Mastering Sanctions, PEPs, and Criminal Data
In 2024, the US introduced 2,500+ new sanctions designations, the most in a year ever.
On April 23, 2026, the EU implemented its 20th package of sanctions related to Russia, the largest package in two years, featuring 120 individuals and entities along with sanctions on energy, cryptocurrency, and financial services sectors.
The global total number of sanctions designations across major programmes stood at 79,830 in March 2025, marking a 17.1% YoY growth.
From the compliance team’s perspective, this statistic implies only one thing. The screening tool introduced two years ago now struggles to work with an entirely different data set, which grows each quarter.
This guide reviews sanctions screening, applicable lists for specific businesses, PEP and criminal entity screening, and a comprehensive screening programme for 2026.
What is Sanctions Screening?
Sanctions screening is the process of checking individuals, companies, vessels, and transactions against official government and international watchlists, to identify parties restricted from receiving funds, goods, or services.
Designations come from:
→ The US Treasury’s Office of Foreign Assets Control (OFAC)→ The European Union→ The United Nations Security Council
→ The UK’s Office of Financial Sanctions Implementation (OFSI)→ National authorities including Canada, Australia, Switzerland, Japan, and others
A confirmed match means the relationship or transaction cannot proceed without specific regulatory authorisation.
Sanctions screening covers formally designated parties. But two other categories of counterparty carry significant risk and never appear on a formal designation List
→ Politically exposed persons (PEPs) → Individuals and entities flagged in criminal and warrant databases
The Difference Between Sanctions, PEP, and Criminal Screening
1. Sanctions Screening
The Goal: Cross-referencing against official government designation lists (OFAC, EU, UN, etc.).
The Action: Hard Block. There is zero discretion. Assets are frozen, transactions are rejected, and the match is reported to authorities.
The Risk: Legal non-compliance and massive regulatory fines.
2. PEP (Politically Exposed Persons) Screening
The Goal: Identifying senior officials, heads of state-owned enterprises, or their close associates.
The Action: Enhanced Due Diligence (EDD). A PEP match is not an automatic block; it triggers a requirement for “Source of Wealth” verification and senior management sign-off.
The Gap: Risk is dynamic. A standard customer can become a PEP overnight. Treating PEP and Sanctions results as the same “clearance step” is a major red flag for regulators. Sanctions Database’s PEP list covers over 180 countries with regular updates to support both checks.
3. Criminal Entity & Warrant Screening
The Goal: Identifying parties with documented exposure who haven’t been formally sanctioned yet (e.g., international arrest warrants, organised crime flags, or active fraud investigations).
The Action: Risk Mitigation. Prosecution moves faster than the slow wheels of international sanctions. This layer catches “pre-sanction” risks that could otherwise slip through your net for months or years. Sanctions Database’s warrants and criminal entities list covers over 180 countries within the same workflow.
Also Read – PEP sanctions screening: Everything you need to know
What Sanctions Lists Do Compliance Teams Need to Check?
| Sanctions List | Maintained By | Who It Applies To |
|---|---|---|
| OFAC SDN List | US Treasury | US persons and entities; non-US organisations clearing dollar transactions |
| OFAC Consolidated List | US Treasury | Broader OFAC coverage including sectoral and correspondent account restrictions |
| EU Consolidated List | European External Action Service | EU persons and entities; transactions cleared in euros |
| UN Consolidated List | United Nations | All UN member states |
| UK Financial Sanctions List | OFSI, HM Treasury | UK-regulated parties; operates independently from the EU list since 2021 |
| Country-specific lists | National bodies | Canada (OSFI), Australia (DFAT), Switzerland, Japan, and others |
The OFAC SDN list alone contained more than 12,000 entries as of March 2026. Add the EU consolidated list, the UN Security Council list, the UK financial sanctions list, and country-specific programmes, and the total scope grows considerably.
Tracking each separately and catching updates across all of them without missing a cycle is where programmes start to break down.
Sanctions Database’s global sanctions list covers over 180 countries, pulling designations from all major programmes into one source. Fresh data is scraped at the point of purchase and delivered within 24 hours.
Does OFAC Apply to Non-US Companies?
Yes, in most practical situations. Every transaction processed in US dollars passes through the US correspondent banking system. US banks are required to block payments involving sanctioned parties regardless of where institutions are located.
Non-US companies also fall within OFAC’s reach if they have any of the following
→ US shareholders → US employees → US-incorporated subsidiaries
Shipping, insurance, and trade finance firms screen against OFAC as standard practice because their US counterparties require it.
The practical test: does any element of the transaction touch the US financial system or a US person?
Does the EU Sanctions List Apply to Non-EU Companies?
Yes, depending on your operations.
If any of the following apply, the EU consolidated sanctions list is relevant to your business:
→ Transactions clearing in euros → Operations running through EU-regulated entities → Counterparties that are EU-regulated
The specific obligations depend on business structure and transaction flows. The EU’s 20th sanctions package, adopted April 23, 2026, also extended certain restrictions to third-country operators assessed as systematically enabling circumvention. That is a broadening of reach, not a narrowing.
How Often Do Sanctions Lists Update?
More often than most programmes monitor.
The → The OFAC SDN list updates multiple times per week → During active enforcement periods, new designations can appear several times in a single day → In February 2024 alone, OFAC designated nearly 500 individuals and entities in a single announcement → The EU and UN lists update on less predictable schedules but can change at any time.
A monthly batch review creates a window, every single month, where a newly designated party is not being caught. Ongoing monitoring tied to list update cycles, not internal calendar dates, closes that window.
When a list updates, existing counterparties get rescreened. That is the standard that holds up under regulatory examination.
The OFAC 50% Rule
.Any entity owned 50% or more in aggregate by one or more sanctioned parties is subject to the same restrictions as a directly listed party, even if its name does not appear on any official list.
The aggregate part is what catches most programmes.
→ Sanctioned Person A owns 26% → Sanctioned Person B owns 26% → Combined: 52%, the entity is fully covered by the rule → Neither holds a majority stake individually, but the rule applies.
A clean company name is not a clean company.
Applying the rule requires beneficial ownership data. Shell companies and nominee director arrangements are used specifically to obscure these links. Name-only screening does not surface them. OFAC has taken enforcement action in cases where ownership information was reasonably available and the program missed it. That is the gap a consolidated sanctions list with ownership data attached is built to close.
What is the EU and UK control test, and how is it different from the 50% rule?
Screening for 50% ownership is the baseline in 2026, not the complete picture.
Under UK financial sanctions regulations, an entity is also subject to sanctions if a designated person:
→ Has the right to appoint or remove a majority of its board of directors, or → Is reasonably expected to be able to ensure the entity’s affairs are conducted in accordance with their wishes
That applies even with zero ownership on paper.
OFSI launched a formal call for evidence on the control test in February 2026, specifically because firms reported that the hypothetical element was hard to apply in practice. The question of whether a sanctioned person could exert control, even if they are not currently doing so, does not have an obvious answer from company filings alone. The EU framework applies a comparable standard.
Why do sanctions screening programmes produce so many false positives?
Industry benchmarks from Alessa, LexisNexis Risk Solutions, and KPMG put false positive rates at 90 to 95%.
A compliance team reviewing 100 alerts a day, spending five minutes per alert, is spending seven to eight hours on alerts that clear. Every single day.
The main driver is thin data. When a screen runs on a name alone, partial matches fire across a wide population.
Adding identifying data narrows that population structurally:
→ Dates of birth → Passport numbers → Registration numbers
Screening software matters, but the data underneath it is what determines how many alerts land on a desk in the first place.
What happens when a sanctions match is found?
Step 1 → Block or reject Funds or property in which a sanctioned party has an interest must be frozen and cannot be transferred. Transactions moving value to or from a sanctioned party are rejected at the point of processing.
Step 2 → Report Blocked transactions must be reported to the relevant authority within a defined timeframe. → OFAC requires annual reporting of blocked property → OFSI has separate reporting requirements for UK-regulated parties
Step 3 → Document the decision Every alert, whether it results in a block or a cleared false positive, requires documentation:
→ The date the screen was run → The lists screened against → The basis for the decision → Who reviewed and approved the outcome
OFAC’s final rule extending recordkeeping from five to ten years was published in the Federal Register on March 21, 2025, under 31 CFR Parts 501 and 515 and took effect on that date. Documentation built around a five-year retention schedule does not meet the current requirement.
Step 4 → Handle communication carefully In many jurisdictions, informing a counterparty that they triggered a sanctions alert can itself be a regulatory violation. Escalate internally and get legal guidance before any external communication.
Step 5 → Involve legal counsel Sanctions law is fact-specific. Every confirmed match requires legal counsel before further steps are taken.
What is a false positive in sanctions screening, and how do you reduce them?
False positives are not just a time problem. They create a documentation burden, review backlogs, and alert fatigue, where reviewers start clearing alerts faster than they should because the volume is unmanageable.
The two levers that reduce them:
→ Better data. Adding dates of birth, passport numbers, registration numbers, and nationality data to the screening set narrows the match population before a human looks at anything.
→ Fuzzy matching logic. Matching on name transliterations, spelling variations, and aliases, not just exact strings, reduces both false positives and false negatives at the same time.
How does sanctions screening work during onboarding vs. ongoing monitoring?
These are two different problems that both require coverage.
At onboarding
The screen runs before the relationship starts. Sanctions, PEP, and criminal entity checks run simultaneously, not in sequence. A party that clears all three can proceed, with any PEP flags triggering enhanced due diligence before sign-off.
Ongoing monitoring
The screen runs against existing counterparties when lists update, not on a fixed monthly or quarterly calendar. It runs when the list changes
→ A counterparty sanctioned on a Tuesday needs to be caught on Tuesday
→ A customer who becomes a PEP after onboarding needs to be caught before the next transaction
Most programmes have onboarding covered. Ongoing monitoring, tied to actual list update cycles rather than internal review schedules, is where the gap usually sits
Also Read : How to Find Global Sanctions Data, PEP Lists, and Criminal Entity Records in 2026?
What does a complete sanctions screening programme look like in 2026?
| Screening Activity | What It Covers | When It Runs |
|---|---|---|
| Onboarding screen | Sanctions, PEP, and criminal entity checks simultaneously | Before any relationship starts |
| Transaction screen | Individual payments and trade instruments | At the point of processing |
| Ongoing monitoring | Existing counterparties rescreened | When lists update, not on a fixed internal calendar |
| Ownership and control check | OFAC 50% rule and EU and UK control tests | At onboarding and when structure changes |
| Alert documentation | Rational for every result retained for ten years | Per the March 21, 2025 final rule |
Frequently Asked Questions
What is the difference between a sanctions list and a PEP list?
A sanctions list contains formally designated parties restricted from transacting. A PEP list identifies politically exposed persons requiring enhanced due diligence before proceeding, but are not prohibited by default.
What is criminal entity screening?
Criminal entity screening checks individuals and organisations against law enforcement databases covering outstanding warrants and documented criminal activity. These parties may sit outside formal sanctions lists but carry regulatory exposure for any organisation that onboards them without a check.
How often should sanctions screening happen?
At onboarding, at the transaction level where relevant, and on an ongoing basis tied to list update cycles. The OFAC SDN list updates multiple times per week, so monitoring frequency should match data update frequency rather than a fixed internal review dates.
What is the OFAC 50% rule?
Any entity owned 50% or more in aggregate by one or more sanctioned parties is subject to the same restrictions as a directly listed party, even if its name does not appear on any list. Applying this rule requires beneficial ownership data, not just legal entity name screening. Under EU and UK frameworks, the control test extends this further: a sanctioned person with board appointment rights or effective decision-making influence brings an entity within scope regardless of ownership percentage.
Can a company be sanctioned if it is not on any official list?
Yes. Under the OFAC 50 % rule, entities owned 50% or more in aggregate by sanctioned parties are restricted even if unnamed on any list. Under EU and UK rules, the control test means entities where a designated person can direct affairs or appoint directors are also in scope, regardless of ownership percentage.
What records does OFAC require compliance teams to keep?
Under the final rule effective March 21, 2025, every person engaging in a transaction subject to OFAC regulations must keep a full and accurate record of that transaction for ten years. This applies to both blocked transactions and cleared ones. The rule is codified under 31 CFR Parts 501 and 515.
Does the EU sanctions list apply to non-EU companies?
If transactions clear in euros, if operations run through EU-regulated entities, or if counterparties are EU-regulated, the EU consolidated sanctions list applies. The specific obligations depend on business structure and transaction flows.
What happens when a sanctions match is found?
The transaction must be blocked or rejected, the match must be reported to the relevant regulatory authority, and the decision must be documented. Under OFAC’s final rule effective March 21, 2025, records must be retained for ten years. Legal counsel should be involved before any response is given to the counterparty.
What does a defensible sanctions screening program look like in 2026?
Documented list coverage across all relevant programs, screening at onboarding and ongoing tied to list update cycles, alert review with documented rationale for every cleared result retained for ten years, ownership and control tracing covering both the OFAC 50 % rule and EU and UK control tests, and sanctions, PEP, and criminal entity data running together in a single workflow.
For questions about fitting this data into your workflow, contact Sanctions Database at enquiry@sanctionsdatabase.com or visit our contact page.