Introduction
This guide will assist in-house counsel and private practice lawyers with the creation of sanctions screening that complies with the requirements of the US Anti-Money Laundering Act of 2020, Division F of the William M (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (AMLA).
This guide sets out key issues to address and points to consider when preparing to create and implement this type of compliance program.
This guide covers:
- Understanding the AMLA
- US Office of Foreign Assets Control (OFAC) sanctions
- Core elements of an OFAC sanctions compliance program
- Regulatory expectations for sanctions screenings
- Sanctions screening: challenges and control considerations
- Fitting sanctions screening into a sanctions compliance program
Measures relating to US sanctions are primarily set out in the AMLA and related regulations. They apply to financial institutions including banks, credit unions, and other organizations whose business involves handling and transmitting money.
This guide may be read in conjunction with How-to guides: How to assess your organization for money laundering and terrorist financing risk, How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern, How to identify suspicious activity and make a Suspicious Activity Report (SAR) and How to identify relevant sanctions regimes and deal with conflicting obligations.
Section 1 – Understanding the AMLA
The AMLA was enacted on January 1, 2020 as Division F of the Defense Authorization Act for Fiscal Year 2021. The overarching purpose of the AMLA is to allow for more effective efforts in combating financial crimes and countering the financing of terrorism, and to ‘reinforce that the anti-money laundering and countering the financing of terrorism policies, procedures, and controls of financial institutions shall be risk-based.’ See, 31 USC section 5311 note. To achieve this purpose, provisions in the AMLA increase penalties for violations of the Bank Secrecy Act of 1970 (BSA) and AMLA, enhance whistleblower protections, and expand both subpoena power and the definition of ‘financial institutions.’
The AMLA reporting requirements may apply to financial institutions, as well as corporations, limited liability companies (LLCs), and other entities that are now required to file reports regarding their beneficial ownership with the US Department of Treasury. The AMLA also expands the definition of a ‘financial institution’ to include businesses that could potentially be used for money laundering purposes including some small businesses as well as ‘dealers in antiquities.’ A dealer in antiquities is defined as a person engaged in the trade of antiquities, including advisors, consultants, or any other person engaged in the business of soliciting or selling antiquities. Examples of ‘other businesses’ that may be covered by the broad scope of the AMLA include:
- insurance companies;
- travel agencies;
- pawnbrokers;
- casinos with revenues over $1 million;
- dealers in precious metals, stones, or jewels; and
- non-bank lending companies.
There is also a catch-all provision that allows the Secretary of the Treasury to issue regulations to define businesses engaged in similar business activities, or those businesses whose cash transactions ‘have a high degree of usefulness in criminal, tax, or regulatory matters.’ The broadened scope of financial institutions complicates due diligence efforts for those now required to report.
1.1 Increased penalties for BSA and anti-money laundering (AML)
The AMLA added two new criminal BSA violations for customers intentionally deceiving or withholding information from financial institutions. Customers that conceal, falsify, or misrepresent material facts regarding the source of assets utilized in a financial transaction with a value of at least $1 million may be deemed to be engaged in an intentionally deceiving action. It is critical that the personnel monitoring the compliance program are knowledgeable about these new violations, and that the organization updates its sanctions screening and due diligence processes and systems to ensure adherence to the new requirements.
See How-to guides: How to assess your organization for money laundering and terrorist financing risk and How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern.
1.1.1 Misrepresentation of material facts
AMLA section 6313, codified at 31 USC section 5335, adds two new offenses. First, this section makes it a crime to misrepresent a material fact to a financial institution concerning the ownership of assets involved in a monetary transaction if the owner of the assets is a senior foreign political figure (or a close associate or a member of the immediate family of such a senior foreign political figure), and the value of the assets involved is at least $1 million.
Second, section 6313 makes it a criminal offense to engage in similar conduct concerning the sources of funds in any transaction that the US Treasury Secretary finds is a ‘primary laundering concern.’
Violations of either of these prohibitions are punishable by up to 10 years in prison, or a maximum fine of $1 million. Additionally, any funds obtained from the crime may have to be forfeited by the organization.
Compliance programs must implement risk-based processes to identify potentially risky transactions and entities based upon the organization’s risk profile, products, services, customers, and locations. Organizations should also designate and train personnel who can effectively identify and accurately report these transactions in accordance with the law.
1.1.2 Increased penalties for repeat and egregious BSA violators
An egregious civil violation is defined as one committed willfully and that facilitated money laundering or the financing of terrorism. BSA offenders who have engaged in ‘egregious conduct’ may be required to pay an additional civil penalty of three times the profit made (or the loss avoided, whichever is greater) as a result of egregious conduct, or twice the otherwise applicable maximum penalty. See, 31 USC section 5321(f). Those who commit egregious violations will be barred from serving on the board of directors of a United States financial institution for 10 years after their conviction or entry of judgment.
As part of their sanctions screening and due diligence programs, organizations should implement internal policies, procedures, and processes for complying with the BSA and AML requirements. Organizations should provide their personnel with comprehensive training on the various forms of money laundering (ML) and terrorist financing (TF), as well as how to detect and avoid the risk of sanctions.
See: How to appoint a Bank Secrecy Act (BSA) compliance officer and How to monitor Bank Secrecy Act (BSA) compliance.
A person – defined as an individual, a business entity, a trustee, or a representative of an estate – convicted of a violation of the BSA may be subject to increased penalties, including fines equal to the amount of the profit gained by that person attributable to the offense, in addition to any other applicable fine. See, 31 USC section 5322(e). Therefore, organizations should utilize IT systems, trained personnel, and other processes and procedures as tools that can identify violative conduct.
Further, organizations should provide training on the consequences, for individuals and for the organization, that could result from the commission of egregious violations. Provide training to personnel at various levels of the organization, including staff, management, and governors (such as the board of directors). Such training should be ongoing to ensure that all personnel stay current on requirements.
1.2 Enhanced whistleblower program
The BSA has traditionally authorized payments to reward certain whistleblowers who provide original information leading to government collection of fines, civil penalties, or forfeitures due to violations of BSA transaction reporting requirements or the AML provisions of the BSA. See, 31 USC section 5323. Payments to whistleblowers were previously capped at $150,000 and were paid at the discretion of the US Department of Treasury. However, the AMLA has changed this policy by narrowing the government’s discretion to pay an award but has increased the potential amount of whistleblower awards to up to 30% of the government’s collection if the monetary sanctions imposed exceed $1 million. See, 31 USC section 5323.
In deciding the amount of the award, the government considers the significance of the information provided by the whistleblower, the degree of assistance provided, and the appetite of the Treasury Department for deterring violations. The AMLA does not set a minimum reward ‘floor,’ so the Treasury Department retains its discretion to continue to award only nominal payments. The payee has no right of appeal for such a reward.
Under new AML provisions, the definition of whistleblower now also includes individuals who have an obligation to report violations as a part of their professional role at an organization. As whistleblowers are often former or current employees, the AMLA adopted protection provisions that prohibit employers from retaliating against whistleblowers. Employers may not discharge, demote, threaten, or harass employees who provide information relating to ML and BSA violations to the authorities. See, 31 USC section 5323(a)(2).
Internal whistleblowers who report suspected wrongdoing to their employer are also afforded protection under the AMLA. See, 31 USC section 5323(g). However, this subsection applies only to employers identified as ‘insured institutions’ under the Federal Deposit Insurance Corporation (FDIC) and Federal Credit Union Act (FCUA). This means that it applies to banks and credit unions.
On August 1, 2024, the Department of Justice (DOJ) launched the Corporate Whistleblower Awards Pilot Program, a three-year initiative offering financial rewards to incentivize whistleblowers to report corporate misconduct. Under this program, individuals can receive monetary awards for providing original and truthful information about criminal misconduct, provided it isn't covered by other federal whistleblower programs, falls within certain subject areas, and leads to successful asset forfeiture exceeding $1 million.
The program supplements existing whistleblower avenues and focuses on four key areas: financial institution violations not covered by the Financial Crimes Enforcement Network (FinCEN), corporate foreign corruption not covered by the SEC, domestic corruption involving bribes to public officials, and federal healthcare offenses not covered by the False Claims Act. Whistleblowers are encouraged to report misconduct internally first, with a 120-day window to report to the DOJ to qualify for rewards.
The program also addresses whistleblower treatment, urging individuals to report company retaliation. The DOJ will consider retaliation when determining cooperation credit and evaluating compliance programs and may bring charges against companies obstructing whistleblower reporting.
The DOJ has temporarily amended its Voluntary Self-Disclosure Policy. Companies that receive internal whistleblower reports may qualify for a ‘presumption of a declination’ if they make self-disclosure to the DOJ within 120 days, and provide full cooperation and remediation.
Considering the broadened whistleblower definition and increased sanctions, organizations should empower compliance and auditing personnel to report potential BSA and AML violations, even against the organization itself. Although reporting violations internally could lead to corrective measures being taken voluntarily, it is important to draft an internal reporting policy in a manner that does not discourage, or even appear to discourage, reporting violations to the appropriate regulatory authorities. A compliance program must also include written policies that state explicitly that no one who reports violations to government agencies will face retaliation from the organization or individual employees. There should be a means for reporting retaliation. The implementation of confidential reporting options that protect the anonymity of reporting parties should be considered, if feasible.
1.3 Expanded subpoena authority regarding foreign banks
The AMLA expands the government’s subpoena power vis-à-vis foreign bank accounts. Previously, the US Department of Justice or Treasury Department could issue a subpoena to foreign banks holding correspondent accounts in the United States for ‘records related to such correspondent account[s].’ A correspondent account is an account established by a US financial institution on behalf of a non-US bank so that the non-US bank may conduct business in the United States without maintaining a physical presence there. The AMLA now authorizes the government to subpoena records relating to correspondent accounts or ‘any account at the foreign bank’ that is the subject of a BSA and AML investigation, a civil forfeiture action, or any federal criminal investigation. See, AMLA 2020 section 6308.
Foreign banks are now required to authenticate requested records. If a bank fails to comply with the subpoena, the government may assess civil penalties against it of up to $50,000 per day of non-compliance. The government may also seek a court order to compel the foreign bank to appear and produce records.
Organizations should be familiar with the new rules regarding the government’s subpoena authority, and their compliance programs should account for the fact that the AMLA amendments may lead to more enforcement. Prosecutors can now more easily obtain and use records related to correspondent accounts and are likely to evaluate whether and to what extent an organization maintains policies, communications, and training that emphasize the importance of compliance. Thus, organizations should ensure that they have effective risk-based processes and training regarding customer due diligence, identifying illicit activity, and reporting.
1.4 Modernization of regime to account for emerging finance channels
The AMLA includes a wide range of additional measures. Financial institutions should be aware of all of these measures as they may have significant effects on the financial industry.
For instance, the AMLA amends the BSA to state that parties who transmit or exchange value that serves as a substitute for currency (eg, cryptocurrency) are now subject to BSA registration and compliance requirements.
One new measure is the designation of the US Department of Treasury to lead a study on whether dollar thresholds for currency transaction reports (CTRs) and suspicious activity reports (SARs) should be adjusted.
Organizations should evaluate whether these changes impact their institution’s status and CTR and SARs obligations, as the new AMLA provisions may require organizations to significantly increase the breadth of their due diligence and screening policies. Organizations should assess their existing approaches to reporting transactions and suspicious activity with consideration to their products, services, and customers.
See How-to guide: How to identify suspicious activity and make a Suspicious Activity Report (SAR).
1.5 Reporting companies
Many entities defined as financial institutions are required by the laws regulating them to make reports to the applicable regulatory authority regarding their ownership. Examples include banks and broker-dealers. Under the AMLA, ‘reporting companies’ are generally defined as companies, including foreign entities, that are registered to do business in the United States. Notably, the AMLA creates a requirement that reporting companies disclose information regarding their beneficial owners (ie, those who directly or indirectly ‘exercise substantial control’ over the entity, or those who own or control more than 25% of the ownership interest of such entities). Organizations should create and maintain written processes reasonably designed to identify and verify beneficial owners and should include these processes in their compliance program.
Several types of businesses are exempt from the definition of ‘reporting company.’ See, 31 USC section 5336(a)(11)(B)(i)-(xxiii). Organizations must understand whether they are a reporting company that is exempt from, or bound by, the requirement to disclose beneficial owners. Exemptions primarily apply to larger companies, meaning that smaller organizations must be especially knowledgeable about their new beneficial owner reporting requirements. For organizations to which these requirements apply, it is important to conduct ongoing monitoring of any changes in customer beneficial ownership information, as these changes must be reported in a timely manner.
In addition, FinCEN has launched a non-public registry of beneficial owners based in part on the information supplied by financial institutions. See, 88 FR 88732.
Organizations must implement any necessary changes to their compliance policies and procedures well in advance of the effective dates of those changes to avoid potential disruptions to business operations.
Section 2 – US Office of Foreign Assets Control (OFAC) sanctions
The US Office of Foreign Assets Control (OFAC) is responsible for administering and enforcing economic and trade sanctions in accordance with US foreign policy and national security goals.
All US persons must comply with OFAC regulations. This includes all US citizens and permanent resident aliens, regardless of where they are located. It also applies to all persons and entities within the United States, and all US incorporated entities and their foreign branches. Certain programs, such as those imposing sanctions on Cuba and North Korea, state that all foreign subsidiaries owned or controlled by US companies must also comply. Some programs also require foreign persons in possession of goods with a US origin to comply.
OFAC imposes substantial fines for noncompliance across all industries. In 2024 it carried out 12 enforcement actions with settlements and penalties totaling $48.79 million. In 2023, OFAC levied more than $1.54 billion in fines against non-compliant companies. OFAC violations can also result in business restrictions as well as reputational damage.
2.1 Specially Designated National and Blocked Persons (SDN) list
The SDN List is published by OFAC and lists the individuals and companies that are owned or controlled by, or that are acting on behalf of, named countries targeted for sanctions. The list also names groups, individuals, and entities that have been designated under non-country-specific programs. The assets of SDNs are blocked and, generally, US persons are prohibited from dealing with them. A specific sanctions order may require that all dealings with a person on the SDN list cease immediately.
For example, President Biden’s Executive Order sanctioning some Russian nationals for interference with US elections states that ‘[a]ll property and interests in property that are in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person of the [designated] persons are blocked and may not be transferred, paid, exported, withdrawn, or otherwise dealt in.’ See, EO 14024. Therefore, it is imperative that organizations regularly review the SDN list.
Failures in sanctions screening have been a prominent feature in numerous OFAC penalty settlements, including those involving both financial and non-financial entities. To ensure compliance with OFAC requirements, organizations must conduct screenings of their transactions, customers, intermediaries, counterparties, supply chain, and financial and commercial documents.
Organizations should routinely update their sanctions screening software to include any changes to the SDN list and Sectoral Sanctions Identifications (SSI) list (which identifies persons operating in sectors of the Russian economy that are subject to sanctions under Executive Order 13662). Organizations should be sure to include any pertinent identifiers for sanctioned, designated, or blocked financial institutions. Organizations should also include any alternate spellings, prohibited parties, or countries, especially in cases where the organization conducts business in locations that frequently utilize the alternate spelling.
It is important to monitor for when sanctions are lifted as well as for any additions to the SDN list, both because lifted sanctions may present new business opportunities and to avoid spending resources monitoring individuals and entities that are no longer sanctioned. For example, on June 30, 2025 President Trump signed an Executive Order that terminated all prior sanctions on Syria. Concurrent with the Executive Order, OFAC removed 518 individuals and entities from the SDN List.
Section 3 – Core elements of an OFAC sanctions compliance program
Screening and due diligence are essential to an effective sanctions compliance program. According to OFAC, sanctions compliance programs should be based on, and should incorporate, at a minimum, five essential components:
- management commitment;
- risk assessment;
- internal controls;
- testing and auditing; and
- training.
3.1 Management commitment
The support of senior management (ie, senior leaders, executives, and the board of directors) is essential to the actual and perceived success of an organization’s sanctions compliance program. Accordingly, it is important to maintain effective management support through the provision of adequate resources to the compliance unit, and protection of the authority and autonomy of compliance personnel within the organization. Organizations should create procedures by which senior management can review and approve the organization’s sanctions compliance program, which will bolster the program’s legitimacy and help develop a culture of compliance internally.
The commitment of senior management to the compliance program is also crucial to the program’s success. Organizations should demonstrate their commitment by hiring high-quality senior leaders and personnel who have the experience and technical knowledge necessary to develop and comply with the sanctions compliance program. Organizations should create a line of direct reporting between the compliance program and senior management, including both routine and periodic meetings between them. Further, senior management should assess the organization’s risk profile and ensure the sanctions compliance program has the resources necessary to fit that profile, including IT, capital, and protocol for personnel to report violations without the fear of retaliation.
3.2 Risk assessment
OFAC recommends that organizations take a risk-based approach when designing or updating a sanctions compliance program. Organizations should routinely conduct a risk assessment for potential OFAC issues that the organization is likely to encounter. Currently, no specific time interval between risk assessments has been established as meeting the requirement of being ‘routine.’ Organizations should also conduct risk assessments and sanctions-related due diligence during mergers and acquisitions, especially those involving companies outside the United States.
While there is no uniform manner of assessing risk, an organization should engage in a comprehensive review of its customers, supply chains, products, services, and locations so that they may identify potential threats. Sanctions compliance programs should implement mechanisms that help reduce the possibility of a risk being ignored, minimized, or improperly handled. Failure to address a threat may result in sanctions or other negative impacts to the organization or its reputation. Thus, organizations should use the results of a risk assessment to further develop the policies, internal controls, procedures, and training requirements of the compliance program.
3.3 Internal controls
Organizations should create and maintain internal controls in their sanctions compliance program. Internal controls include policies and procedures to identify, intercept, escalate, report, and keep records related to potentially prohibited activity. OFAC does not provide any guidance as to what internal controls should be established, but it is likely that, at a minimum, the controls would include comparing the names and addresses of potential customers to the list of individuals on the sanctions lists.
Organizations should devise internal controls that clearly outline expectations, define processes and procedures pertaining to OFAC compliance, and reduce any risks identified during the course of the organization’s risk assessment process. Organizations should enforce internal controls and identify any weaknesses that exist using root-cause analysis of compliance breaches that have occurred. Internal controls should also be quickly adaptable to accommodate any changes made by OFAC.
3.4 Testing and auditing
It is critical that organizations know how their programs are performing and take action to enhance, update, and recalibrate their programs in accordance with any changes in a risk assessment or sanctions regime. Thus, organizations should implement a testing or audit procedure to identify any deficiencies or weaknesses in their compliance programs.
Organizations should employ testing and auditing procedures appropriate to the complexity of the organization’s sanctions compliance program. In addition, an organization’s testing and auditing procedures should conduct an objective and comprehensive examination of the organization’s internal controls and OFAC-related risk assessment. Whether testing and auditing is done internally or externally, once a deficiency or weakness is discovered, the organization must take corrective action by enhancing its program to remedy the compliance gaps.
3.5 Training
Implement an OFAC-related training program that is tailored to the organization’s risk profile, its products and services, stakeholders, and employees. The training program should provide employees and, where appropriate, stakeholders with the information and instruction necessary to support the compliance program. Organizations should further tailor their training program to any high-risk employees at the organization.
The frequency of the training should be based upon the organization’s risk profile and OFAC-related risk assessment. If you discover deficiencies or weaknesses through the course of testing and auditing, then provide additional training or take other appropriate corrective action with regard to any personnel involved. Finally, organizations should make sure that the materials and resources in their training programs are easily accessible to relevant personnel.
Section 4 – Regulatory expectations for sanctions screenings
4.1 OFAC frameworks
OFAC has not published detailed guidance regarding its expectations or requirements for sanctions screening programs. It has, however, published a brief guidance document relating to the management of ‘false hit lists.’ False hit lists contain individuals and entities with characteristics that trigger a match to one or more SDNs but, upon further review, are found not to be SDNs, blocked persons or entities, or are not affiliated with a geographic region or activity that is subject to OFAC sanctions.
Ensure you develop and utilize processes for the review, evaluation, and reassessment of the persons or entities included on false hit lists. Once an organization determines that it has received a false hit, the organization’s compliance team should be involved in administering and overseeing the lists. Update the lists as soon as false positives are located, and as often as necessary thereafter to incorporate changes made to sanctions lists.
4.2 New York Department of Financial Services (NYDFS) guidance
While OFAC has provided only limited guidance, the New York Department of Financial Services (NYDFS), the agency in charge of regulating financial institutions licensed by the state of New York, has taken a more proactive stance towards sanctions screening programs. NYDFS has set out specific requirements for these programs (3 NYCRR Part 504), including a requirement that boards of directors or senior officers certify compliance on an annual basis.
Under NYDFS guidance, organizations must maintain a sanctions screening program. The program must be designed to prevent transactions prohibited by OFAC. More specifically, the program must:
- be based on the organization’s risk assessment;
- be based on tools, technology, or processes for matching names and accounts according to the organization’s particular risks and its product and transaction profiles;
- include end-to-end testing of the filtering program (defined as a manual or automated program that is ‘reasonably designed for the purpose of interdicting transactions that are prohibited by OFAC’);
- be subject to ongoing analysis that can assess the reasoning for, and performance of, the mechanisms used to match names and accounts, in addition to the OFAC sanctions list and threshold settings; and
- include documentation that conveys the design and intent of the filtering program’s tools, technology, or processes.
Further, the screening program must include the following:
- identification of all data sources containing relevant data;
- validation of the accuracy, integrity, and quality of the data to confirm complete and accurate data flows;
- data extraction and loading processes that provide a complete and accurate data transfer;
- governance and management oversight, to include policies and procedures for changes to the filtering program;
- a description of the vendor selection process in cases where a third-party vendor is used for any aspect of the program;
- adequate funding for the design, implementation, and maintenance of a compliant program;
- qualified personnel or outside consultants who are responsible for the design and operation of the program; and
- periodic training of all stakeholders regarding the program.
The rules are binding only on institutions licensed in New York State, or that are regulated by the New York Department of Financial Services. Although not all US organizations are subject to these particular rules, the rules nonetheless provide a convenient benchmark to use when assessing whether a program is well designed and operating effectively.
Section 5 – Sanctions screening: challenges and control considerations
OFAC does not mandate a specific screening regimen. However, organizations should implement screening processes and procedures that fit their risk profile and compliance program. Organizations are not required to screen for weak aliases (AKAs). These are defined in Treasury Department guidance as a broad or generic alias used by targets or by others to refer to the target. The Treasury Department will generally not issue a civil penalty against a person or entity who processes a transaction with a weak AKA if the only sanctions reference in the transaction is a weak AKA, the person involved in the processing had no other reason to know that the transaction involved an SDN or was otherwise in violation of US law, and the person maintains a rigorous risk-based compliance program.
Organizations should maintain a thorough, risk-based sanctions compliance program to avoid being penalized by OFAC. Further, since weak AKAs can help identify potential matches with actual targets, organizations may use weak AKAs to determine the accuracy of a match that is based on other information.
As OFAC regulations do not require, but only encourage, a formal sanctions compliance program, an organization may face problems in program compliance if the organization maintains different lines of business, or a wide variety of affiliates, that operate in a manner that is, in effect, autonomous or ungoverned. Organizations should be aware that, if they utilize multiple teams that operate using different strategies, it will leave little room for uniformity in compliance, management, or review. This is important, as this type of disconnect has put many organizations in violation of OFAC, due to misinterpretations of its regulations and confusion surrounding its requirements.
Section 6 – Fitting sanctions screening into a sanctions compliance program
6.1 Governance and risk assessment
Sanctions lists should be used for screening, and organizations should apply more stringent screening criteria in higher-risk areas. The organization’s sanctions screening program should be aligned with the sanctions risks it has identified. As part of the risk assessment, organizations should pay particular attention to current ‘hot spots’ for sanctions risks. See, International Compliance and Risk Mitigation Heat Map (2024). OFAC also provides a list of its Sanctions Programs and Country Information which can help organizations zero in on risky geographic areas (eg Afghanistan, Russia, etc.) as well as operation types (eg cyber-related sanctions).
NYDFS, for instance, requires that screening programs address the links between the risk assessment and the configuration of the screening program. Organizations must use mechanisms to screen for potential sanctions exposure that are based on the risk assessment. Organizations should configure these mechanisms using a risk-based approach and must test them to make sure they provide results according to the specific risks identified. Organizations must also document any links between the identified risks and the configuration of the screening program.
6.2 Internal controls – due diligence
Whenever a new customer is onboarded, organizations must obtain and verify essential information relating to the customer’s identification. Essential information includes, for example, the customer’s name, any alternate names, address, and date of birth. The information for a business entity customer should include the registration number and jurisdiction of incorporation or organization. This information is useful during subsequent screening for sanctions, as it will aid the determination of whether a potential sanctions match is accurate.
Organizations should also be aware of the ultimate beneficial ownership (UBO) information for an entity. UBO information is important when determining whether a person or company is subject to sanctions restrictions because of their beneficial ownership of a sanctioned entity.
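As an added illustration, not part of this guide, the Python below applies the 50 Percent Rule (described with the PURE enforcement action in 6.3) to UBO data of the kind collected at onboarding. The ownership graph, party names and the `blocked_parties` and `blocked_share` helpers are constructed for this example; indirect ownership is counted the way OFAC’s published 50 Percent Rule guidance describes it, namely an intermediary’s stake counts only once the intermediary is itself blocked.

```python
from typing import Dict, Set

# owner -> {owned entity: percent held}. Constructed example; not real parties.
OWNERSHIP: Dict[str, Dict[str, float]] = {
    "Blocked Person X": {"Entity A": 50.0, "Entity C": 25.0},
    "Blocked Person Y": {"Entity B": 20.0},
    "Entity A": {"Entity B": 30.0},
    "Entity C": {"Entity D": 50.0},
    "Clean Investor": {"Entity A": 50.0, "Entity B": 50.0,
                       "Entity C": 75.0, "Entity D": 50.0},
}
# Parties that appear on the sanctions list itself (constructed).
LISTED: Set[str] = {"Blocked Person X", "Blocked Person Y"}


def blocked_parties(ownership: Dict[str, Dict[str, float]],
                    listed: Set[str]) -> Set[str]:
    """Return every party blocked under the 50 Percent Rule: a listed person,
    or an entity in which blocked parties together hold 50 percent or more.
    Iterates to a fixed point, so an entity found blocked in one pass can in
    turn block the entities it owns (indirect ownership). A stake held by an
    intermediary that is NOT itself blocked does not count: X holds 25% of
    Entity C and C holds 50% of Entity D, yet neither C nor D is blocked."""
    blocked = set(listed)
    while True:
        totals: Dict[str, float] = {}
        for owner, stakes in ownership.items():
            if owner in blocked:
                for entity, pct in stakes.items():
                    totals[entity] = totals.get(entity, 0.0) + pct
        newly = {e for e, pct in totals.items() if pct >= 50.0 and e not in blocked}
        if not newly:
            return blocked
        blocked |= newly


def blocked_share(entity: str, ownership: Dict[str, Dict[str, float]],
                  blocked: Set[str]) -> float:
    """Aggregate percent of `entity` held by blocked parties; this is the
    figure to record in the alert when onboarding screening flags a customer."""
    return sum(stakes.get(entity, 0.0)
               for owner, stakes in ownership.items() if owner in blocked)


if __name__ == "__main__":
    result = blocked_parties(OWNERSHIP, LISTED)
    for entity in ("Entity A", "Entity B", "Entity C", "Entity D"):
        print(entity, "blocked" if entity in result else "not blocked",
              blocked_share(entity, OWNERSHIP, result))
```

Entity B is blocked only because Entity A (50 percent held by X) is itself blocked, so its 30 percent counts alongside Y’s 20 percent.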
6.3 Internal controls – screening
An organization’s sanctions screening processes should implement various controls. First, determine whether all relevant information (see above) has been gathered, then evaluate the quality of the data. Typographical errors, non-standard inputs, blank values, and inconsistencies in structure can make effective sanctions screening difficult, if not impossible.
The second consideration is the proper configuration of the screening program. Sanctions screening can be performed against the data retained by the organization, or against individual transactions. Sanctions matching is usually based on name screening, which entails looking for a match between an entry on the sanctions list and an organization’s internal information. This comparison is often performed during due diligence on new customers. Name screening may produce both false positive and false negative matches, but the risk of false negatives – a failure to identify an actual match to a sanctioned party – is significantly greater than the risk of false positives. A common issue with name screening is that the screening tool only searches for exact matches and does not account for slight variations in the name.
Where possible, organizations should utilize screening technology, tools, and processes that can effectively perform name screening while reducing the likelihood of false negatives. For example, ‘fuzzy matching’ provides flexibility in the way an organization’s screening system matches names or terms. With fuzzy matching, variant spellings of a name can be treated as equivalent, especially where the person’s last name or date of birth is a perfect match.
If an organization utilizes fuzzy matching, it must be aware of the associated risks. Namely, if search criteria become too broad, there is an increased risk that matching will produce an unmanageable number of false positives. A large number of false positives, while perhaps not as damaging as a large number of false negatives, will nonetheless have a negative impact on the efficiency and effectiveness of the screening process. Thus, organizations should employ data analytics when using fuzzy matching, which may include sound (phonetic) methods, distance methods, statistical similarity methods, and hybrid methods.
OFAC publishes Civil Penalties and Enforcement Information that includes Enforcement Actions by Year. Gaining an understanding of the circumstances in which OFAC has issued sanctions should be a part of the sanctions due diligence process.
Examples
In June 2025, OFAC imposed on GVA Capital the statutory maximum civil monetary penalty of $215,988,868 for violating OFAC’s Ukraine-/Russia-related sanctions and for failing to comply with an OFAC subpoena. OFAC asserted that GVA Capital knowingly violated the sanctions, and further exacerbated the violation by a prolonged failure to produce responsive records, which led to 28 months of non-compliance with OFAC’s subpoena, resulting in 28 additional violations.
In December 2023, OFAC settled with Privilege Underwriters Reciprocal Exchange (PURE) for $466,200 for 39 apparent violations of OFAC's Ukraine-/Russia-Related sanctions. OFAC alleged that PURE failed to exercise due caution or care for its sanctions compliance obligations when it did not ensure that ownership information about a customer was incorporated into its sanctions screening program. The relevant sanctions were expanded and OFAC published guidance on the 50 Percent Rule (which states that entities are considered blocked if they are owned 50 percent or more (directly or indirectly) in the aggregate by one or more blocked persons). PURE, however, took no subsequent due diligence or other measures to identify this gap until receiving notice of a government inquiry in 2022.
In April 2023, Microsoft Corporation was fined $2,980,265.86 for the indirect export of services and software to sanctioned jurisdictions. The company’s violations were attributable to inadequate screening procedures that failed to identify blocked parties not specifically listed on the SDN List.
In July 2020, Amazon settled with OFAC for $134,523. In hundreds of instances, Amazon’s automated sanctions screening processes failed to flag correctly spelled names and addresses of persons on OFAC’s SDN List. Amazon’s screening processes for shipments did not flag orders with address fields that contained an address in ‘Yalta, Krimea’ for the term ‘Yalta,’ nor did it flag the variation of the spelling of ‘Crimea.’ According to OFAC, Amazon also failed to interdict or otherwise flag orders shipped to the Embassies of Iran located in third countries.
In November 2019, Apple settled with OFAC for $466,912. The company failed to identify that SIS, an app store developer, had been added to the SDN List, meaning the developer was blocked. Apple attributed this to the failure of its sanctions screening tool to properly match the uppercase name ‘SIS DOO,’ as entered into Apple’s system, with the lowercase name ‘SIS d.o.o.,’ as the name appeared on the SDN List. The acronym ‘d.o.o.’ is a standard corporate suffix used in Slovenia to identify a limited liability company.
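As an added example, not code from this guide or from any screening vendor, the Python below shows the data-quality and matching controls discussed in 6.3 against the failure modes in the Amazon and Apple examples above: an exact-string comparison misses ‘SIS DOO’ against ‘SIS d.o.o.’ and ‘Krimea’ against ‘Crimea’, while normalizing case, accents, punctuation, corporate suffixes and known place-name variants before applying a similarity threshold catches both, and still raises a lower-scored alert for a misspelt entity name. The suffix and place-variant tables, the sample list entries, the 0.85 threshold and the `normalize`, `exact_only` and `screen` functions are all constructed for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Corporate-form suffixes whose case and punctuation differ between source
# systems and the SDN List ('SIS DOO' vs 'SIS d.o.o.'). Constructed, not exhaustive.
CORPORATE_SUFFIXES = {"doo", "llc", "ltd", "inc", "gmbh", "sa", "ag", "plc"}
# Transliteration variants of place names ('Krimea' vs 'Crimea'). Constructed.
PLACE_VARIANTS = {"krimea": "crimea", "krim": "crimea"}


def normalize(text: str) -> str:
    """Case-fold, strip accents and punctuation, drop corporate suffixes and map
    known place-name variants, so trivial differences cannot hide a true match."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    tokens = re.sub(r"[^\w\s]", "", text.casefold()).split()  # 'd.o.o.' -> 'doo'
    tokens = [PLACE_VARIANTS.get(t, t) for t in tokens if t not in CORPORATE_SUFFIXES]
    return " ".join(tokens)


def exact_only(name: str, sdn_names: list[str]) -> list[str]:
    """The weak control the guide warns about: raw equality, no normalization."""
    return [sdn for sdn in sdn_names if name == sdn]


def screen(name: str, sdn_names: list[str],
           threshold: float = 0.85) -> list[tuple[str, float, str]]:
    """Return (sdn_name, score, kind) alerts for every entry whose normalized
    similarity ratio meets the threshold. kind is 'exact' (equal after
    normalization) or 'fuzzy'; fuzzy alerts go to manual review (6.4), and a
    lower threshold widens the net at the cost of more false positives."""
    norm = normalize(name)
    alerts = []
    for sdn in sdn_names:
        sdn_norm = normalize(sdn)
        score = SequenceMatcher(None, norm, sdn_norm).ratio()
        if score >= threshold:
            alerts.append((sdn, round(score, 3), "exact" if norm == sdn_norm else "fuzzy"))
    return sorted(alerts, key=lambda a: -a[1])


# Constructed sample list entries; not real SDN List data.
SAMPLE_SDN = ["SIS d.o.o.", "Yalta, Crimea", "Example Trading Company"]

if __name__ == "__main__":
    for record in ["SIS DOO", "Yalta, Krimea", "Example Trading Kompani", "Unrelated Holdings"]:
        print(record, "->", exact_only(record, SAMPLE_SDN), screen(record, SAMPLE_SDN))
```

Note that stripping the suffix leaves ‘sis’ as a three-letter key, which is exactly the kind of short normalized name for which fuzzy thresholds produce many false positives, so such hits should be corroborated with the other onboarding data described in 6.2.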
6.4 Internal controls – investigation
The third consideration for an organization with regard to its sanctions screening program is the process by which potential sanctions violations are evaluated. After the screening process identifies potential violations, organizations must deploy appropriate personnel trained to conduct a manual investigation, in order to determine if there is an actual match. If the manual review shows that alerts are repeatedly closed as non-matches, the repeated false matches should be incorporated in a separate list that prevents the names that generated them from triggering alerts in the future. Whenever the relevant sanctions lists change, that list of suppressed matches should be reviewed.
Investigate and review screening programs periodically. Perform an investigation if manual reviews show that false matches are a recurring problem, as opposed to an occasional glitch in the system. Investigation or review should also be done when new lines of business are offered, or when a customer is, or will be, doing business in or with a country that the organization has not dealt with previously.
An investigation into a sanctions screening program should include the following:
- a review of the due diligence that was performed and included during the screening process;
- a review of the specific data that is subject to screening, as well as its field mapping;
- an independent assessment of the current configuration of the screening program in a test environment to compare it to the data that the screening tool is supposed to uncover; and
- a comparative analysis of search terms run through the existing screening tool against a sanctions search engine to verify whether any likely matches were missed.
6.5 Auditing
Organizations should consider three areas of focus with regard to the evaluation of the auditing element of their sanctions compliance program. The first is the determination of whether the configuration of automated screening tools is directly connected to the sanctions risk assessment. The second area involves conducting an independent evaluation of the software configuration, as well as the results achieved. Organizations may conduct this evaluation by outsourcing to another party who will re-scan existing transactions and customers to determine if similar results are obtained. Third, the organization must be able to gain and retain control over the outsourcing of any elements of the screening process.
6.6 Training
Organizations should consider two key areas of focus when evaluating the training element of their sanctions compliance program as it pertains to screening. The first is to determine whether those who manage the screening process have undergone specialized training in topics such as techniques used to evade sanctions, data analytic methods used for fuzzy matching, and basic language or cultural training to understand the ways that names and punctuation may differ between and within different countries and regions. The second is to incorporate the information acquired during the match process for potential sanctions into the broader sanctions training provided to the organization’s personnel.
Additional Resources
AMLA 2020, Division F of the William M (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, PL 116-283
Federal Financial Institutions Examination Council, BSA/AML Manual
Federal Financial Institutions Examination Council, Assessing Compliance with BSA Regulatory Requirements
US Department of the Treasury, Clarification on Specially Designated Nationals Alias Screening
US Department of the Treasury, A Framework for OFAC Compliance Commitments
Financial Action Task Force, Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers
US Department of the Treasury, Proposed Rule – Beneficial Ownership Information Reporting Requirements
Financial Crimes Enforcement Network, Statement on the Issuance of the Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) National Priorities
International Compliance and Risk Mitigation Heat Map (2024)
Related LexologyPro content
How-to guides:
How to assess your organization for money laundering and terrorist financing risk
How to monitor Bank Secrecy Act (BSA) compliance
How to appoint a Bank Secrecy Act (BSA) compliance officer
How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern
How to identify suspicious activity and make a Suspicious Activity Report (SAR)
How to identify relevant sanctions regimes and deal with conflicting obligations
Checklists:
Being prepared for a visit by a financial regulator
Currency transaction reporting requirements
Initial response to a report of suspicious activity
Screening employees for roles in AML compliance
Staff awareness and training to prevent money laundering and terrorist financing