Sanctions Screening / Learning brief
The risk-based approach to screening
Your notes
In simple terms / 01
What this means in plain language
The duty to freeze is absolute, but how a bank calibrates its screening, which lists, how sensitive the matching, how often it re-screens, is a set of documented, defensible risk decisions proportionate to the bank's exposure.
Airport security checks everyone, but not identically: the rules about what is forbidden on a plane are the same for every passenger, while the intensity of the check varies with route and risk signals. Sanctions screening works the same way. The prohibition itself is absolute and applies to every customer and every payment, but the intensity of checking is calibrated to the risk of the business: which lists are screened, how sensitive the name matching is, how often the customer base is re-checked, and where in the payment flow screening happens. A small domestic savings bank and a bank that clears dollars for other banks face very different exposure, so they are expected to make different, and documented, choices. A risk-based approach does not weaken the obligation; it directs effort where the exposure is, and it records the reasoning so that a supervisor can inspect it later.
Complete lesson / 02
Understand the full idea, step by step
Two well-run banks can screen the same payment differently and both be right. That is not a contradiction — it is the risk-based approach, and it rests on a careful line between the duty and the machinery built around it.
What is risk-based, and what is not
Start by drawing the line. The obligation — to freeze a listed party's assets and make no funds available to them — is not risk-based; it applies in full to every customer and every payment. What is risk-based is the machinery built around that obligation: which lists are screened, which data attributes are compared, how much name variation the matching tolerates, how often the customer base is re-screened, and where in the payment flow the screening sits. To calibrate that machinery, an institution assesses its own exposure and designs the programme in proportion. The point is not to check less, but to direct effort toward where the risk actually is.
Risk-based approach — calibrating controls to assessed risk rather than a universal template
The risk-based approach expects the calibration to follow from the institution's own risk assessment. Industry guidance frames screening as one control within a wider financial-crime programme, calibrated to the bank's exposure — its customers, products, geographies, currencies, and delivery channels. A direct consequence: two banks with different exposures can make genuinely different, and equally defensible, choices.
The exposure a bank assesses
- Customers
- Who they are, and what activity is expected of them
- Products
- Which services carry more financial-crime risk
- Geographies
- Which markets and counterparties the bank touches
- Currencies
- What it clears — and whose expectations that imports
- Channels
- How payments reach the bank, and how directly
The decisions that must be written down
In practice the risk-based decisions are specific, and each has to be written down. A programme decides, for example, whether to screen lists from jurisdictions where it has no direct legal obligation but its correspondents insist on coverage; whether weak aliases generate their own alerts or only enrich an investigation already under way; and whether low-risk domestic retail payments run a lighter matching configuration than higher-risk cross-border flows. Every one of these trades alert volume against the chance of missing a true match, and every one needs a named owner, a written rationale, and a review date. Auditors and supervisors ask for the risk assessment behind a setting, not just the setting itself.
WHAT IF — A matching threshold is quietly tuned down to clear a backlog, and then never revisited — silent drift.
What happens: The live configuration no longer matches any decision anyone can point to. A control the institution cannot account for is treated as a finding regardless of whether the setting happened, in fact, to be reasonable.
How it is handled: Change control fixes this: a record of who approved each calibration and on what evidence, plus explicit, documented risk acceptance where the bank chooses not to screen something. The judgment is not removed — it is made inspectable after the fact.
Is "risk-based" just a polite way of saying the bank checks less?
No. The freeze duty is absolute and untouched by any risk assessment — it applies to every customer and payment. The risk-based part governs only how the surrounding control is tuned, and its aim is to concentrate effort where exposure is greatest, not to do less overall. A programme can be both risk-based and demanding; a lighter configuration on genuinely low-risk flows is what lets scrutiny land harder where it matters.
COMMON CONFUSION
“You can read the bank's risk appetite off whatever the filter happens to be doing today.”
That reverses the logic. The risk assessment is supposed to drive the configuration, not be inferred backwards from it. Inferring appetite from the live settings is exactly the move supervisors reject — a control the bank cannot explain from its own risk assessment is one it cannot show it is managing.
STRICTLY SPEAKING
Strictly speaking, this simplifies a broad subject: a real programme calibrates dozens of interacting settings rather than one dial, and supervisory expectations differ by jurisdiction. The connective tissue supervisors probe is the same everywhere, though — a documented risk assessment, a mapping from each risk to the control that addresses it, and change control over every calibration.
FOR NOW, REMEMBER
- The freeze obligation is absolute; only the machinery around it — lists, attributes, matching tolerance, re-screening, placement — is risk-based.
- Calibration follows from a documented assessment of the bank's own exposure: customers, products, geographies, currencies, channels.
- Every risk-based decision needs a named owner, a written rationale, and a review date; the common failure is silent drift.
- Supervisors ask for the risk assessment behind a setting — a control the bank cannot explain is treated as a finding.
TRY IT YOURSELF
The auditor asks Kabir why cross-border payments run tighter name matching than domestic retail payments. Which answer holds up?
Screening enforces the sanctions duty; monitoring hunts a different quarry. The next lesson steps back to the crime the wider programme exists to detect — how money laundering moves criminal proceeds through three classic stages.
KEEP GOINGKey takeaways / 03
Three things to remember
- 01
The freeze obligation is absolute; only the screening control around it is calibrated to risk.
- 02
Risk-based choices include list selection, matching sensitivity, re-screening frequency, and screening points in the flow.
- 03
Each calibration needs an owner, a written rationale, and periodic review, so a supervisor can inspect the judgment.
Practical use cases / 04
Where you would use this
A compliance team writes a sanctions risk assessment covering customers, products, geographies, currencies, and channels.
A screening manager decides whether weak aliases raise alerts or only enrich an investigation, and records the reasoning.
An internal auditor traces each screening setting back to the risk it addresses, treating an unexplained setting as a finding.
Worked example / 05
Put the idea into a real situation
Illustrative example: a fictional bank, Meridian Trust, runs two payment channels. For low-risk domestic retail transfers averaging EUR 250.00, its documented policy uses a tighter name-match configuration that produces roughly 30 alerts per 100,000 payments. For cross-border payments, where exposure is higher, it widens the matching so weaker name variants also alert, accepting about 220 alerts per 100,000 payments and staffing a review team to clear them within a 24-hour service target. Each setting names an owner and cites the risk assessment behind it. When the bank adds a new correspondent in a higher-risk market, the assessment is refreshed and the cross-border threshold is reviewed, and the change is recorded with who approved it and why.
Evidence & review / 07
Evidence & review
Risk-based calibration of sanctions-screening controls; supervisory expectations differ by jurisdiction.
What this brief simplifies: Treats calibration as a few illustrative decisions where a real programme tunes dozens of interacting settings; the absolute freeze duty is deliberately held constant throughout.
Sources for this brief3
- Market practice
Wolfsberg Group Sanctions Screening Guidance ↗ — The Wolfsberg Group · Risk-based calibration of a screening programme from the institution's own risk assessment
Wolfsberg guidance is industry market practice, not law; institutions vary in how they apply it.
- Official requirement
The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation ↗ — Financial Action Task Force · The risk-based approach as a foundational principle
Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.
- Simplified educational illustration
Payments Signal editorial teaching models — Payments Signal · Auditor scenario and the written-decision framing
Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.