Your screening system returns a potential match. The customer you were about to onboard — or the supplier you were about to pay — shows as a possible hit against the OFAC SDN List or another government watchlist. What happens in the next thirty minutes determines whether your company is protected or exposed.
Most compliance programs have a screening process. Far fewer have a documented hit-response process — a written, step-by-step workflow that tells every reviewer exactly what to do when the screen returns something. That gap is where violations happen. OFAC's published enforcement actions are full of companies that had compliance programs that caught matches but then handled them inconsistently, undocumented, or incorrectly. The screen itself did its job. The response did not.
This guide walks through the complete hit-response workflow used by professional compliance programs. Follow the steps in order. The earlier steps produce the documentation and reasoning that justify the final decision — skipping ahead to the conclusion before completing the review is one of the most common mistakes in sanctions compliance.
Understanding What the Screen Actually Returned
Before running the workflow, it helps to understand what your screening system is actually telling you. A screening alert is not a confirmed violation — it is a signal that requires human review. Screening systems apply fuzzy-matching algorithms against watchlist records. They are intentionally tuned to return potential matches rather than confirmed matches, which means they catch variants, typos, transliterations, and similar names that a rigid string match would miss.
The result: most hits in a well-tuned system are false positives. Compliance programs at large exporters routinely report false positive rates of 90–95%. This is not a system failure — it is working as designed. The purpose of your review workflow is to separate the false positives from the genuine matches quickly and with documented reasoning.
What the screen may have matched against varies by list:
| List | Agency | Match Implication |
|---|---|---|
| SDN List | OFAC | Transactions generally prohibited; strict liability applies |
| Non-SDN Lists (SSI, NS-MBS, etc.) | OFAC | Sector-specific prohibitions — narrower in scope |
| Entity List | BIS | Export license required for listed EAR-controlled items |
| Denied Persons List | BIS | Export privileges revoked — any export activity prohibited |
| Unverified List | BIS | Cannot proceed without additional due diligence steps |
| AECA Debarred List | DDTC | ITAR-controlled transactions prohibited |
The response workflow below applies primarily to OFAC matches — where the stakes are highest and the regulatory framework is most prescriptive — but the core steps (pause, review, document, decide) apply to BIS and DDTC hits as well.
First Rule: Pause the Transaction
The moment a potential match appears, all activity with that counterparty stops. No payment release, no shipment authorization, no contract execution, no further substantive communication beyond essential clarification.
This is not paranoia — it is necessary for two reasons:
- Legal protection. Proceeding with a transaction while a hit is under review and later being found to be a true match is treated by OFAC as a facilitation violation separate from the underlying transaction. You compound your exposure by continuing.
- Evidence preservation. Additional communication with the counterparty before the review is complete may disclose information they could use to alter their identity documentation or cover their tracks. Keep the interaction minimal until you understand what you are dealing with.
Notify the relationship owner to put the transaction on hold immediately. A simple "we need to complete some compliance verification before proceeding" is sufficient. Do not tell the counterparty they triggered a sanctions list match. This is both a disclosure concern and a tipping-off risk — in some programs, alerting a sanctioned party that they have been identified is itself a violation.
Step 1: Review the Match Carefully
A potential match is not a confirmed match. Your screening system flagged something that partially resembles the counterparty — your job is to determine whether it is the same entity or a coincidence of naming.
Work through these comparison points in order, stopping when you have a definitive answer:
Name Analysis
Compare the exact legal name of your counterparty against the sanctioned party's name as it appears in the list record, including any listed aliases. Ask:
- Is this a transliteration variant of the same name (same entity, different script rendering)?
- Is this a common name that appears across many unrelated individuals?
- Is there a corporate suffix difference — Inc. vs. Ltd. vs. LLC — that would indicate a different legal entity?
For corporate names, a close variant with a different country of incorporation is often a different legal entity, not a pseudonym. For individual names, common names — particularly in languages where romanization produces many variants — require additional identifiers before a disposition can be made.
Geographic Comparison
Does the counterparty's registered address or operating country match the country associated with the sanctioned record? A name match between a Dubai-registered company and a Russia-based SDN-listed entity is a much weaker match than one where both are in the same country.
Identifying Numbers and Dates
If your counterparty has provided any of the following, compare them directly to the sanctioned record:
- Individual: Date of birth, passport number, national ID number
- Corporate: Tax identification number, D-U-N-S number, corporate registration number, SWIFT/BIC code
A single identifier mismatch — a different date of birth, a different national ID — is ordinarily sufficient to clear a name-only match. A match on any identifier is a strong indicator of a true hit and requires escalation even if the names are not identical.
Business Activity
Does what you know about the counterparty's business activity match the sanctioned entity's profile? An agricultural equipment exporter and an SDN-listed arms trafficker who share a common name are almost certainly not the same entity. A defense-technology distributor who name-matches an SDN-listed weapons broker is not so easy to dismiss.
Step 2: Document Your Review Before You Record the Disposition
Before you mark the hit as cleared, escalated, or rejected, write down your analysis in detail. This step is the one most commonly shortchanged — and it is the one that protects your company during an audit or enforcement investigation.
Your review note must include:
- The exact screening result (export the record or take a screenshot with a timestamp)
- The counterparty's identifying information you used in the comparison
- What information matched and what did not, with specifics
- Your reasoning for the conclusion, stated in full sentences
- The date, time, and name of the person performing the review
- Whether any additional due diligence steps were taken
The difference between defensible documentation and undefensible documentation is specificity. Compare these two entries for the same clearance decision:
Not defensible: "Reviewed. False positive. Cleared."
Defensible: "The SDN record for Mohammed Al-Rashid lists a date of birth of 1971-03-14 and a Yemeni passport number. Our counterparty Mohammed Al-Rashid submitted a UAE business license and passport showing DOB 1985-09-22. The names are common in the Gulf region. These records refer to different individuals. Cleared on the basis of DOB mismatch and passport number mismatch."
An audit examiner who reviews the second note understands exactly what was compared, what was found, and why the reviewer concluded no match. The first note provides none of that. After a violation is discovered, OFAC will review your clearance documentation for every prior hit involving that counterparty or similar entities. Inadequate documentation retroactively undermines every clearance you have ever made.
Step 3: Decide — Clear, Escalate, or Reject
Based on your documented review, one of three outcomes applies.
Outcome A: Clear the Match (Confirmed False Positive)
If the comparison confirms the potential match refers to a different entity, clear the hit. Record the reasoning as described above, attach the clearance note to the counterparty's compliance file, and proceed.
Do not delete the match record. An examiner wants to see that your program caught the potential match, reviewed it properly, and documented the clearance. A file with no record of a potential hit is a file that looks like the screening was never done.
Outcome B: Escalate to Counsel (Ambiguous Match)
If you cannot confidently determine whether the match is a false positive — for example, the name is a close variant, the country is consistent, and additional identifiers are unavailable — escalate to legal counsel before taking any further action.
OFAC's strict liability standard means that "I thought it was probably a false positive" does not reduce liability if you were wrong. Uncertainty means the transaction stays paused. Set a specific timeline for the escalation — counsel should respond within 24–48 hours for routine escalations, same-day for anything involving active fund movement.
Outcome C: Reject the Transaction (Confirmed Match)
If the review confirms the match — same entity — the transaction is prohibited. Do not proceed.
Immediate steps:
- Document the confirmed match in full
- Do not return any funds or property already received — these are likely blocked property that must be held under 31 C.F.R. Part 501
- Notify your compliance officer and legal counsel immediately
- Preserve all transaction records, communications, and counterparty documentation
- Do not communicate the reason for rejection to the counterparty beyond "we are unable to proceed with this transaction"
The last point matters: tipping off a sanctioned party that they have been identified — by telling them they matched a sanctions list, or by providing information that reveals your screening program caught them — can constitute a separate violation under OFAC's prohibitions.
Step 4: Handle Blocked Property
If you received funds or property from a party subsequently determined to be sanctioned — before the screen caught it — those assets are blocked. Blocked property cannot be transferred, returned, applied to a liability, or released without an OFAC license. Returning it to the counterparty is itself a violation.
Blocked property obligations under 31 C.F.R. § 501.603:
- Report blocked property to OFAC within 10 business days of the blocking using the TDFR (Transaction and Disclosure of Frozen/Blocked Property) form
- File an annual report on blocked property held as of June 30 each year, due by September 30
- Hold blocked funds in an interest-bearing account segregated from operating funds
- Maintain records of all blocked property transactions for five years
If the situation is ambiguous — you are not certain whether the property is legally blocked or whether the counterparty is genuinely the sanctioned party — engage counsel before taking any action. These reporting obligations are not flexible, and failing to report blocked property on time is itself a regulatory violation.
Step 5: Evaluate Voluntary Self-Disclosure
If the confirmed match reveals that a prior transaction already completed — meaning you shipped goods or transferred funds before the screening caught the hit — you face a separate and significant decision: whether to voluntarily disclose the apparent violation to OFAC.
Voluntary self-disclosure (VSD) typically reduces the base civil penalty by 50% under OFAC's enforcement guidelines. For willful violations, it is also treated as a significant mitigating factor that can reduce a Finding of Violation to a No Action Letter in borderline cases. For large or complex cases, the difference between VSD and no disclosure can be measured in millions of dollars.
Real enforcement actions demonstrate the scale of this difference. In 2019, UniCredit Bank AG settled with OFAC for $611 million after failing to voluntarily disclose transactions involving Iranian counterparties that were later discovered through OFAC's own investigation. In contrast, many companies that voluntarily disclosed comparable violations received substantially lower penalties — in some cases receiving No Action Letters after disclosure. The pattern is consistent across OFAC's published enforcement history: disclosure before discovery is rewarded, discovery before disclosure is not.
Factors that weigh in favor of VSD:
- The violation is likely to be discovered by OFAC through independent means (bank records, trade data, counterparty disclosure)
- The transaction is significant in dollar amount or involves multiple transactions over time
- The company's compliance program is substantive and the violation is an isolated lapse
- The violation involves a program area where OFAC has active enforcement focus (Iran, Russia, North Korea)
Factors that may weigh against VSD (though rarely determinative in serious cases):
- The transaction is genuinely de minimis and isolated
- No independent means of OFAC discovery exist
Voluntary self-disclosure is one of the highest-stakes decisions in export compliance. Do not make it without legal counsel — and do not delay engaging counsel out of a hope that the issue will go away. OFAC's statute of limitations for civil violations is five years.
Step 6: Build and Refine Your Hit-Response Protocol
The steps above describe a complete hit-response workflow. If your compliance program does not have this written down as a formal protocol — with assigned roles, decision authorities, escalation contacts, documentation templates, and turnaround time standards — you have an incomplete compliance program.
A documented hit-response protocol serves three purposes:
- Consistency. Different reviewers will make different decisions on ambiguous matches unless they are working from the same framework. Consistency is what makes your program defensible.
- Speed. A reviewer who has to figure out what to do when a hit appears will be slower and more uncertain than one who has a workflow to follow. Speed matters — transactions are time-sensitive.
- Evidence of program adequacy. When OFAC evaluates a violation, one of the first things it looks for is whether the company had an adequate compliance program. A documented hit-response protocol is direct evidence that it did.
Your protocol should address at minimum:
- Who receives a hit notification and in what timeframe
- Who is authorized to clear a false positive, and at what match score threshold escalation is required
- How clearance decisions are documented and stored
- Who must be notified of a confirmed match (compliance officer, legal counsel, management)
- What the standard response language is to counterparties during a hold
- What the escalation path is for ambiguous matches, with a turnaround time requirement
- How blocked property is handled and reported
- How VSD decisions are initiated and managed
Review and test this protocol at least annually, and update it after any significant hit — especially a confirmed match or near-miss.
Common Mistakes in Handling Hits
- Treating all matches as false positives by default. Alert fatigue degrades review quality. Every match deserves a genuine, documented review.
- Clearing matches with no written reasoning. "Cleared — FP" is not documentation. It will not survive an audit.
- Notifying the counterparty that they triggered a sanctions match. This can constitute tipping off a sanctioned party, which is itself a violation.
- Returning blocked property. Returning blocked funds or goods to a sanctioned party is a separate violation. Hold them and engage counsel.
- Not escalating ambiguous cases. Uncertainty is not a basis for clearance. If the review is not sufficient to clear the match confidently, the transaction stays paused.
- Failing to update program documentation after a hit. Every hit is a data point. Programs that do not learn from hits are programs that repeat the same exposure.
Frequently Asked Questions
Is every screening hit a real problem? No. Most potential matches are false positives — particularly for common names. Professional screening programs typically see false positive rates of 90% or higher. The review workflow exists to separate genuine matches from coincidental name similarities, and to document that separation in a way that is defensible.
Can I just ignore a match if I'm confident it's a false positive? No. Every match must be reviewed and documented, even obvious false positives. Ignoring a match — or clearing it without a written record — leaves no evidence that the screening program functioned at all. In an audit, an undocumented clearance looks the same as no screening.
What is "blocked property"? Blocked property is any asset held for or on behalf of a sanctioned party. If you receive funds, goods, or other property from a party subsequently determined to be sanctioned, those assets are frozen — you must hold them, report them to OFAC within 10 business days, and cannot transfer or return them without an OFAC license.
Do I have to report every match to OFAC? No. Reporting obligations attach specifically to blocked property (31 C.F.R. § 501.603) and to rejected transactions involving SDN-listed parties in specific programs (31 C.F.R. § 501.604). Cleared false positives do not require OFAC reporting, though your internal documentation should be retained.
What if the counterparty asks why we stopped the transaction? Use a generic response: "We are unable to proceed with this transaction at this time." Do not explain that the counterparty triggered a sanctions match. Providing specific reasons can constitute tipping off a sanctioned party.
Should we refund payments already received from a blocked party? No. Once property is blocked, it must be held — returning it to the sanctioned party is a separate OFAC violation. Deposit the funds in a segregated interest-bearing account, report to OFAC within 10 business days, and engage counsel immediately.
How long do we have to complete a hit review? OFAC does not specify a turnaround time for match review, but the practical standard is that the review should complete before the transaction proceeds. For ambiguous escalations, most programs set an internal standard of 24–48 hours. Transactions should remain on hold until the review concludes.
What's the difference between a rejected transaction and a blocked transaction? A rejected transaction is one that you decline to proceed with before any exchange of funds or goods — you catch the match before the deal closes. A blocked transaction is one where funds or property have already moved and must be frozen and reported. Both require documentation; blocked transactions additionally require OFAC reporting and annual disclosure.
What if a counterparty was added to the SDN List after we onboarded them? This is why ongoing re-screening matters. If a counterparty you already have a relationship with is added to the SDN List, any open transactions, pending deliveries, or unresolved balances immediately become subject to the blocking rules. You must pause all activity, block any relevant property, and engage counsel. Most programs handle this by screening the full counterparty database against updated lists daily or weekly.
How does TradeLasso help with match review? TradeLasso flags potential matches with detailed source data — including country, addresses, and available identifiers — so reviewers can make informed clearance decisions quickly. Every review action is logged with timestamp and user attribution for audit purposes. See how match review works in TradeLasso.