5 Jan 2026
Module 3 — How to Protect Your Company from Sanctions Risk (Controls and Process)
Minimum viable controls, who to screen, when to screen, and how to create audit-ready evidence packs.

Goal of this module
After this module, you should be able to:
- Describe the end-to-end sanctions control framework a company should operate.
- Understand the difference between preventive controls (stop issues) and detective controls (find issues).
- Follow the internal escalation process when a potential sanctions issue arises.
- Know what evidence and data are needed to resolve alerts quickly and safely.
The sanctions control mindset: Prevent → Detect → Respond
Effective sanctions compliance is a system, not a single step.
- Prevent prohibited activity before it happens (onboarding checks, geo controls, product rules).
- Detect issues that slip through or emerge later (ongoing screening, transaction monitoring).
- Respond fast and consistently (blocking/rejecting, escalation, decisions, reporting, remediation).
For PSPs, acquirers, processors, neobanks, and marketplaces, sanctions risk can appear at any point:
- onboarding a customer/merchant/seller,
- processing payments and payouts,
- cross-border logistics and digital delivery,
- refunds, chargebacks, disputes,
- vendor payments and professional services.
The controls map (what “good” looks like)
| Control layer | Objective | Example controls |
|---|---|---|
| Governance & policy | Clear ownership and rules | policy, RACI, approvals, training |
| Risk assessment | Focus controls where risk is highest | corridors, customer types, products |
| Onboarding controls | Stop risky parties early | screening, UBO checks, KYB/KYC |
| Ongoing screening | Catch new designations | daily list rescreen, periodic reviews |
| Transaction controls | Stop prohibited flows | real-time screening, sanctions TM rules |
| Geo/product controls | Prevent restricted delivery/export | geofencing, shipping controls, SKU restrictions |
| Escalation & case mgmt | Consistent decisions | freeze/block workflow, evidence checklist |
| Recordkeeping & audit trail | Defensible outcomes | logs, case notes, decision rationale |
| QA/testing & tuning | Reduce noise, avoid misses | threshold tuning, sampling, model rules |
| Third-party oversight | Vendors don’t become weak points | due diligence, SLAs, audits |
| Incident response | Contain and remediate | stop-the-line, lookback, reporting |
1) Governance: ownership, policy, and accountability
What employees should know
Sanctions compliance requires clear ownership. Most companies follow a three-lines model:
- 1st line (Business/Operations): follows procedures, escalates, executes blocks/holds.
- 2nd line (Compliance/Sanctions): defines policy, reviews escalations, approves decisions, trains.
- 3rd line (Audit): tests the program independently.
Minimum governance controls
- Sanctions policy that explains:
- what sanctions regimes are in scope (EU/US, etc.),
- what is prohibited (making funds/economic resources available, etc.),
- the escalation process and decision authorities.
- RACI (who does what):
- who can “hold,” who can “reject,” who can “close” an alert,
- who approves exceptions (if any) and on what basis.
- Change management:
- control changes (rules, thresholds, lists) must be documented and approved.
Employee takeaway: If you are unsure, your job is to pause and escalate, not to improvise.
2) Risk assessment: decide where controls must be strongest
Risk assessments should be practical, not academic. You need an honest view of where sanctions risk enters your business.
Typical risk drivers in your industries
- Geographies and corridors: cross-border flows, high-risk transit routes, neighboring jurisdictions.
- Customer types: exporters/importers, logistics, crypto, offshore structures, agents/intermediaries.
- Products/services: payouts, mass payments, marketplaces with fulfillment, digital services, credit/financing features.
- Transaction characteristics: high velocity, unusual routing, third-party payments, repeated small payments.
What changes after the risk assessment
It should directly drive:
- who gets enhanced due diligence,
- which corridors are blocked or restricted,
- which transaction patterns trigger alerts,
- what rescreening frequency is required,
- what data must be collected at onboarding.
3) Onboarding controls (KYC/KYB + screening + ownership/control)
A. Screen at onboarding (and what to screen)
At onboarding, screen at minimum:
- customer/merchant/seller legal name,
- known aliases / trading names,
- directors and signatories,
- UBOs and control persons (where required/available),
- key counterparties where relevant (e.g., payment facilitators, agents).
For marketplaces: sellers + payout beneficiaries matter as much as “account owners.”
For acquirers/processors: merchants + beneficial owners + key principals matter.
B. Ownership/control checks (why name-only is insufficient)
A company that does not itself appear on any list can still be off-limits because it is owned or controlled by a designated person or entity. The US (OFAC) rule treats an entity owned 50% or more, in aggregate, by blocked persons as blocked itself; the EU rules cover entities owned more than 50% by, or otherwise controlled by, a listed party. Name-only screening misses all of these cases.
Operational controls to reduce risk
- collect UBO data and verify where required,
- validate ownership structure plausibility (shell indicators),
- treat missing/opaque ownership as a risk factor that increases review.
C. Geo and product controls during onboarding
Do not wait for transactions to reveal risk.
- block or restrict service availability for disallowed regions (where your policy requires),
- validate physical presence and operational footprint for merchants/sellers,
- apply product restrictions for controlled goods/services categories (especially marketplaces).
Common onboarding red flags (escalate)
- inconsistent country signals (incorporation vs. operations vs. bank account),
- use of intermediaries with unclear purpose,
- unusual ownership chain (multiple layers, nominee directors),
- refusal to provide UBO details, or unverifiable information,
- links to high-risk jurisdictions without a credible explanation.
4) Ongoing screening (rescreening is non-negotiable)
Sanctions lists change frequently. A “clean” customer can become designated later.
What good ongoing screening includes
- Daily or frequent rescreening of:
- customers/merchants/sellers,
- UBOs/control persons (where feasible),
- high-risk counterparties where appropriate.
- Event-driven screening:
- name change, address change, new bank account, new director/UBO,
- expansion to new regions/corridors.
Why this matters operationally
The real risk is not only onboarding a listed party; it is also:
- continuing to provide services after a party becomes listed,
- processing a payout/refund after a designation event.
5) Transaction controls (screen the flow, not just the profile)
A. What transactions should be screened
Depending on your model:
- incoming payments, outgoing payouts,
- refunds and chargebacks,
- bank transfers (payer/payee, beneficiary bank),
- card payments (merchant, cardholder, descriptor, sometimes shipping data),
- marketplace orders (buyer, seller, shipping destination),
- crypto flows (where applicable).
B. Key principle: screen the relevant parties in the payment chain
Potential screened parties can include:
- payer / originator,
- payee / beneficiary,
- merchant / seller,
- shipping recipient (marketplaces),
- beneficiary bank / intermediary (where data is available),
- UBOs or control persons (risk-based).
C. Add “context controls” to reduce misses
Sanctions risk is often revealed through context:
- geography: destination, IP/device location, bank country, shipping address,
- purpose: goods/services category, MCC, invoice description, support tickets,
- behavior: sudden spikes, unusual velocity, structuring.
Operational takeaway: screening + rules-based context controls is stronger than screening alone.
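The following is an added example, not code from the original module or from any vendor it describes, showing what "screening plus context rules" looks like in practice. It screens one party of a payment chain against a small constructed watchlist (the records are invented, not real designations), normalises names so that "Ivanov, Ivan", "Ivan Ivanov" and a corporate name with or without "Company" compare equally, uses aliases to catch transliteration variants, uses date of birth to discount an otherwise strong match on a common name (and flags when a missing DOB makes that impossible, one of the false-positive root causes in section 10), and then applies geography context rules that force a hold even when no name matched. `RESTRICTED_COUNTRIES`, `MATCH_THRESHOLD`, the `"XX"` country code and the watchlist contents are all assumptions of the example.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Constructed watchlist for illustration only; these records are not real designations.
WATCHLIST = [
    {"id": "WL-0001", "name": "Ivan Ivanov", "aliases": ["Ivanov, Ivan", "Iwan Iwanow"],
     "dob": "1970-05-12"},
    {"id": "WL-0002", "name": "Northstar Trading LLC", "aliases": ["Northstar Trading Company"],
     "dob": None},
]
# Assumed policy values: a restricted-destination set and a match threshold that QA reviews.
RESTRICTED_COUNTRIES = {"XX"}
MATCH_THRESHOLD = 0.85
CORP_SUFFIXES = {"LLC", "LTD", "INC", "CO", "COMPANY", "GMBH", "SA", "PLC", "CORP"}


def normalize(name: str) -> str:
    """Fold case and diacritics, drop punctuation and corporate suffixes, and sort
    tokens so that 'Ivanov, Ivan' and 'Ivan Ivanov' compare as equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^A-Za-z0-9 ]+", " ", ascii_name).upper().split()
    return " ".join(sorted(t for t in tokens if t not in CORP_SUFFIXES))


def name_score(candidate: str, record: dict) -> float:
    """Best similarity of the candidate against the record's primary name and aliases."""
    cand = normalize(candidate)
    variants = [record["name"], *record.get("aliases", [])]
    return max(SequenceMatcher(None, cand, normalize(v)).ratio() for v in variants)


@dataclass
class ScreeningResult:
    party: str
    decision: str = "CLEAR"                         # "CLEAR" or "HOLD"
    matches: list = field(default_factory=list)     # (watchlist id, score, reason) that alerted
    discounted: list = field(default_factory=list)  # near-matches ruled out, kept for the audit trail
    context_hits: list = field(default_factory=list)


def screen_party(party: dict) -> ScreeningResult:
    """Screen one party (payer, payee, seller, shipping recipient, ...) by name and context.

    party keys: "name"; optional "dob" (YYYY-MM-DD); optional "countries", a dict of
    geography signal -> country code, e.g. {"bank": "DE", "shipping": "XX"}."""
    result = ScreeningResult(party=party["name"])
    for rec in WATCHLIST:
        score = name_score(party["name"], rec)
        if score < MATCH_THRESHOLD:
            continue
        reason = f"name similarity {score:.2f} to {rec['name']}"
        # Differing dates of birth on both sides are strong evidence of a false positive
        # on a common name; a missing DOB cannot discount anything and stays for enrichment.
        if party.get("dob") and rec.get("dob") and party["dob"] != rec["dob"]:
            result.discounted.append((rec["id"], round(score, 2), reason + "; DOB differs"))
            continue
        if rec.get("dob") and not party.get("dob"):
            reason += "; DOB missing, cannot discount"
        result.matches.append((rec["id"], round(score, 2), reason))
    # Context controls: a restricted geography forces a hold even with no list match.
    for signal, country in party.get("countries", {}).items():
        if country in RESTRICTED_COUNTRIES:
            result.context_hits.append(f"{signal} country {country} is restricted")
    if result.matches or result.context_hits:
        result.decision = "HOLD"
    return result


def screen_transaction(parties: list) -> list:
    """Screen every party in a payment chain and return only the results that need a hold."""
    return [r for r in (screen_party(p) for p in parties) if r.decision == "HOLD"]


if __name__ == "__main__":
    for p in [{"name": "Ivanov, Ivan", "dob": "1970-05-12", "countries": {"bank": "DE"}},
              {"name": "Ivan Ivanov", "dob": "1985-01-01", "countries": {"bank": "DE"}},
              {"name": "Maria Lopez", "countries": {"shipping": "XX"}}]:
        print(screen_party(p))
```

Two design points carry over to a production engine: the discounted list is kept so the audit trail can show why a strong name match did not alert, and the threshold is a named constant precisely because section 10's QA routine (sampling cleared alerts, regression after list changes) needs one place to tune and re-test it.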
6) Geo, product, and delivery controls (critical for marketplaces and digital services)
Geo controls you should expect
- country/region blocks (per policy),
- IP/device geolocation checks (supporting signal, not always decisive),
- shipping destination checks,
- bank account country checks for payouts.
Product/service controls (sanctions-adjacent, export controls intersection)
For marketplaces and platforms, sanctions risk increases with:
- controlled goods categories,
- technical services, software delivery, cloud access,
- cross-border delivery into restricted areas.
Minimum control approach
- tag high-risk categories and require additional checks,
- block restricted destinations in checkout/fulfillment logic,
- escalate if seller/buyer tries to reroute via third countries without a credible reason.
7) Escalation workflow (what to do when you get a match)
The “stop-the-line” rule
If an alert indicates a possible sanctions hit, employees must:
- Pause the onboarding or transaction,
- Do not proceed until cleared,
- Escalate through the defined channel.
A practical escalation process (example)
- Alert created (screening or rule trigger).
- Immediate hold (prevent funds movement / account actions as appropriate).
- Triage (is it a likely false positive or potentially true hit?).
- Case enrichment (collect identifiers: DOB, address, nationality, IDs, ownership, transaction purpose, shipping details).
- Sanctions decision (Compliance/Sanctions clears or confirms hit).
- Action:
- clear and release (with documented rationale), or
- reject/block/freeze (per policy and legal requirements), and
- notify internal stakeholders (Operations, Legal, Risk) as defined.
- Recordkeeping (audit trail, evidence pack, final decision).
- Lookback (if true hit: historical review for related activity).
- Remediation (tuning, training, process updates).
Evidence checklist (what to include in an escalation package)
Provide Compliance with:
- the searched name and matched name(s),
- match score / reason fields (why the system alerted),
- DOB / place of birth / nationality (if available),
- addresses and countries,
- ID numbers (passport, national ID, registration numbers),
- entity ownership/control and UBO information,
- transaction details (amount, currency, counterparty, timestamps),
- goods/services description, shipping details (if relevant),
- screenshots/log extracts (system of record), and
- your assessment (what you think is happening, without “clearing” it yourself).
Employee takeaway: speed comes from sending a complete evidence pack.
8) Blocking vs rejecting vs holding (employees must understand the difference)
Different companies use different language, but the operational ideas are distinct:
- Hold: temporary pause pending review.
- Reject/decline: do not execute the transaction (before completion).
- Block/freeze: prevent access to assets or stop dealing where required. In some regimes (for example US/OFAC) blocked funds must be retained in a blocked account and reported to the authority rather than returned to the sender, so an ordinary decline is not a substitute for a block.
Important: Do not guess which action is legally required. Follow your internal process:
- apply the immediate hold if required by procedure,
- escalate to the sanctions decision-maker for final action.
9) Recordkeeping and audit trails (your best defense)
Your company must be able to demonstrate:
- what happened,
- why a decision was made,
- who approved it,
- what controls operated,
- and what was done to prevent recurrence.
Minimum audit trail fields
- alert timestamp and source (screening/rule),
- data screened (which parties, which fields),
- match outputs (scores, matched records),
- case notes and evidence,
- decision outcome (clear / reject / block) and approver,
- timestamps for holds/releases,
- any customer communication references (if applicable),
- post-incident actions (lookback, tuning).
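The following is an added example, not code from the original module, showing how the escalation workflow in section 7, the hold/reject/block distinction in section 8, and the audit-trail fields above can be enforced in a case-management system rather than left to procedure. It models a sanctions case as a small state machine: the only way out of NEW is a hold (stop-the-line), triage must precede any final action, only the compliance role may clear, reject or block (the RACI in section 1), no final action is accepted without the evidence-pack fields and a written rationale, and every transition and enrichment is appended to an immutable log. The role names, state names, `REQUIRED_EVIDENCE` keys and the constructed case in `run_example()` are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed decision authorities (an illustrative RACI; substitute your own policy).
AUTHORITY = {
    "hold": {"ops", "compliance"},
    "triage": {"ops", "compliance"},
    "clear": {"compliance"},
    "reject": {"compliance"},
    "block": {"compliance"},
}
# Allowed state transitions: the hold is the only way out of NEW (stop-the-line).
TRANSITIONS = {
    "NEW": {"hold": "HELD"},
    "HELD": {"triage": "TRIAGED"},
    "TRIAGED": {"clear": "CLEARED", "reject": "REJECTED", "block": "BLOCKED"},
}
FINAL_ACTIONS = {"clear", "reject", "block"}
# Evidence the decision-maker needs before any final action (section 7 checklist, abridged).
REQUIRED_EVIDENCE = ("searched_name", "matched_names", "match_reason", "identifiers", "transaction")


class WorkflowError(Exception):
    """Raised when an action violates the workflow, the RACI, or the evidence rules."""


@dataclass(frozen=True)
class AuditEntry:
    ts: str
    actor: str
    role: str
    action: str
    from_state: str
    to_state: str
    note: str


@dataclass
class SanctionsCase:
    case_id: str
    alert_source: str                           # e.g. "screening" or "geo-rule"
    state: str = "NEW"
    evidence: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # append-only; entries are never edited

    def _record(self, actor, role, action, to_state, note=""):
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(), actor, role,
                                     action, self.state, to_state, note))
        self.state = to_state

    def missing_evidence(self) -> list:
        return [k for k in REQUIRED_EVIDENCE if not self.evidence.get(k)]

    def add_evidence(self, actor: str, role: str, **items) -> None:
        """Case enrichment; allowed in any non-final state and always logged."""
        if self.state not in TRANSITIONS:
            raise WorkflowError(f"case {self.case_id} is closed ({self.state})")
        self.evidence.update(items)
        self._record(actor, role, "enrich", self.state, f"added {sorted(items)}")

    def act(self, actor: str, role: str, action: str, rationale: str = "") -> str:
        """Apply a workflow action, enforcing state order, role authority, and evidence."""
        allowed = TRANSITIONS.get(self.state, {})
        if action not in allowed:
            raise WorkflowError(f"{action!r} is not allowed from state {self.state}")
        if role not in AUTHORITY[action]:
            raise WorkflowError(f"role {role!r} has no authority to {action}")
        if action in FINAL_ACTIONS:
            missing = self.missing_evidence()
            if missing:
                raise WorkflowError(f"cannot {action}: evidence pack is missing {missing}")
            if not rationale.strip():
                raise WorkflowError(f"cannot {action} without a documented rationale")
        self._record(actor, role, action, allowed[action], rationale)
        return self.state


def run_example() -> SanctionsCase:
    """Constructed walk-through: first line holds and enriches, second line decides."""
    case = SanctionsCase("CASE-0001", alert_source="screening")
    case.act("ops-anna", "ops", "hold", "possible match on payee name")
    case.add_evidence("ops-anna", "ops",
                      searched_name="Ivan Ivanov", matched_names=["Ivan Ivanov (WL-0001)"],
                      match_reason="name similarity 1.00; DOB missing at screening time",
                      identifiers={"dob": "1985-01-01", "nationality": "DE"},
                      transaction={"amount": "2500.00", "currency": "EUR", "ref": "TX-77"})
    case.act("ops-anna", "ops", "triage", "common name; DOB obtained from KYC file differs")
    case.act("cmp-ben", "compliance", "clear",
             "DOB 1985-01-01 does not match list DOB 1970-05-12; no other identifiers align")
    return case
```

Note what the guard rails refuse: an operations user cannot clear a triaged case even with a perfect rationale, a compliance user cannot clear a case whose evidence pack is incomplete, and nobody can re-hold a case that has already been triaged. Those refusals are exactly the "who can hold, who can reject, who can close" rules from section 1, made executable.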
10) Quality assurance: reduce false positives without creating false negatives
A strong program is both:
- effective (doesn’t miss real hits), and
- efficient (doesn’t overwhelm teams with noise).
Practical QA routines
- sampling of cleared alerts (to validate quality),
- periodic review of thresholds and matching logic,
- analysis of false positives by root cause (common names, transliteration, missing DOB),
- watchlist/list-source quality checks and update monitoring,
- regression testing after rule/list changes.
Employee takeaway: “Lowering alerts” is not a success metric if it increases misses.
11) Third-party risk (vendors, partners, and embedded finance)
Many firms rely on vendors for screening, KYB, monitoring, or banking rails. Vendor weakness can become your liability.
Minimum vendor controls
- due diligence (capability, data sources, update frequency, support SLAs),
- contract language (responsibilities, audit rights, incident handling),
- testing and periodic performance reviews,
- clear internal ownership of vendor outcomes.
12) Incident response (when something goes wrong)
Even strong programs will face incidents. A mature company responds fast.
What “good” looks like
- immediate containment: stop the flow, isolate accounts/transactions,
- internal escalation: Compliance + Legal + Risk + relevant Ops/Engineering,
- evidence preservation (logs, case notes),
- determination of scope (customers, transactions, time period),
- lookback for related activity,
- remediation plan (control fixes, tuning, training),
- documented closure with lessons learned.
Your role: what is expected from employees
Different teams contribute differently:
- Operations/Support: identify red flags, follow hold procedures, escalate with evidence.
- Sales/Account Mgmt: do not “promise clearance”; route escalations properly.
- Engineering/Product: implement blocks/holds safely, preserve logs, maintain data quality.
- Risk/Compliance: make decisions, document rationale, update policy, train teams.
Non-negotiable rule: If you suspect sanctions risk, you escalate. You do not bypass controls.
“Minimum viable” sanctions control stack (for fast-growing companies)
If your company is scaling quickly, these are the minimum baseline controls that must exist:
- onboarding screening (customers + merchants/sellers + UBOs where feasible),
- real-time or near-real-time transaction screening for relevant parties,
- geo restrictions aligned to policy (shipping + bank country + account country),
- rescreening of customer base at a defined frequency,
- documented escalation workflow with decision authority,
- audit trail and case notes in a system of record,
- basic QA (sampling + tuning) and training refresh.
Knowledge check (5 questions)
- If there is a potential sanctions match, employees should continue processing to avoid customer friction. True or false?
- Ongoing rescreening is important because customers can be designated after onboarding. True or false?
- Transaction controls should consider context (geography, routing, purpose), not just names. True or false?
- Clear documentation and audit trails reduce legal and regulatory risk. True or false?
- Vendor tools remove the need for internal sanctions governance and QA. True or false?
Answers
- False. You must pause/hold per procedure and escalate.
- True. List updates can create new risk for existing customers.
- True. Geography and transaction context are often decisive.
- True. Audit trails support defensible decisions and demonstrate control effectiveness.
- False. Vendors help, but internal ownership, QA, and governance remain essential.
Next, learn how to handle alerts in practice with triage, evidence collection, and clear decision outcomes (false positive vs true hit).
Related reading

Module 6 — Checklists and Templates (Audit-Ready)
Print-ready employee checklists: daily safety checklist, escalation template, and evidence pack checklist.

Module 5 — Industry Scenarios (PSP, Marketplace, Fintech/Crypto, Freight Forwarder)
Practical scenarios with red flags, correct actions, and evidence pack requirements for high-risk industries.
