Sanctions Screening for Customer Onboarding: How to Screen Before You Onboard
Every customer relationship begins with a critical compliance checkpoint and getting it wrong can mean violations from the very first day. Customer Due Diligence (CDD) regulations are clear: Sanctions screening must take place before a business relationship is formally established. Whether it's OFAC's expectation of screening at account opening or the EU's Anti-Money Laundering Directives (AMLD) requiring checks before or during the establishment of a business relationship, the regulatory message is consistent which obliges that onboarding without screening is not an option.
-
Why Onboarding Is the First Line of Defense
Neglecting the screening processes before starting a business relationship dramatically increases the chances of onboarding a designated person or entity, which directly creates a compliance breach.
Furthermore, this is also a regulatory mandate from several regulators. For example, the EU AML framework and OFAC guidelines expect firms to apply Customer Due Diligence (CDD) measures when establishing a business relationship, which include relevant screening procedures.
-
What to Screen at Onboarding: Data Points and Fields
For individual customers:
- Full legal name: Names are used as the primary search key across sanctions lists. However, more often than not, many people share the same name and in order to minimize errors, a business must separate fields for each name, include the native-script version, and discourage the use of initials unless supported by documentation.
- Aliases: There are many instances where designated persons appear under multiple transliterations, which makes it crucial for businesses to implement a dedicated field for other names, include maiden names, former legal names, and allow multiple entries.
- Date of birth: Date of birth is one of the most important differentiators when it comes to identifying a sanctioned individual or entity. It is recommended for businesses to use a standardized format, prevent impossible dates, and not allow text entries.
- Nationality: Nationality is another key element for eliminating false positives and identifying higher-risk profiles. To capture it properly, businesses can implement solutions such as ISO-standard country lists and allow multiple citizenships.
- ID document data: Passports or national IDs can confirm or dismiss a match. However, details such as document type, number, issuing country, expiry date, and image upload for verification must not be neglected.
- Country of residence: Geographic risk is another crucial factor to watch for and country of residence information is particularly valuable in this regard. Organizations can implement structured address fields, avoid single-line free text, and allow the country to be captured separately from the city.
For entities:
Legal name: Similarly to individual customer processes, names are also used as the primary search key across sanctions lists for entities as well. To capture it properly, businesses use the exact registered form, match registry spelling, and avoid abbreviations unless they are official.
Registration/incorporation country: Just like individuals, geographic context is very useful in differentiating between entities with similar names. It is possible to capture it by setting up a dropdown and linking to the registry where possible.
Ultimate Beneficial Owners (UBOs): Identifying UBOs is a key requirement imposed by several regulators and an entity may become subject to restrictions if a sanctioned person owns or controls it. This depends on the ownership percentage and nature of control.
Directors and authorized signatories: Similarly to UBOs, directors and authorized signatories can also get listed. These can be captured through structured person records, role definitions, and triggered screenings.
-
When to Screen: At Which Step in the Onboarding Flow
Timing of screening depends on multiple factors such as regulatory expectations, operational design, and risk appetite. For example, it may take place after collecting sufficient data but before granting account access or processing the first transaction. However, a simple initial screening can detect obvious matches before investing time and resources in full KYC (Know Your Customer) as well.
Some other notable options are:
- Screening after form submission (pre-review)
- Screening after ID verification
- Screening before final approval
- Screening after approval but before first transaction
-
Handling Screening Results: Clear, Potential Match, and Block
When handling screening results, there are three possible outcomes: No match, potential match, or confirmed match. Indicators and actions for each of these scenarios can be found in the table below:
|
Result Category |
What It Means |
Typical Indicators |
Operational Action |
Can the customer transact? |
|---|---|---|---|---|
|
Clear / No Match |
No meaningful similarity present to a listed individual or entity. |
Low similarity score and mismatching identifiers such as date of birth and nationality. |
Approve and continue process. |
Yes. |
|
Potential Match |
There are some identifiers that overlap and cannot be ruled out. |
Similar name, partial date of birth match, same country, alias similarity, etc. |
Escalate for analyst and conduct Enhanced Due Diligence (EDD) if needed. |
Not until resolved. |
|
True Hit/Confirmed Match |
Determined to be the listed party or controlled by one. |
Strong identifier alignment, documentary or intelligence confirmation. |
Block onboarding, freeze if applicable, and file as required. |
No. |
-
Screening Beneficial Owners and Related Parties
Sanctions risk goes beyond the legal entity, as can be seen in the international AML/CFT standards such as the Financial Action Task Force (FATF) Recommendations. Therefore, it is essential to identify ultimate beneficial owners and related parties before onboarding. The threshold to be considered a UBO is 25% or more in most jurisdictions. However, some countries use lower percentages and different control tests.
For individual customers, it is recommended to screen against Relatives and Close Associates (RCAs) databases. Appearance in one of these lists, such as the Politically Exposed Person (PEP) lists, does not necessarily mean that they are sanctioned. However, such connections are still factors that may increase risk, require stricter monitoring intensity, or trigger enhanced review.
With Sanction Scanner, the screening of multiple layers of customer and entity data is automated within a single workflow. Its database covers more than 3,000 sanctions, PEP, wanted and watch lists from more than 200 countries. In addition to these, Sanction Scanner consolidates all matches into unified case files, which makes it easier for compliance teams to evaluate risks.
-
Ongoing Obligations After Onboarding
It goes without saying that AML and CTF compliance is not a one-time process and this includes sanctions checks. There are multiple reasons for this: constantly evolving political situations, changing ownership structures, and more. The FATF standards require jurisdictions to ensure that institutions maintain ongoing due diligence and keep customer information up-to-date for the duration of the relationship.
For example, when an authority publishes a new update, businesses must screen their customer base in batches. Even when there isn’t any new sanctions entry, a customer may become a PEP or ownership may change. Last but not least, it should be kept in mind that modern programs configure automatic checks depending on specific triggers such as periodic reviews, edits to customer data, or geographic exposure changes.
(Connect back to 'Real-Time vs Batch' article and 'Ongoing Monitoring' content.)
-
Common Onboarding Screening Mistakes
- Failing to screen beneficial owners, controllers, directors, and signatories.
- Not conducting any screening activity after the business relationship starts
- Not documenting results that include date and time information, database version, and identity of who validated the outcome
- Allowing a customer or an entity to have any type of access before complete validation
- Only screening customers against sanctions lists while omitting PEP lists and adverse media databases
