Lesson 19 of 25
Auditing Sanctions / OFAC Screening
4 min read · CAMS-Audit
Audit strict-liability sanctions screening: list currency, coverage, fuzzy-matching logic, and alert clearing. Learn why tight matching risks dangerous false negatives and undocumented clearing breeds violations.
Why sanctions screening is different
- OFAC is strict-liability — no intent required
- Screen customers and transactions against sanctions lists
- A single missed match can mean a violation
- Audit tests list, logic, coverage, and clearing
Sanctions screening sits apart from the rest of AML for one reason: OFAC enforcement is essentially strict liability. You don't need to intend a violation to commit one; processing a payment for a sanctioned party is a violation even if no one noticed. That raises the stakes enormously, because a single missed match can be a violation with serious penalties.
Screening compares your customers and transactions against sanctions lists (the OFAC Specially Designated Nationals and Blocked Persons List, among others) to block or reject prohibited dealings. OFAC's 2019 Framework for OFAC Compliance Commitments lays out what a sound program looks like. Audit tests four things: the lists, the matching logic, the coverage, and the alert clearing.
List management and coverage
- Lists current and updated promptly when they change
- All required lists loaded — OFAC, plus others as applicable
- Screen at onboarding, on changes, and on transactions
- Both customer screening and real-time payment screening
Start with list management and coverage. Sanctions lists change frequently, sometimes daily, so test whether the institution loads updates promptly; a list that's a week stale means a week of screening against the wrong names. Confirm all required lists are loaded, OFAC's lists plus any others applicable to the institution's footprint, such as UN or EU lists for international operations.
Then test coverage timing: is screening performed at onboarding, re-run when a customer's details change, and applied to transactions in real time? Both customer screening and payment screening must be covered. A gap such as customers screened at onboarding but never re-screened against newly designated parties is exactly the kind of finding that becomes a violation when a name is later added to the list.
Matching logic — the fuzzy-matching dial
- Names rarely match exactly — fuzzy logic is essential
- Too tight: misses real matches (false negatives)
- Too loose: floods analysts (false positives)
- Test the tuning with known test names
The heart of screening is matching logic, and it's a dial the auditor must test. Real names rarely match a list entry exactly (transliteration, spelling variants, missing middle names, reordered name parts), so systems use fuzzy matching to catch near-matches. The tuning is a trade-off.
Set the matching too tight and the system misses real matches (false negatives), which is the dangerous error because it lets a sanctioned party through. Set it too loose and it floods analysts with false positives, which buries the real hits in noise and creates pressure to clear fast. A strong technique is to inject known test names, including deliberate variants of real list entries that must hit and a few unrelated names that must not, and confirm the system gets both right.
If your test variants slip through, the matching is too tight.
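As an added example (not from the lesson, and not any vendor's screening engine), the Python below implements a small fuzzy name-matching engine with a tunable threshold and runs the test-name injection described above: constructed list entries, deliberate variants that must hit, unrelated customers that must not, and a report of what the dial gets wrong at three settings. The sanctions list, the customer names and the two-view similarity score are all assumptions for illustration; none of the names are real SDN entries.

```python
"""Fuzzy sanctions-name screening with a tunable match threshold, plus the
audit technique of injecting known test names to see where the dial fails.
Added example for this lesson; every name below is constructed."""
import difflib
import re
import unicodedata

# Constructed stand-in for a sanctions list (assumption; NOT real SDN entries).
SANCTIONS_LIST = [
    "IVAN PETROVICH SOKOLOV",
    "ABDUL RAHMAN AL-FARISI",
    "MARIA DEL CARMEN LOPEZ GARCIA",
]


def normalize(name):
    """Upper-case, strip diacritics and punctuation, drop one-letter initials."""
    decomposed = unicodedata.normalize("NFKD", name)          # "ó" -> "o" + accent mark
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.sub(r"[^A-Za-z0-9]+", " ", ascii_only).upper().split()
    return [t for t in tokens if len(t) > 1]                  # "P." carries no evidence


def _ratio(a, b):
    """Plain difflib similarity in [0, 1]; 1.0 means identical strings."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def similarity(candidate, listed):
    """Score a customer or payee name against one list entry from two views."""
    ta, tb = normalize(candidate), normalize(listed)
    if len(ta) < 2 or len(tb) < 2:
        return 0.0  # a lone token such as "AL" is not enough to match on
    # View 1: each token of the shorter name against its best token in the longer
    # one, averaged. Tolerates reordering and a missing middle name.
    short, long_ = (ta, tb) if len(ta) <= len(tb) else (tb, ta)
    token_view = sum(max(_ratio(t, u) for u in long_) for t in short) / len(short)
    # View 2: the whole name with spaces removed, original order. Tolerates
    # tokens written joined or split ("Abdulrahman Alfarisi").
    joined_view = _ratio("".join(ta), "".join(tb))
    return max(token_view, joined_view)


def screen(name, threshold, sanctions=SANCTIONS_LIST):
    """Best list match as (listed_name, score) if it clears the threshold, else None."""
    score, best = max((similarity(name, listed), listed) for listed in sanctions)
    return (best, round(score, 3)) if score >= threshold else None


# Audit test set. Variants of list entries that a sound engine MUST catch ...
SHOULD_HIT = [
    "Ivan Sokolov",              # middle name missing
    "Sokoloff, Ivan P.",         # transliteration variant, reordered, initial
    "Abdulrahman Alfarisi",      # tokens joined differently
    "María del Carmen López",    # diacritics, second surname missing
    "Sokolov Ivan Petrovich",    # reordered
    "Mariya Lopes Garsia",       # three spelling variants at once
]
# ... and unrelated customers that it must NOT flag.
SHOULD_NOT_HIT = ["John Smith", "Peter Ivanov"]


def tuning_report(threshold):
    """Which test names the engine gets wrong at a given threshold setting."""
    return {
        "threshold": threshold,
        "false_negatives": [n for n in SHOULD_HIT if screen(n, threshold) is None],
        "false_positives": [n for n in SHOULD_NOT_HIT if screen(n, threshold) is not None],
    }


if __name__ == "__main__":
    for setting in (0.95, 0.80, 0.50):   # too tight, tuned, too loose
        print(tuning_report(setting))
```

Run as written, the 0.95 setting lets the two transliteration variants through (false negatives), the 0.50 setting flags an unrelated customer (a false positive), and 0.80 catches every variant on this tiny set without noise. In an audit the same harness is pointed at the institution's real engine, not this toy. Note also that a customer who genuinely shares a first and last name with a listed party will score high at any threshold; that alert is cleared on secondary attributes such as date of birth or nationality, which is why the clearing rationale in the next section matters.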
Alert clearing, escalation, and blocking
- Are potential matches investigated, not auto-cleared?
- Documented rationale for clearing a hit
- True matches blocked or rejected, and reported to OFAC
- Watch for pressure to clear under volume
Finally, audit the clearing process, because a great matching engine is wasted if humans wave its alerts away. Re-perform a sample of cleared alerts: was each potential match actually investigated, with documented rationale for why it wasn't a true hit, or auto-cleared to manage volume? Confirm that true matches are properly blocked or rejected and reported to OFAC as required under 31 CFR Part 501, with the right recordkeeping.
The risk pattern mirrors transaction monitoring: high alert volume creates pressure to clear quickly, and quick clearing of a genuine match is how violations happen. The exam may show you a screening hit cleared with no documented basis; that thin or missing rationale is the finding.
Sanctions program governance
- Senior-management commitment and clear ownership
- A risk assessment specific to sanctions exposure
- Training, testing, and escalation paths in place
- Voluntary self-disclosure when violations are found
Step back from the screening engine to the sanctions program around it, which OFAC's Framework lays out as five essential components: management commitment, risk assessment, internal controls, testing and auditing, and training. So when you audit, confirm senior management is genuinely committed and ownership is clear, not diffuse. Check that the institution has a sanctions-specific risk assessment, since sanctions exposure isn't identical to general money-laundering risk; it turns on geographies, counterparties, and products.
Verify that training, testing, and escalation paths exist and function. And know the right response when a violation surfaces: OFAC strongly encourages voluntary self-disclosure, and a prompt, complete self-disclosure is treated as a significant mitigating factor in any enforcement outcome. So if your audit uncovers an apparent violation, the program's correct path is to investigate, remediate, and consider self-disclosure, not to bury it.
The exam may test whether you know that concealment makes things far worse while self-disclosure mitigates.
Recap and next
- OFAC is strict-liability — stakes are high
- Test lists, coverage, matching logic, and clearing
- Tight matching risks dangerous false negatives
- Next — SAR/CTR quality, timeliness, recordkeeping
Recapping: sanctions screening is strict-liability work where a single missed match can be a violation, so audit tests list currency and coverage, the fuzzy-matching logic that decides hits and misses, and the clearing process where humans dispose of alerts. Tight matching risks dangerous false negatives, loose matching buries real hits in noise, and undocumented clearing of a true hit is a violation in the making. Next, we audit the downstream reporting: suspicious-activity-report and currency-transaction-report quality, timeliness, and recordkeeping.
Sources
- OFAC — A Framework for OFAC Compliance Commitments (2019)
- 31 CFR Part 501 — OFAC Reporting, Procedures and Penalties
- FFIEC BSA/AML Examination Manual — Office of Foreign Assets Control
Test your knowledge
A few CAMS-Audit practice questions.
Q1. The board audit committee requests a report on AML audit activity. The chief audit executive provides a 40-page technical report covering every finding in detail. What reporting quality standard has the report likely failed?
Q2. An audit report rates a transaction-monitoring finding as 'medium' risk despite the finding showing that 250,000 transactions were never reviewed for suspicious activity due to a data feed gap. Which reporting failure is most likely present?
Q3. At a closing meeting, management provides documentation showing that a finding about late CTR filings was based on an auditor's miscalculation of the filing deadline — the filings were actually on time. What should the auditor do?
Q4. An institution co-sources its transaction-monitoring model validation to an external firm. The external firm submits a report with a clean opinion. The institution's internal audit team forwards the report to the board without reviewing it. What is the problem?