How Sanctions Screening Actually Works: Name Matching, False Positives, the 50% Rule, and Why Onboarding Is Not Enough
Sanctions screening sounds simple: check a name against a list, get a yes or no. The reality is more complicated. Sanctioned entities use aliases, subsidiaries, and transliterations of non-Latin names that don't match directly. The lists themselves are updated continuously — a vendor who was clean at onboarding may be designated next month. And the 50% ownership rule means you can be in violation by paying a legitimate-looking company that turns out to be majority-owned by a blocked person — without that company's name appearing on any list at all. Understanding how screening actually works is the difference between a program that protects you and one that gives you false confidence.
What Sanctions Screening Is Doing
At its core, sanctions screening compares the name and identifying information of a vendor, customer, or individual against one or more government-maintained watchlists. A match — or potential match — flags the record for review.
The challenge is that the comparison is never exact. Sanctioned parties appear on lists under their legal names, but they also operate under aliases, maiden names, company names, transliterations of Arabic, Chinese, Russian, or other non-Latin scripts, and abbreviations. A screening system that only matches exact strings will miss most of them. A system that matches too broadly will generate overwhelming false positives.
The operational sophistication of a sanctions screening program is largely determined by how it handles this tension.
How Name Matching Works
Good sanctions screening uses fuzzy matching algorithms that account for:
Transliteration variations — a Russian name like "Mikhail Ivanov" might be rendered as Michael Ivanov, Mikhail Ivanoff, Mikhail Iwanow, or a dozen other variations depending on who did the transliteration. The SDN list may have one version; your vendor W-9 has another. Both refer to the same person.
Aliases and AKAs — OFAC and other sanctions authorities list known aliases alongside primary names. Screening should check against all of them, not just the primary name entry.
Name order variations — some names are entered last-name-first, some first-name-first. Entity names with "The" at the beginning may be indexed differently.
Abbreviations and truncations — "Intl" vs. "International," "Corp" vs. "Corporation," initials vs. full given names.
Character substitutions and typos — intentional obfuscation by sanctioned parties sometimes involves minor spelling variations specifically designed to defeat screening.
A well-configured screening system applies fuzzy matching with a configurable similarity threshold. Setting the threshold too high produces false negatives (real matches missed). Setting it too low produces false positives (legitimate vendors flagged as potential matches).
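The matching steps above, sketched as an added example (not TIN Comply's code or any vendor's actual algorithm). The abbreviation table, the watchlist entries and their ids are constructed for illustration, and Python's `difflib` ratio stands in for whatever similarity measure a real screening engine uses.

```python
import difflib
import re
import unicodedata

# Assumed abbreviation table; a production list would be far longer.
ABBREVIATIONS = {"intl": "international", "corp": "corporation",
                 "co": "company", "ltd": "limited"}

def normalize(name):
    """Strip accents and punctuation, expand abbreviations, ignore word order."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = re.findall(r"[a-z0-9]+", text)
    tokens = [ABBREVIATIONS.get(t, t) for t in tokens if t != "the"]
    return " ".join(sorted(tokens))  # sorting handles last-name-first entries

def similarity(a, b):
    """Similarity in [0, 1] between two names after normalization."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(vendor_name, watchlist, threshold):
    """Return (entry_id, matched_name, score) for entries at or above threshold.

    Every alias is checked, not only the primary name; the best-scoring
    name per entry is reported so a reviewer sees what triggered the hit.
    """
    hits = []
    for entry in watchlist:
        names = [entry["primary"]] + entry.get("aliases", [])
        best = max(names, key=lambda n: similarity(vendor_name, n))
        score = similarity(vendor_name, best)
        if score >= threshold:
            hits.append((entry["id"], best, round(score, 2)))
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample entries, not real list data.
WATCHLIST = [
    {"id": "SAMPLE-1", "primary": "IVANOV, Mikhail",
     "aliases": ["Mikhail Ivanoff", "Mikhail Iwanow"]},
    {"id": "SAMPLE-2", "aliases": [],
     "primary": "The Example Trading International Corporation"},
]

if __name__ == "__main__":
    for t in (0.9, 0.8):
        # "Michael Ivanov" is missed at 0.9 and flagged at 0.8.
        print(t, screen("Michael Ivanov", WATCHLIST, t))
```

Running it shows the threshold trade-off directly: the "Michael" transliteration falls between 0.8 and 0.9, so the stricter setting produces a false negative.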
The False Positive Problem
False positives are matches that look like hits but aren't — a vendor named "Iran Trading Corp" that is a legitimate business in Indiana with no connection to Iran, or an individual named "Ali Hassan" who shares a name with a sanctioned party but is a different person.
For most non-financial companies, false positives are the primary operational challenge in sanctions screening. A screening program that flags 50 potential matches per month and requires manual review of each one creates a compliance burden that either gets ignored (creating the real exposure) or consumes disproportionate staff time.
How to manage false positives:
Document clearances. When a potential match is reviewed and cleared, document the review: who reviewed it, what information was used to confirm the match is a false positive, and the date. A cleared vendor should not need to be re-reviewed for the same potential match repeatedly unless there's a new development.
Use additional identifiers. Name alone is a weak identifier. Screening that also matches on address, date of birth, nationality, EIN/TIN, or other identifiers significantly reduces false positives. A vendor's EIN confirmed through TIN matching is a much stronger indicator that they are who they say they are than name alone.
Configure match thresholds by risk level. Higher-risk vendor categories (international vendors, vendors in high-risk jurisdictions, vendors with limited identifying information) may warrant a lower similarity threshold (more potential matches reviewed). Lower-risk domestic vendors may warrant a higher threshold.
Maintain a whitelist. Vendors that have been cleared multiple times for the same false positive reason can be whitelisted so future screenings don't regenerate the same review. The whitelist itself should be reviewed periodically.
The 50% Ownership Rule
OFAC's "50 percent rule" is one of the most underappreciated aspects of sanctions compliance for AP teams.
The rule: any entity owned 50% or more — directly or indirectly — by a blocked person or entity is itself considered blocked, even if that entity's name does not appear on the SDN list.
What this means practically: You can pay a company that has no name on any sanctions list and still be in violation if that company is majority-owned by a sanctioned individual. The obligation to screen extends to beneficial ownership, not just the direct counterparty name.
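How the rule propagates through an ownership chain, as an added example (not code from the article's vendor). All entity names and percentages are constructed. The sketch goes one step beyond the text by summing the stakes of several blocked owners, which follows OFAC's published guidance on aggregate ownership, and it treats a blocked intermediate company's stake as counting in full.

```python
def blocked_by_ownership(ownership, listed):
    """Find entities blocked through ownership although they are not listed.

    ownership: {entity: {owner: percent_held}}
    listed:    names that appear on the sanctions list themselves
    Returns {entity: percent held by blocked owners} for unlisted entities
    whose blocked ownership reaches 50% or more.
    """
    blocked = set(listed)
    result = {}
    changed = True
    while changed:  # repeat until no new entity becomes blocked
        changed = False
        for entity, owners in ownership.items():
            if entity in blocked:
                continue
            stake = sum(pct for owner, pct in owners.items()
                        if owner in blocked)
            if stake >= 50:
                blocked.add(entity)
                result[entity] = stake
                changed = True
    return result

# Constructed ownership data: none of these company names is "listed".
LISTED = {"Listed Person A", "Listed Person B"}
OWNERSHIP = {
    # Indirect: blocked only because HoldCo (below) is itself blocked.
    "Vendor LLC": {"HoldCo": 50, "Unrelated Investor": 50},
    "HoldCo": {"Listed Person A": 60, "Unrelated Investor": 40},
    # Aggregate: two listed owners at 25% each reach the 50% line.
    "JointCo": {"Listed Person A": 25, "Listed Person B": 25,
                "Unrelated Investor": 50},
    # Below the line: a 49% stake does not block the entity under this rule.
    "MinorityCo": {"Listed Person A": 49, "Unrelated Investor": 51},
}

if __name__ == "__main__":
    for entity, stake in blocked_by_ownership(OWNERSHIP, LISTED).items():
        print(f"{entity}: {stake}% held by blocked owners")
```

A name-only screen of "Vendor LLC" returns nothing; the hit only appears once the ownership data is walked to its listed owner.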
For most AP teams, full beneficial ownership screening on every vendor is not practical. A risk-based approach focuses enhanced due diligence on:
- Vendors in or with connections to high-risk jurisdictions (Russia, Iran, North Korea, Cuba, Syria, Belarus, Venezuela, Myanmar)
- Vendors with opaque ownership structures, frequent bank account changes, or limited verifiable business history
- Vendors where the ultimate beneficial owner is unclear from publicly available information
- New vendor relationships in industries known for sanctions evasion (energy, shipping, commodities trading, metals)
For standard domestic vendors with clear business histories, the 50% rule risk is generally low. For any vendor where jurisdiction or ownership raises questions, it's the most important thing to investigate.
Why Onboarding-Only Screening Is Half the Job
Screening a vendor at onboarding and never again is one of the most common gaps in non-financial company sanctions programs.
OFAC designates new parties continuously — there is no annual batch; designations happen on any business day. A vendor clean at onboarding may be designated six months later. If your next payment to them goes out before your next screening run, you've made a prohibited transaction.
The risk is not hypothetical. Enforcement actions have specifically cited companies that failed to re-screen vendors after designation, including cases where the initial onboarding screen was clean. OFAC noted in at least one 2024 enforcement action that re-screening at payment was a mitigating factor it considered — its absence was an aggravating one.
What ongoing screening should look like:
- Periodic bulk re-screening of the full active vendor list — monthly is a reasonable baseline for most companies; weekly for higher-risk vendor populations
- Trigger-based re-screening for specific events: bank account changes, ownership changes, contact information changes, or any vendor update that suggests a change in the underlying business
- Payment-level screening for high-risk transactions or jurisdictions — checking immediately before a payment is processed rather than relying on a prior screening run
The record-keeping requirement extended to 10 years as of March 2025. Every screening result, match review, and clearance decision needs to be documented and retained.
Sanctions Screening and TIN Matching: Why They Belong Together
For AP teams, sanctions screening and TIN matching address different risks on the same vendor record:
- TIN matching answers: is this vendor's tax identity legitimate? Will paying them create IRS reporting problems?
- Sanctions screening answers: is this vendor on a government watchlist? Is it legal to pay them at all?
Running them separately — TIN matching in October, sanctions screening at onboarding, neither connected to the other — creates a gap between your compliance checks and your actual payment decisions. Running them together on the same vendor file means every payment decision is informed by both pieces of information simultaneously.
TIN Comply's bulk file processing runs TIN matching, EIN lookup, and sanctions screening against 250+ global watchlists from a single file submission. The result is a single output that shows, for each vendor, both their TIN validation status and their sanctions screening status — with no separate workflow, no separate portal, no gap between when one check ran and the other.
What the 250+ Lists Actually Cover
TIN Comply screens against 250+ global watchlists. The major categories relevant to US-based AP teams:
US government lists:
- OFAC SDN (Specially Designated Nationals and Blocked Persons)
- OFAC Sectoral Sanctions Identifications (SSI)
- OFAC Foreign Sanctions Evaders (FSE)
- OFAC Non-SDN Consolidated Sanctions List
- BIS Entity List (Bureau of Industry and Security)
- FBI Most Wanted / Terrorist Screening
- DEA Fugitives
- FinCEN Section 311 Special Measures
- OIG LEIE (HHS Office of Inspector General exclusions - critical for healthcare)
- GSA SAM.gov Excluded Parties
EU and UK lists:
- EU Consolidated Sanctions List
- UK Office of Financial Sanctions Implementation (OFSI) list
- EU Financial Sanctions Framework (FSF)
- European Securities and Markets Authority (ESMA)
- Country-level EU member state lists
International lists:
- UN Security Council Consolidated List
- Interpol Red Notices
- World Bank Debarred Parties
- Country-level lists for high-risk jurisdictions
Politically Exposed Persons (PEPs):
- Global PEP databases covering current and former government officials, their immediate family, and known associates
For a full breakdown of US and EU list coverage, see TIN Comply's help center pages on US sanctions lists and EU sanctions lists.
Building a Defensible Screening Program
OFAC evaluates compliance programs on a spectrum from inadequate to strong. The elements that consistently distinguish programs that receive mitigated penalties from those that receive maximum penalties:
Management commitment — senior leadership visibly engaged with sanctions compliance; documented policies; board-level awareness.
Risk assessment — written assessment of which vendor categories, jurisdictions, and transaction types present elevated sanctions risk; updated at least annually.
Written policies and procedures — who screens, when, against which lists, how matches are reviewed, who has authority to clear or escalate, what happens when a confirmed match is found.
Training — staff who handle vendor onboarding and payment processing understand what sanctions are, why screening matters, and what to do with a potential match.
Testing and auditing — periodic internal audit of whether screening is actually being performed according to policy; results documented.
Voluntary self-disclosure — if a violation is discovered, disclose it to OFAC before OFAC discovers it. Self-disclosure is the single most impactful mitigating factor available.
None of these elements require a large compliance team. They require documentation, consistency, and the right screening tool running on the right schedule.
How TIN Comply Supports Your Screening Program
OFAC and Sanctions Screening at TIN Comply covers 250+ global watchlists with bulk screening, ongoing monitoring, API integration for real-time onboarding checks, and a full audit trail for your 10-year retention requirement.
Combined with IRS TIN Matching, EIN Lookup, and W-9 Collection, TIN Comply gives AP teams a single platform for both the tax identity and the sanctions compliance side of vendor validation.
This article is for informational purposes only and does not constitute legal or tax advice. Consult qualified legal counsel for guidance on sanctions compliance specific to your organization.