GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Sanctions Screening / Learning brief

Sanctions evasion typologies

Your notes

What this means in plain language

Sanctions evasion is attempted through front companies, transhipment, dual-use goods, ownership webs, and obscured party data. This defensive article describes the red flags and detection methods that let controls surface these patterns for review.

Sanctions restrict dealings with certain countries, entities, or people, and some parties try to hide when a transaction breaches those rules. This article is defensive: it explains the recognised patterns so that controls can detect them, not so anyone can copy them. Common patterns include using a front or shell company to stand between a sanctioned party and a bank, routing goods through a third country to disguise their true origin or destination, and shipping dual-use goods that have both civilian and restricted military applications. Others involve deliberately complex ownership webs that bury a sanctioned owner beneath several layers, and payment messages with vague or altered party details that make screening harder. The common thread is concealment of a true party or purpose. Detection therefore looks for the fingerprints of concealment: mismatches, missing information, unusual routing, and links that only appear when data is combined. Each red flag is a prompt for a human review, not an automatic conclusion.

Understand the full idea, step by step

Controls do not read minds; they read patterns. When someone tries to keep a sanctioned interest out of sight, the attempt tends to leave the same kinds of traces — a company that does not add up, a route that makes no commercial sense, an ownership trail that never quite names anyone. This lesson is about those traces, described strictly as what controls look for. It is a detection guide, not a method.

Detection reads the combination

Every typology in this lesson is framed the same way: as the signs a reviewer looks for, so controls can surface a case, never as instructions for constructing one. A single red flag rarely settles anything, because legitimate activity can produce it too. The strength of the control lies in cross-checking sources — registries, ownership data, screening, and transaction patterns — and in asking for clarification. A transaction held pending answers is the system working correctly, not a failure.

Front and shell companies — what controls watch for

No business history
A company with no discernible trading record behind large activity
Shared address
A registered address held in common with many unrelated firms
Nominee directors
Directors who appear as nominees across numerous unconnected entities
Activity mismatch
Financial flows that do not match the stated line of business
Counterparty clustering
Counterparties clustered around a sanctioned jurisdiction

Trade routing and dual-use goods — what controls watch for

Illogical routing
Shipping that detours through a transhipment hub with no commercial reason
Vague goods description
A description too imprecise to test against controls or value
End-user mismatch
An end-user whose business does not fit the product
Price that does not fit
A declared price out of step with the stated goods
Dual-use character
Items with ordinary civilian uses that also fall within a dual-use control list — certain electronics, chemicals, or precision components

Ownership webs and obscured data — what controls watch for

Layered ownership
A party sitting beneath several holding companies, sometimes across jurisdictions, so no single document names the ultimate owner
Unexplained complexity
Structure elaborate beyond any apparent business need — a reason for enhanced due diligence, not reassurance
Abbreviated party names
Message party fields shortened or phrased in ways that could slip past a name filter
Missing mandatory fields
Absent addresses or identifiers that completeness checks flag

Look-through ownership reviewtesting whether ownership aggregates back to a listed party

Sanctions rules commonly reach entities that are owned or controlled, above a threshold, by a listed party — so the defensive task is to look through the layers rather than stop at the immediate counterparty. Analysts use beneficial-ownership data, corporate registries, and link analysis to test whether ownership aggregates back to a listed interest. The exact ownership thresholds and control tests vary by regime, so a programme documents which rule it applies.

How controls counter obscured party data

When party information is blurred, modern screening answers with fuzzy matching that tolerates spelling variation, transliteration handling for names rendered from other scripts, and completeness checks that flag missing mandatory fields. Structured data in newer message formats helps by making party information richer and harder to blur. None of this replaces judgement: when a message is incomplete or a match is uncertain, the payment is held and reviewed rather than released on assumption.

COMMON CONFUSION

A single red flag — a shared address, a new company, an unusual route — proves an attempt to evade sanctions.

It proves nothing on its own; legitimate business produces these facts routinely. Detection depends on the combination and on cross-checking sources, which is why a reviewer assembles a picture before reaching a view rather than acting on one indicator.

WHAT IF — A payment message arrives with incomplete party data, or a match against the picture remains uncertain

What happens: The payment is held and reviewed rather than released on assumption; the case may be escalated for a formal decision.

How it is handled: The relationship can be held while questions are answered, with the request for clarification and the evidence gathered recorded. Where the assembled picture suggests a hidden sanctioned interest, the case goes to a formal decision — the same defensible escalation the earlier lessons described.

STRICTLY SPEAKING

Strictly speaking, the control lists, licensing rules, ownership thresholds, and available registry data all differ by regime and change over time. That is why detection never rests on a fixed checklist applied mechanically: a reviewer combines current registry data, screening results, and transaction behaviour, and treats unexplained complexity as a reason to look harder rather than as proof either way. The red flags in this lesson are detection signals for review, not conclusions.

FOR NOW, REMEMBER

  • Evasion typologies are taught here strictly as detection signals — what controls look for — never as methods.
  • No single red flag is decisive; legitimate activity produces the same facts, so detection reads the combination and cross-checks sources.
  • Ownership reviews look through layered structures because sanctions can reach entities owned or controlled by a listed party, above thresholds that vary by regime.
  • Where party data is incomplete or a match is uncertain, the payment is held and reviewed, and unresolved cases are escalated for a formal, documented decision.

TRY IT YOURSELF

A new company with no trading history, a mass-registration address, and counterparties near a sanctioned jurisdiction sends a large first payment. How should Kabir treat this combination?

Treat the combination as a reason to assemble a fuller picture from registries, ownership data, and transaction behaviour, hold the payment for clarification, and escalate if a hidden sanctioned interest is suggested.

Correct — No single flag is decisive, but the combination warrants a documented review that cross-checks sources. Holding pending answers and escalating unresolved cases is the control working as designed.

Release the payment, because a new company with a shared address is completely normal and none of these facts is illegal.

Not this one — Each fact alone can be innocent, but ignoring the combination skips the review the pattern calls for. Detection reads several signals together, not each in isolation.

Immediately report the company as an evader, since the red flags are conclusive.

Not this one — The red flags are detection signals, not proof. Reaching a conclusion before cross-checking sources and seeking clarification is exactly the leap the defensive approach avoids.

You have now seen how alerts are worked, how PEP and adverse-media risk feed due diligence, and how evasion patterns are detected. The governance topic ties them together: the policy, ownership, and audit trail that make the whole programme defensible.

KEEP GOING

Three things to remember

  1. 01

    Evasion works by concealing a true party, origin, or purpose.

  2. 02

    Red flags include vague party data, odd routing, and layered ownership.

  3. 03

    Each flag prompts human review rather than an automatic judgement.

Where you would use this

USE CASE 01

Screening analysts recognise concealment red flags when reviewing alerts.

USE CASE 02

Trade-finance teams check goods, routing, and end use against restrictions.

USE CASE 03

Investigators trace ownership webs to identify a hidden sanctioned interest.

Put the idea into a real situation

Illustrative example: a payment for USD 480,000.00 names a fictional buyer, Northwind Trading, in a neutral country, but the goods ship through 2 ports before a final destination near a sanctioned region, and the beneficiary field reads only "machinery parts". Screening flags the vague description and the indirect routing. A trade-finance analyst at a fictional bank, Meridian Trust, requests the end-user certificate, finds Northwind is 60% owned by a listed entity, and escalates the case.

Evidence & review

REVIEWED 2026-07-13

Defensive detection of sanctions-evasion typologies in payments and trade finance; control lists, ownership thresholds, and registry data vary by regime and change over time.

What this brief simplifies: Red flags are grouped for teaching and described only as detection signals for review; real controls combine more data sources and case-specific judgement. The company and payment are synthetic.

Sources for this brief4
  1. Market practice

    Wolfsberg Group Sanctions Screening GuidanceThe Wolfsberg Group · Sanctions evasion red flags and detection

    Industry guidance on the elements of an effective sanctions screening programme: the risk-based approach, list management, matching technology, alert generation, and alert handling. · Checked 2026-07-12

    Wolfsberg guidance is industry market practice, not law; institutions vary in how they apply it.

  2. Official requirement

    Revised guidance on entities owned by persons whose property and interests in property are blocked (the 50 Percent Rule)US Department of the Treasury, Office of Foreign Assets Control · Entities owned by blocked persons

    Explains that entities owned 50 percent or more in the aggregate by one or more blocked persons are themselves blocked, even when not listed by name. · Checked 2026-07-12

    The rule speaks to ownership, not control; OFAC FAQs 398-402 elaborate on aggregation and indirect ownership.

  3. Official requirement

    OFAC Frequently Asked QuestionsUS Department of the Treasury, Office of Foreign Assets Control · Ownership and control guidance

    OFAC's official interpretive guidance on US sanctions programs, list maintenance, blocking, and compliance expectations. · Checked 2026-07-12

    FAQs are added, amended, and renumbered over time; always check the live page for current numbering and text.

  4. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

Learn this properly

Related briefs

View Sanctions Screening archive

What sanctions are and why payments are screened

Sanctions are legal restrictions on dealing with listed people, entities, and places. Screening is the control that enforces them, checking every customer and payment against official lists before money is allowed to move.

READ BRIEF

Who issues sanctions: regimes and authorities

Several authorities issue sanctions: the United Nations, the United States, the European Union, and the United Kingdom among them. Their lists overlap but are not identical, so a bank must decide which regimes its business obliges it to apply.

READ BRIEF

Sanctions screening versus AML and fraud

Sanctions screening is a list check with an immediate stop. Anti-money-laundering monitoring looks for suspicious patterns after the fact, and fraud detection protects against theft in real time. The three share data but differ in purpose, timing, and outcome.

READ BRIEF