems cannot replace. Reviewers should assess each alert against the full profile of the listed entity, checking identifiers such as date of birth and nationality. This investigation needs to happen in a timely way, since unresolved alerts can delay transactions and create backlogs.
6. Make a clearance or escalation decision
Once a review is complete, the outcome needs a formal decision. If the investigation confirms the alert is a false positive, the case can be cleared with documented reasoning. A credible match must be escalated to the compliance team before any transaction is processed or the relationship continues. Every decision, in either direction, needs to be recorded.
7. Document findings and maintain an audit trail
Documentation is what turns a screening process into a defensible compliance program. The record for each alert should capture what was screened, the threshold applied, and the reasoning behind the final decision. Regulators and auditors expect to see this record when they examine a program. A complete audit trail demonstrates that screening was conducted consistently, not just that a policy says it should be.
Common challenges in sanctions screening
Even well-structured screening programs run into a predictable set of operational problems. Most are not caused by poor compliance work. They are caused by tools and processes that have not kept pace with how sanctions regimes actually operate today.
When alert volumes exceed what analysts can reliably review
PwC estimates that false positives account for 90 to 95% of all risk alerts across AML monitoring tools. That means for every confirmed hit, analysts are clearing roughly 19 non-issues first.
The volume problem compounds fast. OFAC updated its sanctions list 129 times in 2023, often multiple times in a single day. The EU list was amended 49 times and the UK list 55 times that same year. More list updates mean more alerts. Industry surveys show 59% of compliance staff report burnout, with 74% frustrated by staffing levels that cannot keep pace. The industry has largely responded by hiring more analysts, but when 95% of alerts are false alarms, adding headcount just scales the waste.
The problem is made worse when tools are not built to reduce noise. ComplyAdvantage surfaces this tension directly in its own customer reviews. One verified Capterra user noted:
"What I found challenging with ComplyAdvantage was the high number of false positives generated by the monitoring system, leading to unnecessary investigations and resource allocation." — Verified user review, Capterra
This is not a criticism unique to one vendor. It reflects a structural problem across the category: platforms default to broad matching to avoid missing true hits, but without proper calibration against your actual customer population, the alert queue becomes unmanageable. Threshold configuration tuned to your risk profile, combined with richer secondary identifiers at onboarding, is what brings rates down durably.
Matching names that exist in multiple romanized forms
Names written in Arabic, Chinese, or Cyrillic script can be romanized in multiple ways, none of which is standardized across source documents or sanctions lists. The same designated individual may appear as Hassan, Hassane, or Hasan depending on the document. A name like Mohamed Ali can match dozens of unrelated entries on a single list, each requiring manual investigation.
This is a structural problem baked into how lists are built and how customer data is collected. Even well-established data providers struggle with it in practice.
Phonetic algorithms and character-distance scoring address this at the technical level, but they need to be configured against your actual customer population, not generic vendor defaults. The other half of the solution is collecting better secondary identifiers at onboarding, so that a name match alone is never the only signal an analyst has to work with.
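The matching described here and in step 4 of the process above can be sketched as follows. This is an added example, not code from the original article or from any vendor: the watchlist entries are constructed and fictional, the function names and the 0.85 threshold are illustrative assumptions, and the phonetic key is a simplified consonant skeleton standing in for a production algorithm such as Soundex or Metaphone.

```python
import unicodedata

def normalize(name):
    """Casefold, strip diacritics/punctuation, sort tokens so word order is ignored."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return " ".join(sorted(cleaned.split()))

def levenshtein(a, b):
    """Character edit distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def char_similarity(a, b):
    """1.0 = identical after normalization, 0.0 = nothing in common."""
    a, b = normalize(a), normalize(b)
    if not a or not b:
        return 0.0
    return 1 - levenshtein(a, b) / max(len(a), len(b))

def phonetic_key(name):
    """Simplified consonant skeleton per token (a stand-in, not Soundex or Metaphone)."""
    keys = []
    for tok in normalize(name).split():
        key = tok[0]
        for c in tok[1:]:
            if c not in "aeiou" and c != key[-1]:
                key += c
        keys.append(key)
    return " ".join(keys)

# Constructed watchlist entries (fictional, not taken from any real list).
WATCHLIST = [
    {"uid": "TEST-001", "names": ["Hassan Exemplar", "Hasan Exemplar"], "dob": "1970-01-01"},
    {"uid": "TEST-002", "names": ["Mohamed Ali"], "dob": "1985-05-05"},
]

def screen(name, dob, watchlist=WATCHLIST, threshold=0.85):
    """Return alerts for analyst review; the DOB check annotates, it never auto-clears."""
    alerts = []
    for entry in watchlist:
        # Screen against the primary name and every alias; keep the best character score.
        score, matched = max((char_similarity(name, n), n) for n in entry["names"])
        phonetic = any(phonetic_key(name) == phonetic_key(n) for n in entry["names"])
        if score < threshold and not phonetic:
            continue
        if not dob or not entry["dob"]:
            dob_status = "unknown"
        else:
            dob_status = "match" if dob == entry["dob"] else "conflict"
        alerts.append({"uid": entry["uid"], "matched_name": matched,
                       "score": round(score, 4), "phonetic": phonetic, "dob": dob_status})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for who in [("Hassane Exemplar", "1970-01-01"), ("Muhammad Ali", "1990-02-02")]:
        print(who, screen(*who))
```

"Muhammad Ali" scores only 0.75 on character distance and is caught by the phonetic key alone, while the date-of-birth conflict gives the reviewer a second signal for what would otherwise be a name-only alert.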
Starling Bank illustrates what happens when this is not resolved at scale. The FCA fined the bank £28.9 million in 2024, finding that as the bank grew from 43,000 to 3.6 million customers, its screening configuration never kept pace and name matching logic that worked at small volume became a significant liability.
Signzy's AML screening platform applies fuzzy matching and transliteration handling natively across 1,000+ watchlists, catching name variations across scripts and romanization conventions without requiring manual threshold tuning for each new market or customer segment.
Gaps that form when list sources are managed separately
45% of compliance teams cite siloed datasets as a key operational limitation, according to industry surveys, blocking the ability to connect related financial crime data across jurisdictions. When OFAC, EU, OFSI, and domestic lists are managed through separate processes on different update schedules, the program looks complete on paper but has measurable coverage holes in execution.
Independent testing by AML Analytics found that sanctions screening failures rarely stem from the technology itself. Instead, weaknesses arise from how systems are configured, governed, and operated over time, including reliance on factory default settings never calibrated to the institution's risk appetite, and alert thresholds tuned to operational capacity rather than documented risk tolerance.
Consolidating all sources into a single normalized, regularly refreshed dataset is what closes these gaps and makes audit documentation significantly more defensible.
Outdated list data and the compliance exposure it creates
Sanctions lists are not monthly publications. US sanctions designations rose to over 17,000 entities and individuals by mid-2025, a 25% increase since 2023. Every hour between a new designation and its appearance in your screening system is a live exposure window, and regulators now treat it as one.
The SkyGeek enforcement case in December 2024 made this explicit. OFAC penalized the company for processing transactions to counterparties that had been designated after the relationship began, specifically because the company had no policy to rescreen previously approved parties.
OFAC stated the case "highlights the importance of implementing appropriate risk-based controls over the course of a transaction's life cycle." In October 2024, TD Bank was fined $3.09 billion for AML and sanctions failures, with regulators citing a compliance program that had not been updated to reflect known risks, including failure to block transactions linked to sanctioned entities.
Automated list ingestion with daily or near-daily refresh is no longer a differentiator. It is the baseline regulators now expect. Signzy's AML screening platform refreshes across 1,000+ watchlists in 180 countries on a daily cycle, closing the gap that weekly or monthly vendor refresh schedules leave open.
Sanctions screening vs AML screening: What is the difference?
| Dimension | Sanctions screening | AML screening |
|---|---|---|
| Definition | Checking customers and transactions against government-issued lists of prohibited parties | Identifying and reporting suspicious financial activity linked to money laundering |
| Regulatory driver | OFAC, OFSI, EU Council, UN Security Council | FATF recommendations and national AML legislation |
| Primary lists used | SDN, UN Consolidated, EU Consolidated, OFSI list | PEP databases and adverse media sources |
| Trigger events | Onboarding, transaction processing, periodic rescreening, list updates | Unusual transaction patterns and threshold breaches that suggest suspicious activity |
| Output | Match or no-match decision, with escalation path for confirmed hits | Suspicious activity report filed with a financial intelligence unit |
The two functions share some infrastructure, particularly around customer data and monitoring workflows. Sanctions screening is a gatekeeping check: it asks whether a party is on a prohibited list.
AML screening takes a longer view, examining whether a pattern of activity across transactions suggests criminal origin.
Most compliance programs run both in parallel, with the data from one informing the risk decisions of the other.
Best practices for sanctions screening
The technical setup of a screening program only goes so far. The decisions made around threshold configuration and ongoing monitoring determine whether it holds up in practice.
✅ Align screening intensity to your risk profile, applying tighter thresholds to higher-risk customers and jurisdictions than to lower-risk ones.
✅ Automate list ingestion and alert routing to eliminate manual errors and ensure every check runs against current data.
✅ Calibrate fuzzy matching thresholds carefully, since too low a setting floods analysts and too high a setting allows genuine matches to pass undetected.
✅ Rescreen existing customers whenever sanctions lists are updated so new designations are caught without waiting for the next scheduled review.
✅ Document every screening run with the lists used and the reasoning behind each alert disposition to support audit requirements.
"We operate across the US, UK, and EU markets, which means three separate sanctions obligations. Having all three consolidated in one platform with independent refresh cycles for each was the main reason we chose Signzy." — Chief Compliance Officer, Fintech Platform.
How can Signzy streamline sanctions screening?
Keeping sanctions list coverage current and alert volumes manageable at scale puts significant strain on compliance teams. Teams that build this manually tend to fall behind on list updates and accumulate alert backlogs that reduce decision quality.
Signzy's AML screening platform screens against 1,000+ watchlists across 180 countries, with a daily list refresh to ensure coverage stays current. The platform applies fuzzy matching and transliteration handling natively, reducing missed hits from name variations while keeping false positive rates manageable.
"We were manually downloading OFAC and EU list updates on different schedules and reconciling them ourselves. Signzy automated all of it, and our coverage is now consistent across every list we are obligated to screen against." — Sanctions Compliance Manager, Cross-border Payments Company.
Screening runs at onboarding and continues as ongoing monitoring, flagging customers designated after they joined without requiring manual intervention. Results are returned via API with structured output that supports audit documentation.
Signzy's broader compliance suite covers the full spectrum of AML-related controls: from KYC AML screening at onboarding to criminal screening for enhanced due diligence checks. For teams managing governance, risk, and compliance requirements across multiple jurisdictions, Signzy provides the infrastructure to run consistent, auditable programs at scale.
Book a demo with Signzy to see how the screening works in practice across your specific jurisdictions and customer base.

Saurin Parikh
Saurin is a Sales & Growth Leader at Signzy with deep expertise in digital onboarding, KYC/KYB, crypto compliance, and RegTech. With over a decade of professional experience across sales, strategy, and operations, he’s known for driving global expansions, building strategic partnerships, and leading cross-functional teams to scale secure, AI-powered fintech infrastructure.




