Sanctions Screening for Vendors
Sanctions screening is the process of checking whether a vendor, its principals, or its parent entities appear on government-maintained sanctions lists — primarily OFAC (U.S. Treasury), EU Consolidated Sanctions, and UN Security Council lists. Engaging with a sanctioned entity can result in severe penalties including criminal prosecution, fines up to $20 million per violation, and reputational damage. Despite these consequences, many organizations omit sanctions screening from vendor due diligence, creating significant unmanaged legal and compliance risk.
Key sanctions lists for vendor screening
OFAC SDN List — The U.S. Treasury's Specially Designated Nationals list identifies individuals and entities owned or controlled by sanctioned countries, or acting on their behalf. U.S. persons (including organizations) are broadly prohibited from transactions with SDN-listed entities.
OFAC Sectoral Sanctions — Target specific sectors of sanctioned economies (e.g., Russian energy, financial services). More nuanced than SDN — specific transaction types are prohibited rather than all dealings.
EU Consolidated Sanctions List — The European Union's unified sanctions registry. Relevant for any organization with EU operations, EU customers, or EU data subjects.
UN Security Council Consolidated List — Maintained by the UN, these sanctions are implemented by member states. Covers terrorism financing, weapons proliferation, and specific country regimes.
Country-Specific Lists — UK (OFSI), Canada (OSFI), Australia (DFAT) each maintain their own sanctions programs that may apply depending on your jurisdictional exposure.
What sanctions screening reveals
Effective vendor sanctions screening goes beyond simple name matching. It should identify:
Direct matches — The vendor entity itself appears on a sanctions list. This is a critical finding requiring immediate action.
Ownership matches — The vendor's parent company, majority shareholders, or beneficial owners are sanctioned. Under the OFAC 50% Rule, an entity is considered sanctioned if one or more sanctioned persons own 50% or more of it, even if the entity itself is not listed.
Jurisdiction risk — The vendor is headquartered in or operates primarily within a comprehensively sanctioned country (currently: Cuba, Iran, North Korea, Syria, and the Crimea/Donetsk/Luhansk regions of Ukraine). Cross-border payment providers like Wise present elevated sanctions screening complexity due to multi-jurisdictional operations.
Near matches — Entities with similar names that require human review to confirm or dismiss. Fuzzy matching algorithms help identify these but create false positive management overhead.
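The ownership check under the OFAC 50% Rule, as an added example that is not ThirdProof's code. It goes beyond the direct case in the text by assuming that an entity blocked through ownership passes that status down to what it owns in turn; all names and stakes are constructed.

```python
from collections import defaultdict

def blocked_entities(listed, stakes):
    """Return every party treated as sanctioned under the 50% Rule.

    listed: names that appear on a sanctions list.
    stakes: (owner, owned_entity, percent) direct holdings.
    """
    holders = defaultdict(list)
    for owner, entity, pct in stakes:
        holders[entity].append((owner, pct))

    blocked = set(listed)
    changed = True
    while changed:  # repeat until no new entity crosses the threshold
        changed = False
        for entity, owners in holders.items():
            if entity in blocked:
                continue
            # Aggregate only the stakes held by already-blocked parties.
            total = sum(pct for owner, pct in owners if owner in blocked)
            if total >= 50:
                blocked.add(entity)
                changed = True
    return blocked

# Constructed sample data (hypothetical parties and percentages).
LISTED = {"Person A", "Person B"}
STAKES = [
    ("Person A", "Holding X", 30),   # 30 + 25 = 55% aggregate: blocked
    ("Person B", "Holding X", 25),
    ("Holding X", "Vendor Y", 50),   # owned 50% by a blocked entity (assumed cascade)
    ("Person A", "Vendor Z", 49),    # below the threshold: not blocked by ownership
    ("Clean Fund", "Vendor Z", 51),
]

def unlisted_but_blocked():
    """Entities a name-only check would miss."""
    return blocked_entities(LISTED, STAKES) - LISTED

if __name__ == "__main__":
    print(sorted(unlisted_but_blocked()))
```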
Implementing vendor sanctions screening
Pre-engagement screening — Screen every new vendor before contract execution. This should be a gate — no contract proceeds without cleared sanctions screening.
Periodic rescreening — Sanctions lists are updated frequently (OFAC updates multiple times per month). Rescreen existing vendors at least quarterly, or when lists are updated.
Automated matching — Manual screening does not scale. Use automated tools that compare vendor names, aliases, addresses, and registration details against all relevant sanctions lists with fuzzy matching.
Documentation — Maintain records of all sanctions screening results, including negative results ("screened, no match found"). This documentation is essential for demonstrating compliance to regulators and auditors.
Escalation procedures — Define clear procedures for potential matches: who reviews, who approves, and what documentation is required. Never ignore a potential match.
Real sanctions screening walkthrough: Wise
ThirdProof's investigation of Wise demonstrates why automated sanctions screening with entity disambiguation matters. Wise (formerly TransferWise) is a global payment platform operating across 50+ countries with money transmission licenses in multiple jurisdictions. This cross-border profile creates elevated sanctions screening complexity.
ThirdProof assigned Wise a Tier 3 — Moderate Risk rating at 86% confidence. The sanctions screening itself returned Clear — No matches found against OFAC, EU, and UN lists. However, the investigation revealed significant regulatory enforcement history that a sanctions-only check would miss: multiple AML-related fines from the CFPB, multi-state US regulators, European regulators, and Abu Dhabi authorities, plus a CFPB action related to inaccurate fee advertising.
The recommended actions reflect how a compliance team should handle this profile: obtain documentation of remediation actions taken in response to the CFPB consent order, review the public enforcement record at consumerfinance.gov, and conduct manual sanctions screening for the specific legal entities (TransferWise Ltd / Wise Payments Ltd, incorporated in the UK). This walkthrough illustrates that sanctions screening is necessary but not sufficient — it must be paired with adverse media analysis and regulatory enforcement checks to catch the full risk picture.
False positives and entity disambiguation
False positives are the most operationally expensive problem in sanctions screening. Fuzzy name matching algorithms intentionally cast a wide net — comparing vendor names against sanctions lists using phonetic similarity, alternate spellings, transliterations, and partial matches. This catches evasion attempts but generates noise.
Consider a vendor named "Wise Payments Limited." A fuzzy match against the OFAC SDN list might flag entries like "Nest Wise Petroleum L.L.C" or entities containing "Like Wise" — neither of which is the payment platform. Without entity disambiguation, each match requires manual investigation: checking registration jurisdictions, corporate officers, addresses, and business activities against the sanctioned entity's profile.
ThirdProof automates this disambiguation by cross-referencing multiple data points: the vendor's verified domain, GLEIF legal entity identifier, corporate jurisdiction, and business category against each potential match. When the automated check finds that a flagged entity operates in a different country, different industry, and has no overlapping officers with the investigated vendor, it classifies the match as disambiguated — not a true positive.
For compliance documentation, record both the initial match and the disambiguation rationale. Your auditor and OFAC examiner want to see that potential matches were investigated, not ignored. A documented disambiguation is stronger evidence of compliance than no matches at all — it proves your screening process works.
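A sketch of the match-then-disambiguate flow described above, added here as an example and not ThirdProof's implementation. The token-based matcher, the 0.85 threshold, the field names and every entity attribute are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

LEGAL_FORMS = {"limited", "ltd", "llc", "inc", "plc"}

def tokens(name):
    """Lower-case name tokens with punctuation and legal-form suffixes removed."""
    words = re.findall(r"[a-z0-9]+", name.lower().replace(".", ""))
    return [w for w in words if w not in LEGAL_FORMS]

def fuzzy_score(a, b):
    """Best token-to-token similarity: deliberately wide, so it over-matches."""
    return max((SequenceMatcher(None, x, y).ratio()
                for x in tokens(a) for y in tokens(b)), default=0.0)

def disambiguate(vendor, entry):
    """Compare identifying attributes; any overlap sends the hit to a reviewer."""
    overlap = []
    if vendor["jurisdiction"] == entry["jurisdiction"]:
        overlap.append("jurisdiction")
    if vendor["industry"] == entry["industry"]:
        overlap.append("industry")
    if set(vendor["officers"]) & set(entry["officers"]):
        overlap.append("officers")
    return ("escalate" if overlap else "disambiguated"), overlap

def screen(vendor, entries, threshold=0.85):
    """One audit record per fuzzy hit: the initial match plus its rationale."""
    records = []
    for entry in entries:
        score = fuzzy_score(vendor["name"], entry["name"])
        if score >= threshold:
            status, overlap = disambiguate(vendor, entry)
            records.append({"matched": entry["name"], "score": round(score, 2),
                            "status": status, "overlap": overlap})
    return records

# Constructed sample data: attributes are placeholders, not real list content.
VENDOR = {"name": "Wise Payments Limited", "jurisdiction": "GB",
          "industry": "payments", "officers": ["Officer A"]}
ENTRIES = [
    {"name": "Nest Wise Petroleum L.L.C", "jurisdiction": "XX", "industry": "petroleum", "officers": ["Officer 1"]},
    {"name": "Like Wise Trading", "jurisdiction": "YY", "industry": "trading", "officers": ["Officer 2"]},
    {"name": "Wyse Payment Services", "jurisdiction": "GB", "industry": "payments", "officers": ["Officer 3"]},
    {"name": "Orion Shipping Co", "jurisdiction": "ZZ", "industry": "shipping", "officers": ["Officer 4"]},
]

if __name__ == "__main__":
    for rec in screen(VENDOR, ENTRIES):
        print(rec)
```

Records with status "disambiguated" are kept rather than dropped, so the audit trail shows each hit alongside the reason it was dismissed.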
Multi-regime screening requirements
Vendors operating internationally must be screened against multiple sanctions regimes — not just OFAC. Each regime has independent authority and different list coverage.
OFAC (United States) — The SDN list and sectoral sanctions programs. Applies to all U.S. persons, U.S.-incorporated entities, and any transaction touching the U.S. financial system (which includes most dollar-denominated transactions). Updated multiple times per month.
EU Consolidated Sanctions — Maintained by the European Commission. Applies to all EU persons, entities incorporated in the EU, and transactions conducted within EU territory. Particularly relevant for vendors with European operations or EU customers.
UK OFSI (Office of Financial Sanctions Implementation) — Separate from EU sanctions post-Brexit. UK maintains its own financial sanctions list. Relevant for any vendor operating in or through the UK — including Wise, which is incorporated in the UK.
UN Security Council Consolidated List — Binding on all UN member states. Covers terrorism financing, weapons proliferation, and country-specific regimes. While most UN sanctions are also implemented by OFAC and the EU, some designations differ.
For vendors like Wise that operate across 50+ countries, screening against a single list is insufficient. A vendor could be clear on OFAC's SDN list but flagged under EU or UK sanctions — or vice versa. ThirdProof's investigation checks the OpenSanctions database, which aggregates 40+ international sanctions and PEP lists into a single cross-reference, providing multi-regime coverage in a single query.