
Lesson 12 of 25

Sanctions Screening, Evasion & Enforcement

4 min read · CFCS

Learn how screening, fuzzy matching, and false positives really work, the evasion typologies criminals use, and how OFAC enforcement and voluntary self-disclosure play out.

Screening, end to end

  • Screen customers at onboarding and continuously
  • Screen transactions in real time (wires, trade)
  • Match names, aliases, vessels, and identifiers
  • Rescreen when lists change

Sanctions compliance lives or dies on screening. Institutions screen customers at onboarding and then continuously, because someone clean today can be designated tomorrow, the moment OFAC, the UN, or the EU adds them to a list. They screen transactions in real time, especially SWIFT wire payments and trade documents, before money moves, so a hit can be stopped rather than clawed back.

Screening isn't just names; it covers aliases and 'also-known-as' spellings, addresses, dates of birth, passport and tax identifiers, and vessel names and IMO numbers. And because sanctions lists change frequently, sometimes daily, firms must rescreen their entire existing book whenever a list updates, a process called retroactive or list-refresh screening. The exam expects you to see screening as a continuous, list-driven process, not a one-time check at the door.

Fuzzy matching and false positives

  • Exact matching misses spelling and transliteration variants
  • Fuzzy logic catches near-matches — and noise
  • Most alerts are false positives needing review
  • Tune thresholds; too loose or too tight both fail

Names are messy, so screening uses fuzzy matching to catch spelling variants, transliterations from Arabic, Cyrillic, or Chinese, and reordered or hyphenated names. The trade-off is volume: fuzzy logic generates many false positives, alerts that look like a match but aren't. Think of every customer named Mohammed, or every common surname, lighting up. In fact, the overwhelming majority of screening alerts, often well above ninety percent, are false positives, and a trained analyst must clear each one and document the rationale.

The art is tuning the threshold. Set it too tight and you miss a real sanctioned party, a false negative and a serious violation; set it too loose and you drown analysts in noise so real hits get buried in the backlog. Calibrating that balance, and avoiding alert fatigue, is a core competency the exam probes.
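The threshold trade-off can be seen on a small scale in the following added example, which is not part of the original lesson and does not represent any vendor's matching engine. It assumes a fictional watchlist, a constructed customer list with assumed ground truth, and Python's `difflib` similarity ratio as the fuzzy score.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed data: fictional names, not real designations.
WATCHLIST = {
    "WL-001": ["Aleksandr Petrovich Volkov", "Alexander Volkov"],  # primary + alias
    "WL-002": ["Mohammed Al-Rashidi"],
}
# (customer name, true watchlist id or None); ground truth is assumed for the demo.
CUSTOMERS = [
    ("Volkov, Alexandr", "WL-001"),    # reordered, transliteration variant
    ("Mohamed Alrashidi", "WL-002"),   # spelling variant, hyphen dropped
    ("Mohammed Al-Rashid", None),      # different person, near-identical name
    ("Alexandra Wolkova", None),
    ("Maria Gonzalez", None),
]

def normalize(name):
    """Fold case and diacritics, join hyphenated parts, sort tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    text = re.sub(r"[-']", "", text)
    return " ".join(sorted(re.findall(r"\w+", text)))

def best_match(name):
    """Return (score, watchlist_id) of the closest listed name or alias."""
    target = normalize(name)
    return max(
        (SequenceMatcher(None, target, normalize(alias)).ratio(), wl_id)
        for wl_id, aliases in WATCHLIST.items() for alias in aliases
    )

def sweep(threshold):
    """Count alerts, true hits, false positives and misses at one threshold."""
    alerts = hits = missed = 0
    for name, truth in CUSTOMERS:
        score, wl_id = best_match(name)
        if score >= threshold:
            alerts += 1
            hits += wl_id == truth
        elif truth is not None:
            missed += 1
    return {"alerts": alerts, "true_hits": hits,
            "false_positives": alerts - hits, "missed": missed}

if __name__ == "__main__":
    for t in (0.99, 0.90, 0.80):
        print(t, sweep(t))
```

At the tightest setting both true variants are missed; loosening the threshold recovers them, but "Mohammed Al-Rashid" scores as high as the genuine variant, so no threshold separates the two and an analyst still has to clear the alert.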

Evasion typologies

  • Stripping identifying data from payment messages
  • Front companies and ownership obfuscation (50% Rule)
  • Transshipment and falsified trade documents
  • Vessels going dark; ship-to-ship transfers

Sanctioned actors work hard to evade screening, and you should know their playbook. Wire-stripping removes or alters the originator and beneficiary fields in payment messages so a sanctioned party slips through, a practice that has cost banks billions in OFAC settlements. Front companies and deliberately complex ownership hide a blocked person behind the 50 Percent Rule.

In trade, evaders use transshipment through neutral countries, falsified end-user certificates, mislabeled goods, and under- or over-invoicing. In shipping, vessels go dark by disabling their AIS transponders, falsify their flag, and conduct ship-to-ship transfers on the open sea to disguise the origin or destination of cargo, classic in oil-sanctions evasion. Spotting these patterns, especially missing or stripped data, vague descriptions, and economically illogical routing, is how investigators catch evasion that pure name-matching would miss.

Enforcement and strict liability

  • OFAC penalties can be severe and civil
  • Strict liability — no intent required
  • Aggravating vs. mitigating factors weighed
  • Voluntary self-disclosure cuts penalties

When violations happen, OFAC's Economic Sanctions Enforcement Guidelines, published at 31 CFR Part 501, Appendix A, govern the response. Remember the strict-liability point: OFAC can impose civil penalties even without proof of intent, and per-violation maximums run into the hundreds of thousands of dollars, multiplied across every transaction. In setting penalties, OFAC weighs aggravating factors, like willfulness, recklessness, harm to sanctions objectives, and senior-management awareness, against mitigating factors, like a strong compliance program, a clean history, and cooperation.

One of the most valuable mitigants is voluntary self-disclosure: reporting your own violation before OFAC discovers it can roughly halve the base penalty. The exam reasoning here is practical: when a firm discovers a breach, prompt self-disclosure, remediation, and a documented root-cause analysis are almost always the better path than concealment.

Building the program, and recap

  • OFAC's five compliance pillars
  • Management commitment, risk assessment, controls
  • Testing/audit and training
  • Recap: screening, fuzzy matching, evasion, enforcement

OFAC's published framework, A Framework for OFAC Compliance Commitments, lays out five pillars of a sanctions compliance program: management commitment, risk assessment, internal controls, testing and auditing, and training. Notice how those mirror the AML program pillars we'll see later: the financial-crime disciplines converge on the same governance backbone, so learn the five once and reuse them. A useful exam habit is to map any control failure you read about back to whichever pillar it broke. Weak screening logic is an internal-controls gap; an untrained analyst is a training gap.

So, recap. Screening is continuous and list-driven; fuzzy matching is necessary but floods you with false positives that must be cleared; evaders strip data, hide ownership, and go dark; and enforcement is strict-liability, with self-disclosure and a real program as your best mitigants. If a question describes a violation already discovered, the highest-scoring answer almost always pairs voluntary self-disclosure with remediation, never quiet concealment or hoping it goes unnoticed.

Next, we follow the money into tax crime, FATCA, and the CRS. Test yourself first.

Sources

  • OFAC Economic Sanctions Enforcement Guidelines (31 CFR Part 501, App. A)
  • OFAC 'A Framework for OFAC Compliance Commitments'
  • FinCEN/OFAC advisories on sanctions evasion
  • Wolfsberg Group guidance on sanctions screening

Test your knowledge

A few CFCS questions on this material.

  1. In a financial-crime investigation, an analyst has a tip from an internal whistleblower, a transaction alert, and a bank statement subpoenaed by law enforcement. Rank these correctly by their status in the information-intelligence-evidence hierarchy.

  2. An investigator forms a hypothesis that a customer is running an unlicensed money-transmitting business. She then reviews only transactions that support this hypothesis and ignores a large salary deposit and two employer reference letters in the file. What cognitive error has she made?

  3. An investigator copies a hard drive that may contain evidence of fraud. She does not create a forensic image or record a hash value. The defense later argues the data was altered. Why is the hash value critical?

  4. Two banks suspect the same customer of money laundering. Bank A wants to share its SAR-supporting transaction data with Bank B to build a fuller picture. Under USA PATRIOT Act section 314(b), what must both banks do first?
