GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Sanctions Screening / Learning brief

Sanctions screening versus AML and fraud

Your notes

What this means in plain language

Sanctions screening is a list check with an immediate stop. Anti-money-laundering monitoring looks for suspicious patterns after the fact, and fraud detection protects against theft in real time. The three share data but differ in purpose, timing, and outcome.

These three controls are easy to confuse because they all read payment data, but they answer different questions on different clocks. Sanctions screening compares customer records and payment messages against official lists; a confirmed match enforces a legal prohibition, so it must stop the relationship or the payment, and it runs before or during processing. Anti-money-laundering (AML) monitoring studies behaviour across many transactions to spot patterns consistent with laundering; it usually produces a report to the authorities rather than an immediate stop, and it often runs after payments have settled. Fraud detection protects the customer and the bank from theft and manipulation, frequently in real time. Related screening sits alongside sanctions: politically exposed person (PEP) screening flags customers who need closer due diligence, and being a PEP is not prohibited, while adverse-media screening surfaces negative news as a risk input. Only the sanctions match carries a hard legal stop.

Understand the full idea, step by step

Three teams can read the same payment and each ask a completely different question. Confusing their questions is one of the most common mistakes in financial-crime work — so it is worth pulling them firmly apart.

Three controls, three questions
Sanctions screeningAML monitoringFraud detection
The questionIs a party on a list?Does behaviour over time look like laundering?Is the customer or bank being robbed or manipulated?
When it runsBefore or during processingAfter the fact, over accumulated historyOften in real time, as it happens
Typical outcomeA hard legal stop — freeze or rejectA report to the authorities (SAR / STR)Protecting the victim — block, hold, or challenge
Data it needsClean party data in each messageAggregates, counterparty links, historyBehaviour, device, and channel signals

Different clocks, different designs

The timing differences drive real design choices. Sanctions screening sits in the payment path, so it needs a tight latency budget, hold queues for items awaiting review, and staff available to clear alerts while payments wait. AML monitoring can run overnight against a data warehouse, because it is looking back at behaviour rather than gating a live payment. Fraud detection often acts in real time to protect the victim. The economics of false positives differ too: a sanctions filter tuned too tight delays every payment it touches, while an over-sensitive monitoring scenario wastes investigator time but delays no payment.

Suspicious activity report (SAR)the report an AML investigation files to the authorities; also called an STR

AML monitoring accumulates transactions, runs detection scenarios across that history, and an alert that survives investigation ends in a SAR (or Suspicious Transaction Report). By then the payment itself has usually long settled — which is the point. Monitoring is a post-event pipeline that reports patterns; it does not gate the live payment the way screening does.

PEP screeningpolitically exposed person screening

Two screening types sit beside sanctions but behave differently. PEP screening flags customers who warrant closer due diligence — and being a PEP is entirely lawful, not prohibited. Adverse-media screening surfaces negative news as a risk input. A PEP or adverse-media hit feeds a risk review and hardly ever stops a payment. Only the sanctions match carries a hard legal stop; the others feed judgment, reporting, or protection.

COMMON CONFUSION

All three controls block the payment — they are one system tuned to different sensitivities.

Only sanctions screening is a hard legal stop. AML monitoring reports; fraud detection protects. Placing a control on the wrong clock — gating what should report, or reporting what should gate — is a design mistake with operational and legal consequences, not a matter of taste.

If all three read the same payment data, why not merge them into one engine?

Because neither substitutes for the other. The screening gate sees no patterns — it checks a party against a list in the moment — while the monitoring engine cannot stop a prohibited payment before it leaves, because it works over accumulated history. Some institutions run a single screening utility across all list types; others keep sanctions separate precisely because its legal stakes and its timing are unlike everything around it. Either way, the questions stay distinct.

STRICTLY SPEAKING

Strictly speaking, this is a clean picture of a blurrier reality. Some monitoring runs close to real time, some fraud controls do block payments, and organisational structures vary widely — one bank's single financial-crime team is another's three separate functions. The durable idea is the three questions, not any one org chart.

FOR NOW, REMEMBER

  • Sanctions screening asks whether a party is on a list, and a confirmed match is a hard legal stop.
  • AML monitoring asks whether behaviour over time looks like laundering, and ends in a report, not an immediate stop.
  • Fraud detection asks whether someone is being robbed, and often acts in real time to protect the victim.
  • The three share data but differ in question, timing, and outcome — putting a control on the wrong clock is a real design error.

TRY IT YOURSELF

An account shows an unusual pattern — many small transfers moving in and out over several weeks — but no party on it matches any sanctions list. Which control is this for, and what does it do?

Sanctions screening should freeze the account, because the pattern is suspicious.

Not this one — Sanctions screening acts on a list match, not on a behaviour pattern. With no listed party present it has nothing to stop; freezing on a pattern would be using the wrong control, and a freeze is reserved for a confirmed sanctions match.

This is an AML monitoring concern — a pattern over time that an investigator reviews and, if suspicion remains, reports through a SAR; it is not a sanctions hold.

Correct — Right. Behaviour across many transactions is exactly what monitoring is built to see. It looks back over history, an analyst reviews the pattern, and the outcome is a report to the authorities rather than a live payment stop.

Nothing should happen, because no name matched a list.

Not this one — A list match is only what sanctions screening looks for. AML monitoring works on patterns, not names, so the absence of a list hit does not mean the pattern goes unexamined — it belongs to a different control.

You have separated the three controls. The next lesson looks inside sanctions screening itself: the freeze duty is absolute, but how a bank calibrates the control around it is a set of documented, risk-based decisions.

KEEP GOING

Three things to remember

  1. 01

    Sanctions screening is a list check that must stop a payment or relationship on a confirmed match.

  2. 02

    AML monitoring analyses patterns after the fact and typically ends in a report, not an immediate stop.

  3. 03

    Fraud detection protects against theft in real time; a PEP or adverse-media hit informs risk review but rarely stops a payment.

Where you would use this

USE CASE 01

A systems architect places sanctions screening in the payment path with a latency budget and hold queues, while AML monitoring runs overnight on stored data.

USE CASE 02

An investigator files a suspicious activity report (SAR) from an AML alert, but freezes and reports a confirmed sanctions match under a different obligation.

USE CASE 03

A financial-crime lead decides whether to run one screening utility for all list types or keep sanctions separate because its timing and legal stakes differ.

Put the idea into a real situation

Illustrative example: a fictional bank, Aldermarket Bank, processes a cross-border payment of USD 9,800.00. Three controls see it. Sanctions screening checks the parties against lists in under 3 seconds and, finding no match, lets it continue. Fraud detection confirms the customer's device and location look normal and does not intervene. Weeks later, anti-money-laundering monitoring notices this account has sent 14 payments of just under USD 10,000.00 to the same counterparty in 30 days, raises an alert, and an investigator reviews the pattern and files a suspicious activity report. No single payment was blocked by monitoring, because that control reports patterns rather than stopping transactions, so the sanctions gate is the only one that would have halted a payment outright.

Evidence & review

REVIEWED 2026-07-13

The distinction between sanctions screening, AML monitoring, and fraud detection as operated by payments banks.

What this brief simplifies: Presents clean boundaries where real programmes blur them: some monitoring runs near real time, some fraud controls block payments, and organisational structures vary.

Sources for this brief3
  1. Market practice

    Wolfsberg Group Sanctions Screening GuidanceThe Wolfsberg Group · Sanctions screening as one control within a wider financial-crime programme

    Industry guidance on the elements of an effective sanctions screening programme: the risk-based approach, list management, matching technology, alert generation, and alert handling. · Checked 2026-07-12

    Wolfsberg guidance is industry market practice, not law; institutions vary in how they apply it.

  2. Official requirement

    The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & ProliferationFinancial Action Task Force · Customer due diligence, suspicious-transaction reporting, and PEP treatment

    The global standards countries implement against money laundering, terrorist financing, and proliferation financing, including targeted financial sanctions and payment transparency under Recommendation 16. · Checked 2026-07-12

    Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.

  3. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal · Same-payment scenario and the three-controls comparison

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

Learn this properly

Related briefs

View Sanctions Screening archive

Customer screening versus transaction screening

Two sanctions controls guard different populations. Customer screening checks the people and entities a bank onboards; transaction screening checks every party named in a payment message in flight. Both are needed because neither control sees what the other sees.

READ BRIEF

The sanctions screening lifecycle

The stages a payment or customer record passes through in a screening engine: normalising the input, generating candidate matches, scoring them against a threshold, disposing of each alert as cleared or escalated, and recording every step for later reconstruction.

READ BRIEF

Sanctions screening system architecture

A screening platform connects list management, a matching engine, hold queues, and case-management tools inside the payment path. Its design answers hard questions about latency and availability, because a filter that silently stops checking is the dangerous failure.

READ BRIEF