
Sanctions Screening Best Practices: Reduce False Positives and Stay Compliant

CirclesCheck Team

Sanctions screening is one of the most critical components of any anti-money laundering (AML) compliance programme. Every business that touches financial transactions -- whether you are a bank, fintech, payment processor, or cryptocurrency exchange -- must verify that customers, counterparties, and beneficial owners do not appear on global sanctions lists. Getting it wrong can mean millions in fines, criminal prosecution, and lasting reputational harm.

This guide covers the sanctions landscape, the most common screening pitfalls, and the practical steps your compliance team can take to reduce false positives while staying on the right side of regulators.

The Global Sanctions Landscape

Sanctions are restrictions imposed by governments and international bodies to limit dealings with designated individuals, entities, and countries. Compliance teams need to screen against multiple overlapping lists, each with its own structure and update cadence.

OFAC (United States)

The U.S. Office of Foreign Assets Control maintains several key lists:

  • SDN List (Specially Designated Nationals): Individuals and companies owned or controlled by, or acting on behalf of, sanctioned countries, as well as terrorists and narcotics traffickers. Assets must be blocked and transactions prohibited.
  • SSI List (Sectoral Sanctions Identifications): Targets specific sectors of the Russian economy. Restrictions are narrower than SDN but still carry heavy penalties.
  • Consolidated Sanctions List: A single download combining SDN, SSI, and other OFAC programmes for easier screening.

OFAC enforcement follows a strict liability standard -- you can be penalised even without intent or knowledge of the violation.

UN Security Council

UN sanctions resolutions are binding on all 193 member states. The UN Consolidated List covers individuals and entities subject to asset freezes, travel bans, and arms embargoes. While the list is smaller than OFAC's, non-compliance can trigger national-level enforcement.

EU Consolidated List

The European Union maintains its own consolidated list of persons, groups, and entities subject to EU financial sanctions. Since Brexit, this list diverges from the UK list, meaning businesses operating across both jurisdictions must screen against each independently.

UK OFSI (Office of Financial Sanctions Implementation)

HM Treasury's OFSI enforces UK financial sanctions. The UK sanctions list was initially seeded from the EU list but has since evolved with its own designations, particularly around Russia and Belarus. OFSI has the power to impose monetary penalties of up to GBP 1 million or 50% of the estimated value of the breach.

Country-Specific and Regional Lists

Beyond the major lists above, compliance teams may also need to screen against lists from Australia (DFAT), Canada (OSFI), South Africa (FIC), and others depending on their operational footprint. Politically Exposed Persons (PEP) lists add another layer, covering government officials and their associates who pose elevated corruption risk.

Why Sanctions Screening Matters

The consequences of inadequate sanctions screening are severe and multi-dimensional.

Financial penalties are substantial. OFAC has imposed fines exceeding USD 1 billion in a single case. Even smaller violations routinely result in penalties in the hundreds of thousands. EU and UK regulators have followed suit with increasingly aggressive enforcement.

Criminal liability is not theoretical. Individuals who knowingly facilitate sanctioned transactions can face prison sentences. Senior compliance officers have been personally charged when screening failures are traced to negligence.

Reputational damage may outlast the fine itself. Enforcement actions are public. Correspondent banking relationships can be severed, and customers lose trust. For fintechs and startups, a single sanctions failure can be existential.

Common Pitfalls in Sanctions Screening

Name Variations and Transliteration

Sanctioned individuals often have names that can be transliterated from Arabic, Cyrillic, Chinese, or other scripts in multiple ways. "Mohammed" can appear as "Muhammad," "Mohamed," "Mohamad," or dozens of other variants. A simple exact-match search will miss these. Aliases, nicknames, and maiden names add further complexity.

Partial Matches and Common Names

Names like "Ali Hassan" or "John Smith" appear frequently in any customer base. Without intelligent matching, these common names generate enormous volumes of false positives that overwhelm compliance analysts, leading to alert fatigue and, eventually, genuine matches being overlooked.

Outdated Lists

Sanctions lists are updated frequently -- OFAC publishes changes multiple times per week. Screening against a list that is even a few days old creates a window of exposure. Some organisations still rely on monthly or quarterly list refreshes, which is wholly inadequate given the pace of designations.

One-Time Screening Only

Screening a customer once at onboarding and never again is a common but dangerous practice. Individuals and entities can be designated at any point after they become your customer. Without ongoing rescreening, you could be transacting with a sanctioned party for months or years without knowing.

Best Practices for Effective Sanctions Screening

Use Fuzzy Matching Algorithms

Exact-match screening is insufficient. Effective screening engines employ multiple fuzzy matching techniques in combination:

  • Trigram similarity (pg_trgm): Breaks names into three-character sequences and compares overlap. Highly effective for catching misspellings and minor transliteration differences.
  • Levenshtein distance: Measures the minimum number of single-character edits needed to transform one string into another. Good for detecting typos and small variations.
  • Phonetic matching (Soundex, Metaphone): Groups names that sound alike regardless of spelling. Useful for catching transliteration variants that look different but sound identical.

The best results come from combining these techniques and tuning them per use case.

Screen at Onboarding AND on an Ongoing Basis

Implement screening at two levels:

  • Real-time screening at customer onboarding, before any transaction is processed. This is your first line of defence.
  • Batch rescreening on a regular cadence (daily or on every list update) across your entire customer base. This catches newly designated individuals among your existing customers.

Both are necessary. Real-time alone misses post-onboarding designations. Batch alone creates a gap between customer onboarding and the first screen.

Maintain Complete Audit Trails

Regulators do not just want to know that you screen -- they want to see proof. Every screening event should be logged with:

  • The input data (name, date of birth, country)
  • The lists screened against and their version or date
  • All matches returned, including scores
  • The disposition decision (true match, false positive, escalated)
  • Who made the decision and when

A complete audit trail transforms a regulatory examination from a crisis into a routine exercise.

Set Appropriate Matching Thresholds

Matching thresholds control the sensitivity of your screening. Set the threshold too low and you drown in false positives. Set it too high and you risk missing genuine matches.

There is no universal "correct" threshold. The right setting depends on your risk appetite, customer base, and the lists you are screening against. Start with a moderate threshold (typically 75-85% similarity), review a sample of results, and adjust. Different customer segments may warrant different thresholds -- a high-risk jurisdiction warrants a lower (more sensitive) threshold.
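The fuzzy matching and threshold sections above, illustrated with an added example that is not CirclesCheck code: it normalises names, scores them with pg_trgm-style trigram similarity and a Levenshtein-based similarity, and applies a threshold. The watchlist entries are constructed, and the function names and the rule of taking the higher of the two scores are assumptions made for illustration.

```python
import unicodedata

# Constructed watchlist entries for illustration; not taken from any real list.
WATCHLIST = ["Mohammed Hassan", "Aleksandr Petrov", "Jon Smyth"]

def normalise(name):
    """Lowercase, strip diacritics and punctuation, sort tokens (order-insensitive)."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in plain.lower())
    return " ".join(sorted(cleaned.split()))

def trigrams(text):
    """pg_trgm-style trigrams: each word gets two leading spaces and one trailing."""
    grams = set()
    for word in text.split():
        padded = "  " + word + " "
        grams.update(padded[i:i + 3] for i in range(len(padded) - 2))
    return grams

def trigram_similarity(a, b):
    ta, tb = trigrams(a), trigrams(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def levenshtein(a, b):
    """Minimum single-character edits, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def edit_similarity(a, b):
    longest = max(len(a), len(b))
    return 1.0 - levenshtein(a, b) / longest if longest else 1.0

def score(a, b):
    """Assumed combination rule: take the higher of the two similarities."""
    na, nb = normalise(a), normalise(b)
    return max(trigram_similarity(na, nb), edit_similarity(na, nb))

def screen(customer, watchlist, threshold):
    """Return (entry, score) pairs at or above the threshold, best first."""
    scored = [(entry, score(customer, entry)) for entry in watchlist]
    return sorted(((e, round(s, 2)) for e, s in scored if s >= threshold),
                  key=lambda hit: -hit[1])

if __name__ == "__main__":
    for name in ("Mohamed Hasan", "Petrov, Aleksandr", "John Smith"):
        print(name, screen(name, WATCHLIST, 0.75), screen(name, WATCHLIST, 0.85))
```

In this sample, "John Smith" scores 0.8 against the constructed entry "Jon Smyth", so it raises an alert at a 0.75 threshold but not at 0.85, which is the trade-off the threshold setting controls.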

Implement a Risk-Based Approach

Not every customer or transaction carries the same sanctions risk. A risk-based approach means:

  • Applying enhanced screening (lower thresholds, additional lists, manual review) to higher-risk customers, jurisdictions, and transaction types.
  • Allowing streamlined screening for lower-risk scenarios where the probability of a sanctions nexus is minimal.
  • Documenting your risk assessment methodology so regulators can evaluate its adequacy.

This is not about cutting corners. It is about directing your compliance resources where they have the greatest impact.

API Integration Patterns

Modern sanctions screening should be embedded directly into your operational workflows through API integration rather than treated as an offline, manual process.

Real-Time Screening at Onboarding

Integrate a screening API call into your customer onboarding flow. When a user submits their identity information, the API checks the name (and optionally date of birth and country) against all relevant lists and returns results in milliseconds. If there is a potential match, the onboarding flow pauses and the case is routed to a compliance analyst for review.

Batch Rescreening

Schedule a nightly or list-update-triggered batch job that submits your entire customer base for rescreening. The API processes thousands of names in minutes and returns only new or changed matches, so your team reviews only incremental alerts rather than re-adjudicating the entire portfolio.

Webhook Notifications for List Updates

Subscribe to webhook events that fire whenever the underlying sanctions lists are updated. This allows your system to trigger an immediate rescreening cycle rather than waiting for the next scheduled batch, closing the window between a new designation and your detection of it.

How CirclesCheck Reduces False Positives

CirclesCheck was built specifically to solve the false positive problem that plagues most sanctions screening tools.

  • 250+ sanctions and PEP lists, updated daily through automated ingestion pipelines. You screen against OFAC, UN, EU, UK OFSI, and dozens of country-specific lists in a single API call.
  • pg_trgm fuzzy matching at the database level, combining trigram similarity with normalisation for transliteration, diacritics, and name-order variations. This catches real matches that simpler engines miss while filtering out noise.
  • Configurable matching thresholds per API key, so you can tune sensitivity to your risk profile. High-risk onboarding flows can use a lower threshold; low-risk batch rescreens can use a higher one.
  • Sub-200ms response times for real-time screening, fast enough to embed directly in onboarding flows without degrading user experience.
  • Complete audit trail for every screening event, including input data, match scores, list versions, and disposition history -- ready for regulator review at any time.

Frequently Asked Questions

How often should we update our sanctions lists?

At minimum, daily. OFAC alone publishes updates multiple times per week, and newly designated individuals can begin transacting immediately. CirclesCheck ingests list updates daily through automated pipelines, so your screening is always current without manual intervention.

What matching threshold should we use?

There is no one-size-fits-all answer. A threshold of 80% similarity is a reasonable starting point for most use cases. Lower it (e.g., 70-75%) for high-risk jurisdictions or customer segments, and raise it (e.g., 85-90%) for low-risk batch rescreening where you want to minimise analyst workload. Review a sample of results periodically and adjust based on your false positive and false negative rates.

Do we need to screen existing customers, or only new ones?

Both. Regulatory guidance from OFAC, the FCA, and other authorities is clear: screening must be ongoing. A customer who was clean at onboarding can be designated at any time. Batch rescreening your entire customer base on a regular cadence -- ideally daily or on every list update -- is a compliance requirement, not an optional enhancement.

Can we rely on a single sanctions list?

No. Different jurisdictions maintain independent lists, and a person may be designated on one list but not another. If your business operates internationally or processes cross-border transactions, you must screen against all lists relevant to the jurisdictions you touch. A consolidated screening solution that covers OFAC, UN, EU, UK, and regional lists in a single query eliminates the risk of gaps.
