GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Sanctions Screening / Learning brief

Screening the payment message

Your notes

What this means in plain language

Transaction screening reads the whole payment message, including debtor, creditor, their agents, and free-text remittance, at a point where the payment can still be stopped. A hit parks the payment in a hold queue for a reviewer to decide.

Transaction screening checks a payment while it is still moving, before the bank completes it. The filter reads every place a name could appear: the debtor (the payer) and creditor (the payee) with their addresses, the banks acting as their agents, the countries involved, and the free-text spaces where a sender writes remittance information or a payment purpose. It runs at the moment the payment engine processes the instruction, because a check after the money has settled can only report a problem, not prevent it. When a field resembles a sanctions-list entry closely enough, the payment does not continue. It parks in a hold queue, and a trained reviewer compares the flagged party with the list entry and records a decision, either release as a false positive or escalate as a possible true match. How the message is structured decides how precisely the filter can read each field.

Understand the full idea, step by step

When a parcel crosses a border, customs does not weigh only the box — it reads the sender, the recipient, the addresses, and the description of what is inside, because a prohibited item can hide in any of those lines. Transaction screening reads a payment message the same way, for the same reason: a listed name can appear in almost any part of it.

Transaction screening

Transaction screening reads the whole payment message at the moment the payment engine processes the instruction — while the payment can still be stopped. It checks the debtor (the payer) and creditor (the payee) with their addresses, the intermediary and agent banks that route the payment, the countries involved, and the free-text spaces where a sender can write almost anything. Amounts and dates are read past: they carry no name to screen. A check performed after the money has settled can only report a breach, not prevent one — timing is as much a part of the control as coverage.

ISO 20022 — ILLUSTRATIVE, NON-PRODUCTION

In this structured ISO 20022 message each party sits in its own labelled field: Dbtr (debtor) and Cdtr (creditor) names, their agents in DbtrAgt and CdtrAgt, and free text in RmtInf. The filter can apply a name test to a name field and a country test to a country code. IntrBkSttlmAmt and IntrBkSttlmDt carry no name, so the filter reads past them. This message travels bank to bank — the customer never sees it.

Free text is where the noise lives

Free-text fields are where reviewers earn their keep. A remittance line is unstructured, so the filter must treat every word in it as a possible name — and ordinary language collides constantly with short list entries. Place names, ship names, and common words trip the filter. These hits are noisy, but the field cannot be skipped: a sanctions target named only in a payment reference is still a sanctions target, and missing it would be a real breach. Position in the chain changes the difficulty too — an intermediary like Meridian holds an alert with the least context and often has to ask another bank for information before it can decide.

SWIFT MT — ILLUSTRATIVE, NON-PRODUCTION

The older line-oriented format tells a harder story for the filter. In field :50K: (the ordering customer) the name, street, and city are packed into free-form lines with no label saying which is which — so a hit is harder to judge than in the structured message above. This is why message structure is itself part of the control, not a cosmetic detail.

How structure changes what the filter can read
Line-oriented MT103Structured pacs.008 (ISO 20022)
Party dataName and address blended into free-form linesEach element in its own labelled field
Filter precisionCannot always tell which word is a nameField-aware: a name test on a name, a country test on a code
Effect on false positivesMore noise from address textMeasurably fewer, where senders populate the fields

WHAT IF — A message is truncated or loses its structure as it is translated between formats

What happens: The filter quietly sees less than the sender actually wrote — an unmapped or dropped field is an unscreened field, a coverage gap rather than a visible error.

How it is handled: Institutions actively watch upstream handling for this. Which fields of which message types are screened is a documented risk decision with an owner, and migration periods — such as a rail moving to ISO 20022 under CBPR+ — are exactly when every field mapping must be rebuilt and retested.

STRICTLY SPEAKING

Strictly speaking, the structured format only helps where senders actually populate the labelled fields instead of pasting unstructured text into them, so real usage varies by community. And underpinning all of it is a defensive obligation, not a technique: a payment service provider should not omit or alter debtor or creditor information in a way that would defeat another party's screening. Complete, correctly placed party data is what makes every downstream filter able to do its job — the topic of the transparency lesson ahead.

FOR NOW, REMEMBER

  • Transaction screening reads the whole message — debtor, creditor, their addresses, agent banks, countries, and free text — because a listed name can hide anywhere; amounts and dates carry no name.
  • Screening runs while the payment can still be stopped; a check after settlement can only report a breach.
  • Free-text remittance is the noisiest field but cannot be skipped, and an intermediary screens with the least context of anyone.
  • Message structure is part of the control: labelled ISO 20022 fields let the filter test the right field, where the older format blends name and address.

TRY IT YOURSELF

An operations team suggests moving sanctions screening to a nightly batch that runs after payments have settled, to keep the daytime payment path faster. Why is this the wrong design for sanctions?

It is fine, because the batch would still catch any listed party and the institution could reverse the payment the next day.

Not this one — Once value has settled, the prohibited payment has already been made. Screening after the fact can report a breach but cannot prevent it, and reversal is not guaranteed — the whole point is to stop the payment before it moves.

Screening must run while the payment can still be stopped; a check after settlement can only report a breach, not prevent one.

Correct — Correct. The value of transaction screening lies in its timing — at the moment the engine processes the instruction, before settlement. A post-settlement batch defeats the control's purpose.

Batch screening is wrong only because it would raise more false positives than real-time screening.

Not this one — The false-positive rate is not the issue. The fatal flaw is timing: moving the check after settlement means a prohibited payment has already gone through before anyone looks.

You have seen what gets screened and when. The next lesson steps back to the machine around it: where screening sits in the payment path, and how it holds up under a strict clock.

KEEP GOING

Three things to remember

  1. 01

    Screening reads the whole message, meaning debtor, creditor, their agent banks, countries, and free-text remittance, because a listed name can sit in any field.

  2. 02

    It runs while the payment can still be stopped; a check after settlement can only report, not prevent.

  3. 03

    A hit does not fail the payment silently; it parks it in a hold queue for a reviewer to release or escalate on the record.

Where you would use this

USE CASE 01

A payments operations reviewer works a hold queue, comparing each flagged party against the list entry and clearing or escalating before the rail's cut-off time.

USE CASE 02

An intermediary bank screens traffic where neither the debtor nor the creditor is its customer, and requests information from another bank when it lacks context to close an alert.

USE CASE 03

A screening configuration team maps every field of each message type to a screening attribute and retests those mappings whenever a rail migrates format, so no field goes unscreened.

Put the idea into a real situation

Illustrative example: a fictional bank, Northwind Bank, processes an outbound cross-border payment of USD 62,400.00 from its customer Acme Textiles Ltd to a supplier, Delta Fabrics LLC. The structured party fields are clean, but the free-text remittance line reads 'Order 5567 via Castellan Trading'. The screening filter matches Castellan Trading against a fictional list entry, CASTELLAN TRADING CO, on invented Programme VESTA, at 0.91 against a 0.85 threshold. The payment parks in the hold queue rather than settling. A reviewer sees that the message names a third party in the reference, cannot resolve it from the message alone, and requests details from the sending bank. Because the payment involves a possible listed party, it stays held past its intended value date until the reviewer records a disposition, the control working exactly as designed.

Evidence & review

REVIEWED 2026-07-13

Transaction (payment-message) screening across MT and ISO 20022 formats; field mappings and scope are institution- and rail-specific.

What this brief simplifies: Uses two fictional sample messages to contrast blended and labelled fields. Real screening scope is a documented mapping per message type.

Sources for this brief3
  1. Market practice

    Wolfsberg Group Payment Transparency StandardsThe Wolfsberg Group

    Industry standards on preserving complete and accurate party information through payment chains, expressed in ISO 20022 terminology. · Checked 2026-07-12

    The 2023 standards replace the 2017 version and are supplemented by separate Wolfsberg guidance on roles and responsibilities in payment chains.

  2. Scheme-specific rule

    Cross-Border Payments and Reporting Plus (CBPR+) usage guidelinesSwift (CBPR+ working group)

    Defines how ISO 20022 messages (including pacs.008, pacs.009, pacs.002, pacs.004, and camt investigation messages) are used and validated for cross-border payments on the Swift network. · Checked 2026-07-12

    Full guidelines require MyStandards access; content here relies on public summaries. MT-to-CBPR+ translation rules are published on Swift's translation portal.

  3. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

Learn this properly

Related briefs

View Sanctions Screening archive

Sanctions screening versus AML and fraud

Sanctions screening is a list check with an immediate stop. Anti-money-laundering monitoring looks for suspicious patterns after the fact, and fraud detection protects against theft in real time. The three share data but differ in purpose, timing, and outcome.

READ BRIEF

The risk-based approach to screening

The duty to freeze is absolute, but how a bank calibrates its screening, which lists, how sensitive the matching, how often it re-screens, is a set of documented, defensible risk decisions proportionate to the bank's exposure.

READ BRIEF

Identifiers and data quality in screening

Strong secondary identifiers, such as dates of birth, passport numbers, and places, let a screening system confirm or clear a party with confidence. This article explains how good data cuts false positives and what weak data costs.

READ BRIEF