Sanctions Screening in Third-Party Risk Management

Photo of author
Written By Chris Ekai

On November 21, 2023, OFAC announced a $968,618,825 settlement with Binance, the largest in the agency’s history, hours after chief executive Changpeng Zhao pleaded guilty in a Seattle courtroom. Across Treasury, DOJ, and CFTC, the package reached $4.3 billion.

Binance failed to screen its own customers, but the same statutes reach every US company’s suppliers, agents, banks, and freight forwarders, which is why sanctions screening now sits inside third-party risk management rather than in a compliance silo. Strict liability means intent is not the question; the transaction is.

Sanctions Screening in Third-Party Risk Management: Key Takeaways
Sanctions screening belongs at five points of the third-party lifecycle, not just onboarding: entity checks at intake, contract clauses, payment screening, logistics screening, and re-screening on every list change.
The enforcement range is wide open: OFAC’s 2024 docket totaled $48.8 million across 12 actions, while a single failure at Binance settled for $968.6 million in November 2023.
OFAC’s 50 percent rule blocks any company owned 50% or more by sanctioned parties, individually or in aggregate, even when the company itself appears on no list.
Screen six surfaces: legal entities and aliases, beneficial owners, geography, banks and payment routes, vessels and logistics, and change events such as M&A or new designations.
Coverage means more than the SDN list: sectoral lists, the BIS Entity List, the UFLPA Entity List, UK OFSI, and EU consolidated lists each restrict different dealings.
Expect 90-95% of screening alerts to be false positives (KPMG and LexisNexis benchmarks); alert tuning and independent testing are what OFAC’s compliance framework treats as governance duties.

The scope keeps moving. CNAS counted 1,764 persons added to the SDN list in 2025 alone, and OFAC extended its record-keeping requirement from five years to ten in March 2025, so a sanctions screening decision made this quarter has a decade-long audit tail.

Why Sanctions Screening Sits Inside Third-Party Risk Management

A supplier can pass every financial and security check and still be untouchable. When a counterparty lands on the SDN list, US persons must block its property and stop dealing the same day, and the obligation applies whether or not anyone in procurement reads Treasury press releases.

British American Tobacco paid $508 million in April 2023 over cigarette sales routed to North Korea through third-party intermediaries in Singapore. The scheme ran through the supply chain, and the case is the template for how regulators reach a parent company through its agents and distributors.

Run that exposure question through your own supplier master before filing it as a banking problem. Any US manufacturer buying components through Singapore, the UAE, or Turkiye is one intermediary away from the BAT fact pattern, because transshipment hubs are where evasion networks set up shop, and middlemen rarely volunteer their ownership.

What Sanctions Screening Covers Beyond the SDN List

Six surfaces need screening: legal entities with aliases and transliterations, beneficial owners, addresses and geography, banks and payment routes, vessels and logistics providers, and change events. Miss one and the other five carry the exposure, because designations attach to people, property, and routes at once.

Coverage also spans regimes. The BIS Entity List restricts exports rather than payments, the UFLPA Entity List creates an import presumption at US ports, and UK OFSI plus the EU consolidated list govern any transaction with a UK or EU nexus. One vendor can trip three regimes on one shipment.

The Enforcement Numbers Behind Sanctions Screening

Enforcement runs lumpy, and the lumps are enormous. OFAC’s 2024 docket totaled $48.8 million across 12 actions, while 2023 topped $1.5 billion on the back of Binance and British American Tobacco, and June 2025 brought a $215.99 million penalty against GVA Capital.

Sanctions Screening Penalties: Binance to GVA Capital

Sanctions Screening in Third-Party Risk Management

Figure 1. The sanctions screening scoreboard: a quiet 2024 docket, a record individual settlement, and a list that grew by 1,764 names in 2025.

Sanctions Screening in Third-Party Risk Management

Figure 2. One bad program outweighs a full enforcement year: Binance’s single settlement is twenty times OFAC’s entire 2024 total.

Averages mislead here. Planning around a $4 million median settlement ignores that the distribution has a $968 million tail, and the tail cases share one feature: screening that existed on paper while transactions flowed through gaps everyone had documented. A compliance risk assessment is where those gaps surface first.

Delisting never closes the exposure either. Property blocked while a party was designated stays reportable, the ten-year record rule reaches back through OFAC’s current enforcement docket, and auditors following audit risk assessment practice now sample third-party payment files for screening evidence.

The 50 Percent Rule in Sanctions Screening

Ownership math extends every list. Under OFAC’s 50 percent rule, any entity owned 50% or more by one or more sanctioned parties, counted in aggregate, is blocked automatically, even though it appears on no list anywhere. Your screening tool cannot match a name that is not published.

Ownership scenario Stake held by sanctioned parties Sanctions screening outcome
Supplier A One SDN holds 30% Not blocked by rule; escalate as high risk and document
Supplier B SDN One 30% + SDN Two 25% Blocked: aggregation reaches 55%
Sub-supplier C, owned 60% by Supplier B Indirect through a blocked parent Blocked: ownership flows down the chain
Agent D SDN divested to 49% last month Not blocked; OFAC warns on control, record the decision

Read scenario B twice, because aggregation is the trap most programs miss. Two unrelated designated shareholders holding 30% and 25% block the company even though neither stake crosses the line alone, and OFAC has never required the two SDNs to know each other. The arithmetic is the control, and it runs on ownership data your name-matching tool never sees.

The rule is why beneficial ownership data belongs in the supplier file. Registries, supplier performance risk management monitoring, and corporate-tree databases feed the calculation, and fourth-party risk management extends the same unwrap one tier further to the suppliers behind your suppliers.

Sanctions Screening Across the Third-Party Lifecycle

Screening once at onboarding answers yesterday’s list. The five lifecycle stages below each carry their own sanctions screening action, and the OCC’s June 2023 interagency guidance describes exactly this pattern for US banks: due diligence, contract terms, and ongoing monitoring as one loop.

Sanctions Screening in Third-Party Risk Management

Figure 3. Sanctions screening as a lifecycle control: five stages, each catching what the previous one cannot see yet.

Lifecycle stage Sanctions screening action Failure it prevents
Onboarding Screen entity, aliases, owners, directors against consolidated lists Contracting with a blocked party
Contracting Sanctions reps and warranties, termination and audit rights No exit when a counterparty is designated
Payments Screen banks, routes, currencies, and invoice parties Funds routed through a blocked bank
Delivery and logistics Screen forwarders, carriers, vessels, ports of call Cargo on a designated vessel
Ongoing monitoring Re-screen on list updates, ownership changes, M&A Yesterday’s clean supplier, today’s SDN

Contract language does quiet work at stage two. Sanctions representations, a termination-for-designation clause, and audit rights cost nothing at signature, then become the only clean exit when a counterparty is designated mid-contract with your deposits already paid and goods in transit.

Continuous Sanctions Screening: Triggers and Cadence

List updates arrive most weeks, so cadence is the control that decides everything downstream. Re-screen the full third-party master against every consolidated list update, re-run ownership checks quarterly for critical suppliers, and treat any counterparty M&A as an immediate trigger rather than a note for the annual review.

Wire the triggers into key risk indicators so breaches surface in governance reporting: days since last full re-screen, alerts aging past ten days, and match-rule versions in production. The calibration method in how to develop key risk indicators applies without modification, and how often risk assessments should run frames the floor.

Lists, Tools, and False Positives in Sanctions Screening

Every list restricts something different, and the table below is the coverage map. US exporters typically need the first four rows; anything with a UK or EU nexus adds the last two, and Wolfsberg Group guidance remains the standard reference for screening design.

List Authority What it restricts
SDN List OFAC, US Treasury Full blocking; property and interests, 50% rule applies
Sectoral lists (SSI, NS-MBS, CAPTA) OFAC, US Treasury Specific dealings such as debt, equity, or correspondent accounts
Entity List / Denied Persons BIS, US Commerce Exports, re-exports, and technology transfers
UFLPA Entity List DHS and CBP Import ban presumption tied to forced labor
UK Sanctions List OFSI, HM Treasury Dealings with a UK nexus
EU Consolidated List European Commission Dealings with an EU nexus

Tuning Sanctions Screening Alerts

KPMG and LexisNexis Risk Solutions benchmarks put false-positive rates between 90% and 95%, which means a team clearing 100 alerts a day spends nearly the whole day on noise. At five to twenty minutes per alert, tuning thresholds is a staffing decision disguised as a technical one.

Machine learning is entering the queue with regulator attention. A 2025 Federal Reserve staff paper tested large language models on screening decisions and found real promise alongside real error modes, and FATF keeps pressing jurisdictions on both effectiveness and explainability. Keep humans on the final block decision.

Governance That Keeps Sanctions Screening Defensible

When OFAC evaluates a violation, it scores the program behind it. The agency’s Framework for Compliance Commitments, published May 2019, names five expectations, and every settlement since reads as a case study in one of them failing. Map your program to the five rows before an examiner does.

OFAC pillar What the agency expects Evidence that satisfies it
Management commitment A named senior owner and a resourced program Board minutes, budget line, escalation path
Risk assessment Documented sanctions exposure by third party and geography Annual assessment tied to the register
Internal controls Screening at onboarding, payment, and change events System rules, workflow logs, block records
Testing and auditing Independent testing of match rules and list currency Audit reports and tuning change logs
Training Role-based training for procurement, AP, and logistics Completion logs mapped to roles

The register is where this becomes routine. Sanctions exposure earns its own rows among the key elements of a risk register, the risk appetite statement sets which geographies and ownership structures are simply declined, and compliance risk analysis keeps the scoring honest between audits.

Frequently Asked Questions About Sanctions Screening

What is sanctions screening in third-party risk management?

Sanctions screening is the control that checks suppliers, agents, banks, and logistics providers against government restriction lists before and during the relationship. In third-party risk management it runs at onboarding, contracting, payment, delivery, and monitoring, because liability is strict and designations change weekly.

What lists should sanctions screening cover?

Start with OFAC’s SDN and sectoral lists, add the BIS Entity List for anything exported, the UFLPA Entity List for imports, and the UK and EU consolidated lists when transactions have those nexuses. Screening only the SDN list leaves whole categories of restricted dealing unchecked.

How does the 50 percent rule affect sanctions screening?

Any company owned 50% or more by sanctioned parties, counted in aggregate, is blocked even though it appears on no published list. Sanctions screening therefore needs beneficial ownership data, not just name matching, and the ownership check has to re-run when stakes change.

How often should sanctions screening run?

Re-screen the full third-party master on every consolidated list update, which in practice means most weeks, and re-run ownership unwraps quarterly for critical suppliers. Counterparty M&A, a new bank, or a new shipping route each trigger an immediate re-screen inside the same week.

Who owns sanctions screening in a third-party risk program?

Compliance owns the method, lists, and match rules; procurement and accounts payable own execution at their gates; internal audit tests independently. OFAC’s compliance framework expects a named senior owner with budget, so the accountability question has a regulator-approved answer ready for the board.

How do you reduce false positives in sanctions screening?

Tune match thresholds against your own alert history, enrich supplier records with dates of birth, addresses, and registration numbers, and suppress recurring known-good matches with documented rationale. Benchmarks put false positives at 90-95%, so every point of precision recovered is measurable analyst time.

Pitfalls That Break Sanctions Screening in Third-Party Risk

Screening failures rarely announce themselves; they surface years later inside a subpoena, and by then the ten-year record rule guarantees the evidence exists, dated and discoverable. Each pitfall below pairs the root cause with a remedy that survives that timeline.

Pitfall Root cause Remedy
Onboarding-only screening Screening treated as a procurement gate Re-screen on every list update and change event
SDN-only coverage One list mistaken for the whole regime Map all six regimes to your transaction types
No ownership unwrap Tool matches names, not shareholders Beneficial ownership data plus the 50% rule check
Untuned match rules Vendor defaults left in production Quarterly tuning with documented change logs
Payments never screened AP assumed the bank screens Screen banks, routes, and invoice parties yourself
No audit trail Decisions cleared by email Case management with the ten-year record rule in mind

Sanctions Screening in 2026 and 2027: What Changes

Fragmentation is the working assumption now. The US, UK, and EU regimes drifted apart on Russia during 2025, secondary sanctions keep widening the net beyond US persons, and a supplier that is clean in one jurisdiction can be blocked in another, so screening logic has to carry the nexus question, not just the name.

The 2025 docket also went after networks instead of single names. OFAC’s actions leaned on evasion webs, front companies, and the service providers around them, which pulls enterprise supplier risk management and sanctions teams onto the same data: ownership trees, shared addresses, and shared bank accounts.

Screening tooling will keep absorbing AI, and the governance bar will rise with it. The Federal Reserve’s 2025 staff work signals that regulators are studying the same models vendors are selling, so expect examiners to ask how match rules were tested, versioned, and overridden, questions a better way to manage compliance risks already frames.

Binance remains the number that reset the ceiling. A $968 million settlement bought a five-year monitorship and a compliance rebuild under supervision, and a working sanctions screening program across the third-party lifecycle costs a rounding error against that outcome. Boards have been doing that division since 2023.

Infographic: The Six Surfaces of Sanctions Screening

Informational infographic on sanctions screening in third-party risk management showing six screening surfaces from entities and beneficial owners to vessels and change events

Figure 4. Sanctions screening on one page: six surfaces, five lifecycle stages, and a re-screening trigger list that replaces the calendar.

 

Strengthen Sanctions Screening with Risk Publishing

Risk Publishing helps US compliance and procurement teams build sanctions screening into third-party risk management, from list coverage mapping to the vendor risk mitigation clauses and TPRM platform selection behind it. See our services, or contact us if the answer to who screens your suppliers is currently a shrug.

Index