Restricted party screening is not an annual audit item. The legal obligation applies before every new business relationship begins — before you accept a purchase order, before you sign a distribution agreement, before funds move, and before goods leave the dock. Getting this step wrong at the start is where most export control violations originate, and OFAC's published enforcement history is full of companies that got away with inadequate onboarding screening for years before a single overlooked match produced a six- or seven-figure penalty.
This guide walks through the complete process for screening a new customer before onboarding — including the legal framework that makes screening non-optional, the exact information you need, which lists to check, the 50% ownership rule, non-obvious parties you must also screen, how to evaluate results, how to document them for audit, and how to keep the screening current after onboarding. A worked example at the end shows the full process applied to a fictional customer.
Why You Must Screen Before Onboarding — Not After
The legal architecture is straightforward. Three U.S. regimes govern export-related restricted party screening:
- The International Emergency Economic Powers Act (IEEPA), which authorizes OFAC sanctions programs and administers the OFAC SDN List and numerous country-specific programs.
- The Export Control Reform Act (ECRA), which gives BIS authority over the Export Administration Regulations (EAR) and the Entity List, Denied Persons List, and Unverified List.
- The Arms Export Control Act (AECA), which administers the International Traffic in Arms Regulations (ITAR) and the AECA Debarred List.
Under each of these regimes, the compliance obligation rests on the U.S. person engaging in the transaction — not on the counterparty. If you transact with a sanctioned or denied party, the government does not need to prove you knew. OFAC applies a strict liability standard for civil penalties under IEEPA: the violation is complete the moment the transaction occurs. Ignorance is at most a mitigating factor in calculating the penalty, not a defense to liability.
This is why post-transaction screening is effectively useless as a compliance control. Once the transaction has happened, any violation is already complete. The only screening that reduces risk is screening performed before you are contractually or operationally committed — before the PO is accepted, before the service contract is signed, before funds clear, before product ships.
Understanding Risk Levels: A Risk-Based Approach
Not every new customer carries the same risk, and a mature compliance program allocates scrutiny accordingly. A good rule is to tier incoming customers into three categories and apply proportionate diligence:
Tier 1 — Low Risk. A U.S.-based customer in a non-restricted industry, buying EAR99 commercial goods for domestic use, with clear ownership and an established business history. Standard screening applies — name plus principals against all 13 U.S. lists.
Tier 2 — Medium Risk. A customer in a non-restricted country buying items with an ECCN, or a customer whose ownership structure is complex, or a customer whose end-use profile touches adjacent sensitive industries (energy, telecommunications, medical devices with dual-use potential). Standard screening plus additional due diligence on beneficial ownership and end-use verification.
Tier 3 — High Risk. A customer in a higher-risk jurisdiction (adjacent to a sanctioned country, or a known transshipment hub for diversion), a customer purchasing ECCN-controlled goods, an intermediary or distributor, a customer with opaque ownership, or any case where the end-use is inconsistent with the customer's apparent industry. Enhanced due diligence, including business reference checks, corporate registry verification, and — often — legal counsel review of the relationship before onboarding.
The tier is not a substitute for screening. Every customer, regardless of tier, gets screened against all lists. What the tier determines is how much additional diligence wraps around the screening.
What You Need Before You Start
The quality of your screening output is directly proportional to the quality of your input. Before running a single search, collect the following information from the prospective customer, and do not onboard until it is complete:
- Full legal name of the company as registered with its corporate registry. Not the trade name, not an abbreviation, not the DBA — the legal name. Screening a company called "Acme" when its legal name is "Acme Industrial Holdings LLC" misses list entries keyed to the full registered name.
- Principal address — country and city at minimum; full address where possible. The address is essential for resolving false positives: a common-name match in a different country is very likely a different entity.
- Country of incorporation if different from the operating country. A company operating in Germany but incorporated in the British Virgin Islands is a structural red flag that warrants additional diligence on beneficial ownership.
- Business registration number or corporate identifier (D-U-N-S, Companies House number, state-of-incorporation registration). These are dispositive for resolving identity in close-match situations.
- Names of all key principals — beneficial owners with any meaningful stake, directors, officers, and anyone who will sign the contract on the customer's behalf. These are not optional; the 50% rule depends on them.
- Ownership structure — who owns the owners? If the immediate owner is a holding company, who controls the holding company? Opaque ownership is itself a red flag.
- End-use information — what will they do with your product or service? A buyer purchasing precision CNC equipment should be able to describe what they manufacture. A generic or evasive answer is a signal.
- End-user identity — if the buyer is a distributor or intermediary, who is the ultimate recipient?
- Expected transaction profile — shipment volumes, geographies, frequency. Anomalies relative to stated business profile are red flags.
Do not treat missing information as acceptable on the premise that you will "get it later." Operational pressure to onboard quickly is the most common reason compliance controls fail.
Step 1: Screen the Company Name Against All Relevant Lists
Run the company's full legal name through the complete set of U.S. government screening lists. A complete screening covers the following at minimum:
| List | Agency | What It Covers |
|---|---|---|
| SDN List | OFAC | Sanctioned individuals and entities — transactions generally prohibited |
| Non-SDN Lists | OFAC | Sector-specific sanctions programs (SSI, NS-MBS, FSE, PLC, 13599, CAPTA, and others) |
| Entity List | BIS | Foreign parties requiring additional export licenses — most additions in recent years |
| Denied Persons List | BIS | Parties whose export privileges have been revoked by BIS order |
| Unverified List | BIS | Parties whose bona fides BIS could not verify — heightened diligence obligations apply |
| Military End-User List | BIS | Parties restricted for military end-use items |
| AECA Debarred List | DDTC | Parties debarred from ITAR-controlled transactions |
| Nonproliferation Sanctions | State | Parties sanctioned under WMD or missile proliferation authorities |
| FBI Most Wanted | FBI | Parties wanted for terrorism and related offenses |
| PEP Data (supplemental) | Various | Politically exposed persons — not always mandatory but often included |
The Consolidated Screening List (CSL) on trade.gov combines several of these into a single query interface. It is a useful public resource but is not a complete screening solution on its own. The CSL does not always reflect same-day additions, its search algorithm does not perform sophisticated fuzzy matching, and it does not generate audit-ready logs. For a program that meets OFAC's expectation of a "reasonable" compliance program, the CSL should be a supplement to, not a substitute for, purpose-built screening infrastructure.
Use fuzzy matching rather than exact-name search. Sanctioned parties routinely use name variations, and non-Latin-script names (Arabic, Cyrillic, Chinese) produce multiple valid transliterations. Exact-match search against "Muhammad Hussain" will miss list entries for "Mohammad Hussein" or "Muhammed Husein" — these are the same names, differently romanized.
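To show what fuzzy matching in this step actually has to do, here is an added example in Python. It is not TradeLasso's matching engine and not code from this page; the three list entries in it are constructed samples, not real list data. It folds case and diacritics, drops punctuation, sorts the name tokens so reversed word order still lines up, compares every alias on a record rather than only the primary name, and scores with a Levenshtein-based similarity. The 0.80 threshold is an assumed value to be tuned against your own false-positive rate.

```python
import re
import unicodedata

# Constructed sample of list entries (not real list data). Each entry carries a
# primary name, known aliases, the list it comes from, and a country of address.
SAMPLE_LIST = [
    {"id": "SDN-0001", "list": "SDN", "name": "Mohammad Hussein",
     "aliases": ["Muhammed Husein", "Mohammed Hussain"], "country": "Iraq"},
    {"id": "SDN-0002", "list": "SDN", "name": "Ivan Petrov",
     "aliases": [], "country": "Russia"},
    {"id": "EL-0003", "list": "Entity List", "name": "Acme Industrial Holdings LLC",
     "aliases": ["Acme Industrial"], "country": "Hong Kong"},
]


def normalize(name):
    """Fold case and diacritics, drop punctuation, and sort the tokens so that
    'Hussain Muhammad' and 'Muhammad Hussain' normalize to the same string."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = re.findall(r"[a-z0-9]+", text)
    return " ".join(sorted(tokens))


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), row-by-row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical strings, falling toward 0.0 as edits pile up."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def screen_name(query, entries=SAMPLE_LIST, threshold=0.80):
    """Return potential matches at or above the threshold, best score first.
    Every alias is compared, and the best-scoring name on each record is reported
    so the reviewer can see exactly which variant fired."""
    q = normalize(query)
    hits = []
    for entry in entries:
        best_name, best = None, 0.0
        for cand in [entry["name"]] + entry["aliases"]:
            s = similarity(q, normalize(cand))
            if s > best:
                best_name, best = cand, s
        if best >= threshold:
            hits.append({"id": entry["id"], "list": entry["list"],
                         "matched_on": best_name, "score": round(best, 3)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for q in ("Muhammad Hussain", "Hussain Muhammad", "Acme", "Acme Industrial Holding"):
        print(q, "->", screen_name(q))
```

Two things worth noticing when you run it: "Acme" alone returns nothing against the entry keyed to "Acme Industrial Holdings LLC", which is the point made above about screening the full legal name, while the reversed query "Hussain Muhammad" returns exactly the same hit as "Muhammad Hussain".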
Step 2: Screen Key Principals Individually
Screening the company name is necessary but not sufficient. The OFAC 50% rule extends the SDN designation to any entity owned — directly or indirectly — 50% or more by one or more sanctioned parties, whether or not the entity itself appears on a list. This means an unlisted company can still be treated as blocked if a sanctioned individual controls it through ownership.
A worked example: suppose a Swiss company called "Alpenlux AG" wants to buy your product. Alpenlux is not on any U.S. sanctions list. However, Alpenlux is 60% owned by a Russian oligarch who is on the SDN List. Under the 50% rule, Alpenlux is itself treated as blocked — and any U.S. person transacting with Alpenlux is violating sanctions, exactly as if Alpenlux were directly named on the SDN List. The only way to catch this is to screen the beneficial owners, not just the company.
For each new customer, screen:
- Beneficial owners with a 25% or greater ownership stake (you can follow the 50% rule literally, but the safer practice is to screen anyone at 25% or above, because aggregate ownership by multiple sanctioned parties totaling 50% or more also blocks the entity, even when no single holder crosses that line on its own)
- Directors, officers, and board members listed on the corporate registry
- The individual(s) who will sign the contract on the customer's behalf
- Any named agent or representative who will interact with your company operationally
Use the same screening lists as Step 1. This step is where manual spreadsheet processes frequently fail — the volume of names makes it easy to skip, rush, or forget. Under a manual process, a customer with five directors and three beneficial owners requires nine separate screenings (company plus eight individuals). Under automation, all nine complete in seconds and are logged automatically.
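The aggregation behind the 50% rule is easy to get wrong by hand once holdings run through intermediaries, so here is an added Python example, not from this page or from TradeLasso, that computes it from an ownership table. It applies OFAC's published reading of the rule: a stake held through an intermediary that is itself blocked counts in full, a stake held through an unblocked intermediary counts for nothing, and the calculation repeats until no further entity becomes blocked. All companies and stakes are constructed: `Alpenlux AG` mirrors the example above, `Nordfund SA` shows two sanctioned parties aggregating past 50% with neither above it alone, `Alpenlux Trading Ltd` shows blocking through a blocked intermediary, and `Tyrol GmbH` shows a chain that does not block. The `parties_to_screen` walk up the ownership graph at a 25% floor is the assumed policy choice from the list above, not OFAC text.

```python
from collections import defaultdict

# Constructed ownership table: (owner, entity, percent held). Not real companies.
SAMPLE_HOLDINGS = [
    ("Oligarch A", "Alpenlux AG", 60.0),
    ("Swiss Investor", "Alpenlux AG", 40.0),
    ("Alpenlux AG", "Alpenlux Trading Ltd", 50.0),      # held via a blocked company
    ("Clean Partner", "Alpenlux Trading Ltd", 50.0),
    ("Sanctioned Co B", "Nordfund SA", 30.0),           # 30 + 25 aggregates to 55
    ("Sanctioned Person C", "Nordfund SA", 25.0),
    ("Clean Holder", "Nordfund SA", 45.0),
    ("Oligarch A", "Helvetia Trading", 25.0),           # Helvetia itself is NOT blocked
    ("Clean Holder", "Helvetia Trading", 75.0),
    ("Helvetia Trading", "Tyrol GmbH", 50.0),           # unblocked intermediary: counts 0
    ("Oligarch A", "Tyrol GmbH", 10.0),
    ("Clean Partner", "Tyrol GmbH", 40.0),
]
# Constructed: the parties that appear directly on a sanctions list.
SAMPLE_LISTED = {"Oligarch A", "Sanctioned Co B", "Sanctioned Person C"}


def _owners_of(holdings):
    owners = defaultdict(list)
    for owner, entity, pct in holdings:
        owners[entity].append((owner, pct))
    return owners


def blocked_entities(holdings, listed, threshold=50.0):
    """Listed parties plus every entity whose stakes held by blocked parties
    (listed ones or entities already found blocked) sum to the threshold or more.
    Iterates to a fixpoint so that blocking propagates down ownership chains."""
    owners_of = _owners_of(holdings)
    blocked = set(listed)
    changed = True
    while changed:
        changed = False
        for entity, stakes in owners_of.items():
            if entity in blocked:
                continue
            if sum(pct for owner, pct in stakes if owner in blocked) >= threshold:
                blocked.add(entity)
                changed = True
    return blocked


def blocked_stake_report(holdings, listed, threshold=50.0):
    """Per entity: (aggregate percent held by blocked parties, blocked?)."""
    blocked = blocked_entities(holdings, listed, threshold)
    totals = {}
    for owner, entity, pct in holdings:
        totals.setdefault(entity, 0.0)
        if owner in blocked:
            totals[entity] += pct
    return {e: (round(p, 2), p >= threshold) for e, p in totals.items()}


def parties_to_screen(holdings, entity, min_stake=25.0):
    """Everyone holding at least min_stake in `entity`, walking up through
    intermediate holding companies ('who owns the owners?'). Stakes below the
    floor are skipped, which is why screening should also be re-run whenever
    the ownership table changes."""
    owners_of = _owners_of(holdings)
    to_visit, seen = [entity], set()
    while to_visit:
        current = to_visit.pop()
        for owner, pct in owners_of.get(current, []):
            if pct >= min_stake and owner not in seen:
                seen.add(owner)
                to_visit.append(owner)
    return seen


if __name__ == "__main__":
    for entity, (pct, blocked) in blocked_stake_report(SAMPLE_HOLDINGS, SAMPLE_LISTED).items():
        print(f"{entity:22s} blocked-party stake {pct:5.1f}%  blocked={blocked}")
    print("screen for Tyrol GmbH:", sorted(parties_to_screen(SAMPLE_HOLDINGS, "Tyrol GmbH")))
```

Note what the walk for `Tyrol GmbH` surfaces: `Oligarch A` appears as a 25% owner of `Helvetia Trading`, so the screening of principals finds a listed party even though the aggregation then shows only 10% of Tyrol in blocked hands. Finding the name and computing the percentage are two separate steps, and both are needed.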
Step 3: Screen Non-Obvious Parties to the Transaction
The customer is not the only party you must screen. Every party involved in the transaction chain carries potential liability. Depending on the deal structure, you may also need to screen:
- End-user, if different from the buyer (for intermediated transactions)
- Freight forwarder handling the shipment
- Customs broker clearing export
- Bank receiving payment (for sanctioned-bank exposure)
- Notify party listed on the bill of lading
- Consignor or consignee, if those are distinct from the buyer
- Agent or broker acting on the buyer's behalf
- Trust or nominee holding the shares, if the direct owner is a fiduciary
- Any beneficial owner not already covered above
This expanded screening scope is what distinguishes a compliant program from a nominally compliant one. Enforcement cases frequently surface violations that slipped through because a downstream party — the freight forwarder, the bank, the consignee — was the actual sanctioned entity while the named buyer was clean. OFAC's expectations have moved toward "screen everyone in the transaction chain" rather than "screen the customer."
Step 4: Evaluate the Country and End-Use Context
Name screening catches listed parties. It does not catch the larger category of prohibited transactions that involve unlisted parties in sanctioned jurisdictions or engaged in prohibited end-uses.
Country risk. Some countries are subject to comprehensive U.S. sanctions programs. Cuba, Iran, North Korea, Syria, and — for most commercial sectors — Russia and Belarus are the primary comprehensive programs. Transactions with parties in these jurisdictions are generally prohibited regardless of whether the specific party appears on a list. A new customer based in, shipping to, or primarily operating in any of these countries requires OFAC license authorization before you can proceed, and in most cases the license will not be granted.
Adjacent to comprehensive sanctions are targeted sanctions programs — Venezuela, Zimbabwe, certain areas of Ukraine, the Balkans, various counter-terrorism programs — that restrict specific activities or industries but not all transactions. These require sector-specific analysis rather than blanket prohibition.
End-use risk. The EAR prohibits exports to parties whose end-use falls into restricted categories regardless of whether the buyer is listed. The two most common end-use restrictions:
- Military end-use restrictions, which prohibit exports of specified items for military purposes in certain countries (China, Russia, Venezuela, Burma) unless licensed
- WMD and missile proliferation end-use restrictions, which prohibit exports supporting weapons of mass destruction or missile development, globally
An end-use red flag requiring escalation: the product/use combination does not make sense for the stated business. A construction company buying precision semiconductors, a "trading company" with no evident industry focus buying specialized equipment, or a buyer whose stated end-use changes during negotiation — all of these require additional diligence before onboarding.
Step 5: Evaluate the Results
After completing the screening, each match type demands a different response:
No matches found. The customer's name, principals, and related parties are clear across all lists. Country and end-use are not restricted. Document the screening result — including which lists were searched, the parties screened, and the timestamp — and proceed with onboarding. "No match" is a legally meaningful result only if it is documented; an undocumented clean screening is, for audit purposes, indistinguishable from no screening at all.
Potential matches (fuzzy hits). The screening tool returns records that partially match one or more of your customer's identifiers. This is normal — especially for common surnames and generic company names. Every potential match requires human review. For each match, compare:
- Country of address (does it match the listed party's known country?)
- Date of birth or founding date (if available on the list record)
- Additional identifiers (passport numbers, D-U-N-S, registration numbers, aliases)
- Business description or activity profile
- Sanctions program under which the listed party appears (is it plausibly related to your customer's business?)
If the match clearly refers to a different entity, write out the reasoning in detail — "SDN-listed Ivan Petrov is based in Moscow with DOB 1965; our customer's director Ivan Petrov is based in Tallinn with DOB 1978; these are different individuals with a common Russian-origin name." File this reasoning with the customer record. A written clearance rationale is auditable; a one-line "cleared false positive" note is not.
If the match cannot be definitively ruled out, escalate to legal counsel before proceeding. Under strict liability, being wrong is a violation regardless of good-faith review. When uncertain, err toward non-transaction.
Confirmed match. Do not proceed under any circumstance. A confirmed match against the SDN List, Denied Persons List, AECA Debarred List, or a comprehensively sanctioned program means the transaction is prohibited, or authorized only under a specific OFAC or BIS license that must be obtained before any activity. Notify compliance counsel immediately and follow the process for handling a confirmed hit.
Step 6: Document Everything, to Audit Standards
A screening that is not documented did not happen — at least not in the eyes of an OFAC, BIS, or DDTC examiner. Audit-ready documentation for each screening includes:
- Date and time of screening, with timezone
- Lists screened against — the specific lists and, ideally, the data version/date
- Name(s) and identifiers searched — the exact query, not a summary
- Match results — both the matches and the non-matches, with screenshots or exports
- Name of the person who performed the screening
- Disposition — cleared, escalated, or rejected — with the written reasoning
- If cleared: the specific comparison points (address, DOB, identifier) supporting clearance
- If escalated or rejected: the specific list entry matched and the action taken
- Final approval for proceeding with the transaction, if applicable
Store this documentation with the customer's onboarding file under a retention schedule of at least five years (BIS's explicit requirement; OFAC and DDTC expect equivalent retention). The record should be in a system that survives personnel changes — not in a departing employee's personal email or an abandoned shared drive.
This is the single factor that most distinguishes nominally compliant programs from defensibly compliant ones. When OFAC opens an inquiry, the first request is for screening records. Companies that can produce them quickly, organized, and complete get treated very differently from companies that have to reconstruct them.
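The match review in Step 5 and the record-keeping in Step 6 fit together naturally, so one added Python example covers both. It is not code from this page or from TradeLasso. `compare_match` works through the comparison points listed under Step 5 (country of address, date of birth, unique identifiers) and produces the kind of written rationale the text asks for; its decision rules (a shared identifier confirms, any shared point or too little data to contradict the record escalates, two or more differing points with nothing shared clears) are an assumed house policy, not OFAC guidance. `audit_record` and `audit_ready` then build the Step 6 record and refuse to treat a one-line "cleared false positive" as a rationale. The customer, the list record, and the data version string are constructed samples.

```python
import json
from datetime import datetime, timezone

COMPARE_FIELDS = ("address", "dob", "identifier")

# Constructed samples mirroring the worked example on this page; not real records.
SAMPLE_CUSTOMER = {"name": "Tariq Khan", "role": "principal",
                   "address": "Lahore, Pakistan", "dob": "1978"}
SAMPLE_LISTING = {"list": "SDN", "name": "Tariq Khan", "program": "SDGT",
                  "address": "Karachi, Pakistan", "dob": "1961"}
SAMPLE_LISTS = [{"name": "SDN", "version": "constructed-version-001"}]


def compare_match(customer, listing):
    """Compare a screened party with a list record point by point.
    Assumed house rules (not OFAC text):
      shared unique identifier                                 -> confirmed
      any shared point, or fewer than two points to contradict -> escalate
      two or more available points, all differing             -> cleared
    Missing data never counts as a difference, so thin records escalate."""
    differs, shared, points = [], [], {}
    for field in COMPARE_FIELDS:
        a, b = customer.get(field), listing.get(field)
        if a is None or b is None:
            points[field] = "unavailable"
        elif str(a).strip().lower() == str(b).strip().lower():
            shared.append(field)
            points[field] = "shared"
        else:
            differs.append(field)
            points[field] = "differs"
    if "identifier" in shared:
        disposition = "confirmed"
    elif shared or len(differs) < 2:
        disposition = "escalate"
    else:
        disposition = "cleared"
    unavailable = [k for k, v in points.items() if v == "unavailable"]
    rationale = (
        f"{listing['list']}-listed {listing['name']} ({listing.get('program', 'program unknown')}) "
        f"at {listing.get('address', 'address unknown')}, DOB {listing.get('dob', 'unknown')}; "
        f"customer's {customer['role']} {customer['name']} at "
        f"{customer.get('address', 'address unknown')}, DOB {customer.get('dob', 'unknown')}. "
        f"Differing points: {', '.join(differs) or 'none'}; shared points: "
        f"{', '.join(shared) or 'none'}; unavailable: {', '.join(unavailable) or 'none'}. "
        f"Disposition: {disposition}."
    )
    return disposition, rationale, points


def audit_record(query, lists, matches, reviewer, disposition, rationale):
    """The Step 6 record: UTC timestamp with offset, lists with data version,
    the exact query string, every match (an explicit empty list for 'no match'),
    who reviewed it, and the written disposition."""
    return {
        "screened_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "lists": lists,
        "query": query,
        "matches": matches,
        "reviewer": reviewer,
        "disposition": disposition,
        "rationale": rationale,
    }


STUB_RATIONALES = {"", "ok", "n/a", "cleared", "false positive", "cleared false positive"}


def audit_ready(record):
    """True only if every field is present, the timestamp carries a timezone,
    every list names a data version, and the rationale is more than a stub."""
    required = ("screened_at", "lists", "query", "matches", "reviewer", "disposition", "rationale")
    if any(record.get(k) is None for k in required):
        return False
    if datetime.fromisoformat(record["screened_at"]).tzinfo is None:
        return False
    if not record["lists"] or any("version" not in entry for entry in record["lists"]):
        return False
    return record["rationale"].strip().lower() not in STUB_RATIONALES


def to_json(record):
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    disposition, rationale, _ = compare_match(SAMPLE_CUSTOMER, SAMPLE_LISTING)
    rec = audit_record("Tariq Khan", SAMPLE_LISTS, [{"id": "SDN-constructed-0007"}],
                       "reviewer@example.invalid", disposition, rationale)
    print(to_json(rec), "audit-ready:", audit_ready(rec))
```

The escalate-by-default behaviour is deliberate: a list record with no DOB and no identifier leaves only the address to contradict it, and under strict liability that is not enough to write "cleared" into the file.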
Step 7: Set a Re-Screening Trigger
Onboarding screening is a one-time event. The watchlists, however, update daily — OFAC adds to the SDN List multiple times per week, and BIS updates the Entity List regularly. A customer clean on the day of onboarding can be sanctioned six months later without you knowing, unless your program is designed to catch it.
Establish a re-screening schedule commensurate with your risk tier:
- At minimum: Re-screen all active customers annually
- Better practice: Re-screen before each significant new order or shipment above a defined value threshold
- Best practice: Automated continuous re-screening that runs your entire customer base against each new list update, with alerts on any new match
TradeLasso's Saved Profiles feature lets you save customer records and re-run them against current list data automatically, with alerts surfaced on the dashboard if a saved counterparty matches a newly added list entry.
A Worked Example: Screening "Acme Trading LLC"
To make the process concrete, suppose your company receives an inquiry from Acme Trading LLC, based in the UAE, wanting to purchase EAR99 commercial valves for "industrial applications."
Information gathered:
- Legal name: Acme Trading LLC
- Address: Dubai, UAE (free zone)
- Registration: UAE free zone commercial license number
- Principals: three owners — one UAE national, one Pakistani national, one British national
- Ownership structure: direct, each 33.3%
- End-user: Acme states the valves are for an "oil services customer" in the UAE
- Transaction size: $180,000 one-time order, with possible follow-on
Risk tier assessment. UAE is a higher-risk jurisdiction due to its role as a transshipment hub to Iran and other sanctioned destinations. The stated end-use is vague ("oil services customer"). Default tier: medium risk, escalating to high if additional red flags emerge.
Screening execution.
- Screen "Acme Trading LLC" against all 13 U.S. lists using fuzzy matching. Result: no matches.
- Screen each of the three named owners individually. Result: two clear; one potential match on the Pakistani national against a common-name entry on the SDN List.
- Review the match. The SDN entry is from a different sanctions program (SDGT), has a different DOB (1961 vs. customer's 1978), and lists an address in Karachi (customer's address is Lahore). The names share common Pakistani-origin elements but the identifiers differ. Written clearance: "SDGT-listed Tariq Khan DOB 1961 Karachi is a distinct individual from customer's principal Tariq Khan DOB 1978 Lahore. Common Pakistani name, different dates and locations. Cleared as false positive."
- Screen the stated end-user — but Acme has not provided a specific end-user name, only "oil services customer." Red flag. Request specific end-user identity before proceeding.
- Country evaluation. UAE is not comprehensively sanctioned, but its role as a transshipment hub to Iran raises additional diligence requirements. Confirm the valves will not be re-exported to Iran via end-use certification.
- End-use evaluation. Commercial valves for oil and gas have no specific end-use restriction, but vagueness is a red flag.
Decision: Escalate. The owner-level screening cleared, but the end-user is unspecified and the transaction profile has red flags consistent with diversion. Before onboarding, require: (a) a named end-user with address, (b) an end-use statement confirming no re-export to a sanctioned jurisdiction, and (c) a re-screen against the named end-user. If any of these are refused, decline the relationship.
Documentation: Save all screening results, the clearance reasoning for the potential match, the red flag assessment, and the escalation decision in the customer file. If the relationship ultimately does not proceed, retain the records for five years regardless.
Red Flags That Require Extra Due Diligence
Certain patterns in a new customer inquiry warrant escalation to enhanced due diligence — and sometimes to declining the relationship. These are the signals OFAC and BIS expect exporters to recognize:
- Buyer is unfamiliar with the product or cannot describe its intended use specifically
- Buyer is an intermediary in a jurisdiction different from the stated end-user
- Shipping instructions are unusual — request to ship via multiple legs to disguise the ultimate destination, or to deliver to a freight forwarder without further destination disclosure
- Payment structure is unusual — cash, crypto, third-party wire transfers from unrelated entities, or payments from jurisdictions unrelated to the stated buyer
- Buyer resists providing owner or principal information or provides contradictory information
- Specifications are requested that are inconsistent with stated end-use (military-grade specs for commercial applications, for example)
- Transaction is time-pressured with urgency that is not explained by business fundamentals
- Buyer insists on no inspection, site visit, or end-use certification where such verification is industry-normal
- Buyer has no web presence, no industry references, or a corporate history that does not match the size of the inquiry
No single red flag is dispositive. Two or more together typically warrant escalation. All of them together almost certainly indicate diversion and warrant declining.
When Information Is Incomplete
What do you do when the prospective customer will not or cannot provide complete information? There are three acceptable paths:
- Request the missing information and delay onboarding until it is provided. This is the right default. Operational pressure to accept an incomplete customer file is the single most common reason compliance controls fail.
- Decline the relationship. Refusal to provide information needed for compliance screening is itself a red flag. Many compliance programs treat repeated refusal as grounds to decline. Document the decision and retain the records.
- Escalate to counsel for a risk-based override — with documented reasoning — only in narrowly defined situations where the missing information is genuinely unavailable (e.g., the party is a listed public company whose beneficial ownership is diffuse and publicly documented).
What is not acceptable is onboarding with incomplete information on the assumption that it will be completed later. Once the relationship is operational, the leverage to obtain compliance information disappears.
Common Mistakes to Avoid
- Screening only the company name, not principals. The 50% rule makes owner/director screening mandatory, not optional. Over half of OFAC enforcement cases involving missed matches involve a listed beneficial owner behind an unlisted company.
- Using the CSL as your only source. The CSL does not include all lists, does not always reflect same-day current data, and does not provide fuzzy matching.
- Screening with exact-match only. Name variations, transliterations, misspellings, and reversed word order will all be missed. Always use fuzzy matching with a reasonable similarity threshold.
- Not documenting "no match" results. A clear result is only legally meaningful if documented. A screening with no written record is, at audit, indistinguishable from no screening.
- Treating onboarding screening as permanent. Lists change daily; your screening goes stale the moment the list updates. Establish a re-screening schedule.
- Skipping principals when the company is a well-known name. The assumption that "Siemens" or "Deere" does not need owner screening because the company is a household name misses the point — the 50% rule applies by operation of law, and there is no "famous company" exception.
- Accepting vague end-use descriptions. "Industrial applications" or "resale" is not an end-use description. The customer must identify what they will actually do with the product.
- Not escalating genuine uncertainty. Reviewers under time pressure default to clearing matches to avoid escalation overhead. This pattern is exactly how violations originate.
- Relying on customer representations without verification. An end-use certificate signed by the customer is a useful document, but it does not relieve the exporter of the obligation to assess the plausibility of the stated end-use.
Frequently Asked Questions
Do I need to screen domestic U.S. customers? Yes, in most cases. U.S. persons can appear on the SDN List, and the Denied Persons List includes U.S. individuals and entities. The BIS Entity List is primarily foreign parties but does include U.S.-based affiliates of listed foreign entities. Domestic customers that will re-export your product are also subject to EAR end-use restrictions, so screening them protects against downstream violation risk.
How long should I keep screening records? BIS requires exporters to maintain export control records for five years from the date of the transaction. OFAC does not specify a retention period in most sanctions programs but recommends five years as a minimum. Most mature compliance programs standardize on five to seven years for all export-related records, including screenings that did not result in a transaction.
What if my customer refuses to provide owner or principal information? Refusal to provide information needed for compliance screening is itself a red flag. Many compliance programs treat repeated refusal as grounds to decline the relationship. At minimum, document the refusal and escalate to legal counsel before proceeding. Do not onboard with the assumption that the information will arrive later.
Is screening required for every order from an existing customer? It depends on your compliance program's risk threshold. Most programs require re-screening at a defined interval — annually at minimum, or before each shipment above a defined value threshold, or automatically when a relevant list updates. A customer clean at onboarding can appear on a watchlist in a subsequent update, and enforcement actions have been brought for failure to re-screen across multi-year customer relationships.
What is the OFAC 50% rule in plain English? If a sanctioned person or entity owns 50% or more of another entity — alone or combined with other sanctioned parties — that other entity is also treated as sanctioned, even if it does not appear on any list. This means you cannot transact with a subsidiary, holding company, or owned entity of an SDN without violating sanctions. The only way to detect this is to screen beneficial owners, not just the company itself.
Can I rely on a third-party data provider's "clear" result? You can use a data provider's screening as part of your program, but ultimate compliance responsibility rests with the exporter of record. Review the provider's data sources, update frequency, and matching methodology to confirm they meet your program's standards. Document the provider selection and the reasoning in your compliance program materials.
How quickly must new SDN additions be reflected in screening? OFAC publishes SDN List updates in near real-time. Professional-grade screening data typically reflects new additions within 24 hours, often within the same day. A screening program running against data older than 48 hours is not meeting current compliance expectations.
What if the customer is a publicly traded company? Publicly traded companies are not exempt from screening. They must be screened by company name, their executive officers and directors must be screened, and — for diffuse public ownership — you typically only need to escalate beneficial ownership screening if any single shareholder is known to hold 25% or more. This is one of the narrow cases where incomplete beneficial ownership information can be managed by a risk-based override, provided the reasoning is documented.
What does TradeLasso screen against? TradeLasso screens against all 13 U.S. government export control and sanctions lists, updated daily, including the OFAC SDN List, BIS Entity List, Denied Persons List, Unverified List, AECA Debarred List, Military End-User List, and all major Non-SDN sanctions programs. Every screening is automatically logged with timestamps, the data version, and the reviewer's disposition, providing the audit trail that OFAC and BIS expect to see. See the full list of data sources.