Sanctions screening is the single highest-stakes control inside a regulated CASP's AML programme. The downside of a missed sanctions hit is not a fine — it is loss of correspondent banking, criminal liability for senior managers under several national laws, and (in the US extraterritorial case) blocking from USD-cleared payments globally. Office of Foreign Assets Control enforcement against non-US firms has accelerated since 2022 and the OFAC SDN list now contains specific crypto wallet addresses, putting screening obligations directly into the blockchain-analytics layer. [1]
Every CASP must screen against four overlapping but non-identical lists: the OFAC Specially Designated Nationals list, the EU Consolidated List of restrictive measures, the United Nations Security Council Consolidated List, and (for any CASP serving UK customers) the UK OFSI list. The lists overlap on major designations but diverge materially at the margins — particularly on Russia-related restrictive measures, Iran sanctions, and crypto-specific wallet listings. EU-only screening fails US correspondent diligence; OFAC-only screening fails EBA Guidelines. [2][3][4]
This guide explains how to architect sanctions screening across the wallet level (Chainalysis, Elliptic, TRM Labs) and the identity level (ComplyAdvantage, Refinitiv World-Check, LexisNexis Bridger, Dow Jones Risk), how the four lists interact, what the supervisor expects to see at authorisation and at inspection, the pricing benchmarks for the typical stack, and the common failure modes that turn a sanctions hit into a regulatory event.
The Four Sanctions Lists Every CASP Must Screen
EEA-licensed CASPs face a four-list screening obligation that has hardened materially since 2022. The lists overlap heavily on the largest designations (Russia post-invasion, Iran's IRGC, North Korea's Lazarus Group, terrorist financing entities) but each has unique designations that must be screened independently.
The four sanctions regimes a CASP must screen against (2026).
| List | Issuer | Scope | CASP applicability |
|---|---|---|---|
| OFAC SDN | US Treasury Office of Foreign Assets Control | US sanctions; ~10,000+ entities, ~700+ crypto wallet addresses | Mandatory if any US-cleared payment, US correspondent banking exposure, or US-resident customers |
| EU Consolidated List | EU Council under Common Foreign and Security Policy | EU restrictive measures; thousands of designated entities; updated weekly | Mandatory for every EEA-authorised CASP under EBA Guidelines |
| UN Consolidated List | UN Security Council under Chapter VII | Binding on all UN member states; ~700 entries; counter-terrorism + non-proliferation | Mandatory for every CASP regardless of jurisdiction |
| UK OFSI | HM Treasury Office of Financial Sanctions Implementation | UK sanctions; ~7,000+ entities post-Brexit; partly aligned to EU | Mandatory for any CASP with UK-resident customers or UK correspondent banking |
Two Screening Levels — Wallet and Identity
Sanctions screening at a regulated CASP operates at two distinct technical layers: wallet-level (blockchain addresses) and identity-level (natural persons, companies, vessels). Each requires different vendors, different update cadences, and different interpretation logic.
Wallet-level vs identity-level sanctions screening — what each layer covers.
| Layer | Screens against | Vendor category | Update cadence |
|---|---|---|---|
| Wallet-level | Blockchain addresses on OFAC SDN, EU CFSP listings, sanctioned exchanges | Blockchain analytics — Chainalysis, Elliptic, TRM Labs | Real-time on every transaction; vendor lists updated within hours |
| Identity-level (natural persons) | Customer name + DOB + nationality + ID against the four lists | World-Check / ComplyAdvantage / LexisNexis Bridger / Dow Jones Risk | Onboarding + ongoing (typically daily refresh) |
| Identity-level (entities) | Corporate customer name + UBO + jurisdiction + registration | Same identity vendors; usually broader matching logic | Onboarding + ongoing |
| Indirect exposure | Counterparty wallets in transactions; their attribution chain | Blockchain analytics with hop-tracing (Chainalysis Reactor, TRM Investigations) | Real-time + ongoing investigations |
The Sanctions Screening Architecture
A complete sanctions screening architecture for a CASP combines five layers, each with its own controls and vendor relationships. Missing any one layer creates a documented gap that supervisors flag at first inspection.
Onboarding identity screen. Every new natural-person and corporate customer screened against OFAC + EU + UN + OFSI at the moment of onboarding. PEP screening overlaid with the same vendor.
Ongoing identity screen. Every customer re-screened daily (or at least weekly) against updated lists. Match alerts routed to the AML team for rapid triage.
Wallet screening on inbound deposits. Every inbound crypto deposit address screened against the wallet-level lists via Chainalysis / Elliptic / TRM Labs. Direct sanctions hits trigger automatic freeze plus FIU report.
Wallet screening on outbound withdrawals. Same screening on withdrawal destination addresses pre-send. Outbound to sanctioned address: blocked, escalated, MLRO-reviewed.
Indirect exposure / hop tracing. Periodic forensic reviews of customer counterparty chains to identify exposure within 1–3 hops of sanctioned addresses. Risk-based decisions on continued service.
Identity-Level Sanctions & PEP Vendors
Wallet-level vendors are covered separately (Chainalysis vs Elliptic vs TRM Labs). The identity-level market is dominated by four vendors, with structurally different posture, list coverage, and pricing.
Identity-level sanctions and PEP screening vendors — the four most-deployed at regulated EEA CASPs (2026).
| Vendor | Strengths | Annual cost (mid-sized CASP) | Best for |
|---|---|---|---|
| ComplyAdvantage | Modern API; near-real-time list updates; adverse media bundled; strong fintech UX | €30,000–€80,000 | Mid-sized CASPs prioritising integration speed |
| Refinitiv World-Check | Industry-deepest historical PEP database; long-established; strong banking relationship | €50,000–€120,000 | Larger CASPs needing depth on PEP and complex corporate UBO chains |
| LexisNexis Bridger | Strong identity matching; deep adverse-media; bundled with KYC tools | €40,000–€100,000 | CASPs running a Lexis-stack KYC programme |
| Dow Jones Risk & Compliance | Strong on entity sanctions and country-risk data; historical depth | €40,000–€95,000 | Institutional CASPs and OTC desks needing entity research |
Most large CASPs run identity-level screening through one primary vendor (ComplyAdvantage or Refinitiv World-Check) and supplement it with a free secondary watchlist feed (UN consolidated, EU CFSP) consumed via direct API. The single-vendor architecture is enough for a compliance baseline; the secondary feed is the audit-trail backstop when a vendor list is briefly out of date.
Pricing the Full Sanctions Stack
A complete sanctions screening stack — wallet-level analytics + identity-level vendor + ongoing monitoring infrastructure — runs €100,000–€280,000 per year for a mid-sized CASP. The breakdown:
Annual cost breakdown for a complete sanctions screening stack — mid-sized CASP (€100M–€500M annual volume).
| Layer | Vendor | Annual cost | Notes |
|---|---|---|---|
| Wallet-level analytics + screening | Chainalysis / Elliptic / TRM Labs | €60,000–€150,000 | Bundled with broader blockchain analytics; not separable |
| Identity-level sanctions + PEP | ComplyAdvantage or Refinitiv World-Check | €30,000–€100,000 | Includes adverse media in most contracts |
| Ongoing screening engine | Often bundled or in-house | €10,000–€30,000 | Daily refresh, alert routing, case management |
| AML analyst FTE allocation | Internal | €60,000–€100,000 | 0.5–0.75 FTE on alert triage |
| Total stack | — | €160,000–€380,000 | 0.05–0.5% of annual revenue depending on scale |
Common Sanctions Screening Failures
EU-only screening, OFAC ignored. Most common failure in EEA CASPs. Detected on first US correspondent diligence and is a fatal AML programme weakness.
Onboarding screening only, no ongoing. Lists update daily; a customer onboarded clean three months ago may now be a designated PEP.
Wallet screening on deposits only, not withdrawals. Outbound withdrawals are when sanctioned-counterparty exposure crystallises into outright sanctions violation.
Fuzzy matching too strict. Sanctioned individuals frequently use minor name variants (transliteration, middle-name omission). Strict exact-match screening misses 20–40% of true positives.
No documented disposition for true positives. Discovery of a sanctioned wallet hit must trigger freeze, FIU report, internal escalation — a documented playbook, not improvisation.
Indirect-exposure tracing absent. A customer transacting with a counterparty 1 hop from Tornado Cash is a sanctions-risk signal even if the customer's direct wallet is clean.
No annual independent audit of screening rules. EBA Guidelines require independent review; its absence is a clear-cut inspection finding.
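The "fuzzy matching too strict" failure above, as an added example (not code from this guide or from any vendor): an exact-match screen beside a normalised token-similarity screen. The watchlist names are fictional and constructed, and the 0.85 threshold and the scoring function are assumptions chosen for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist entries (fictional names, not taken from any real list).
WATCHLIST = ["Aleksandr Ivanovich Petrenko", "Mohammed Al-Rashidi Trading LLC"]

def normalize(name):
    """Lower-case, strip diacritics and punctuation, return a list of tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.lower())
    return cleaned.split()

def token_score(a, b):
    """Best-pair token similarity, averaged over the shorter name's tokens.

    Averaging over the shorter name tolerates an omitted middle name;
    per-token SequenceMatcher ratios tolerate transliteration variants.
    """
    ta, tb = normalize(a), normalize(b)
    if not ta or not tb:
        return 0.0
    short, long_ = (ta, tb) if len(ta) <= len(tb) else (tb, ta)
    best = [max(SequenceMatcher(None, s, t).ratio() for t in long_) for s in short]
    return sum(best) / len(best)

def exact_screen(customer):
    """Strict string equality: the screen the failure mode describes."""
    return [w for w in WATCHLIST if w == customer]

def fuzzy_screen(customer, threshold=0.85):
    """Return (entry, score) alerts for analyst review, highest score first."""
    scored = [(w, round(token_score(customer, w), 2)) for w in WATCHLIST]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

if __name__ == "__main__":
    for name in ["Alexander Petrenko", "Mohamed Al Rashidi Trading", "Maria Gonzalez"]:
        print(name, "| exact:", exact_screen(name), "| fuzzy:", fuzzy_screen(name))
```

Every fuzzy alert is a candidate for analyst disposition against corroborating identity data, not an automatic true positive; lowering the threshold trades missed hits for more false positives to document.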
OFAC Extraterritoriality — Why Non-US Firms Care
OFAC enforces sanctions extraterritorially through three mechanisms. Each one alone has stopped non-US fintechs from operating; together they make OFAC compliance functionally non-optional for any CASP with USD exposure.
Secondary sanctions. A non-US firm transacting with primary-sanctioned counterparties can be itself listed, blocking it from USD-cleared payments globally.
Correspondent-banking pressure. US correspondent banks of EEA institutions require the EEA bank to enforce OFAC compliance on its own customers — a non-US CASP that fails OFAC screening loses its EU bank's USD line.
Civil monetary penalties. OFAC has imposed multi-million-dollar penalties on non-US firms for crypto sanctions violations involving sanctioned addresses (BitGo, BitPay, Bittrex, Kraken settlements 2022–2024).
Frequently Asked Questions
Do I need to screen against OFAC if I am EEA-only?
Yes, if you have any USD exposure, US correspondent banking, US-resident customers, or US-cleared payments — which describes almost every operationally serious CASP. EEA NCAs do not formally require OFAC screening, but US correspondent banks do, and your Travel Rule counterparty network includes US-licensed CASPs that screen incoming transfers against OFAC. Practical answer: yes, screen against OFAC.
Which list updates fastest?
OFAC SDN typically updates within hours of designation announcements. EU Consolidated List updates within 24–48 hours of EU Council decisions. UN Consolidated List updates within 48–96 hours of Security Council resolutions. UK OFSI updates within 24–72 hours. Vendor consumption layers (ComplyAdvantage, Refinitiv) propagate updates within 1–6 hours of source publication for premium tiers.
How do I handle a false-positive sanctions hit?
Document the disposition. Standard practice: AML analyst reviews the alert with corroborating identity data (full DOB, ID number, country of residence), determines true vs false positive, dispositions the alert with a written rationale, and escalates true positives to the MLRO. Supervisors examine false-positive disposition documentation as carefully as true-positive handling — sloppy false-positive workflow is itself an AML programme weakness.
Can I freeze a customer account on a suspected sanctions hit?
Yes, generally — and you must on a confirmed hit. EU restrictive measures and OFAC blocking regulations require immediate freezing of assets belonging to designated persons. The freeze is mandatory, not discretionary. Communication with the customer is restricted by tipping-off rules under 6AMLD national transpositions; standard practice is to freeze, file the FIU report, and consult counsel before any communication beyond a generic 'review in progress' message.
What about indirect exposure to Tornado Cash or sanctioned mixers?
Direct exposure (a wallet that has interacted with Tornado Cash addresses) is a clear high-risk hit and most CASPs decline service. Indirect exposure (a counterparty 1–3 hops from a mixer) requires risk-based decisions. The Tornado Cash designation in 2022 set the benchmark: most regulated CASPs treat 1-hop exposure as automatic EDD, 2-hop as risk-based EDD, 3-hop as monitored. Document the policy.
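The hop policy above as an added example (not code from this guide or from any analytics vendor): a breadth-first search over a constructed transfer graph that maps each address to a policy tier. The address labels are placeholders; treating the graph as undirected, and reading "1-hop" as a counterparty that touched the sanctioned address directly (so the customer wallet sits at graph distance 2), are assumptions.

```python
from collections import deque

# Constructed data: address labels and transfers are illustrative placeholders.
SANCTIONED = {"addr_mixer"}
TRANSFERS = [("addr_mixer", "addr_a"), ("addr_a", "addr_b"), ("addr_b", "addr_c"),
             ("addr_c", "addr_d"), ("addr_d", "addr_e"), ("addr_x", "addr_y")]

# Keyed by graph distance from the nearest sanctioned address. Assumption: a
# "1-hop" exposure means the customer's counterparty touched the sanctioned
# address directly, so the customer wallet itself sits at distance 2.
TIERS = {0: "sanctioned_address_freeze_and_report",
         1: "direct_exposure_decline",
         2: "1_hop_automatic_edd",
         3: "2_hop_risk_based_edd",
         4: "3_hop_monitored"}

def build_graph(transfers):
    """Undirected adjacency: exposure counts for inbound and outbound flows."""
    graph = {}
    for sender, receiver in transfers:
        graph.setdefault(sender, set()).add(receiver)
        graph.setdefault(receiver, set()).add(sender)
    return graph

def distances_from_sanctioned(graph, sanctioned, max_depth=4):
    """Multi-source BFS; returns {address: shortest distance} up to max_depth."""
    dist = {a: 0 for a in sanctioned}
    queue = deque(sanctioned)
    while queue:
        node = queue.popleft()
        if dist[node] == max_depth:
            continue  # do not trace past the deepest tier in the policy
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def classify(address, transfers=TRANSFERS, sanctioned=SANCTIONED):
    """Return the policy tier for an address, or a marker if beyond tracing."""
    dist = distances_from_sanctioned(build_graph(transfers), sanctioned)
    return TIERS.get(dist.get(address), "outside_traced_range")

if __name__ == "__main__":
    for addr in ["addr_mixer", "addr_a", "addr_b", "addr_c", "addr_d", "addr_e", "addr_x"]:
        print(addr, "->", classify(addr))
```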
AMLR codifies harmonised sanctions screening obligations across the EU including specific timelines for re-screening, EDD triggers, and FIU reporting. AMLA's direct supervision of significant CASPs from 2028 will likely set common methodology standards across vendors. Practical impact: identity-level screening cadence will tighten (likely toward daily refresh as the standard rather than weekly), and wallet-level screening will move from optional to mandatory at the regulation level rather than the EBA Guideline level.
Sanctions screening is the AML control with the highest asymmetric downside in a regulated CASP — modest cost to do well, catastrophic cost to do badly. The architecture is now well-understood: layered screening across wallet-level and identity-level, four lists screened in parallel, ongoing monitoring with documented disposition workflow, and an annual independent audit. Implement the full stack before launch, document every layer in the AML programme, and run table-top exercises annually on suspected-hit handling. The cost is modest. The cost of a missed sanctions hit is the business.
Footnotes & Citations