This is part 2 of our "Tools for Compliance" series. Part 1, Travel Rule, End-to-End, covered the originator/beneficiary workflow. This one zooms in on sanctions screening — the layer that has to fire before any of those transfers settle. For the regulatory framing of OFAC specifically, see OFAC Sanctions Screening for Crypto: A Practical Guide.
Sanctions screening is the only AML control where being "mostly right" produces strict-liability exposure. A 99.9% catch rate sounds excellent until you realise the 0.1% is the OFAC SDN hit that just credited an account. The fines are not proportional to volume — they are per-violation, and the recent enforcement curve in crypto has been steep.
Compliance teams know what sanctions screening is. The operational question is harder: when, exactly, does the check fire? A CASP that screens at onboarding and assumes the customer stays clean forever has built a control that the first list update will break. Below is the touchpoint-level workflow that an NCA examiner expects to see — with the lists, the indirect-exposure logic, and the audit trail.
The Lists, Stacked
"Sanctions screening" is shorthand for a set of overlapping list checks. A CASP operating in the EU or globally has to clear all of these simultaneously, because none of them defers to another:
- OFAC SDN List (US Treasury) — strict-liability regime; applies extraterritorially to USD-denominated activity and to most crypto activity touching US infrastructure
- EU Consolidated Financial Sanctions List — binding on EU CASPs under the Restrictive Measures Regulations; updated by the Council typically following UN designations
- UN Security Council Consolidated List — the upstream source for many regional regimes; updated by the 1267/1989/2253 and 1718 sanctions committees
- UK HMT Consolidated List (OFSI) — post-Brexit standalone; diverges from EU in specific designations
- Swiss SECO Sanctions List — relevant for Swiss CASPs and any EU CASP serving Swiss residents under cross-border rules
- National lists — France's gel des avoirs, Germany's additional measures, Italy's OCSE compliance lists, Spain's CNMV designations
For crypto specifically, the OFAC SDN entries with attached wallet addresses (Tornado Cash smart contracts, Garantex deposit addresses, Lazarus-attributed clusters) are the most operationally consequential. These are the entries where a wallet address in your customer's transaction graph maps directly to a designated entity — the lookup is binary, the answer is unambiguous.
The 5 Touchpoints Where Screening Must Fire
Screening at onboarding is necessary and not sufficient. The control has to run at every point where money, identity, or risk profile changes:
1. Customer onboarding
Name, date of birth, and address are screened against all applicable lists at account creation. PEP screening typically runs in the same pass. A clean onboarding result is recorded with timestamp and the list versions checked.
2. Every inbound deposit (real-time)
The depositing wallet address is screened against the OFAC SDN crypto entries, the BA risk graph, and against indirect-exposure indicators (one-hop and two-hop counterparty risk). For an inbound deposit, the check must fire before the funds become available for withdrawal. A deposit that flows through the system before screening completes is a control gap, full stop.
3. Every outbound withdrawal (pre-execution)
The destination wallet, the beneficiary identity (if supplied via Travel Rule), and the customer profile are screened before the on-chain transaction is broadcast. A hit blocks the withdrawal and routes it to manual review. Some CASPs implement a soft hold (hours) for medium-confidence hits and a hard hold (until cleared) for high-confidence hits.
4. Continuous re-screening of existing customers
Every list update triggers re-screening of every active customer. OFAC SDN updates can occur multiple times per week. EU additions can roll through after Council meetings. A customer who screened clean on Monday can be on the SDN on Wednesday, and the CASP's obligation does not wait until the next onboarding cycle. This is the touchpoint most CASPs under-build — it requires batch screening infrastructure and a documented re-screening cadence.
5. Behavioural triggers
Events that re-open a customer's risk profile (address-of-residence change, sudden increase in transaction volume, exposure to a newly designated entity, adverse media hit) should all re-run sanctions screening with elevated thresholds. The control is not just "is this customer on a list," but "has anything changed that requires me to re-check."
The under-built touchpoint
NCA examination reports across multiple jurisdictions converge on a common finding: most CASPs build touchpoints 1, 2, and 3 well, and under-build touchpoint 4 (continuous re-screening). The cost of the gap is asymmetric — the typical sanctions enforcement case is not a missed onboarding hit; it is a customer who became sanctioned mid-relationship and continued transacting for weeks. Build re-screening as a first-class control, not a back-office cron job.
Indirect Exposure: The Hard Part
A direct match — customer wallet equals an SDN address — is the easy case. The harder case is indirect exposure: the customer wallet has not been designated, but its funds flowed from or to a designated address within a certain number of hops.
OFAC's own guidance and the EU's sanctions guidance both contemplate that exposure to sanctioned entities through intermediaries can still trigger prohibitions, particularly where the CASP "knew or should have known." In practice, screening at the indirect level requires:
- Hop depth policy — how many transactional steps removed counts as exposure? 1 hop, 2 hops, more? Different CASPs land in different places; the choice must be documented and risk-based.
- Time-decay — does a 5-year-old transaction with a now-sanctioned entity count the same as a transfer last week? Most programmes apply a decay curve, but the cut-off is a policy choice that needs documentation.
- Cluster analysis — many sanctioned actors operate hundreds or thousands of addresses. A direct match to one address in a cluster is a direct match to the cluster. Screening must use clustering, not isolated address lookups.
- Volume thresholds — a customer with EUR 5 of indirect exposure to a sanctioned entity is a different signal than one with EUR 50,000. The threshold and the action at each level must be set in advance.
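The four policy choices above can be combined into one decision function, as in this added example (not code from the original article or from any vendor). The hop depth, half-life, EUR floors, action names and all addresses are assumptions made up for illustration, and a path is assumed to carry at most its smallest transfer.

```python
from datetime import date

# Policy values are assumptions for this example, not recommendations.
MAX_HOPS = 2            # hop depth policy
HALF_LIFE_DAYS = 365    # time decay: exposure halves every year
ACTIONS = [(10_000, "hold"), (100, "review")]  # EUR floors, highest first

def expand_clusters(designated, clusters):
    """A match on one address in a cluster is a match on the whole cluster."""
    listed = set(designated)
    for members in clusters:
        if listed & members:
            listed |= members
    return listed

def indirect_exposure(wallet, transfers, listed, today):
    """Decayed EUR reaching `wallet` from listed addresses; (eur, nearest_hop)."""
    total, nearest = 0.0, None
    stack = [(wallet, 0, float("inf"), {wallet}, today)]
    while stack:
        addr, depth, cap, path, not_after = stack.pop()
        if depth == MAX_HOPS:
            continue
        for src, dst, eur, when in transfers:
            if dst != addr or src in path or when > not_after:
                continue  # other edge, cycle, or too late to have funded the hop
            flow = min(cap, eur)  # a path carries at most its smallest transfer
            if src in listed:
                age = (today - when).days  # age of the transfer out of the listed address
                total += flow * 0.5 ** (age / HALF_LIFE_DAYS)
                nearest = min(nearest or depth + 1, depth + 1)
            else:
                stack.append((src, depth + 1, flow, path | {src}, when))
    return total, nearest

def decide(wallet, transfers, designated, clusters, today):
    listed = expand_clusters(designated, clusters)
    if wallet in listed:
        return ("block", None, 0)  # direct match: binary, no scoring
    eur, hops = indirect_exposure(wallet, transfers, listed, today)
    action = next((a for floor, a in ACTIONS if eur >= floor), "allow")
    return (action, round(eur, 2), hops)

# Constructed sample data (placeholder addresses).
TODAY, DESIGNATED = date(2025, 1, 1), {"addr_D1"}
CLUSTERS = [{"addr_D1", "addr_D2"}]  # addr_D2 is unlisted but clustered with D1
TRANSFERS = [("addr_D2", "addr_mid", 50_000, date(2024, 12, 25)),
             ("addr_mid", "cust_A", 20_000, date(2024, 12, 28)),
             ("addr_D1", "cust_B", 400, date(2024, 1, 2)),
             ("addr_D1", "cust_D", 400, date(2020, 1, 1))]
```

Calling `decide("cust_A", TRANSFERS, DESIGNATED, [], TODAY)` with no cluster data returns an allow, which is the failure mode of isolated address lookups.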
How BA does it. BA Screen returns a single risk decision combining direct match (against the OFAC SDN crypto addresses, EU Consolidated, UN, UK HMT, SECO) and indirect exposure (against the BA risk graph of 1B+ labelled addresses across 80+ chains, including the clusters attached to designated entities). The hop depth, the time decay, and the threshold per category are configurable per CASP and recorded in the audit trail.
Hit Handling: What Happens After the Alert
A screening hit is not a decision — it is a trigger for one. The workflow downstream:
- Automated pre-screening — the hit is enriched with customer context (KYC, profile, history) and false-positive indicators (name similarity score, jurisdiction, common-name flag)
- Analyst review — a trained compliance analyst confirms the hit, classifies it (true positive / false positive / partial match needing more info), and documents the rationale
- MLRO decision — for confirmed hits, the MLRO determines whether to file a SAR, freeze the funds, terminate the relationship, or notify the competent authority (the answer is often more than one of these)
- Asset freeze and reporting — for OFAC SDN matches, US-touching CASPs must block the property within hours and report to OFAC. EU CASPs have parallel obligations under the Restrictive Measures Regulations
- Tipping-off prohibition — the customer must not be informed that the screening hit occurred or that a report has been filed (AMLR Art. 54, mirrored in national laws)
The hit-handling workflow is what auditors test by walking a specific alert from generation to resolution. The deficiencies they typically find are: no documented analyst rationale, no clear MLRO sign-off, no record of the freeze action timing, no evidence the tipping-off prohibition was communicated to front-line staff.
Audit Trail Per Touchpoint
The screening programme produces evidence at each touchpoint. A defensible audit trail includes:
- Onboarding screening result with list versions, timestamp, and analyst sign-off on any borderline match
- Per-transaction screening payload for every deposit and withdrawal: wallet address, risk score, list-match details, indirect-exposure score, decision
- Re-screening log showing every list update, when re-screening ran, how many customers were re-checked, and the outcomes
- Hit-handling case file for every alert: enrichment data, analyst notes, MLRO decision, freeze/SAR outcome, supporting on-chain evidence
- 5-year retention of all of the above per AMLR Art. 77
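For touchpoint 4 and the re-screening log listed above, this added example (not from the original article) writes one log record per re-screening run and then checks the log for list updates that were never re-screened or were re-screened late. The 24-hour cadence, the record field names, the version labels and the sample customers are assumptions.

```python
from datetime import datetime, timedelta

MAX_LAG = timedelta(hours=24)  # assumed re-screening cadence; a policy choice

def rescreen(customers, listed, list_version, ran_at):
    """Re-check every active customer against the full list; return a log record."""
    active = {cid: c for cid, c in customers.items() if c["active"]}
    hits = {cid: sorted(c["wallets"] & listed)
            for cid, c in active.items() if c["wallets"] & listed}
    return {"list_version": list_version, "ran_at": ran_at,
            "customers_rechecked": len(active), "hits": hits}

def coverage_gaps(list_updates, rescreen_log, now):
    """Return (version, lag) for list updates not re-screened within MAX_LAG.

    list_updates: [(version, published_at)]; lag is None if no run exists.
    """
    gaps = []
    for version, published in list_updates:
        runs = [r["ran_at"] for r in rescreen_log
                if r["list_version"] == version and r["ran_at"] >= published]
        first = min(runs, default=None)
        if first is None:
            if now - published > MAX_LAG:  # overdue, not merely pending
                gaps.append((version, None))
        elif first - published > MAX_LAG:
            gaps.append((version, first - published))
    return gaps

# Constructed sample data; timestamps are naive UTC.
CUSTOMERS = {
    "c1": {"active": True, "wallets": {"addr_1"}},
    "c2": {"active": True, "wallets": {"addr_2", "addr_9"}},
    "c3": {"active": False, "wallets": {"addr_9"}},
}
UPDATES = [("v1", datetime(2025, 3, 3, 9)), ("v2", datetime(2025, 3, 5, 9)),
           ("v3", datetime(2025, 3, 7, 9))]
LOG = [
    rescreen(CUSTOMERS, {"addr_x"}, "v1", datetime(2025, 3, 3, 10)),
    # v2 adds addr_9: c2 was clean under v1 and is a hit under v2.
    rescreen(CUSTOMERS, {"addr_x", "addr_9"}, "v2", datetime(2025, 3, 6, 15)),
]
NOW = datetime(2025, 3, 10, 9)
```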
Real-Time Sanctions Screening Checklist
- All applicable lists loaded and refreshed automatically (OFAC, EU, UN, UK HMT, SECO, national)
- Screening fires at all 5 touchpoints (onboarding, inbound, outbound, continuous, behavioural)
- Indirect-exposure policy documented: hop depth, time decay, clustering, volume thresholds
- Hit handling has automated pre-screening, analyst review, MLRO sign-off, and freeze/report workflow
- Tipping-off prohibition trained into front-line staff, not just the compliance team
- Audit trail per touchpoint, retained for 5 years, retrievable by customer and by transaction
Next in the series: Tools for Compliance #3 — Ongoing Customer Wallet Monitoring, where we move from per-transaction checks to continuous surveillance of customer wallets and the alert calibration that keeps the analyst queue manageable.