Sanctions violations carry some of the highest penalties in financial regulation: the US alone levied over $1.5 billion in OFAC penalties in 2024. Unlike most compliance failures, sanctions breaches can occur even without intent: processing a payment that touches a sanctioned entity or jurisdiction, even unknowingly, triggers strict liability under US law.
This guide covers the four major global sanctions regimes every AML compliance team must screen against, how to set screening frequency, how to manage the false positives that plague manual processes, and what your audit trail needs to contain to satisfy regulators.
Scope note: This guide focuses on financial sanctions (asset freezes and prohibitions on transactions). Export control sanctions (ITAR, EAR) and sectoral sanctions are not covered here but require separate compliance programs for affected industries.
The Four Major Sanctions Regimes
There is no single global sanctions list. Financial institutions must screen against multiple regimes simultaneously, and coverage gaps are a common regulatory finding.
OFAC Specially Designated Nationals (SDN) List
Published by the US Treasury's Office of Foreign Assets Control. The SDN list identifies individuals, entities, and vessels that are subject to asset freezes and transaction prohibitions. US persons, including foreign subsidiaries of US companies and any institution processing USD, must comply globally, regardless of where the transaction occurs.
Key programs covered: Iran (OFAC's largest program), Russia (dramatically expanded post-2022), North Korea, Cuba, Syria, Venezuela, and the Global Terrorism Sanctions program. The SDN list is updated without notice and changes can take effect immediately. Additionally, the 50 Percent Rule extends prohibitions to entities 50% or more owned by a sanctioned party, even if that entity does not appear on the list by name.
UN Security Council Consolidated List
Maintained by the UN Security Council's 1267/1988/1989 Al-Qaida Sanctions Committee and other subsidiary bodies. Unlike domestic sanctions, the UN list is legally binding on all 193 UN member states. Coverage includes terrorism financing (Al-Qaida, Taliban, ISIL/Da'esh), weapons proliferation, and country-specific programs.
UN sanctions form the floor of global sanctions compliance: most national regimes implement them as a minimum. However, they are often narrower in scope than OFAC or EU lists. Do not treat UN list screening as a substitute for domestic regime screening.
EU Consolidated Sanctions List (CFSP)
Published under the EU's Common Foreign and Security Policy. The EU consolidated list covers all sanctioned individuals and entities across all EU sanctions programs, currently over 2,000 programs active as of early 2026, with Russia-related measures (EU Regulation 833/2014 and related Council Decisions) representing the largest expansion in the list's history.
EU sanctions apply to EU persons and entities, transactions in EUR, and activities within EU territory. Post-Brexit, UK sanctions diverge from EU sanctions in important ways, particularly regarding Russia, requiring separate screening. EU sanctions are published in the Official Journal of the EU and take effect on the date of publication.
UK Consolidated Sanctions List (OFSI)
Administered by the Office of Financial Sanctions Implementation (OFSI) at HM Treasury. Since Brexit, the UK has developed its own independent sanctions regime under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA). While the UK retained most pre-Brexit EU designations, new UK sanctions (particularly Russia-related) now diverge from EU measures.
OFSI has significantly increased enforcement activity since 2022, issuing monetary penalties under a "strict civil liability" standard: knowledge or intent is not required. UK-regulated firms and those processing GBP transactions must screen against the UK consolidated list as a distinct regime, not as a proxy for EU sanctions.
Coverage gap risk: Screening against only one list, even OFAC, leaves material exposure. Each regime designates different individuals and entities. A Russian oligarch may appear on the UK list but not on OFAC's SDN, or vice versa. Full multi-regime coverage is the baseline expectation from regulators.
Additional Sanctions Regimes to Consider
For firms with multi-jurisdictional operations, the four major regimes above are not exhaustive. The following additional lists are required or expected depending on your institution's footprint:
Additional Sanctions Lists
- OFAC Sectoral Sanctions Identifications (SSI) List: Targets specific sectors of the Russian economy (energy, finance, defense) rather than individuals; broader in scope than the SDN for Russia-related transactions
- Canadian OSFI and SEMA lists: Required for Canadian-regulated entities; expanded significantly post-2022 on Russia
- Australian DFAT Consolidated List: Required for Australian-regulated entities; administered under the Autonomous Sanctions Act 2011
- Swiss SECO List: Switzerland is not an EU member and maintains its own sanctions regime, important for Swiss-regulated banks and their correspondent relationships
- INTERPOL Red Notices and Diffusions: Not legally binding but material for risk-based KYC and adverse media screening
- World Bank / Multilateral Development Bank debarment lists: Relevant for project finance, development lending, and government-related entities
Screening Frequency
Sanctions lists are not static. OFAC updates the SDN list on average three to four times per week, and critical additions (in response to geopolitical events) can occur at any time. A customer who was clean at onboarding may be designated tomorrow.
| Customer / Transaction Type | Minimum Frequency | Best Practice |
|---|---|---|
| New customer onboarding | At point of onboarding | Real-time at onboarding |
| Existing low-risk customers | Quarterly rescreening | Monthly or on list updates |
| Existing high-risk / PEP customers | Monthly rescreening | Daily or real-time monitoring |
| Wire transfers and payments | Per transaction | Real-time, pre-execution |
| Correspondent bank relationships | Quarterly | Monthly + on SWIFT updates |
| Beneficial owners (identified during CDD) | At CDD completion | Continuous, tied to customer profile |
Practical note: "Rescreening existing customers against updated lists" is an explicit expectation in OFAC guidance and UK OFSI supervisory findings. Institutions that onboarded customers before a designation and failed to rescreen are not protected from liability. The question regulators ask is: did you have a process that would have caught this designation when it happened?
False Positive Management
False positives (legitimate customers who share names, birth dates, or other data points with sanctioned individuals) are the biggest operational challenge in sanctions screening. In practice, the vast majority of hits (often 95-99%) are false positives. Poorly managed, they create compliance fatigue, where analysts begin approving matches without adequate review.
False Positive Workflow
- Automated pre-filtering: Use fuzzy matching algorithms that score matches by name similarity, date of birth, nationality, and address; a score below a defined threshold should auto-dismiss, reducing analyst volume
- Defined escalation thresholds: Set minimum match scores that require human review. Document these thresholds and the rationale for setting them; regulators will ask
- Structured disposition process: Every hit, true or false, must be dispositioned with a written record: who reviewed it, what data was used to confirm or dismiss, and the outcome
- Disambiguation data collection: Collect additional data (DOB, nationality, address, passport number) at onboarding to accelerate false positive resolution
- Ongoing false positive rate monitoring: Track your false positive rate over time. A sudden increase may indicate a list update or data quality problem; a sudden decrease may indicate screening coverage gaps
- Do not remediate "alert fatigue" by loosening thresholds: Raising dismissal thresholds to reduce analyst workload is a red flag for regulators. Address volume through technology and data quality, not by accepting more risk
The False Positive Resolution Workflow
When a screening hit requires manual review, follow a documented, consistent process:
1. Capture the hit: Record the match score, matched fields, list source, and timestamp. This creates the starting point of your audit trail.
2. Compare identifying attributes: Cross-reference DOB, nationality, passport number, address, and any aliases. Multiple matching fields increase the probability of a true match.
3. Obtain additional information if needed: Request clarifying documentation from the customer if the hit cannot be resolved with existing data. Document what was requested and received.
4. Make a written determination: State clearly: "This is / is not a match." Document the basis: which fields matched, which didn't, and what additional evidence was considered.
5. Escalate true matches immediately: If a true match is identified, freeze assets or block the transaction immediately, and file a report with the relevant authority (OFAC, OFSI, etc.) within the required timeframe.
Audit Trail Requirements
Your sanctions screening program is only as defensible as your documentation. In any enforcement action or supervisory examination, regulators will demand evidence that screening actually occurred, not just that you had a policy requiring it.
What Your Audit Trail Must Contain
- Date and time of each screening: Timestamped records for every screen run, including automated rescreening events
- List versions screened against: Document which version of each sanctions list was in effect at the time of screening, by list version number or publication date
- Screening parameters used: Name, DOB, nationality, and any other fields submitted; fuzzy matching threshold applied
- All hits generated: Complete record of every match returned, regardless of match score; do not suppress hits before recording them
- Disposition of each hit: The outcome (false positive, true match, escalated), the analyst who reviewed it, and the written rationale
- Escalation records: For true matches: who was notified, when, what action was taken, and any reports filed with authorities
- Retention period: Minimum 5 years; OFAC specifically recommends 5 years from the date of the transaction or last business activity
Common enforcement finding: "We screened but didn't keep records" is not a defense. OFAC and OFSI both assess penalties based partly on whether the institution had an adequate compliance program, and records are a key indicator. No records = no program.
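The pre-filtering and threshold routing from the false positive workflow, combined with the audit record fields listed above, as an added example (not part of the original guide and not Veridact's code). The list entries are constructed, and the weights, the 0.75 threshold, and all function and field names are assumptions chosen for illustration.

```python
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed sample data; not taken from any real sanctions list.
SAMPLE_LIST = {
    "source": "EXAMPLE-LIST", "version": "2026-01-15",
    "entries": [
        {"id": "X-001", "name": "Ivan Petrovich Sidorov",
         "dob": "1970-03-12", "nationality": "RU"},
        {"id": "X-002", "name": "Maria Gonzales Ruiz",
         "dob": "1985-11-02", "nationality": "VE"},
    ],
}
REVIEW_THRESHOLD = 0.75                       # assumed value
WEIGHTS = {"dob": 0.2, "nationality": 0.1}    # assumed; name carries 0.7

def normalize(name):
    """Lowercase and sort tokens so 'Surname, Given' equals 'Given Surname'."""
    return " ".join(sorted(name.lower().replace(",", " ").split()))

def score(subject, entry):
    """Weighted similarity over the fields both records actually have."""
    name_sim = SequenceMatcher(None, normalize(subject["name"]),
                               normalize(entry["name"])).ratio()
    total, weight = 0.7 * name_sim, 0.7
    for field, w in WEIGHTS.items():
        # A missing field is neutral: it must not drag a name match
        # below the threshold and get it auto-dismissed.
        if subject.get(field) and entry.get(field):
            total += w * (subject[field] == entry[field])
            weight += w
    return round(total / weight, 3)

def screen(subject, sanctions_list=SAMPLE_LIST, threshold=REVIEW_THRESHOLD):
    """Return one audit record holding every hit, whatever its score."""
    hits = []
    for entry in sanctions_list["entries"]:
        s = score(subject, entry)
        hits.append({"entry_id": entry["id"], "score": s,
                     "routing": "human_review" if s >= threshold
                                else "auto_dismissed",
                     "reviewed_by": None, "rationale": None})
    return {"screened_at": datetime.now(timezone.utc).isoformat(),
            "list_source": sanctions_list["source"],
            "list_version": sanctions_list["version"],
            "parameters": dict(subject), "threshold": threshold,
            "hits": hits}
```

The `reviewed_by` and `rationale` fields stay empty until an analyst writes the disposition; auto-dismissed hits remain in the record rather than being dropped.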
Building a Defensible Sanctions Compliance Program
Regulators assess sanctions compliance programs using a five-pillar framework (OFAC's 2019 framework): management commitment, risk assessment, internal controls, testing and auditing, and training. Screening is one component of internal controls; it doesn't stand alone.
The institutions that receive the lowest penalties in enforcement actions are those with documented risk assessments, written policies and procedures, regular testing of screening tools, and evidence of a genuine compliance culture, not just a checkbox screening system.
Veridact automates the screening and documentation components: real-time screening across 29 global databases, automatic hit capture, structured false positive disposition, timestamped audit logs, and PDF reports ready for regulatory examination. What takes a compliance team hours of manual work takes Veridact seconds, with a complete audit trail built in.