Module 4 — Your Role in Mitigating Sanctions Risk (Stop, Escalate, Document)

Goal of this module

After this module, you should be able to:

• Apply the Stop–Escalate–Document discipline consistently and confidently.
• Recognize the most common sanctions risk signals in payments and marketplaces.
• Escalate effectively by providing the right evidence the first time.
• Document actions in a way that is defensible in audits and regulatory reviews.

---

The rule that protects the company: Stop → Escalate → Document

When a sanctions risk signal appears, employees should follow one simple operational rule:

1. STOP the relevant activity (hold/pausing actions as required by your process).
2. ESCALATE to the right internal channel with a complete evidence pack.
3. DOCUMENT what happened and what you did, in the system of record.

This rule prevents:

• prohibited funds movement,
• accidental provision of services/value to a sanctioned party,
• inconsistent handling across teams,
• weak audit trails that create regulatory exposure.

---

1) STOP: What “stop” means in practice

“Stop” does not mean panic. It means controlled containment.

What you should stop (common examples)

Depending on your role and systems, “stop” may include:

• Onboarding: pause verification/approval, do not activate accounts.
• Transactions: place a hold, do not release payments/payouts/refunds.
• Account actions: pause withdrawals, card issuance, limit increases (per internal rules).
• Marketplace actions: pause seller payouts, disable listings, stop fulfillment to restricted destinations (per internal rules).
• Support actions: do not advise workarounds (e.g., “try a different bank account”).

What “stop” is trying to prevent

• funds leaving your control before review,
• creation of value (services, payouts, refunds, credits) for a designated party,
• evidence loss (logs overwritten, cases closed prematurely).

What you must not do

• Do not “test” by splitting payments or retrying through other rails.
• Do not suggest customers “use a different name,” “try another account,” or “ship elsewhere.”
• Do not close the alert because it “looks unlikely” unless you are the authorized decision-maker.
• Do not communicate definitive outcomes to customers unless approved by Compliance.

Operational standard: If your process says “hold,” you hold. If unsure, you stop and escalate.

---

2) ESCALATE: How to escalate in a way that resolves the case fast

Escalation is not forwarding a screenshot. It is delivering a complete decision-ready package.

Who you escalate to (typical patterns)

Your company will define channels such as:

• Sanctions/Compliance queue in a case management tool,
• a dedicated Slack/Teams channel with structured intake,
• an on-call compliance rota,
• a ticketing category with required fields.

If multiple options exist, use the one that:

• creates a tracked case,
• ensures time-stamped ownership,
• preserves an audit trail.

---

Escalation priority levels (common operational approach)

Not all alerts are equal. A practical model:

• P1 — Potential true hit / strong indicators

  • high similarity match plus matching DOB/nationality/address
  • obvious geographic restriction issue (restricted destination/region)
  • ownership/control link indicators
  • Action: immediate stop + immediate escalation

• P2 — Possible match / limited identifiers

  • common names, partial matches, limited data
  • inconsistent but not definitive geography signals
  • Action: stop + escalate with enrichment request

• P3 — Likely false positive

  • low similarity, clear mismatch on DOB/address/country
  • Action: follow local procedure (often still document and route if required)

Important: Employees should not downgrade severity informally. Follow the predefined process.

---

The “first-time-right” evidence pack (what Compliance needs)

Provide the following whenever available. Missing items should be explicitly stated as “not available.”

A. Alert summary (what triggered the stop)

• product/system that generated the alert (onboarding screen, transaction screen, rule trigger)
• matched list/source (EU, OFAC, UN, UK, etc.)
• match details (matched name, match score/confidence, matched fields)

B. Party information (who is involved)

For individuals:

• full name + aliases
• DOB/place of birth
• nationality/residence
• address
• ID document details (if collected)

For entities:

• legal name + trading names
• registration number + country of incorporation
• directors/signatories
• UBOs and ownership structure (if available)
• website/business activity summary (if relevant)

C. Transaction context (what is happening)

• amount, currency, timestamp
• payer/payee roles and identifiers
• corridor (origin/destination countries)
• beneficiary bank and intermediary details (if available)
• purpose/description (free text, invoice, MCC, SKU/category)

D. Geography and delivery signals (where it is happening)

• billing country, shipping country/region
• IP/device geolocation signal (if you use it)
• fulfillment/warehouse location (marketplaces)
• evidence of rerouting/transshipment attempts

E. Actions taken so far (what you did)

• hold applied? account frozen? payout paused?
• which system actions were triggered
• whether customer communication occurred (and what was said)

Employee takeaway: The better the evidence pack, the faster the decision and the lower the operational disruption.

---

3) DOCUMENT: What “good documentation” looks like

Documentation is not bureaucracy. It is protection.

Why documentation matters

Sanctions decisions are reviewed by:

• internal audit,
• regulators,
• correspondent banks / scheme partners,
• your own legal team during incidents.

Poor documentation creates three risks:

• decisions appear arbitrary or inconsistent,
• you cannot prove controls operated,
• you cannot reconstruct events during an investigation.

---

What to document (minimum standard)

In the system of record, document:

• what triggered the stop (screening alert / rule)
• what you stopped (which action/transaction/account)
• when you stopped it (timestamps)
• what you escalated and to whom (case reference)
• what data/evidence you provided
• what decision was made (clear / reject / block / other)
• who approved the decision
• what follow-up actions occurred (release, lookback, tuning)

Documentation language: clear, factual, audit-ready

Write notes like you are explaining to someone who was not there:

• avoid opinions (“looks fine”)
• avoid slang (“seems sketchy”)
• use structured facts (“DOB mismatch; address differs; match is alias only”)

---

Common sanctions risk signals employees should recognize

A. Screening signals (list-based)

• match on full name + DOB/nationality
• multiple aliases that align
• match on address or passport/national ID
• entity match + UBO/principal match

B. Geography signals (country/region sanctions)

• shipping destination is restricted region
• bank account country inconsistent with stated operations
• customer tries repeated routing changes to avoid geo controls
• IP/device signals conflict with declared location (supporting signal)

C. Behavior signals (evasion patterns)

• repeated failed payments then success through different rails
• sudden changes to beneficiary details before payout
• multiple accounts with similar identifiers
• requests for “workarounds” from support (“Can we pay to another country?”)

Rule: You do not investigate like law enforcement. You capture signals, stop, escalate, and document.

---

Practical scenarios (what you should do)

Scenario 1 — Onboarding: seller looks clean but UBO is flagged

A marketplace seller’s company name screens clean. During KYB, an ultimate beneficial owner (UBO) returns a close match to a designated individual.

Do

• Stop onboarding activation.
• Escalate with the UBO details, ownership percentage, company registry info, and screening output.
• Document what checks were run and what was held.

Don’t

• approve the seller “because the company is not listed.”
• ask the seller to “use another person as UBO.”

---

Scenario 2 — Payout: beneficiary name triggers a close match

A payout is scheduled. Beneficiary name generates a close match on a sanctions list, but you only have name + country.

Do

• Stop the payout (hold).
• Escalate and request enrichment: DOB, address, ID, bank details, relationship to account holder.
• Document the hold and evidence gap.

Don’t

• release the payout to “avoid delays.”
• retry via a different bank rail.

---

Scenario 3 — Shipping: order to a restricted region

A marketplace order is placed for delivery to a restricted region. Buyer and seller are not listed.

Do

• Stop fulfillment/shipping and associated payment release.
• Escalate with order details, destination, product category, and any rerouting attempts.
• Document the policy trigger (geo restriction).

Don’t

• ship to an alternative address suggested by the customer without review.
• assume “no listed party” means “allowed.”

---

Scenario 4 — Support: customer requests workaround

A customer contacts support: “My payments keep failing. Can I send from another account under my relative’s name?”

Do

• Stop and escalate as potential evasion attempt.
• Document the request verbatim (as a risk signal).
• Follow approved communication scripts.

Don’t

• advise how to bypass controls.
• suggest “try another spelling” or “use a different beneficiary.”

---

What you can safely say to customers (approved-style language)

Use neutral, non-accusatory language. Examples:

• “Your transaction is under compliance review. We will update you as soon as possible.”
• “We are unable to process this request at this time due to regulatory requirements.”
• “Please provide the requested documentation so we can complete the review.”

Avoid:

• “You are sanctioned.”
• “We matched you to a watchlist” (unless your policy allows this disclosure).
• “Try a different bank/name.”

---

Quick checklist: Stop–Escalate–Document

Use this checklist whenever you see a potential sanctions issue:

STOP

• Hold/pause onboarding, transaction, payout, refund, or shipment (as relevant)
• Prevent retries/workarounds
• Preserve logs/evidence

ESCALATE

• Create a case in the right channel
• Include screening outputs + match details
• Include party identifiers + transaction context + geography signals
• State what is missing and what you need

DOCUMENT

• Time-stamped actions taken
• Data reviewed and provided
• Decision owner and outcome once available
• Follow-up actions (release/block/lookback/tuning)

---

Knowledge check (5 questions)

1. If a sanctions alert seems unlikely, employees should ignore it to keep customer experience smooth. True or false?
2. “Stop” typically means applying a hold/pause while review is ongoing. True or false?
3. A good escalation includes transaction context and identifiers, not only a screenshot of a name match. True or false?
4. Documentation should capture actions, timestamps, decision owners, and rationale. True or false?
5. Advising customers on ways to bypass controls is acceptable if it helps complete the transaction. True or false?

Answers

1. False. You must follow Stop–Escalate–Document consistently.
   
2. True. Stop means contain risk while a decision is made.
   
3. True. Compliance needs identifiers and context to resolve efficiently.
   
4. True. Strong records reduce regulatory and legal exposure.
   
5. False. Workarounds can be sanctions evasion and create serious risk.

---