
OFAC Sanctions Screening Best Practices
Why single-list screening is no longer sufficient — and how multi-list, multi-algorithm screening programs catch what basic systems miss.
Screening Is Not a Checkbox — It's an Architecture
The Office of Foreign Assets Control (OFAC) administers and enforces economic sanctions against targeted foreign countries, regimes, terrorists, narcotics traffickers, and proliferators of weapons of mass destruction. OFAC compliance is not limited to financial institutions — it applies to all US persons and entities, including defense contractors, educational institutions, healthcare organizations, and any business engaging with foreign nationals.
Yet most organizations screen against a single list — typically the SDN list — and call it compliance. This approach misses sanctioned entities on the BIS Entity List, EU sanctions targets, UK OFSI designations, DDTC debarred parties, and a dozen other restricted party lists that OFAC expects you to monitor.
Worse, basic exact-match screening misses name variations, transliterations, and aliases that sophisticated sanctions targets deliberately use to evade detection. OFAC applies strict liability — if you should have caught a match and didn't, the penalty is the same whether the failure was negligent or intentional.
Why Single-List Screening Fails
Organizations that screen only against the OFAC SDN list are operating with significant blind spots. Here's what a single-list approach misses — and why OFAC considers it inadequate.
BIS Entity List Entities Are Not on the SDN List
The Bureau of Industry and Security maintains a separate Entity List of organizations subject to export restrictions under the EAR. An entity can be on the BIS list (requiring export licenses for even basic technology) without appearing on the SDN list. SDN-only screening would clear them for access to your facility.
EU and UK Sanctions Diverge from US Lists
Post-Brexit, the EU and UK maintain independent sanctions regimes. Entities sanctioned by the EU may not appear on OFAC lists, and vice versa. If your organization operates globally — or hosts visitors from EU/UK-sanctioned jurisdictions — US-only screening creates compliance gaps in your international obligations.
Exact-Match Screening Misses Name Variations
Sanctioned individuals routinely use transliterated names, aliases, and spelling variations to evade detection. “Mohammed” has 30+ English transliterations. Russian Cyrillic names have multiple romanization standards. Chinese names vary in Pinyin, Wade-Giles, and regional dialect spellings. An exact-match system catches none of these variations.
Ownership Structures Are Not Captured by Name Matching
Under the OFAC 50% Rule, an entity is blocked if 50% or more is owned — directly or indirectly — by one or more SDN-listed persons. These entities do not appear on any sanctions list by name. Only ownership graph analysis can identify them. If you are screening names only, you are missing an entire category of sanctioned entities.
Strict Liability Means No Excuses
OFAC enforcement applies strict liability. “We only screened one list” or “our system doesn't do fuzzy matching” are not defenses. OFAC expects organizations to maintain screening programs commensurate with their risk profile — and for any organization hosting foreign nationals, that means multi-list, multi-algorithm screening.
19+ Sanctions Lists You Should Be Screening
A comprehensive sanctions screening program covers multiple government sources across jurisdictions. Here are the primary lists and why each matters.
| List | Source | Description | Priority |
|---|---|---|---|
| OFAC SDN | US Treasury | Specially Designated Nationals and Blocked Persons. The primary US sanctions list — 18,000+ entries covering individuals, entities, vessels, and aircraft. | Required |
| OFAC SSI | US Treasury | Sectoral Sanctions Identifications. Targets specific sectors of sanctioned economies (financial, energy, defense). | Required |
| BIS Entity List | Commerce Dept | Entities subject to specific export license requirements under the Export Administration Regulations (EAR). Critical for dual-use technology. | Required |
| BIS Denied Persons | Commerce Dept | Individuals and entities denied export privileges. Any transaction involving a denied person is prohibited. | Required |
| DDTC Debarred | State Dept | Parties debarred from participating in defense trade under ITAR. Directly relevant to defense contractors. | Required |
| UK Sanctions (OFSI) | HM Treasury | UK consolidated sanctions list maintained by the Office of Financial Sanctions Implementation. | Required |
| EU FSF | European Union | EU Financial Sanctions Facility — consolidated list of EU sanctions targets across all EU sanctions regimes. | Required |
| UN Consolidated | UN Security Council | UN Security Council sanctions committees consolidated list. Foundation for many national sanctions programs. | Required |
| FBI Most Wanted | FBI | Terrorism, kidnapping, and fugitive lists. Catches individuals who may not appear on financial sanctions lists. | Recommended |
| INTERPOL Red Notices | INTERPOL | International wanted persons. Critical for organizations with global visitor programs. | Recommended |
| SAM Exclusions | GSA | Government contractor exclusions from SAM.gov. Required for organizations with federal contracts. | Recommended |
| LEIE | HHS OIG | List of Excluded Individuals/Entities from federal healthcare programs. Required for healthcare-adjacent organizations. | Recommended |
Additional lists include UFLPA, World Bank Debarment, IADB Sanctions, French DGT, Federal Reserve Enforcement, Singapore MAS Enforcement, and BIS Unverified List.
The Science of Name Resolution
Exact-match screening catches perhaps 60% of true matches. The remaining 40% require fuzzy matching algorithms that account for transliterations, misspellings, aliases, and name reordering. A production-grade screening system uses multiple algorithms in parallel and combines their outputs into a composite confidence score.
The challenge is balancing sensitivity (catching true matches) against specificity (avoiding false positives). Too sensitive and compliance teams drown in false alerts. Too specific and true sanctions hits slip through.
Exact Match
Character-for-character comparison after normalization. Fastest and highest confidence — catches direct hits.
Normalized Exact
Matches after removing company suffixes (Inc., Ltd., GmbH, LLC) and standardizing formatting. Catches corporate name variations.
Jaro-Winkler
Optimized for name-length strings. Excellent at catching transpositions, missing characters, and common misspellings. Early-exit at 0.95+ for high-confidence matches.
Levenshtein
Edit distance algorithm. Catches typos by measuring the minimum number of single-character edits needed to transform one string into another.
Double Metaphone
Phonetic matching that generates pronunciation codes. Catches transliterations across alphabets — critical for Arabic, Cyrillic, and CJK romanizations.
Trigram
Breaks names into 3-character substrings and measures overlap. Effective for partial matches and name reordering (first/last swap).
Composite Score Threshold
The weighted composite of all six algorithms produces a score from 0 to 1. For sanctions screening, a threshold of 0.80 balances sensitivity and specificity. Scores above 0.90 are flagged as HIGH confidence. Scores between 0.80 and 0.89 are MEDIUM confidence and require human review.
Early-Exit Optimization
When Jaro-Winkler alone produces a score above 0.95, the system exits early with HIGH confidence — no need to run all six algorithms. This optimization keeps screening latency under 800ms per entity while maintaining accuracy for the 99% of checks that are clear non-matches.
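The scoring flow described in this section, as an added example (not SecurePoint USA's code): it implements four of the six stages (exact, normalized exact, Jaro-Winkler, Levenshtein) and leaves out Double Metaphone and trigram. The weights, the treatment of a score of exactly 0.90, and the function names are assumptions, and the names screened are constructed.

```python
from itertools import takewhile
import unicodedata

SUFFIXES = {"inc", "ltd", "gmbh", "llc"}  # the suffixes the page names
W_JW, W_LEV = 0.6, 0.4  # assumed weights; the page does not publish any

def normalize(name):  # casefold, strip accents/punctuation, drop suffixes
    text = unicodedata.normalize("NFKD", name).casefold()
    text = "".join(c if c.isalnum() else " " for c in text
                   if not unicodedata.combining(c))
    return " ".join(t for t in text.split() if t not in SUFFIXES)

def jaro_winkler(a, b, p=0.1):
    window = max(max(len(a), len(b)) // 2 - 1, 0)
    hit_a, hit_b = [False] * len(a), [False] * len(b)
    for i, ch in enumerate(a):  # greedy matching inside the window
        for j in range(max(0, i - window), min(len(b), i + window + 1)):
            if not hit_b[j] and b[j] == ch:
                hit_a[i] = hit_b[j] = True
                break
    m = sum(hit_a)
    if m == 0:
        return 0.0
    seq_a = [c for c, h in zip(a, hit_a) if h]
    seq_b = [c for c, h in zip(b, hit_b) if h]
    t = sum(x != y for x, y in zip(seq_a, seq_b)) / 2  # transpositions
    jaro = (m / len(a) + m / len(b) + (m - t) / m) / 3
    prefix = sum(1 for _ in takewhile(lambda xy: xy[0] == xy[1], zip(a[:4], b[:4])))
    return jaro + prefix * p * (1 - jaro)  # Winkler bonus for a shared prefix

def levenshtein_sim(a, b):
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return 1 - row[-1] / max(len(a), len(b), 1)

def screen(query, listed):
    q, l = normalize(query), normalize(listed)
    if not q or not l:
        raise ValueError("name is empty after normalization")
    if q == l:
        return 1.0, "HIGH"  # exact or normalized-exact hit
    jw = jaro_winkler(q, l)
    if jw > 0.95:
        return jw, "HIGH"  # early exit, remaining algorithms skipped
    score = W_JW * jw + W_LEV * levenshtein_sim(q, l)
    band = "HIGH" if score >= 0.90 else "MEDIUM" if score >= 0.80 else "CLEAR"
    return score, band  # assumption: exactly 0.90 counts as HIGH
```

With these assumed weights, "Mohammed" against "Mohamed" exits early as HIGH, while "Aleksandr Petrov" against "Alexander Petrov" lands in the MEDIUM band that goes to human review.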
The OFAC 50% Ownership Rule
Under OFAC guidance, any entity that is 50% or more owned — directly or indirectly — by one or more SDN-listed persons is itself blocked, even if the entity does not appear on any sanctions list by name. This is one of the most commonly missed compliance requirements.
Name-based screening alone cannot detect these entities. You need ownership graph analysis that traces beneficial ownership chains through corporate structures to calculate aggregate sanctioned ownership.
How Ownership Calculation Works
Identify the Entity
The visitor's company or affiliated organization is identified during pre-registration. Entity name is matched against corporate registries and sanctions databases.
Trace Ownership Chains
Ownership chains are traced up to 5 levels deep using data from Companies House (UK), SEC 13D filings (US), GLEIF relationship data, and OpenSanctions ownership graphs. Both direct and indirect ownership are calculated.
Calculate Aggregate Ownership
Ownership percentages from all SDN-linked owners are aggregated. If the total reaches 50% or more, the entity is blocked under the OFAC 50% Rule — even though it appears on no sanctions list by name.
Blocking Decision
Three triggers cause automatic blocking: OFAC 50% Rule (aggregate ownership ≥50%), BIS Affiliate Logic (subsidiary of denied party), or Direct Listing Match (entity appears on a sanctions list). All decisions are logged with the complete ownership chain for audit purposes.
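The aggregation step above, as an added example (not SecurePoint USA's code) over a constructed ownership graph; entity names, the data layout and the function name are assumptions. It applies the cascading reading from OFAC's published examples of indirect ownership: an intermediate owner that is itself 50% or more owned by blocked persons counts as blocked, and its whole stake is then aggregated rather than a pro-rata share. The BIS affiliate trigger is not modeled.

```python
MAX_DEPTH = 5  # the page traces ownership chains up to 5 levels deep

# Constructed sample data: entity -> [(owner, percent held)]
LISTED = {"SDN Person X", "SDN Person Y"}
OWNERS = {
    "HoldCo A": [("SDN Person X", 50), ("Clean Fund", 50)],
    "OpCo B": [("HoldCo A", 40), ("SDN Person Y", 10), ("Clean Fund", 50)],
    "OpCo C": [("HoldCo A", 50), ("Clean Fund", 50)],
    "MinorCo D": [("SDN Person X", 25), ("Clean Fund", 75)],
    "OpCo E": [("MinorCo D", 100)],
    "LoopCo F": [("LoopCo G", 60), ("Clean Fund", 40)],
    "LoopCo G": [("LoopCo F", 60), ("Clean Fund", 40)],
}

def evaluate(entity, owners=OWNERS, listed=LISTED, path=()):
    """Return (blocked, sanctioned_pct, evidence) for one entity."""
    if entity in listed:
        return True, 100.0, [f"{entity}: direct listing match"]
    if len(path) >= MAX_DEPTH or entity in path:
        return False, 0.0, []  # depth cap reached, or a circular holding
    total, evidence = 0.0, []
    for owner, pct in owners.get(entity, []):
        blocked, _, why = evaluate(owner, owners, listed, path + (entity,))
        if blocked:  # a blocked owner's whole stake counts, not a pro-rata share
            total += pct
            evidence.append(f"{entity}: {pct}% held by blocked owner {owner}")
            evidence.extend(why)
    return total >= 50, total, evidence
```

"OpCo C" is blocked here although a pro-rata calculation would give only 25%, and "OpCo E" is clear although its sole owner has an SDN shareholder. A trace cut off by the depth cap returns "not blocked", so a production system should flag truncated traces for review instead of clearing them.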
The Hidden Sanctions Exposure
Entities blocked under the 50% Rule are not listed on any public sanctions list. They can only be identified through ownership analysis. This means a visitor from a seemingly legitimate company could represent an SDN-linked entity — and your screening program must be able to detect this before granting facility access.
Adjudication Workflows That Scale
Screening produces matches. Adjudication determines what to do about them. A well-designed adjudication workflow resolves 85-90% of matches automatically while routing genuine ambiguity to human compliance officers with full context.
Automatic Disposition
Low-confidence matches (below auto-approve threshold) are automatically cleared. Very high-confidence matches against active sanctions programs are automatically blocked. This auto-disposition handles 85-90% of screening results, freeing compliance teams to focus on the cases that actually require human judgment.
Human-in-the-Loop Review
Cases in the ambiguous range are routed to compliance officers with full context: the original screening query, all matching algorithms and their individual scores, the matched list entries with program details, and AI-generated recommendations. The compliance officer makes the final decision — approve, deny, escalate, or approve with conditions. Every decision is logged with the reasoning, creating a defensible audit trail.
AI-Assisted Recommendations
AI analyzes match context — name similarity, program relevance, country associations, historical dispositions of similar cases — and generates a recommendation for the compliance officer. The AI recommendation and the human decision are both logged separately, creating transparency about whether AI influenced the outcome and whether the human overrode the recommendation.
Bulk Adjudication
For organizations processing high volumes of visitors or entities, bulk adjudication allows compliance officers to review and disposition multiple similar cases simultaneously. Common patterns (like a popular name that consistently matches a specific SDN entry for the wrong country) can be resolved in batch, reducing adjudication overhead without sacrificing audit quality.
Building Defensible Screening Evidence
When OFAC investigates, they don't just ask whether you screened. They ask how — what lists, what algorithms, what thresholds, and what the adjudication process looked like. Defensible evidence means documenting every step.
What OFAC Expects to See
- Which sanctions lists were screened and when they were last updated
- What matching algorithms were used and at what thresholds
- The complete screening result — not just pass/fail, but the match details
- Who made the adjudication decision and what reasoning they documented
- Whether AI recommendations were used and whether humans overrode them
- The complete audit trail from screening through disposition — immutable and tamper-evident
- Evidence that screening occurs at multiple points (pre-registration and check-in)
- Record retention meeting or exceeding 5-year requirements
Evidence Pack Generation
A compliance-ready screening system generates evidence packs on demand — complete case files that include entity identity, screening parameters, all match results with scores, adjudication decisions with reasoning, and the full audit trail. Evidence packs should be exportable in multiple formats (PDF for regulators, CSV for analysis, JSON for system integration) and signed with tamper-evident hashing.
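One way to build the tamper-evident audit trail that the list and the evidence-pack paragraph above call for, as an added example (not SecurePoint USA's implementation). The record fields, the function names and the choice of SHA-256 are assumptions, and the sample records are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def digest(prev_hash, seq, record):
    """Hash one entry together with the hash of the entry before it."""
    body = json.dumps({"seq": seq, "record": record}, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, record):
    """Append a record to the chain and return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "record": record,
                "hash": digest(prev, seq, record)})
    return log[-1]["hash"]

def verify(log, trusted_head):
    """Return None if intact, else the index where verification fails."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != digest(prev, i, entry["record"]):
            return i
        prev = entry["hash"]
    # The head must match a copy kept outside the log writer's control;
    # otherwise truncation or a full re-hash of the chain goes unnoticed.
    return None if prev == trusted_head else len(log)

def sample_log():
    """Constructed case: AI recommendation and human decision logged apart."""
    log = []
    append(log, {"event": "screen", "entity": "Example Visitor", "score": 0.87})
    append(log, {"event": "ai_recommendation", "value": "deny"})
    head = append(log, {"event": "human_decision", "value": "approve",
                        "reason": "different date of birth"})
    return log, head
```

The chain alone only proves internal consistency; the guarantee comes from storing or signing the head hash somewhere the log's writer cannot alter, such as inside the exported evidence pack.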
Screening Architecture Built for Compliance
19+ Sanctions Sources, Daily Sync
SecurePoint USA maintains a consolidated sanctions database covering OFAC SDN, OFAC SSI, BIS Entity List, BIS Denied Persons, DDTC Debarred, UK OFSI, EU FSF, UN Consolidated, FBI Most Wanted, INTERPOL Red Notices, SAM Exclusions, LEIE, and 7+ additional sources. Lists are synced daily using a smart-diff strategy that processes only changed records — keeping data fresh without overwhelming the database.
6-Algorithm Composite Fuzzy Matching
Every screening query runs six parallel matching algorithms — Exact, Normalized Exact, Jaro-Winkler, Levenshtein, Double Metaphone, and Trigram — producing a weighted composite score. Early-exit optimization on high-confidence matches keeps latency under 800ms per entity. Configurable thresholds let organizations balance sensitivity and specificity for their risk profile.
OFAC 50% Ownership Graph Analysis
Beyond name matching, SecurePoint USA traces beneficial ownership chains up to 5 levels deep using data from Companies House, SEC 13D filings, GLEIF relationship data, and OpenSanctions ownership graphs. Aggregate sanctioned ownership is calculated automatically, and entities exceeding the 50% threshold are blocked with the complete ownership chain documented for audit purposes.
Adverse Media & PEP Screening
Sanctions lists tell you who is designated today. Adverse media screening tells you who is about to be designated tomorrow. SecurePoint USA screens against DOJ enforcement actions, SEC fraud cases, FinCEN actions, FCA findings, and AI-powered news aggregation — with auto-disposition for low-confidence results and human escalation for validated findings.
Immutable Audit Trail & Evidence Packs
Every screening result, adjudication decision, AI recommendation, and human override is recorded in an append-only, cryptographically hashed audit log. Records cannot be edited, deleted, or backdated by anyone. Evidence packs are generated on demand in PDF, CSV, and JSON formats — ready for OFAC investigations, internal audits, or assessor review.
Sub-Second Screening at Scale
Parallel search architecture screens a single entity across all 19+ lists in 200-800ms. Bulk screening processes CSV uploads for high-volume pre-screening. Circuit breaker patterns ensure graceful degradation if any individual source is temporarily unavailable — screening continues against available lists while alerting the compliance team.
The Cost of Inadequate Screening
OFAC enforcement actions demonstrate that screening failures carry billion-dollar consequences. These are not edge cases — they represent systematic gaps in screening programs that could have been prevented.
BitPay
2021: Allowed persons in Cuba, North Korea, Iran, Sudan, and Syria to transact through its platform. Failed to screen customers against the SDN list.
Société Générale
2018: Processed transactions for sanctioned entities including Cuba, Iran, and Sudan through the US financial system. Multi-year compliance failures.
UniCredit Group
2019: Processed transactions through the US financial system on behalf of sanctioned entities in Iran, Cuba, Libya, Myanmar, and Sudan.
IMG Academy
2024: Provided sports training to persons from sanctioned jurisdictions without OFAC screening. Demonstrated that non-financial services trigger OFAC enforcement.
Standard Chartered
2019: Violated sanctions against Iran, Myanmar, and other sanctioned jurisdictions. Settlement included a deferred prosecution agreement.
ZTE Corporation
2017: Violated US sanctions by shipping telecommunications equipment to Iran and North Korea. Also violated the BIS Entity List restrictions.
Stop Screening Against One List and Calling It Compliance
OFAC applies strict liability. “We only checked the SDN list” is not a defense. Multi-list, multi-algorithm screening with ownership analysis and defensible adjudication is the standard OFAC expects.
SecurePoint USA screens against 19+ sanctions sources with 6-algorithm fuzzy matching, OFAC 50% ownership analysis, AI-assisted adjudication, and immutable audit trails — all in under one second per entity.
This whitepaper is provided for informational purposes. It does not constitute legal or compliance advice. Organizations should consult with qualified sanctions counsel and OFAC compliance professionals for guidance specific to their screening programs. © 2026 SecurePoint USA. All rights reserved.