What does a sanctions compliance process typically involve? This page outlines the areas that regulators like OFAC generally expect organisations to address — from identifying which regimes apply, to screening, documentation, and ongoing monitoring. It is an informational overview based on publicly available regulatory guidance, not legal advice or a compliance programme.
Not every organisation faces the same sanctions obligations. Regulatory exposure typically depends on where an organisation is incorporated, where its counterparties are, and where its transactions touch.
US nexus. OFAC sanctions apply to all US persons (citizens, residents, and US-incorporated entities). They also apply to non-US persons whose transactions clear through the US dollar system or involve US-origin goods — giving OFAC jurisdiction well beyond US borders.
Multi-jurisdictional exposure. Organisations that operate in or trade with the EU, UK, Australia, Canada, or Switzerland are subject to those jurisdictions' sanctions independently. Each regime maintains its own list and its own restrictions, and they do not always overlap.
Export controls. Separately from financial sanctions, BIS export controls may apply to entities that export goods, software, or technology — or whose products contain US-origin components or were produced using US technology (under the Foreign Direct Product Rule), even if the entity is not American.
Understanding geographic exposure is a starting point: which countries do counterparties, suppliers, end-users, and partners operate in? Comprehensively embargoed jurisdictions (Cuba, Iran, North Korea, Syria, and parts of Ukraine) and heavily sanctioned jurisdictions (Russia, Belarus, Venezuela, Myanmar) represent the highest risk.
OFAC's published compliance framework identifies risk assessment as the first pillar of an effective sanctions compliance programme — a systematic evaluation of where an organisation is most exposed.[1] The depth of screening is generally expected to be proportionate to the risk.
Counterparty risk considers who the organisation is dealing with: whether they are in high-risk jurisdictions, in industries frequently targeted by sanctions (energy, defence, finance, shipping, technology), or have complex ownership structures.
Product and service risk considers whether goods are dual-use (civilian and military applications), whether financial services, insurance, or technology could be restricted, and whether the organisation operates in sectors specifically targeted by sanctions programmes.
Transaction risk considers whether transactions involve intermediaries, shell companies, or transshipment hubs, whether payments are routed through the US financial system, and whether there are unusual patterns such as last-minute changes to shipping destinations or requests to omit information.
Screening is the operational core of sanctions compliance. Regulators generally expect all parties to a transaction — not just the direct counterparty, but also end-users, intermediaries, freight forwarders, and beneficial owners — to be checked against relevant sanctions and restricted party lists.
Which lists? At minimum, this typically includes OFAC SDN and Non-SDN lists (US), BIS restricted party lists (US), the UN Security Council Consolidated List, and the sanctions lists of any jurisdiction where the organisation or its counterparties operate. See our sanctions screening guide for a detailed breakdown.
Matching approach. Exact-match-only screening misses name variations, transliterations, and spelling differences — especially important for names transliterated from Arabic, Cyrillic, Chinese, or other non-Latin scripts. Broader matching reduces false negatives at the cost of more results to review.
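To make the trade-off concrete, here is an added example (not code from this page or from any screening product) of a small normalising, token-based matcher: it strips diacritics, case and punctuation, expands corporate suffix abbreviations, and compares tokens with a similarity ratio so that a strict threshold misses a transliteration variant while a looser one catches it. The list entries are constructed placeholders, not real designations.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample list entries for illustration; not real designations.
SAMPLE_LIST = [
    "IVANOV, Aleksandr Petrovich",
    "NUNEZ, Alvaro",
    "Al-Rashid Trading Company",
    "Mohammed Hassan",
]

# Corporate suffix abbreviations expanded so "Co" and "Company" compare equal.
SUFFIXES = {"co": "company", "ltd": "limited", "corp": "corporation", "inc": "incorporated"}


def normalize(name):
    """Strip diacritics, case and punctuation; expand suffixes; return sorted tokens."""
    decomposed = unicodedata.normalize("NFKD", name)          # "Á" -> "A" + combining accent
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9]+", " ", stripped.lower())    # "Al-Rashid" -> "al rashid"
    return sorted(SUFFIXES.get(tok, tok) for tok in cleaned.split())


def token_similarity(a, b):
    """Character-level similarity in [0, 1]; 1.0 means identical tokens."""
    return SequenceMatcher(None, a, b).ratio()


def match_score(query, entry, token_threshold):
    """Fraction of query tokens that have a near-match among the entry's tokens."""
    q_tokens, e_tokens = normalize(query), normalize(entry)
    if not q_tokens:
        return 0.0
    matched = sum(
        1 for q in q_tokens
        if any(token_similarity(q, e) >= token_threshold for e in e_tokens)
    )
    return matched / len(q_tokens)


def screen(query, entries=SAMPLE_LIST, token_threshold=0.8, min_score=1.0):
    """Return (entry, score) pairs at or above min_score, best first.

    Lowering token_threshold widens the net (fewer false negatives) but
    produces more candidates that an analyst must review.
    """
    hits = [(e, round(match_score(query, e, token_threshold), 2)) for e in entries]
    return sorted([h for h in hits if h[1] >= min_score], key=lambda h: -h[1])
```

With the default threshold, "Muhammad Hassan" does not hit "Mohammed Hassan" (the first tokens score 0.75); at 0.7 it does, which is exactly the false-negative versus review-volume trade-off described above.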
PEP screening. Politically Exposed Persons screening is a component of AML/CTF compliance and is expected under most KYC frameworks. PEPs are not sanctioned per se, but their status as senior government officials, politicians, or state enterprise board members typically triggers enhanced due diligence.
The 50% Rule. Under OFAC rules, entities owned 50% or more by blocked persons are themselves blocked, even if they do not appear on the SDN List by name. This means screening the direct counterparty alone may be insufficient.
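The following is an added example, not from this page, showing why name screening alone can miss a blocked entity: it walks a constructed ownership graph and applies the aggregation logic of OFAC's published 50% guidance as assumed here (holdings of all blocked persons are summed, and an intermediary's holdings count only once that intermediary is itself blocked). Entity names are fictional placeholders.

```python
# Constructed ownership data: owner -> {owned entity: percentage held}.
# Names are fictional placeholders, not real designations.
OWNERSHIP = {
    "Blocked Person X": {"Entity A": 50, "Entity B": 50, "Entity D": 25},
    "Entity A": {"Entity C": 25},
    "Entity B": {"Entity C": 25},
    "Entity D": {"Entity E": 60},
    "Unrelated Investor": {"Entity D": 75, "Entity E": 40},
}

# The only name that would appear on the list itself.
LISTED = {"Blocked Person X"}


def blocked_share(entity, blocked, ownership):
    """Percentage of `entity` held directly by owners currently treated as blocked."""
    return sum(ownership.get(owner, {}).get(entity, 0) for owner in blocked)


def apply_fifty_percent_rule(listed, ownership):
    """Expand the listed set with every entity 50%+ owned by blocked persons.

    Runs to a fixed point so that indirect ownership is counted only through
    intermediaries that have themselves become blocked.
    """
    blocked = set(listed)
    entities = {e for holdings in ownership.values() for e in holdings}
    changed = True
    while changed:
        changed = False
        for entity in entities - blocked:
            if blocked_share(entity, blocked, ownership) >= 50:
                blocked.add(entity)
                changed = True
    return blocked


def screening_gap(listed, ownership):
    """Entities blocked by ownership but absent from the list: name screening alone misses these."""
    return sorted(apply_fifty_percent_rule(listed, ownership) - set(listed))
```

In the sample data, Entity C is blocked through two 25% holdings by blocked intermediaries, while Entity E is not, because its 60% owner (Entity D) is only 25% blocked-owned.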
Sanctions Checklist searches OFAC, BIS, UN, EU, UK, Australian, Canadian, Swiss, and other international sanctions and PEP lists in a single query. Generate timestamped PDF reports for your records. First 10 searches are free.
In enforcement actions, regulators do not just ask whether an organisation screened — they ask for evidence. OFAC has noted that undocumented screening provides no mitigation.
What regulators look for: timestamped records of what was searched, when, against which lists, and what the results were — including negative results. A documented "no match" is considered as important as a documented match, because it demonstrates that screening took place.
Decision trail. When a potential match is found, regulators expect a record of who reviewed it, what additional information was gathered, and the decision made (true match, false positive, or escalated to legal counsel).
Retention. OFAC recommends retaining sanctions-related records for a minimum of five years from the date of the transaction. Some programmes require longer retention periods. Exportable reports (PDF or CSV with search parameters, sources checked, and outcomes) are the standard format for demonstrating due diligence to auditors.
Sanctions lists change constantly — OFAC can publish new designations multiple times per week. A name cleared at onboarding may become sanctioned months later while the relationship is still active.
Regulators generally expect screening frequency to be proportionate to risk: daily for financial institutions and high-risk relationships, weekly or monthly for lower-risk commercial relationships. Automated alert systems that notify an organisation when a counterparty's sanctions status changes are more reliable than manual periodic checks.
Beyond periodic rescreening, changes to counterparty information (ownership, jurisdiction, name), negative news, or changes in the regulatory environment are commonly treated as trigger events for a fresh screen.
Regulators expect organisations to have defined procedures for what happens when a potential match is identified: who reviews it, what additional checks are performed, at what point a transaction is blocked, and when legal counsel is involved.
Under OFAC rules, if a sanctions violation is identified or an asset is blocked, a blocking report is required within 10 business days. Voluntary self-disclosure of violations has historically resulted in significantly reduced penalties compared to cases discovered by regulators.
Know Your Customer (KYC) is a broader due diligence framework that includes identity verification, understanding the nature of the business relationship, beneficial ownership identification, and ongoing monitoring. Sanctions screening is one component of KYC.
However, sanctions screening obligations exist even for organisations not subject to full KYC requirements. A university screening a research partner, an exporter vetting a buyer, or a procurement team checking a supplier all face sanctions obligations — even if they are not regulated financial institutions subject to formal KYC rules.
Beyond sanctions lists, comprehensive due diligence commonly also involves: