Sanctions Systems and Controls: What Strong Firms Do Differently

Why sanctions controls matter more than ever

Sanctions risk has become a core financial crime issue for firms of every size. It is no longer enough to focus only on asset freezes or basic screening. Effective sanctions systems and controls now need to cover the full lifecycle of customer, product, jurisdictional and transaction risk, from governance and risk assessment through to escalation, freezing, licensing and breach reporting.

Recent supervisory findings show a clear pattern. Firms with strong controls usually have clear policies, well-supported management information, regular testing and a practical understanding of where sanctions risk can arise. Firms with weaker controls often rely too heavily on generic financial crime frameworks, vendor settings or group support, without enough challenge or oversight.

Governance and oversight that set the tone

Strong sanctions governance starts with policies that are current, specific and usable. Good policies do not just mention asset freezes. They also address investment bans, trade restrictions, sectoral measures and proliferation financing risks where relevant. They give staff clear guidance on what business the firm will not undertake and how decisions should be escalated.

Supervisory expectations also point to the value of meaningful MLRO reporting. Useful reports do more than list developments. They assess how sanctions changes affect the firm’s business model, products, geographies and customer base, and they explain what the firm has done in response. Role-specific training is another marker of good governance. Staff in higher-risk areas, including onboarding, payments, trade finance and compliance operations, should receive enhanced training that reflects their day-to-day responsibilities.

A common weakness is over-reliance on group entities for sanctions support with limited oversight. Where a firm uses shared services, the local firm still needs to understand the arrangements, test them and remain accountable for outcomes.

Bastian Schwind-Wagner

"Strong sanctions systems depend on clear governance, current risk assessments and controls that are tested in practice. Firms that rely too heavily on vendor settings, group support or broad financial crime frameworks without sanctions-specific detail leave themselves exposed to avoidable breaches.

The strongest programs connect policy, screening, alert handling, evasion detection and breach reporting into one consistent control environment. That approach helps firms identify issues earlier, respond faster and show regulators that sanctions risk is being managed with care and discipline."

Management information that tells a real story

Good sanctions MI should help senior management understand both exposure and control performance. That means more than a dashboard of alert volumes. Strong firms collect and monitor data on customer exposure to high-risk jurisdictions and sensitive industries, and they combine quantitative data with qualitative analysis and commentary on trends.

Weak MI often fails to give a clear picture of overseas branches and offices, making it harder to assess whether sanctions obligations are being met across the business. In some cases, firms quantify sanctions exposure or risk without a documented rationale, which makes the figures hard to trust and difficult to challenge.

Well-designed MI should show not only what the risks are, but also how effective the controls have been and where action is needed.

Risk assessments need to be specific and current

A business risk assessment is one of the most important documents in a sanctions framework, but only if it is detailed and up to date. Strong assessments clearly consider financial sanctions, trade sanctions and proliferation financing risk. They also explain how the firm’s products, services, customer types and geographies affect the risk profile.

The best assessments are used actively. They help firms identify gaps, prioritise remediation and assign ownership for actions. Weak assessments, by contrast, are often outdated, vague or only a superficial overlay on a broader AML or financial crime assessment. In some firms, sanctions risk is not clearly separated from other financial crime risks, and proliferation financing is barely considered at all.

Jurisdictional risk assessments are another weak point when they rely too heavily on vendor ratings without internal challenge. Firms should be able to explain why a country, sector or customer segment presents a particular level of risk and how that view is supported by internal and external intelligence.

Customer due diligence and ongoing monitoring

Sanctions risk should be built into customer due diligence (CDD) from the start and carried through the customer lifecycle. Good practice includes regular updates to CDD policies, targeted sanctions-specific questions and, where appropriate, questions about trade activity as well as financial sanctions exposure. Firms should also take sanctions risk into account when deciding how often to review a customer.

Some firms make the mistake of outsourcing parts of CDD without properly overseeing the third party’s controls. Others fail to record enhanced due diligence (EDD) for high-risk or politically exposed persons (PEPs), and they do not define monitoring or periodic review frequencies. That can lead to both fines and wider regulatory problems.

The key issue is whether the firm can show that its due diligence process is designed to identify sanctions risk in a meaningful way, not just complete a checklist.

Screening policies, list management and data feeds

Screening remains a central control, but it only works if the policies, data and governance behind it are sound. Strong firms maintain clear screening policies that define scope, frequency, escalation thresholds and ownership. They also have formal approval and review processes for any screening exclusions.

Weaknesses often begin with exclusions that are not well justified. Some firms exclude categories of names from screening without a clear rationale. Others rely on historic vendor settings without reassessing whether they still work. In some cases, firms do not fully understand how sanctions lists are ingested into their screening systems, which creates a real risk that updates are incomplete or ineffective.

Good list management should include more than official sanctions lists. Primary lists may need to be supplemented with internal and external data sources, especially where there are concerns about ownership, control or evasion. For trade sanctions, intelligence can also help enhance internal watchlists for customers linked to evasion behaviour.

Clear contractual arrangements with vendors also matter. Firms should know how often lists are updated, what data quality standards apply and how issues are escalated.

Calibration, configuration and testing

A screening engine is only as good as its configuration. Strong systems are calibrated so they can detect names that are obfuscated, translated, shortened or written with extra title elements. They should also be tested after material list changes or system changes, not just left to run on default settings.

Supervisory findings show that some firms have poorly designed systems that struggle with non-Latin alphabets or variant spellings. Others do not really understand how vendor logic works, which makes it hard to explain why some matches are or are not generated.

Periodic validation and testing are essential. Firms need evidence that screening tools still work as intended and that changes have not weakened the control environment.

Alert handling needs people, process and quality control

Even good screening systems will produce alerts, so firms need a reliable process for managing them. Strong firms have clear escalation policies that are embedded in practice, not just written in a procedure manual. They test investigations periodically and apply quality assurance to ensure decisions are consistent and timely.

Weak firms often miss internal service level targets or depend too heavily on external screening providers without enough oversight. That can lead to delayed reviews, poor escalation and missed sanctions matches.

Resourcing matters too. If the team is too small or too lightly trained, the quality of investigations will suffer. Staff should understand not only the alert process but also the sanctions typologies that may sit behind the alert.

Evasion detection must be proactive

Sanctions evasion is not static. It changes as regimes tighten and as bad actors adapt. Good firms train staff to recognise red flags and typologies, and they actively stress-test systems against emerging risks. They do not wait for a confirmed breach before checking whether controls would have worked.

Some firms also run thematic lookbacks to test control effectiveness. That is better than simply reacting to known issues after the fact. In trade finance and related areas, firms may maintain internal repositories of trade documents and use technology to identify inconsistencies or signs of falsification.

A common weakness is when evasion risk is not properly reflected in policies, risk assessments or control design. That leaves firms vulnerable to sophisticated attempts to disguise sanctioned activity.

Asset freezing, licences and breach reporting

Once a sanctions concern is identified, firms need clear procedures for freezing assets, blocking transactions and deciding what restrictions apply. The best policies explain when accounts should be restricted, who approves the action and how the decision is documented.

Licence compliance is another critical area. Firms should know when a licence is required, whether they are relying on one, and how to ensure that activity stays within the permissions granted. This is especially important where a client is offboarded for sanctions concerns, because freezing obligations may still apply.

Breach reporting should also be well documented. Firms need a clear process for assessing suspected breaches and deciding what remedial steps are necessary. Where issues arise, the focus should not only be on reporting but also on understanding root cause and preventing recurrence.

What supervisors are really looking for

Strong sanctions frameworks are built on clear ownership, informed judgment and evidence that controls work in practice. Weak frameworks tend to show gaps between policy and reality, poor oversight of vendors or group services, incomplete risk assessments and screening arrangements that have not been properly tested.

Firms that want to reduce sanctions risk should ask a simple question: if a supervisor reviewed this control tomorrow, could we show that it is understood, monitored and effective? If the answer is uncertain, the control likely needs more attention.

Final thought

Sanctions compliance is not just about checking names against a list. It is about understanding the firm’s exposure, designing controls that match the risk and proving that those controls work day to day. Firms that treat sanctions as a living part of their financial crime framework will be better placed to avoid breaches, respond to change and demonstrate control to regulators.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.
Bastian Schwind-Wagner is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.