---
title: "Sanctions Screening for Crypto: OFAC, EU, UN — Architecture & Vendors (2026)"
slug: sanctions-screening-crypto-ofac-eu-un
publishedAt: 2026-05-05T09:00:00Z
author: Finconduit Editorial Team
tags: MiCA, OFAC, AMLR
canonicalUrl: https://finconduit.com/resources/sanctions-screening-crypto-ofac-eu-un
---
# Sanctions Screening for Crypto: OFAC, EU, UN — Architecture & Vendors (2026)

Sanctions screening architecture for CASPs — the four lists, wallet-level vs identity-level vendors, OFAC extraterritoriality, full-stack pricing, and the failure modes that cause regulatory events.

Sanctions screening is the single **highest**\-stakes control inside a regulated **CASP**'s **AML programme**. The downside of a missed **sanctions hit** is not a fine — it is loss of correspondent banking, criminal liability for senior managers under several national laws, and \(in the US **extraterritorial** case\) blocking from USD\-cleared payments globally. [Office of Foreign Assets Control](https://ofac.treasury.gov/) enforcement against non\-US firms has accelerated since 2022 and the **OFAC SDN list** now contains specific crypto wallet addresses, putting screening obligations directly into the blockchain\-analytics layer.¹[^1]

Every **CASP** must screen against four overlapping but non\-identical lists: the **OFAC** Specially Designated Nationals list, the [EU Consolidated List](https://www.sanctionsmap.eu/) of restrictive measures, the [United Nations Security Council](https://www.un.org/securitycouncil/sanctions/un-sc-consolidated-list) Consolidated List, and \(for any **CASP** serving **UK** customers\) the **UK OFSI** list. The lists overlap on major designations but diverge materially at the margins — particularly on **Russia**\-related restrictive measures, **Iran** sanctions, and crypto\-specific wallet listings. **EU**\-only screening fails US correspondent diligence; **OFAC**\-only screening fails [EBA Guidelines](https://www.eba.europa.eu/).²[^2]³[^3]⁵[^4]

This guide explains how to architect **sanctions screening** across the wallet level \(**Chainalysis**, **Elliptic**, **TRM Labs**\) and the identity level \(**ComplyAdvantage**, **Refinitiv World\-Check**, **LexisNexis Bridger**, **Dow Jones Risk**\), how the four lists interact, what the supervisor expects to see at authorisation and at inspection, the pricing benchmarks for the typical stack, and the common failure modes that turn a **sanctions hit** into a regulatory event.

## The Four Sanctions Lists Every **CASP** Must Screen

EEA\-licensed **CASP**s face a four\-list screening obligation that has hardened materially since 2022. The lists overlap heavily on the largest designations \(**Russia** post\-invasion, **Iran**'s IRGC, **North Korea**'s **Lazarus Group**, terrorist financing entities\) but each has unique designations that must be screened independently.


*Table: The four sanctions regimes a CASP must screen against \(2026\).*

| List | Issuer | Scope | CASP applicability |
| --- | --- | --- | --- |
| OFAC SDN | US Treasury Office of Foreign Assets Control | US sanctions; \~10,000\+ entities, \~700\+ crypto wallet addresses | Mandatory if any US\-cleared payment, US correspondent banking exposure, or US\-resident customers |
| EU Consolidated List | EU Council under Common Foreign and Security Policy | EU restrictive measures; thousands of designated entities; updated weekly | Mandatory for every EEA\-authorised CASP under EBA Guidelines |
| UN Consolidated List | UN Security Council under Chapter VII | Binding on all UN member states; \~700 entries; counter\-terrorism \+ non\-proliferation | Mandatory for every CASP regardless of jurisdiction |
| UK OFSI | HM Treasury Office of Financial Sanctions Implementation | UK sanctions; \~7,000\+ entities post\-Brexit; partly aligned to EU | Mandatory for any CASP with UK\-resident customers or UK correspondent banking |

> **Warning:** Treating EU \+ UN as the screening universe and ignoring OFAC is the single most common compliance failure in EEA\-licensed CASPs. OFAC enforces secondary sanctions extraterritorially: a non\-US CASP that processes a transaction touching an OFAC\-listed counterparty can lose USD correspondent banking even with no formal US presence. Real\-time OFAC screening is the table\-stakes baseline, not an optional layer.

## Two Screening Levels — Wallet and Identity

Sanctions screening at a regulated **CASP** operates at two distinct technical layers: wallet\-level \(blockchain addresses\) and identity\-level \(natural persons, companies, vessels\). Each requires different vendors, different update cadences, and different interpretation logic.


*Table: Wallet\-level vs identity\-level sanctions screening — what each layer covers.*

| Layer | Screens against | Vendor category | Update cadence |
| --- | --- | --- | --- |
| Wallet\-level | Blockchain addresses on OFAC SDN, EU CFSP listings, sanctioned exchanges | Blockchain analytics — Chainalysis, Elliptic, TRM Labs | Real\-time on every transaction; vendor lists updated within hours |
| Identity\-level \(natural persons\) | Customer name \+ DOB \+ nationality \+ ID against the four lists | World\-check / ComplyAdvantage / LexisNexis Bridger / Dow Jones Risk | Onboarding \+ ongoing \(typically daily refresh\) |
| Identity\-level \(entities\) | Corporate customer name \+ UBO \+ jurisdiction \+ registration | Same identity vendors; usually broader matching logic | Onboarding \+ ongoing |
| Indirect exposure | Counterparty wallets in transactions; their attribution chain | Blockchain analytics with hop\-tracing \(Chainalysis Reactor, TRM Investigations\) | Real\-time \+ ongoing investigations |

## The Sanctions Screening Architecture

A complete **sanctions screening** architecture for a **CASP** combines five layers, each with its own controls and vendor relationships. Missing any one layer creates a documented gap that supervisors flag at first inspection.

- Onboarding identity screen. Every new natural\-person and corporate customer screened against **OFAC** \+ **EU** \+ UN \+ **OFSI** at the moment of onboarding. **PEP** screening overlaid with the same vendor.

- Ongoing identity screen. Every customer re\-screened daily \(or at least weekly\) against updated lists. Match alerts routed to the **AML** team for rapid triage.

- Wallet screening on inbound deposits. Every inbound crypto deposit address screened against the wallet\-level lists via **Chainalysis** / **Elliptic** / **TRM Labs**. Direct **sanctions hit**s trigger automatic freeze plus **FIU** report.

- Wallet screening on outbound withdrawals. Same screening on withdrawal destination addresses pre\-send. Outbound to sanctioned address: blocked, escalated, **MLRO**\-reviewed.

- Indirect exposure / hop tracing. Periodic forensic reviews of customer counterparty chains to identify exposure within 1–3 hops of sanctioned addresses. Risk\-based decisions on continued service.

## Identity\-Level Sanctions & **PEP** Vendors

Wallet\-level vendors are covered separately \(**Chainalysis** vs **Elliptic** vs **TRM Labs**\). The identity\-level market is dominated by four vendors, with structurally different posture, list coverage, and pricing.


*Table: Identity\-level sanctions and PEP screening vendors — the four most\-deployed at regulated EEA CASPs \(2026\).*

| Vendor | Strengths | Annual cost \(mid\-sized CASP\) | Best for |
| --- | --- | --- | --- |
| ComplyAdvantage | Modern API; near\-real\-time list updates; adverse media bundled; strong fintech UX | €30,000–€80,000 | Mid\-sized CASPs prioritising integration speed |
| Refinitiv World\-Check | Industry\-deepest historical PEP database; long\-established; strong banking relationship | €50,000–€120,000 | Larger CASPs needing depth on PEP and complex corporate UBO chains |
| LexisNexis Bridger | Strong identity matching; deep adverse\-media; bundled with KYC tools | €40,000–€100,000 | CASPs running a Lexis\-stack KYC programme |
| Dow Jones Risk & Compliance | Strong on entity sanctions and country\-risk data; historical depth | €40,000–€95,000 | Institutional CASPs and OTC desks needing entity research |

> **Note:** Most large CASPs run identity\-level screening through one primary vendor \(ComplyAdvantage or Refinitiv World\-Check\) and supplement with a free secondary watchlist feed \(UN consolidated, EU CFSP\) consumed via direct API. The single\-vendor architecture is enough for compliance baseline; the secondary feed is the audit\-trail backstop when a vendor list is briefly out of date.

## Pricing the Full Sanctions Stack

A complete **sanctions screening** stack — wallet\-level analytics \+ identity\-level vendor \+ ongoing monitoring infrastructure — runs €100,000–€280,000 per year for a mid\-sized **CASP**. The breakdown:


*Table: Annual cost breakdown for a complete sanctions screening stack — mid\-sized CASP \(€100M–€500M annual volume\).*

| Layer | Vendor | Annual cost | Notes |
| --- | --- | --- | --- |
| Wallet\-level analytics \+ screening | Chainalysis / Elliptic / TRM Labs | €60,000–€150,000 | Bundled with broader blockchain analytics; not separable |
| Identity\-level sanctions \+ PEP | ComplyAdvantage or Refinitiv World\-Check | €30,000–€100,000 | Includes adverse media in most contracts |
| Ongoing screening engine | Often bundled or in\-house | €10,000–€30,000 | Daily refresh, alert routing, case management |
| AML analyst FTE allocation | Internal | €60,000–€100,000 | 0.5–0.75 FTE on alert triage |
| Total stack | — | €160,000–€380,000 | 0.05–0.5% of annual revenue depending on scale |

## Common Sanctions Screening Failures

- **EU**\-only screening, **OFAC** ignored. Most common failure in EEA **CASP**s. Detected on first US correspondent diligence and is a fatal **AML programme** weakness.

- Onboarding screening only, no ongoing. List updates daily; a customer onboarded clean three months ago may now be a designated **PEP**.

- Wallet screening on deposits only, not withdrawals. Outbound withdrawals are when sanctioned\-counterparty exposure crystallises into outright sanctions violation.

- Fuzzy matching too strict. Sanctioned individuals frequently use minor name variants \(transliteration, middle\-name omission\). Strict exact\-match screening misses 20–40% of true positives.

- No documented disposition for true positives. Discovery of a sanctioned wallet hit must trigger freeze, **FIU** report, internal escalation — a documented playbook, not improvisation.

- Indirect\-exposure tracing absent. A customer transacting with a counterparty 1 hop from **Tornado Cash** is a sanctions\-risk signal even if the customer's direct wallet is clean.

- No annual independent audit of screening rules. **EBA Guidelines** require independent review; absence is a clean inspection finding.

## **OFAC** Extraterritoriality — Why Non\-US Firms Care

**OFAC** enforces sanctions **extraterritorial**ly through three mechanisms. Each one alone has stopped non\-US fintechs from operating; together they make **OFAC** **compliance** functionally non\-optional for any **CASP** with USD exposure.

- Secondary sanctions. A non\-US firm transacting with primary\-sanctioned counterparties can be itself listed, blocking it from USD\-cleared payments globally.

- Correspondent\-banking pressure. US correspondent banks of EEA institutions require the EEA bank to enforce **OFAC** **compliance** on its own customers — a non\-US **CASP** that fails **OFAC** screening loses its **EU** bank's USD line.

- Civil monetary penalties. **OFAC** has imposed multi\-million\-dollar penalties on non\-US firms for crypto sanctions violations involving sanctioned addresses \(BitGo, BitPay, Bittrex, Kraken settlements 2022–2024\).

## Frequently Asked Questions

### Do I need to screen against **OFAC** if I am EEA\-only?

Yes if you have any USD exposure, US correspondent banking, US\-resident customers, or US\-cleared payments — which describes almost every operationally serious **CASP**. EEA NCAs do not formally require **OFAC** screening, but US correspondent banks do, and your **Travel Rule** counterparty network includes US\-licensed **CASP**s that screen incoming transfers against **OFAC**. Practical answer: yes, screen against **OFAC**.

### Which list updates **fastest**?

**OFAC SDN** typically updates within hours of designation announcements. **EU** Consolidated List updates within 24–48 hours of **EU** Council decisions. UN Consolidated List updates within 48–96 hours of Security Council resolutions. **UK OFSI** updates within 24–72 hours. Vendor consumption layers \(**ComplyAdvantage**, Refinitiv\) propagate updates within 1–6 hours of source publication for premium tiers.

### How do I handle a false\-positive **sanctions hit**?

Document the disposition. Standard practice: **AML** analyst reviews the alert with corroborating identity data \(full DOB, ID number, country of residence\), determines true vs **false positive**, dispositions the alert with a written rationale, and escalates true positives to the **MLRO**. Supervisors examine false\-positive disposition documentation as carefully as true\-positive handling — sloppy false\-positive workflow is itself an **AML programme** weakness.

### Can I freeze a customer account on a suspected **sanctions hit**?

Yes, generally — and you must on a confirmed hit. **EU restrictive measures** and **OFAC** blocking regulations require immediate freezing of assets belonging to designated persons. The freeze is mandatory, not discretionary. Communication with the customer is restricted by tipping\-off rules under 6**AML**D national transpositions; standard practice is to freeze, file the **FIU** report, and consult counsel before any communication beyond a generic 'review in progress' message.

### What about indirect exposure to **Tornado Cash** or sanctioned mixers?

Direct exposure \(a wallet that has interacted with **Tornado Cash** addresses\) is a clear high\-risk hit and most **CASP**s decline service. Indirect exposure \(a counterparty 1–3 hops from a mixer\) requires risk\-based decisions. The **Tornado Cash** designation in 2022 set the benchmark: most regulated **CASP**s treat 1\-hop exposure as automatic **EDD**, 2\-hop as risk\-based **EDD**, 3\-hop as monitored. Document the policy.

### How does [AMLR](https://eur-lex.europa.eu/eli/reg/2024/1624/oj) / **AMLA** change **sanctions screening** from 2027?⁷[^5]

**AMLR** codifies harmonised **sanctions screening** obligations across the **EU** including specific timelines for re\-screening, **EDD** triggers, and **FIU** reporting. **AMLA**'s direct supervision of significant **CASP**s from 2028 will likely set common methodology standards across vendors. Practical impact: **identity\-level screening** cadence will tighten \(likely toward daily refresh as the standard rather than weekly\), and **wallet\-level screening** will move from optional to mandatory at the regulation level rather than the **EBA** Guideline level.

> **Call to action:** Designing or remediating sanctions screening for your CASP? Finconduit scopes the right wallet\-level \+ identity\-level vendor combination, makes vetted introductions, and supports the policy and case\-management documentation NCAs examine at inspection. Get a free sanctions screening review.

## Related Guides

- [Chainalysis vs Elliptic vs TRM Labs](/resources/blockchain-analytics-providers-compared): Choosing **blockchain analytics** in 2026

- [AML Compliance for Crypto Firms](/resources/aml-compliance-crypto-6amld): What the 6**AML**D requires from **CASP**s and **VASP**s

- [MLRO Hiring Guide for CASPs](/resources/casp-mlro-hiring-guide): What to look for, what to pay

- [USD Treasury for Non\-US Fintechs](/resources/usd-treasury-non-us-fintech): BCB, Wise, JP Morgan, Cross\-River — provider selection by volume tier

Sanctions screening is the **AML** control with the **highest** asymmetric downside in a regulated **CASP** — modest cost to do well, catastrophic cost to do badly. The architecture is now well\-understood: layered screening across wallet\-level and identity\-level, four lists screened in parallel, ongoing monitoring with documented disposition workflow, and an annual independent audit. Implement the full stack before launch, document every layer in the **AML programme**, and run table\-top exercises annually on suspected\-hit handling. The cost is modest. The cost of a missed **sanctions hit** is the business.

## Footnotes

[^1]: Office of Foreign Assets Control \(OFAC\) — administers and enforces US economic and trade sanctions; the SDN list includes specific crypto wallet addresses since 2018. <https://ofac.treasury.gov/>
[^2]: EU Consolidated List of Sanctions — financial sanctions imposed under Common Foreign and Security Policy \(CFSP\) decisions, maintained by the European External Action Service. <https://www.sanctionsmap.eu/>
[^3]: United Nations Security Council Consolidated Sanctions List — adopted under Chapter VII of the UN Charter; binding on all UN member states. <https://www.un.org/securitycouncil/sanctions/un-sc-consolidated-list>
[^4]: EBA Guidelines on the management of money laundering and terrorist financing risks \(EBA/GL/2021/02\) — addresses sanctions screening expectations for crypto\-asset firms. <https://www.eba.europa.eu/>
[^5]: Regulation \(EU\) 2024/1624 \(AMLR\) — applicable from 10 July 2027 — codifies harmonised sanctions screening obligations. <https://eur-lex.europa.eu/eli/reg/2024/1624/oj>


---
Source: https://finconduit.com/resources/sanctions-screening-crypto-ofac-eu-un