SecurePoint USA
SecurePoint USAEnterprise Compliance
Book Demo
Share
/Export Compliance

The Consolidated Screening List Is No Longer Enough

For years, compliance teams screened counterparties against the CSL and called it done. Ownership-based rules changed that. Here is what happened, what it means for your program, and what to do about it in the next 30 days.

What the CSL used to be

The Consolidated Screening List (CSL) aggregates multiple U.S. government export screening lists into a single searchable dataset: OFAC's SDN List, the BIS Entity List, the BIS Denied Persons List, Military End Users, DDTC debarments, and more.

For most of the last decade, running a name search against the CSL was considered adequate for denied-party screening. If the name wasn't on the list, you could proceed with reasonable confidence.

That is no longer a safe assumption.

What changed

Ownership-based rules mean a party can be restricted without ever appearing on a list by name:

  • OFAC 50% Rule (in force): Any entity 50%+ owned in aggregate by SDN-listed persons is blocked — even if the entity itself does not appear on the SDN list.
  • BIS “Affiliates Rule” (50% rule for export controls): published as an interim final rule in September 2025, it would extend Entity List / Military End-User restrictions to any foreign entity 50%+ owned by listed parties. It is currently suspended (stayed November 10, 2025 through November 9, 2026) and is scheduled to be reimposed on November 10, 2026 — verify its status before relying on it.

The critical implication: a published list will not name every restricted party. Subsidiaries, holding companies, and affiliates that are majority-owned by listed entities can be restricted under OFAC's rule today (and under the BIS rule if it returns as scheduled) while never appearing on any list. You cannot find them with name matching alone.

The compliance gap

If your screening program only matches names against published lists, you have a structural blind spot. The question is not only whether a counterparty's name appears on the CSL. It is whether anyone who owns the counterparty appears on the CSL.

What this means operationally

If you screen a vendor, supplier, or customer and get a clean result from the CSL, you still need to ask: who owns this entity? If the answer is "a holding company that is 60% owned by a firm tied to a listed party," your clean CSL result can be misleading.

This is not a theoretical problem. OFAC's own guidance is explicit that the 50% Rule reaches entities owned by blocked persons even when those entities are not themselves listed, and enforcement actions have turned on ownership relationships the screener missed. Verify the current SDN List and any settlement specifics against OFAC before relying on a particular case.

What to do in the next 30 days

You do not need to rebuild your compliance program from scratch. You need to add ownership-aware screening to what you already have. Here is a practical path:

  1. Week 1: Audit your current screening. Confirm what lists you screen against and whether your tool performs any ownership analysis. If it only does name matching, you have the gap.
  2. Week 2: Identify your highest-risk counterparties. Focus on vendors, suppliers, and partners in jurisdictions with complex corporate structures (BVI, Cayman, Panama, UAE, Cyprus). These are where indirect ownership is most likely.
  3. Week 3: Add ownership screening. Use a tool that performs recursive traversal across corporate ownership data, multiplies ownership percentages through each layer, and aggregates all paths from listed parties.
  4. Week 4: Document everything. When a regulator asks "what did you do?" the answer needs to be a specific, timestamped audit trail showing the entity you screened, the ownership chain you evaluated, and the disposition decision you made.

How SecurePoint approaches this

The SecurePoint Screening API runs ownership traversal on every screening call. It walks corporate ownership data hop by hop, multiplies percentages at each layer, flags potential BIS_AFFILIATE or OFAC_50_PERCENT matches for review, and returns the ownership chain as audit-ready evidence.

Shadow mode (the default) evaluates ownership without changing the screening decision — so you can see what the traversal finds before turning on enforcement. The system covers both rules with a single call, so you do not need separate tools for OFAC 50% and the BIS Affiliates Rule.

Go beyond name matching

See how the Screening API finds ownership relationships that don't appear on any published list.

Found this helpful? Share it with a colleague.

Visitor Compliance Checklist

  • ITAR/EAR and CMMC L2 requirements
  • Audit-ready evidence collection
  • AI assists, humans approve
Download PDF

Stay ahead of compliance changes

Get weekly insights on sanctions, export controls, and visitor compliance delivered to your inbox.

No spam. Unsubscribe anytime.

The Consolidated Screening List Is No Longer Enough | SecurePoint USA | SecurePoint USA