GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Sanctions Screening / Learning brief

Testing and tuning a screening system

Your notes

What this means in plain language

A screening system must catch true sanctions matches without burying analysts in false alerts. This article explains how synthetic test cases and careful threshold tuning balance those aims, and why each change is documented and re-tested.

A screening system is only useful if it catches the entries it is meant to catch while raising a manageable number of false alerts. Testing checks the first half of that promise. Analysts feed the system synthetic cases — invented records built to look like real sanctioned entities, including misspellings, reordered names, and transliterations — and confirm that each one produces an alert. Tuning addresses the balance. The match threshold is the dial that decides how close a resemblance must be before the system flags it. Setting it higher reduces alerts but risks missing a genuine match written in an unusual way. Setting it lower catches more variants but produces more noise for analysts to clear. The right setting keeps detection strong while keeping the alert volume reviewable. Because either move changes how the control behaves, every adjustment is documented and the system is re-tested afterwards, so the institution can show that a change improved efficiency without weakening detection.

Understand the full idea, step by step

A screening system that never raises an alert looks efficient. It might also be catching nothing at all. You cannot tell which by watching the alert count alone — you have to feed the system cases whose right answer you already know, and see what it does with them. That is the difference between testing a control and trusting it.

What a good test pack covers

Transliteration
A surname carried across from another script
Name order
First and last name reversed
Partial data
A missing or incomplete date of birth
Aliases
A known alias rather than the primary name
Misspellings
Common spelling variants of a listed name

Recall and precisionhow much the system catches, and how clean its alerts are

Recall is the share of true matches the system actually flags. Precision is the share of its alerts that turn out to be real. Raising the threshold improves precision — fewer, cleaner alerts — but lowers recall, because a genuine match written unusually may now fall below the line. Lowering it does the reverse. Tuning is the act of choosing where that line sits, and the controlling principle is that recall comes first: reduce noise, never suppress detection.

The two ways screening fails
FailureWhat it isWhy it matters
False positiveAn alert on an innocent partyCosts analyst time, but is caught in review
False negativeA genuine match the system never flagsPasses silently and defeats the control entirely
True sanctioned entities seeded in the test pack40
Correctly flagged by the system38
Recall (share of true matches caught)38 / 40 = 95%
Missed — genuine matches that did not fire2 false negatives

These are synthetic test-pack counts, not live statistics. Two seeded matches slipping through is the signal that matters far more than the alert volume: a threshold change that lifts precision but drops even one true match below the line has weakened the control, whatever it does to the queue.

Test on both sides of the line

To set the threshold well, the team tests above it and below it. Above-the-line testing samples alerts that did fire, to see how many were plainly false — that measures precision. Below-the-line testing samples near-misses that scored just under the threshold, to confirm the system is not quietly discarding genuine matches. If a true match is found sitting below the line, that is strong evidence the threshold is too high, whatever raising it did to volume. Live customer records are never repurposed as test targets; the data is always synthetic and labelled as such.

WHAT IF — Below-the-line testing finds a genuine seeded match scoring just under the proposed threshold

What happens: The proposed change is rejected. A tuning move that lowers alert counts but also lowers detection is a failure, not an efficiency.

How it is handled: The finding is documented with the before-and-after test results, and the threshold is left where detection holds or moved only where evidence shows recall is preserved. Reducing noise so analysts can concentrate is the aim; suppressing alerts for their own sake is not.

COMMON CONFUSION

A lower alert count after tuning proves the system got better.

A lower count could mean cleaner alerts — or a hidden loss of coverage. The two look identical on a dashboard. Only the documented before-and-after test results tell them apart, which is why every tuning change is measured against a known-answer pack rather than judged by volume.

STRICTLY SPEAKING

Strictly speaking, a tuning change is never finished when the new number is entered. The rationale, the test results before and after, the approver, and the date are all recorded, and the configuration and the test pack are kept under version control so the institution can reconstruct exactly how the system behaved at any past moment. After any change, the full detection test is re-run — not just the part that prompted it — because fixing one gap can quietly reopen another. This regression discipline is what connects tuning back to governance.

FOR NOW, REMEMBER

  • Detection testing uses synthetic, known-answer cases to prove the system flags the hard variations it must catch.
  • Recall — catching true matches — comes first; a false negative defeats the control silently, unlike a false positive.
  • Tuning tests both above and below the threshold; a true match found below the line means the threshold is too high.
  • Every change is documented, version-controlled, and followed by a full regression test, so efficiency can be shown not to have cost detection.

TRY IT YOURSELF

After a proposed threshold rise, Meridian's below-the-line testing finds a seeded true match now scoring just under the new line, while the overall alert count drops by a fifth. What should the team conclude?

The proposed threshold is too high; a genuine match falling below the line means detection was weakened, so the change should not go live as-is.

Correct — Recall comes first. A true match dropping below the line is direct evidence of lost coverage, and no reduction in alert volume justifies letting a genuine match pass silently.

The change is a success, because a twenty-percent drop in alerts is exactly the efficiency the tuning aimed for.

Not this one — The lower count is indistinguishable from a hidden loss of coverage — and here the test proves it is a loss. Judging the change by volume alone is the precise failure mode testing exists to catch.

Ship the change but delete the below-the-line finding, since it is only one synthetic case.

Not this one — A single missed true match is the most serious result a test can return, and suppressing the evidence destroys the documented before-and-after trail that keeps tuning defensible.

Testing and tuning assumed the target was a sanctions match — a hard legal stop. The next lesson turns to a different kind of hit that the same engine can raise: a politically exposed person, where the outcome is a closer look, not a block.

KEEP GOING

Three things to remember

  1. 01

    Testing uses synthetic sanctioned records to confirm the system alerts on name variants and misspellings.

  2. 02

    The match threshold trades alert volume against the risk of missing a genuine match.

  3. 03

    Every tuning change is documented and re-tested so preserved detection can be demonstrated.

Where you would use this

USE CASE 01

A tuning team seeds synthetic test entities before go-live to confirm the system detects known variants.

USE CASE 02

An analyst samples alerts just below the threshold to check the line is not hiding true matches.

USE CASE 03

A model owner records each threshold change and its re-test results for later review by audit.

Put the idea into a real situation

Illustrative example: a fictional bank, Cedar Point Bank, tests a proposed threshold change on a synthetic list containing 200 invented sanctioned entities, such as an individual named Marcus Venn with three recorded spelling variants. At a threshold of 90 out of 100, the system detects 184 of the 200 test entities and produces 5,000 alerts a day. Lowering the threshold to 85 detects all 200 but raises daily alerts to 8,000. The tuning team keeps 85, because missing 16 of 200 known targets is unacceptable, and records that the extra 3,000 alerts are the accepted cost of full detection. The change, its test results, and its approval are stored together and scheduled for re-test after six months.

Evidence & review

REVIEWED 2026-07-13

Testing and threshold tuning of a name-screening system; the specific metrics engines expose and thresholds used vary by vendor and configuration.

What this brief simplifies: Recall and precision are introduced in a clean form; the test-pack counts are synthetic illustrations, not real performance figures. Real programmes use larger packs and more matching controls than a single threshold.

Sources for this brief2
  1. Market practice

    Wolfsberg Group Sanctions Screening GuidanceThe Wolfsberg Group · Screening testing and tuning

    Industry guidance on the elements of an effective sanctions screening programme: the risk-based approach, list management, matching technology, alert generation, and alert handling. · Checked 2026-07-12

    Wolfsberg guidance is industry market practice, not law; institutions vary in how they apply it.

  2. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

Learn this properly

Related briefs

View Sanctions Screening archive

Sanctions screening system architecture

A screening platform connects list management, a matching engine, hold queues, and case-management tools inside the payment path. Its design answers hard questions about latency and availability, because a filter that silently stops checking is the dangerous failure.

READ BRIEF

Sanctions screening versus AML and fraud

Sanctions screening is a list check with an immediate stop. Anti-money-laundering monitoring looks for suspicious patterns after the fact, and fraud detection protects against theft in real time. The three share data but differ in purpose, timing, and outcome.

READ BRIEF

The risk-based approach to screening

The duty to freeze is absolute, but how a bank calibrates its screening, which lists, how sensitive the matching, how often it re-screens, is a set of documented, defensible risk decisions proportionate to the bank's exposure.

READ BRIEF