SecurePoint USA

The Consolidated Screening List Is No Longer Enough

For years, compliance teams screened counterparties against the CSL and called it done. The BIS 50% Rule and OFAC 50% Rule changed that. Here is what happened, what it means for your program, and what to do about it in the next 30 days.

What the CSL used to be

The Consolidated Screening List (CSL) aggregates multiple U.S. government export screening lists into a single searchable dataset: OFAC's SDN List, the BIS Entity List, the BIS Denied Persons List, Military End Users, DDTC debarments, and more.

For most of the last decade, running a name search against the CSL was considered adequate for denied-party screening. If the name wasn't on the list, you could proceed with reasonable confidence.

That is no longer true.

What changed

Two rules changed the game:

The critical implication: the CSL will no longer list every restricted party by name. Subsidiaries, holding companies, and affiliates that are majority-owned by listed entities are restricted, but they may never appear on any published list. You cannot find them with name matching.

The compliance gap

If your screening program only matches names against published lists, you have a structural blind spot. The question is not whether a counterparty's name appears on the CSL. The question is whether anyone who owns the counterparty appears on the CSL.

What this means operationally

If you screen a vendor, supplier, or customer and get a clean result from the CSL, you still need to ask: who owns this entity? If the answer is "a holding company in the Cayman Islands that is 60% owned by a firm on the BIS Entity List," your clean CSL result is meaningless.

This is not a theoretical problem. In February 2026, OFAC settled an enforcement action for $3.77 million against a company that failed to identify that its counterparty was majority-owned by an SDN-listed entity. The counterparty's name was not on any list. The ownership relationship was the violation.

What to do in the next 30 days

You do not need to rebuild your compliance program from scratch. You need to add ownership-aware screening to what you already have. Here is a practical path:

  1. Week 1: Audit your current screening. Confirm what lists you screen against and whether your tool performs any ownership analysis. If it only does name matching, you have the gap.
  2. Week 2: Identify your highest-risk counterparties. Focus on vendors, suppliers, and partners in jurisdictions with complex corporate structures (BVI, Cayman, Panama, UAE, Cyprus). These are where indirect ownership is most likely.
  3. Week 3: Add ownership screening. Use a tool that performs recursive graph traversal across corporate ownership data. The tool should multiply ownership percentages through each layer and aggregate all paths from sanctioned entities.
  4. Week 4: Document everything. When a regulator asks "what did you do?" the answer needs to be a specific, timestamped, immutable audit trail showing the entity you screened, the ownership chain you evaluated, and the disposition decision you made.

How SecurePoint approaches this

The SecurePoint Screening API runs ownership traversal automatically on every screening call. It walks up to 10 hops through corporate ownership data, multiplies percentages at each layer, classifies hits as BIS_AFFILIATE or OFAC_50_PERCENT, and returns the full ownership chain as audit-ready evidence.
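The traversal described in step 3 and in the paragraph above, as an added example that is not SecurePoint's code or API: it multiplies ownership fractions along each chain, sums every chain that ends at a listed owner, and keeps the chains as evidence. The graph, entity names, `screen` function and the 50-percent-or-more comparison are constructed assumptions; the 10-hop limit is the figure quoted on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: owned entity -> [(direct owner, fraction held)].
OWNERS = {
    "Vendor Ltd": [("Cayman Holdco", 0.9), ("Fund B", 0.1)],
    "Cayman Holdco": [("Listed Corp", 0.6), ("Founder", 0.4)],
    "Fund B": [("Listed Corp", 0.3), ("Vendor Ltd", 0.2)],  # circular holding
    "Clean GmbH": [("Founder", 1.0)],
}
LISTED = {"Listed Corp"}  # stand-in for names on a published list
MAX_HOPS = 10             # hop limit quoted on the page
THRESHOLD = 0.50          # assumption: 50 percent or more counts as a hit

@dataclass(frozen=True)
class Result:
    entity: str
    name_match: bool   # what name-only screening would report
    aggregate: float   # summed effective share held by listed owners
    chains: tuple      # ((path up to the listed owner, effective share), ...)
    hit: bool
    screened_at: str   # UTC timestamp for the audit record

def screen(entity, owners=OWNERS, listed=LISTED):
    chains = []

    def walk(node, share, path):
        if len(path) - 1 >= MAX_HOPS:      # hops already taken
            return
        for owner, fraction in owners.get(node, []):
            if owner in path:              # cycle guard for circular holdings
                continue
            effective = share * fraction   # multiply through each layer
            if owner in listed:            # stop here: chain ends at a listed party
                chains.append((tuple(path) + (owner,), effective))
            else:
                walk(owner, effective, path + [owner])

    walk(entity, 1.0, [entity])
    aggregate = round(sum(share for _, share in chains), 6)
    name_match = entity in listed
    return Result(entity, name_match, aggregate, tuple(chains),
                  name_match or aggregate >= THRESHOLD,
                  datetime.now(timezone.utc).isoformat())

if __name__ == "__main__":
    for name in ("Vendor Ltd", "Clean GmbH"):
        print(screen(name))
```

In the sample graph, "Vendor Ltd" has no name match, and neither chain alone decides the result; the hit comes from the aggregate of both chains back to the listed owner.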

Shadow mode (the default) evaluates ownership without affecting the screening decision — so you can see what the traversal finds before turning on enforcement. When you are ready, enforced mode blocks entities that exceed the 50% threshold and creates an immutable audit trail.

The system covers both rules with a single API call. You do not need separate tools for OFAC 50% and BIS 50%.

Go beyond name matching

See how the Screening API finds ownership relationships that don't appear on any published list.