What a sanctions screening policy is (and who it’s for)
A sanctions screening policy is a written set of rules and steps your organisation follows to reduce the risk of dealing with people, companies, vessels, or countries subject to UK sanctions. In practice, it explains what you screen (customers, suppliers, payments, beneficial owners, counterparties), when you screen (onboarding, before payment, periodically, and when details change), and how you respond if a match is suspected. It also clarifies which sanctions lists and sources you use (for example, the UK Sanctions List and any relevant internal watchlists), plus how you document decisions so they’re consistent and auditable.
This type of policy is for any UK-based business that could touch international trade, payments, or cross-border relationships—especially those handling higher-risk transactions or operating in regulated environments. That includes banks and fintechs, accountants and professional services firms, freight forwarders and logistics providers, exporters and importers, marketplaces, charities working overseas, recruitment agencies placing international candidates, and property or luxury goods businesses where large payments and complex ownership can be common.
It’s also useful for smaller teams. Even if you only run occasional overseas payments, a lightweight policy helps staff know what to do without guessing. A practical checklist-style policy typically covers: roles and responsibilities (who owns screening), tools and data standards (name formats, DOB, addresses), match handling (true match vs false positive), escalation routes, record-keeping, staff training, and review cadence so the process stays current as sanctions change.
UK context: what you’re screening against (UK sanctions lists, ownership/control, and red flags)
A practical UK sanctions screening checklist starts with knowing the reference points you’re checking against. In the UK, the primary source is the UK Sanctions List (designated persons and entities) and the OFSI Consolidated List, which supports financial sanctions screening. Depending on your sector and exposure, you may also need to check trade sanctions restrictions (goods, services, technology, shipping/aviation) and any relevant licensing conditions published by UK authorities.
Screening isn’t only about the named counterparty. You’re also screening for ownership and control risk: whether a designated person may own, control, or act through another entity. Build checks that look beyond the immediate name match to corporate structure, beneficial owners, directors, and key decision-makers, and record what sources you used (e.g., Companies House filings, reputable corporate registries, and customer-provided documentation).
Red flags to include in your policy checklist:
- Name/alias similarity with weak identifiers (missing DOB, address, registration number).
- Complex or opaque structures (multiple layers, offshore jurisdictions, frequent changes in directors/shareholders).
- Unusual payment patterns (third-party payers, rapid rerouting, mismatched payer/beneficiary).
- Geographic exposure (high-risk routes, transshipment points, sanctioned regions, dual-use goods destinations).
- Urgency and secrecy requests (pressure to bypass checks, reluctance to share ownership details).
Define match handling: what counts as a “hit,” who reviews it, what evidence clears it, and when you pause onboarding or transactions pending escalation.
Sanctions screening policy checklist: the minimum controls to document
- Scope and purpose: State which UK sanctions regimes you screen against (e.g., UK Sanctions List/OFSI) and what activities are covered (customers, suppliers, payments, shipments, beneficial owners, directors).
- Roles and accountability: Name the policy owner, who performs screening, who approves escalations, and who can stop a transaction. Include deputy cover and segregation of duties where possible.
- Risk-based approach: Document how you assess risk (jurisdictions, products/services, delivery channels, customer types) and how risk level changes screening intensity and review timelines.
- When screening happens: Define trigger points: onboarding, before first payment, prior to shipment/service delivery, periodic re-screening, and screening on material changes (name/address/ownership).
- Data standards: Specify required identifiers (full legal name, aliases, DOB, nationality, address, company number, LEI if available) and how you handle non-Latin scripts and transliterations.
- Matching rules: Set thresholds for “possible match” vs “false positive,” what constitutes a “hit,” and the minimum evidence needed to clear a match.
- Escalation workflow: Step-by-step process for pausing activity, internal review, senior sign-off, and documenting decisions. Include how urgent cases are handled out of hours.
- Recordkeeping and audit trail: What you store (search results, rationale, approvals), retention period, access controls, and how you evidence ongoing monitoring.
- System controls: Tools used, list update frequency, testing/quality checks, and fallback manual process if systems fail.
- Training and awareness: Who is trained, frequency, and how completion is tracked.
Step-by-step: build and roll out a screening workflow for customers, suppliers and payments
- Define scope and owners. List who you screen (new customers, existing customers on renewal, suppliers/contractors, beneficial owners, directors, payees) and what you screen (names, trading names, addresses, country links). Assign a named owner and a backup for approvals and escalations.
- Choose your screening method. Decide whether you’ll use a reputable screening tool, your bank’s checks, or a manual process against the UK Sanctions List (and any additional lists your business requires). Document the data sources and how often they’re updated.
- Set triggers and timing. Build checkpoints: onboarding (before contract), before first payment, before each payment run, and periodic rescreening (e.g., quarterly) plus event-based triggers (name change, new director, new bank details, new country exposure).
- Standardise data capture. Use a single form or CRM fields for legal name, registration number, date of birth (where relevant), address, ownership structure, and bank account details. Require evidence for higher-risk cases.
- Create a match-handling playbook. Define “possible” vs “confirmed” matches, what to do with partial matches, and when to pause onboarding or payments. Include a clear escalation route to a senior approver.
- Recordkeeping and audit trail. Store search results, screenshots/exports, decision notes, and who approved. Set a retention period and access controls.
- Train and test. Give short role-based training for sales, procurement, finance, and ops. Run a monthly spot-check of samples from onboarding and payment runs to confirm the workflow is being followed.
Tools and approaches compared: manual checks vs screening software vs outsourced support
Manual checks suit low volumes and simple customer journeys. Teams typically search the UK Sanctions List (and any other lists your policy covers), verify name matches using extra identifiers (date of birth, address, company number), and record the outcome. Advantages: low direct cost, easy to start, and flexible judgement for borderline matches. Trade-offs: inconsistent results between staff, slower onboarding, and higher risk of missed updates if list changes aren’t monitored daily. Manual checks also rely heavily on good record-keeping to evidence who checked, when, which sources were used, and what decision was made.
Screening software is designed for repeatable, auditable checks at scale. Typical features include automated list updates, fuzzy matching, configurable risk thresholds, case management, and ongoing monitoring (alerts when a customer later appears on a list). Advantages: faster processing, consistent rules, and clearer audit trails for your sanctions screening policy checklist (e.g., match handling, escalation, and re-screening frequency). Trade-offs: subscription cost, setup time to tune false positives, and the need to maintain data quality (clean names, dates, IDs) so the tool can perform well.
Outsourced support ranges from “four-eyes” review of potential matches to fully managed screening operations. Advantages: access to experienced analysts, coverage during peaks, and documented workflows. Trade-offs: dependency on a third party, turnaround times, and the need for clear responsibilities—who makes the final decision, how evidence is stored, and how urgent escalations are handled. Even when outsourcing, keep internal oversight: defined SLAs, sample QA checks, and a clear escalation route for true matches.
Roles, responsibilities and escalation: who decides, who documents, who blocks
Define named roles (not just departments) so sanctions screening decisions are consistent, auditable and fast. Start with a Sanctions Screening Owner (often Compliance/MLRO or equivalent) who sets the policy, approves screening rules and thresholds, and signs off changes. Assign a Screening Operator (first line) to run checks, review alerts, and apply the initial disposition: clear, request more information, or escalate. Appoint a Business Approver (sales/operations lead) who can pause onboarding or delivery and confirm whether the relationship is commercially necessary, but cannot override a sanctions risk decision.
Make escalation triggers explicit. Escalate immediately when: (1) a match is on the UK Sanctions List/OFSI Consolidated List; (2) the alert involves high-risk geographies, complex ownership, or unclear identity; (3) the customer refuses to provide verification; or (4) the operator is unsure. Route escalations to the Sanctions Decision Maker (second line) who determines: false positive, true match, or “cannot rule out”. If “cannot rule out”, the default action should be to block until resolved.
Document responsibilities for evidence and record-keeping. The operator logs: search inputs, sources used, screenshots/exports, rationale, and timestamps. The decision maker records the final decision, any conditions, and who approved it. The Systems Admin maintains access controls and audit logs and ensures blocks are actually enforced in CRM/ERP/payment systems (a block recorded only in the case file is not a control). Set a clear “stop authority”: Compliance can block onboarding/transactions; only Compliance can lift a block, with documented rationale and peer review for higher-risk cases.
Record-keeping and audit trail: what to log, how long to keep it, and how to evidence decisions
Keep a clear audit trail for every sanctions screening event so you can show what you did, when you did it, and why. Log the minimum needed to evidence the decision without storing unnecessary personal data.
- What to log (per check): date/time; who/what triggered the check (onboarding, payment, periodic refresh); subject identifiers used (name, DOB, address/country, company number); data source(s) and list version/date (e.g., OFSI Consolidated List download timestamp and any third-party tool/version); search parameters (fuzzy matching settings, thresholds); results (no match / potential match / confirmed match); case reference number.
- For potential matches: the similarity factors (name variants, transliteration, country links); supporting documents reviewed; escalation steps; who approved the outcome; any contact with banks/partners; final decision and rationale.
- Actions taken: holds applied, account restrictions, rejected transactions, customer communications (high level), and any internal notifications.
How long to keep it: set a documented retention period aligned to your risk and wider compliance needs (commonly at least 5 years after the relationship ends or the last transaction), then delete or anonymise. Keep system logs long enough to reconstruct events (often 12–24 months) and keep case files for the full retention period. Record your rationale in your policy.
How to evidence decisions: store screenshots/PDF exports of list entries and tool results, plus a short decision note covering: “what matched”, “what disproved/confirmed”, “who approved”, and “what happened next”. Use write-once or versioned storage where possible (object-lock/WORM buckets, append-only logs, or a versioned document store rather than a shared folder that anyone with write access can edit), and ensure access controls, change logs, and periodic spot-checks of completed cases.
Frequently asked questions: thresholds, false positives, PEPs vs sanctions, and what to do when you get a match
Is there a “match threshold” we can rely on?
There’s no single UK-wide percentage that makes a match “safe” or “unsafe.” Set clear internal thresholds (for name similarity, date of birth, nationality, address, and identifiers) and document why they’re appropriate for your customer base. Review thresholds regularly, especially after system changes or new data sources.
Why do we get so many false positives?
Common names, transliteration differences, missing dates of birth, and poor-quality customer data drive false positives. Improve input quality (collect full legal name, DOB where appropriate, and address), tune matching rules, and use secondary attributes to disambiguate. Keep an audit trail of tuning decisions.
Are PEPs the same as sanctions?
No. A politically exposed person (PEP) is not automatically prohibited from doing business. PEP screening is typically used for enhanced due diligence and risk management. Sanctions screening relates to legal restrictions on dealing with designated persons/entities and can require blocking or freezing actions. Treat them as separate workflows with different escalation paths.
What should we do when we get a potential sanctions match?
Pause the relevant activity while you verify. Check identifiers (DOB, passport/registration numbers, addresses), compare them against the UK Sanctions List/OFSI Consolidated List entry details, and confirm you are screening the correct party (customer, beneficial owner, payee). Escalate to your compliance lead for a documented decision. If it appears to be a true match, or cannot be ruled out, follow your internal procedures for restricting activity and making any required notifications to the appropriate authorities.
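The matching rules, data standards, fuzzy-matching trade-offs, audit-log fields and the threshold/false-positive questions above all describe the same small piece of logic: normalise a name, score it against list entries and their aliases, use a secondary identifier (here date of birth) to clear or escalate, and write down what was checked. The script below is an added example written for this page; it is not code from the page, from the UK Sanctions List, OFSI or any screening vendor. The list entries, the thresholds (0.80 possible, 0.95 strong) and the subjects are constructed test data, and `difflib.SequenceMatcher` stands in for whatever matcher your tool uses. It also handles the non-Latin-script failure mode: a name with no Latin tokens after normalisation is sent for transliteration rather than silently cleared with a score of zero.

```python
"""Illustrative sanctions name-screening logic with an audit record.

Added example, not code from the page, the UK Sanctions List, OFSI or any
vendor. The list entries, thresholds and subjects are constructed test data;
real lists must be fetched from the official sources and their version logged.
"""
import hashlib
import json
import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timezone
from difflib import SequenceMatcher
from typing import Optional

# Constructed sample entries, NOT real designations.
SAMPLE_LIST = [
    {"id": "TEST-0001", "name": "Ivan Petrovich Sokolov",
     "aliases": ["Ivan Sokolov", "I. P. Sokolov"], "dob": "1965-03-14"},
    {"id": "TEST-0002", "name": "Northern Trade Holdings Ltd",
     "aliases": ["Northern Trade"], "dob": None},
]
LIST_VERSION = "constructed-sample-list v1"  # log the real download timestamp in production

# Assumed thresholds: tune on your own data and document the rationale.
POSSIBLE_MATCH = 0.80
STRONG_MATCH = 0.95
LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "plc"}


@dataclass
class Subject:
    name: str
    dob: Optional[str] = None      # ISO date or None when not collected
    country: Optional[str] = None


def normalise(name: str) -> str:
    """Fold accents, lower-case, drop punctuation and legal suffixes, and sort
    tokens so 'Sokolov, Ivan' and 'Ivan Sokolov' compare equal."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    s = re.sub(r"[^a-z0-9 ]+", " ", s)
    return " ".join(sorted(t for t in s.split() if t not in LEGAL_SUFFIXES))


def best_candidate(subject_name: str, entries=SAMPLE_LIST):
    """Highest similarity across every entry's primary name and aliases."""
    norm = normalise(subject_name)
    best, best_entry = 0.0, None
    for entry in entries:
        for candidate in [entry["name"], *entry["aliases"]]:
            score = SequenceMatcher(None, norm, normalise(candidate)).ratio()
            if score > best:
                best, best_entry = score, entry
    return best, best_entry


def disposition(score: float, entry, subject: Subject):
    """First-line outcome (clear / request_info / escalate) plus a rationale."""
    if not normalise(subject.name):
        return "request_info", "no Latin-script tokens after normalisation; transliterate and re-screen"
    if score < POSSIBLE_MATCH:
        return "clear", f"best similarity {score:.2f} below possible-match threshold {POSSIBLE_MATCH}"
    if entry["dob"] and subject.dob:
        if entry["dob"] != subject.dob:
            return "clear", f"similarity {score:.2f} but DOB {subject.dob} differs from listed {entry['dob']}"
        return "escalate", f"similarity {score:.2f} and DOB matches listed entry"
    if score >= STRONG_MATCH:
        return "escalate", f"similarity {score:.2f} at or above strong-match threshold; no contradicting identifier"
    return "request_info", f"possible match {score:.2f}; DOB missing so the match cannot be ruled out"


def screen(subject: Subject, trigger: str, entries=SAMPLE_LIST) -> dict:
    """Run one check and return the per-check audit record described in the policy."""
    score, entry = best_candidate(subject.name, entries)
    outcome, rationale = disposition(score, entry, subject)
    record = {
        "trigger": trigger,
        "subject": {"name": subject.name, "dob": subject.dob, "country": subject.country},
        "list_version": LIST_VERSION,
        "parameters": {"possible": POSSIBLE_MATCH, "strong": STRONG_MATCH,
                       "matcher": "difflib.SequenceMatcher"},
        "best_score": round(score, 4),
        "candidate_id": entry["id"] if entry else None,
        "disposition": outcome,
        "rationale": rationale,
    }
    # Case reference derived from the content: an edited record would not reproduce it.
    record["case_ref"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()[:12]
    record["timestamp"] = datetime.now(timezone.utc).isoformat()
    return record


if __name__ == "__main__":
    for subj in [Subject("Sokolov, Ivan", dob="1965-03-14"),
                 Subject("Sokolov, Ivan", dob="1980-07-02"),
                 Subject("Ivan Sokolof"),
                 Subject("Иван Соколов"),
                 Subject("John Smith", dob="1970-01-01")]:
        print(json.dumps(screen(subj, "onboarding"), indent=1))
```

The five sample subjects show the behaviours the FAQ describes: an exact alias match with matching DOB escalates; the same name with a different DOB is cleared as a false positive with the reason recorded; a one-letter variant with no DOB on file falls between the two thresholds and triggers a request for more information rather than a silent clear; a Cyrillic-only name is sent back for transliteration; and an unrelated name clears with its (low) best score still logged against the list version and thresholds used.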