By Stuart Watkins, CEO, Zenoo
If you have read the OFSI guidance on sanctions screening, the OFAC framework for risk-based compliance, and the EU's best practices for restrictive measures implementation, you might have noticed something: they are not saying the same thing. Not exactly. And the gaps between them are where compliance teams get into trouble.
We work with compliance teams across the UK and EU who are screening against multiple sanctions lists simultaneously. The practical challenges they face are rarely addressed in the guidance documents themselves. This article is an attempt to bridge that gap: what the guidance says, what it actually means for your operations, and where you need to make your own risk-based decisions.
The fuzzy matching problem nobody wants to talk about
Every sanctions screening provider offers fuzzy matching. It is, in theory, what makes automated screening work: the system catches name variations, transliterations, and spelling differences that an exact-match search would miss. OFSI, OFAC and the EU all reference in their guidance the need for screening systems to account for name variations.
In practice, fuzzy matching is where most of your false positives come from. And the guidance offers almost no help on calibration.
OFSI's guidance says firms should use "appropriate" screening tools and consider "name variations including transliterations." OFAC's guidance says compliance programmes should include "screening software with adequate fuzzy logic." The EU's best practices say screening should account for "alternative spellings and transliterations." None of them tell you what matching threshold to set.
"We ran the same customer list through three different screening providers with their default fuzzy matching settings. Provider A generated 340 alerts. Provider B generated 1,200 alerts. Provider C generated 780 alerts. Same customers, same sanctions lists. The guidance says to use 'appropriate' tools. How do you define appropriate when the results vary by 350%?"
The practical reality is that matching threshold calibration is a risk-based decision that your compliance team needs to make, document, and defend. There is no magic number. But there is a methodology: take a sample of customers whose correct outcome is already known (confirmed true matches and confirmed false positives from past alert reviews), run it through your screening tool at multiple thresholds, measure at each level how many genuine matches are caught and how many false positives are generated, and determine the point at which lowering the threshold further generates noise without catching additional genuine matches.
Document this analysis. If a regulator asks why you set your threshold at 85% rather than 75%, you need an evidence-based answer, not "that is what the vendor recommended."
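A worked version of that sweep, added here as an illustration rather than code from Zenoo or any screening vendor: it uses Python's difflib ratio as a stand-in for a tool's proprietary score, constructed (fictional) list and customer names, and hand-assigned "true match" labels of the kind a reviewed alert sample provides.

```python
"""Calibrating a fuzzy-matching threshold against a labelled sample.

Added example, not Zenoo's code and not any screening vendor's algorithm.
The similarity score is Python's difflib ratio, standing in for whatever
proprietary score your tool produces; the list names, customer names and
'known true match' labels are all constructed for illustration. In a real
sweep the labelled sample comes from alerts whose disposition has already
been established by review.
"""
from difflib import SequenceMatcher
import re
import unicodedata


def normalise(name: str) -> str:
    """Lower-case, strip accents and punctuation, sort the tokens so that
    'Petrov, Ivan' and 'Ivan Petrov' compare as identical strings."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    name = re.sub(r"[^a-z0-9 ]+", " ", name.lower())
    return " ".join(sorted(name.split()))


def similarity(a: str, b: str) -> float:
    """Similarity of two names as a 0-100 score (difflib's ratio x 100)."""
    return 100.0 * SequenceMatcher(None, normalise(a), normalise(b)).ratio()


# Constructed list entries (fictional names).
LIST_NAMES = ["Ivan Petrov", "Mohammed Al-Rashid", "Global Trading Co Ltd"]

# Constructed customers. The second element is the list entry the customer
# genuinely is (a true match), or None if the customer is an unrelated party.
LABELLED_CUSTOMERS = [
    ("Petrov, Ivan", "Ivan Petrov"),                   # name order swapped
    ("Ivan Petrow", "Ivan Petrov"),                    # transliteration variant
    ("Mohamed Al Rashid", "Mohammed Al-Rashid"),       # spelling/hyphen variant
    ("Global Trading Company Ltd", "Global Trading Co Ltd"),
    ("Ivana Petrova", None),                           # lookalike, unrelated
    ("Ivan Petrovich", None),                          # lookalike, unrelated
    ("Globex Trading Ltd", None),                      # lookalike, unrelated
    ("Jane Smith", None),
]

THRESHOLDS = (75, 80, 85, 90, 95)


def sweep(customers, list_names, thresholds):
    """For each threshold, count alerts raised, genuine matches caught, false
    positives, and genuine matches missed when every customer is screened
    against every list name."""
    results = {}
    for t in thresholds:
        alerts = caught = false_pos = missed = 0
        for customer, truth in customers:
            hits = [n for n in list_names if similarity(customer, n) >= t]
            alerts += len(hits)
            if truth is not None and truth in hits:
                caught += 1
                false_pos += len(hits) - 1       # extra hits on the same customer
            elif truth is not None:
                missed += 1
                false_pos += len(hits)
            else:
                false_pos += len(hits)
        results[t] = {"alerts": alerts, "caught": caught,
                      "false_positives": false_pos, "missed": missed}
    return results


def tightest_full_recall_threshold(results):
    """Highest threshold that still misses nothing in the labelled sample:
    tightening beyond it starts dropping genuine matches."""
    safe = [t for t, r in results.items() if r["missed"] == 0]
    return max(safe) if safe else None


if __name__ == "__main__":
    results = sweep(LABELLED_CUSTOMERS, LIST_NAMES, THRESHOLDS)
    print("threshold  alerts  caught  false_pos  missed")
    for t, r in results.items():
        print(f"{t:>9}  {r['alerts']:>6}  {r['caught']:>6}  "
              f"{r['false_positives']:>9}  {r['missed']:>6}")
    print("tightest threshold with full recall:",
          tightest_full_recall_threshold(results))
```

On this sample the table shows why the choice is evidence-based rather than a vendor default: 85 is the tightest threshold that still catches every labelled true match (two lookalike false positives remain), while 90 starts missing a genuine entity match. The same table, produced from your own customer base and your own tool's score, is the documentation a regulator asking "why 85 rather than 75" would expect to see.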
Screening frequency: the guidance says "ongoing" but means different things
OFSI expects firms to screen their entire customer base whenever the UK sanctions list is updated. Given that the consolidated list is updated multiple times per week, this effectively means continuous screening. OFAC takes a slightly different approach, emphasising real-time screening of transactions and periodic re-screening of customer databases. The EU's approach varies by member state, but the general expectation is that screening occurs at onboarding, at list updates, and at trigger events.
For compliance teams, the practical question is: can your systems handle this?
Batch screening (running your entire customer database against updated lists on a scheduled basis) is still common, but it creates a window of exposure between list updates and screening runs. If a new designation is published on Monday morning and your batch screen runs on Wednesday night, you have a two-day gap during which you might process transactions involving a newly designated person.
Real-time or near-real-time screening (triggering a screen whenever a list is updated) eliminates this gap but places significant demands on your technology infrastructure. Your screening provider needs to push list updates to your system in real time, and your system needs to process those updates against your customer base without manual intervention.
Practical step: Map your current screening frequency against the expectations of every jurisdiction you operate in. If there is a gap between what your systems can deliver and what the guidance requires, that is a compliance risk that needs to be addressed and documented, either through technology upgrades or through compensating controls.
The vessel screening and trade finance blind spot
Sanctions guidance increasingly addresses vessel screening and trade finance, reflecting the reality that sanctions evasion often involves complex shipping routes, flag-swapping, and opaque trade documentation. OFSI's maritime guidance, updated in 2023, sets out expectations for firms involved in shipping, insurance, and trade finance.
But many financial institutions that are not obviously in the "maritime" sector still have exposure. If you provide payments services to import/export businesses, if you finance trade transactions, or if your customer base includes companies with supply chains that touch sanctioned jurisdictions, vessel and trade screening is relevant to you.
The guidance expects firms to take a risk-based approach, which in practice means: if your customer base has trade exposure, you should be screening vessel information, port calls, and trade documentation against sanctions lists. The technology to do this exists, but it is often siloed in specialist providers rather than integrated into mainstream KYC screening workflows.
Correspondent banking and payment chains
If your firm processes payments through correspondent banking networks, sanctions screening becomes significantly more complex. You are not just screening your own customers. You are screening originators, beneficiaries, and intermediary banks in the payment chain.
The Wolfsberg Group's guidance on correspondent banking due diligence provides a useful framework here, but the practical challenge is data quality. Payment messages (particularly MT103 messages) often contain incomplete or inconsistent originator and beneficiary information. Your screening system needs to handle this gracefully: screening on available fields, flagging transactions where required information is missing, and routing incomplete messages for manual review.
"The biggest operational headache is not screening the names. It is dealing with the 15% of payments where the originator information is incomplete or formatted in a way our screening tool cannot parse. Those all end up in the manual review queue, and each one takes 20 minutes to resolve."
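An added example of that handling (not Zenoo's code or any vendor's parser): a minimal parser for the colon-tag text of an MT103, a name extractor for the 50x/59x party fields, and a router that screens whatever parties it can name and sends the rest to manual review. The messages, parties, accounts and BIC are constructed, and the screening step is a placeholder exact match standing in for the real engine.

```python
"""Routing payment messages whose party data is incomplete.

Added example, not Zenoo's code and not a vendor's message parser. The three
messages are constructed (fictional parties, accounts and BIC) in the
colon-tag layout of an MT103 text block, and only the tags needed here are
modelled. The screening step is a placeholder normalised exact match that
stands in for the real engine; the routing logic around it is the point.
"""
import re

# Party fields to screen. Options K and F carry a name; option A carries only
# a BIC, which is screenable as an institution but gives no name to match on.
ORIGINATOR_TAGS = ("50K", "50F", "50A")
BENEFICIARY_TAGS = ("59", "59F", "59A")

TAG_RE = re.compile(r"^:(\d{2}[A-Z]?):", re.MULTILINE)


def parse_fields(text):
    """Split MT103 block-4 text into {tag: body}; continuation lines stay with
    the tag that precedes them."""
    fields = {}
    tags = list(TAG_RE.finditer(text))
    for i, m in enumerate(tags):
        end = tags[i + 1].start() if i + 1 < len(tags) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields


def party_name(tag, body):
    """Extract the party's name from a 50x/59x body, or None if there is none."""
    if tag.endswith("A"):
        return None                                   # BIC only
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and lines[0].startswith("/"):
        lines = lines[1:]                             # account-number line
    if tag.endswith("F"):                             # numbered lines: 1/ is the name
        lines = [ln[2:] for ln in lines if ln.startswith("1/")]
    return lines[0] if lines else None


def screen(name, list_names):
    """Placeholder screening: case- and whitespace-insensitive exact match."""
    key = " ".join(name.lower().split())
    return [n for n in list_names if " ".join(n.lower().split()) == key]


def route(message, list_names):
    """Screen whatever party fields are present; send messages with a hit to
    the alert queue, messages with a party we could not name to manual review,
    and everything else straight through."""
    fields = parse_fields(message)
    result = {"ref": fields.get("20"), "screened": {}, "missing": [], "queue": "auto"}
    for role, tags in (("originator", ORIGINATOR_TAGS), ("beneficiary", BENEFICIARY_TAGS)):
        present = [t for t in tags if t in fields]
        name = party_name(present[0], fields[present[0]]) if present else None
        if name is None:
            result["missing"].append(role)
        else:
            result["screened"][role] = screen(name, list_names)
    if any(result["screened"].values()):
        result["queue"] = "sanctions_alert"
    elif result["missing"]:
        result["queue"] = "manual_review"
    return result


# Constructed messages (fictional). Field 50K: account line, then name, then address.
MSG_CLEAN = """:20:REF0001
:32A:240115GBP1500,00
:50K:/12345678
ACME IMPORTS LTD
1 HIGH STREET
LONDON
:59:/87654321
BLUE HARBOUR TRADING
ROTTERDAM
:71A:SHA"""

# Originator given as a BIC only (option A): nothing to name-screen, so this
# one must not pass silently.
MSG_NO_ORIGINATOR_NAME = """:20:REF0002
:32A:240115EUR200,00
:50A:EXAMGB2LXXX
:59:/87654321
BLUE HARBOUR TRADING
:71A:OUR"""

# Option F originator with numbered lines; the name is on the '1/' line.
MSG_HIT = """:20:REF0003
:32A:240116USD9000,00
:50F:/5555
1/IVAN PETROV
2/1 EXAMPLE STREET
3/RU/MOSCOW
:59:/6666
ACME IMPORTS LTD
:71A:SHA"""

LIST_NAMES = ["Ivan Petrov", "Global Trading Co Ltd"]      # constructed

if __name__ == "__main__":
    for msg in (MSG_CLEAN, MSG_NO_ORIGINATOR_NAME, MSG_HIT):
        r = route(msg, LIST_NAMES)
        print(r["ref"], "->", r["queue"], r["screened"], "missing:", r["missing"])
```

The design choice worth noting is that a message with an unnamed party is still screened on the parties it does name before it is routed: a hit on the beneficiary goes to the alert queue regardless, and only a hit-free message with a gap falls into manual review. The "missing" list tells the analyst which field needs chasing, which is what shortens the resolution time the quote above describes.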
Alert disposition: where the real regulatory risk sits
Generating screening alerts is the easy part. Disposing of them correctly, consistently, and with proper documentation is where regulatory risk concentrates. The guidance from all major regulators is clear: every alert must be reviewed, and the review must be documented with a rationale for the disposition decision.
In practice, this means your compliance team needs clear, documented procedures for each possible alert outcome: true match, false positive, partial match requiring further investigation, and inconclusive. Each category needs a defined escalation path and documentation standard.
The most common failure we see is inconsistency. Different analysts disposing of similar alerts in different ways, with different levels of documentation. This is not a training problem. It is a process design problem. If your alert disposition procedures are ambiguous, your analysts will interpret them differently.
Practical step: Take 50 recently disposed alerts and review them for consistency. Are similar alert types being handled the same way? Is the documentation standard consistent across analysts? If you find significant variation, your procedures need tightening.
Multi-list screening and the consolidation challenge
Most firms need to screen against multiple sanctions lists: the UK consolidated list, the EU consolidated list, OFAC's SDN and non-SDN lists, UN Security Council lists, and potentially additional national lists depending on where they operate. The guidance from each jurisdiction focuses on its own list, which is not helpful when you need a unified screening process.
The practical challenge is deduplication and consolidation. A designated person often appears on multiple lists with slightly different name spellings, different identifying information, and different designation reasons. Your screening system needs to handle this without generating duplicate alerts for the same underlying designation.
The better screening providers offer consolidated list management, but the quality varies significantly. We have seen providers whose "consolidated" list is really just a concatenation of individual lists, with no deduplication or cross-referencing. This leads to duplicate alerts, wasted analyst time, and a false sense of coverage.
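An added example of system-level deduplication (not Zenoo's code, and the list format is not any regulator's or vendor's): three constructed lists carrying the same fictional designation with different spellings and partial identifiers are merged on strong identifiers (passport number, or normalised name plus date of birth; name alone for entities), and the same customer is screened against the raw concatenation and against the consolidated records.

```python
"""Consolidating overlapping sanctions lists so one designation raises one alert.

Added example, not Zenoo's code and not any regulator's or vendor's list
format. The three source 'lists' are constructed, with fictional names and
identifiers, to mimic the same designated party appearing under different
spellings and with partial identifying data on different lists.
"""
from collections import defaultdict
import re


def norm(name):
    """Lower-case, drop punctuation, sort tokens: 'PETROV, Ivan' == 'Ivan Petrov'."""
    return " ".join(sorted(re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split()))


def identity_keys(entry):
    """Identifiers strong enough to assert 'same party' across lists: a passport
    number, or a normalised name plus date of birth. Entities, which have no
    date of birth here, fall back to the normalised name alone."""
    keys = set()
    if entry["passport"]:
        keys.add(("passport", entry["passport"]))
    for n in [entry["name"], *entry["aka"]]:
        if entry["dob"]:
            keys.add(("name+dob", norm(n), entry["dob"]))
        else:
            keys.add(("name", norm(n)))
    return keys


def consolidate(lists):
    """lists: {source: [entry, ...]}. Union-find over entries that share any
    identity key, returning merged records that keep every name variant and
    the sources that carry the designation."""
    entries = [(src, e) for src, es in lists.items() for e in es]
    parent = list(range(len(entries)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    seen = {}
    for i, (_, e) in enumerate(entries):
        for k in identity_keys(e):
            if k in seen:
                parent[find(i)] = find(seen[k])
            else:
                seen[k] = i

    groups = defaultdict(list)
    for i in range(len(entries)):
        groups[find(i)].append(i)

    records = []
    for idxs in groups.values():
        names, sources, dob, passport = set(), set(), None, None
        for i in idxs:
            src, e = entries[i]
            names.update([e["name"], *e["aka"]])
            sources.add(src)
            dob, passport = dob or e["dob"], passport or e["passport"]
        records.append({"names": sorted(names), "dob": dob,
                        "passport": passport, "sources": sorted(sources)})
    return records


def naive_alerts(customer, lists):
    """Concatenated lists, no deduplication: one alert per matching entry."""
    key = norm(customer)
    return sum(1 for es in lists.values() for e in es
               if key in {norm(n) for n in [e["name"], *e["aka"]]})


def consolidated_alerts(customer, records):
    """One alert per merged record whose name variants include the customer."""
    key = norm(customer)
    return [r for r in records if key in {norm(n) for n in r["names"]}]


# Constructed lists (fictional people, entities and identifiers).
LISTS = {
    "UK": [
        {"name": "Ivan Petrov", "aka": ["Petrov, Ivan"],
         "dob": "1970-03-04", "passport": "P1234567"},
        {"name": "Global Trading Co Ltd", "aka": [], "dob": None, "passport": None},
    ],
    "EU": [
        {"name": "PETROV, Ivan", "aka": ["Ivan PETROW"],
         "dob": "1970-03-04", "passport": None},
        {"name": "Anna Kowalski", "aka": [], "dob": "1985-11-30", "passport": None},
    ],
    "US": [
        {"name": "PETROV, Ivan", "aka": [], "dob": "1970-03-04", "passport": "P1234567"},
        {"name": "Global Trading Company Ltd", "aka": ["Global Trading Co Ltd"],
         "dob": None, "passport": None},
    ],
}

if __name__ == "__main__":
    records = consolidate(LISTS)
    print(f"{sum(len(v) for v in LISTS.values())} raw entries -> {len(records)} designations")
    for r in records:
        print(" ", r["sources"], r["names"])
    print("Ivan Petrov: naive alerts =", naive_alerts("Ivan Petrov", LISTS),
          "| consolidated =", len(consolidated_alerts("Ivan Petrov", records)))
```

On this data the concatenated lists raise three alerts for Ivan Petrov where there is one designation, and for Global Trading Company Ltd they find only the US entry even though the UK list carries the same entity under a shorter name; the consolidated records give one alert in each case with every contributing source attached. The merge keys are the risk decision to document: a passport key will not join two different people, a name-plus-date-of-birth key occasionally will, and a name-only key for entities is deliberately loose.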
What good looks like
Based on working with compliance teams across the UK and Europe, here is what effective sanctions screening operations have in common.
Documented calibration. They have tested their matching thresholds, documented the results, and can explain their chosen settings to a regulator with supporting data.
Real-time or near-real-time screening. They screen against list updates within hours, not days. They can demonstrate the lag between a list update and their screening run.
Consistent alert disposition. They have clear, unambiguous procedures for every alert category. They quality-check dispositions regularly. They can show that different analysts handle similar alerts the same way.
Integrated multi-list coverage. They screen against all relevant lists through a single, consolidated process. They handle deduplication at the system level, not the analyst level.
Documented risk-based decisions. Where the guidance is ambiguous (which is often), they have documented their interpretation, their rationale, and their compensating controls.




