
Sanctions Screening: OFAC, EU Lists and Compliance Best Practices

Complete guide to sanctions screening: OFAC SDN list, EU consolidated list, UN sanctions, FCA obligations, and best practices for businesses in 2026.

James Whitfield, Head of Compliance

Sanctions screening is the process of checking customers, transactions, and business partners against government-issued lists of designated persons, entities, and jurisdictions subject to economic restrictions. For UK-regulated firms, the Financial Conduct Authority (FCA) and HM Treasury's Office of Financial Sanctions Implementation (OFSI) require robust screening programmes as a core component of AML/CFT compliance. Failures attract civil penalties: in 2024–25, OFSI recorded 394 suspected sanctions breach cases and took 57 enforcement actions.

This guide explains how sanctions screening works, which lists to cover, regulatory obligations under UK and EU law, and the operational best practices that leading compliance teams apply in 2026.

What is sanctions screening?

Sanctions screening is the systematic verification of counterparties — clients, suppliers, payment beneficiaries — against official lists of individuals, entities, or countries subject to asset freezes, trade restrictions, or other prohibitive measures. It forms part of a broader AML/CFT programme alongside Know Your Customer (KYC) checks, transaction monitoring, and Suspicious Activity Reports (SARs).

As of 1 January 2026, Regulation (EU) 2023/1113 on information accompanying transfers of funds requires payment service providers to verify originator and beneficiary data against the EU consolidated sanctions list in real time. UK-equivalent obligations persist under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017), as amended post-Brexit.

Sanctions screening differs from PEP (Politically Exposed Person) screening: PEP checks flag individuals with prominent public roles who may pose higher corruption risks, whereas sanctions screening identifies parties subject to binding legal prohibitions. Both are required simultaneously at onboarding for high-risk sectors.

Key sanctions lists for UK-regulated businesses

| List | Issuing authority | Geographic scope | Update frequency |
|---|---|---|---|
| OFAC SDN List | U.S. Treasury / OFAC | Extraterritorial (USD & US persons) | Near-daily |
| EU Consolidated Sanctions List | Council of the EU | 27 EU member states | Variable, often weekly |
| UK Consolidated List | HM Treasury / OFSI | United Kingdom | Regular |
| UN Security Council List | UN Security Council | 193 UN member states | Per resolution |
| Other national lists | Varies by jurisdiction | Country-specific | Varies |

The UK Consolidated List, maintained by OFSI, contained over 3,000 designated persons and entities as of March 2026, with significant additions made following post-Brexit autonomous sanctions programmes under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA 2018).

Why is sanctions screening legally required?

For UK-regulated firms, sanctions screening obligations derive from several legislative sources.

The Money Laundering Regulations 2017 (MLRs 2017), as amended by the Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2019, require relevant persons to conduct customer due diligence that includes checking clients against sanctions and asset-freeze lists before entering business relationships.

The Sanctions and Anti-Money Laundering Act 2018 (SAMLA 2018) provides the legislative basis for post-Brexit UK sanctions regimes. Under SAMLA, it is a criminal offence to make funds or resources available, directly or indirectly, to a designated person without an OFSI licence.

Regulated sectors in the UK subject to sanctions screening obligations include banks, building societies, payment institutions, e-money institutions, investment firms, insurance undertakings, estate agents, accountants, law firms, and crypto-asset service providers under the FCA's registration regime.

Users on compliance forums and professional networks regularly raise a common operational concern: "How do we reduce the alert volume from false positives without missing genuine hits?" This is addressed in the best practices section below.

OFAC SDN List: extraterritorial reach and UK implications

The OFAC Specially Designated Nationals (SDN) List contains over 15,000 designations as of March 2026, covering individuals, legal entities, vessels, and aircraft. OFAC's jurisdiction extends to:

  • All U.S. persons worldwide;
  • All transactions conducted in U.S. dollars;
  • Any entity with U.S. nexus (U.S.-incorporated subsidiaries, correspondent banking relationships).

The OFAC 50% Rule states that any entity owned 50% or more by a sanctioned person is itself considered sanctioned, even if not explicitly listed on the SDN List. This rule makes ultimate beneficial ownership (UBO) analysis an integral part of effective screening.

For UK firms using U.S. dollar correspondent accounts, OFAC sanctions apply de facto to all USD-denominated payments. Violations attract penalties of up to $250,000 per transaction or twice the transaction value on a strict liability basis — no proof of intent required. OFAC civil enforcement actions exceeded $1 billion in 2023–24.

The EU Blocking Statute equivalent — maintained in UK law through the Protecting Against the Effects of the Extraterritorial Application of Third Country Legislation Order 2018 — limits UK entities' ability to comply with certain OFAC sanctions programmes targeting Cuba, Iran, and Libya. Legal advice is required when these conflicts arise.

EU Consolidated Sanctions List: post-Brexit obligations

Following Brexit, EU sanctions are no longer directly applicable in the UK. However, UK businesses with EU operations, subsidiaries, or clients must screen against the EU Consolidated Sanctions List maintained by the European External Action Service (EEAS). Failure to comply with EU sanctions in EU territories exposes UK-based parent companies to regulatory action across member states.

The EU Consolidated List is accessible via the EU Sanctions Map portal in XML and CSV formats for automated integration. Since February 2022, the EU has adopted 14 sanctions packages against Russia, adding over 2,200 persons and entities by March 2026.

The EU Anti-Money Laundering Package — comprising Regulation (EU) 2024/1624 (AMLR) and Directive (EU) 2024/1640 (AMLD6) — creates a unified sanctions screening framework across all EU member states. While the UK is no longer bound by EU directives, EU regulatory developments influence FCA expectations and international counterparty requirements.

Types of sanctions screening: a practical overview

Effective sanctions screening covers multiple dimensions beyond simple name matching.

Entity screening checks legal persons — companies, trusts, foundations — against consolidated sanctions lists, including analysis of beneficial ownership structures under the 50% rule.

Transaction screening applies to payment flows in real time, flagging payments involving sanctioned countries, currencies, or routing codes. This is mandatory for UK payment service providers under the MLRs 2017.

Automated periodic rescreening triggers alerts when sanctions lists are updated, without waiting for the next client review cycle. Compliance teams on professional forums consistently identify this as the most critical control improvement: a sanctioned counterparty that was clean at onboarding may appear on a list six months later.

Best practices for sanctions screening in 2026

1. Calibrate fuzzy matching thresholds by risk tier

Name-matching algorithms must handle transliterations (Arabic, Cyrillic, Chinese scripts), spelling variants, and aliases. High-risk clients should trigger alerts at lower similarity thresholds (75–80%), requiring manual review, while standard-risk clients may use higher thresholds (88–92%) to reduce false positive volume. Document the calibration rationale in your risk assessment.
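The tiered thresholds described above can be exercised with a small matcher; this is an added example, not CheckFile's code, and it shows one spelling variant that alerts for a high-risk client but stays below the standard-risk threshold. The watchlist entries, the `screen` helper and the exact cut-offs (0.80 and 0.90, picked from within the ranges above) are assumptions; script transliteration is not handled.

```python
import unicodedata
from difflib import SequenceMatcher

# Assumed cut-offs, chosen inside the ranges given in the text.
THRESHOLDS = {"high": 0.80, "standard": 0.90}

# Constructed sample entries, not taken from any real sanctions list.
WATCHLIST = [
    {"id": "EX-001", "names": ["Aleksandr Volkov", "Alexander Volkov"]},
    {"id": "EX-002", "names": ["Meridian Shipping LLC"]},
]

def normalize(name):
    """Strip diacritics and punctuation, casefold, and sort tokens so that
    'Volkov, Alexander' and 'Alexander Volkov' compare as equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return " ".join(sorted(cleaned.split()))

def similarity(query, listed_name):
    """Character-level similarity in [0, 1] on the normalized forms."""
    return SequenceMatcher(None, normalize(query), normalize(listed_name)).ratio()

def screen(name, risk_tier):
    """Return alerts for every entry whose best-scoring name or alias
    reaches the threshold configured for the client's risk tier."""
    threshold = THRESHOLDS[risk_tier]
    alerts = []
    for entry in WATCHLIST:
        score, matched = max((similarity(name, n), n) for n in entry["names"])
        if score >= threshold:
            alerts.append({
                "list_id": entry["id"],
                "matched_name": matched,
                "score": round(score, 3),
                "threshold": threshold,  # recorded for the audit trail
            })
    return sorted(alerts, key=lambda a: -a["score"])

if __name__ == "__main__":
    for tier in ("high", "standard"):
        print(tier, screen("Aleksander Wolkow", tier))
```
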

2. Apply the beneficial ownership analysis systematically

The OFAC 50% Rule and equivalent UK/EU control criteria require screening not only the immediate counterparty, but its owners up the corporate structure. CheckFile's KYC platform automates beneficial ownership extraction from corporate documents, feeding screening systems with structured UBO data that manual processes routinely miss.
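The ownership walk described here and in the OFAC section above, as an added example that is not CheckFile's code: it applies the 50% rule as stated on this page, one owner at a time, and repeats until no further entity is caught. The ownership records, party names and helper functions are constructed; aggregation of stakes across several designated owners and control-based tests are not modelled.

```python
THRESHOLD_PCT = 50  # "owned 50% or more", as stated in the text

# Constructed ownership records: (owner, owned entity, percent held).
STAKES = [
    ("Designated Person X", "HoldCo A", 60),
    ("HoldCo A", "OpCo B", 50),
    ("Unrelated Investor", "OpCo B", 50),
    ("OpCo B", "Trading C", 49),
    ("Designated Person X", "Trading D", 30),
]
LISTED = {"Designated Person X"}  # constructed stand-in for list hits

def treated_as_sanctioned(stakes, listed, threshold=THRESHOLD_PCT):
    """Map every listed or ownership-caught party to the chain that led
    to it. Iterates to a fixed point, so circular holdings terminate."""
    flagged = {name: [name] for name in listed}
    changed = True
    while changed:
        changed = False
        for owner, entity, pct in stakes:
            if owner in flagged and entity not in flagged and pct >= threshold:
                flagged[entity] = flagged[owner] + [entity]
                changed = True
    return flagged

def screen_counterparty(name, stakes, listed):
    """Screening result for one counterparty, with the ownership chain
    kept so the analyst can document why the alert fired."""
    chain = treated_as_sanctioned(stakes, listed).get(name)
    return {
        "counterparty": name,
        "hit": chain is not None,
        "ownership_chain": chain or [],
    }

if __name__ == "__main__":
    for party in ("HoldCo A", "OpCo B", "Trading C", "Trading D"):
        print(screen_counterparty(party, STAKES, LISTED))
```
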

3. Implement real-time screening for payment flows

OFSI and the FCA expect payment institutions to screen transactions before execution, not after. Real-time API integration with sanctions databases is the standard for 2026. Static weekly batch screening is no longer sufficient for high-volume payment processors, as confirmed in FCA Dear CEO letters on financial crime controls (2023).

4. Document every alert decision with a full audit trail

Every alert generated by the screening system — including false positives cleared after review — must be documented with the analyst's rationale, the data reviewed, and the outcome. The FCA expects to review alert management records during supervisory visits. Retention period: minimum 5 years under MLRs 2017, Regulation 40.

5. Conduct independent validation annually

Sanctions screening failures rarely originate from the software itself. They arise from misconfigured matching parameters, outdated sanctions sources, or untested screening logic for new product types. Annual independent validation — conducted by a function separate from the first line of defence — is now considered a supervisory expectation by both the FCA and PRA.

CheckFile's document verification platform integrates sanctions screening into document-based onboarding workflows, reducing manual handoffs between compliance and operations teams. See our compliance risk assessment guide for a framework to evaluate your current screening programme.

Penalties for sanctions screening failures

| Regulator | Maximum penalty | Liability basis |
|---|---|---|
| OFSI (UK) | £1 million or 50% of sanctioned value | Civil, strict liability |
| OFAC (US) | $250,000/transaction or 2× value | Civil, strict liability |
| FCA (UK) | Unlimited (conduct regime) | Risk-based |
| EU NCAs | Up to €5 million or 10% revenue | Per member state |

Beyond financial penalties, sanctions violations trigger reputational damage, correspondent banking relationship terminations, and in serious cases, criminal prosecution of senior managers under the Money Laundering Regulations 2017, Regulation 86.

For a broader view of how sanctions screening fits into your AML programme, see our Anti-Money Laundering compliance guide.

Frequently asked questions

What is the difference between sanctions screening and AML screening?

AML screening is a broader category encompassing customer due diligence, transaction monitoring, suspicious activity reporting, and sanctions screening. Sanctions screening is a specific subset that focuses exclusively on checking parties against government-issued prohibition lists. All regulated firms must conduct both, but the processes use different data sources and generate different types of alerts.

Do small businesses need to conduct sanctions screening?

Any business subject to the Money Laundering Regulations 2017 — including estate agents, accountants, and legal firms — must screen clients against sanctions lists as part of their customer due diligence. The FCA's threshold guidance does not exempt smaller firms from sanctions obligations. CheckFile's pricing page provides options scaled to different transaction volumes.

How often should existing clients be rescreened?

The FCA's financial crime guide suggests rescreening at least annually for standard-risk clients, and more frequently for high-risk relationships or in periods of significant sanctions activity (such as the Russia-Ukraine conflict). Automated systems can trigger immediate rescreening whenever a relevant sanctions list is updated.

What should a firm do when a sanctions match is identified?

A confirmed sanctions match requires: (1) immediate freezing of any assets or funds connected to the designated person; (2) reporting to OFSI within seven days using the asset freeze report; (3) refusing any further transactions; (4) filing a Suspicious Activity Report (SAR) with the National Crime Agency (NCA) if additional suspicious indicators are present. Do not tip off the subject.

Is OFAC screening required for UK-only businesses?

UK-only businesses that never transact in USD and have no U.S. nexus are generally not within OFAC's primary jurisdiction. However, most UK financial institutions maintain U.S. dollar correspondent accounts, creating indirect OFAC exposure. Additionally, major international sanctions databases recommended for UK compliance programmes include OFAC SDN as a global best practice, regardless of direct jurisdictional obligation.


This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. It covers the regulatory framework applicable to the United Kingdom and, where relevant, the European Union and United States. Readers should seek specialist legal advice for their specific circumstances.
