Why the OFAC SDN List Alone Will Not Save Your Compliance Program

A common mistake — visible inside compliance teams of mid-market banks, smaller P&I clubs, and most freight forwarders — is to treat the U.S. OFAC SDN list as if it were the sanctions universe. It is not. It is one list among many, and it is frequently neither the first nor the broadest to add a name.

A useful exercise for any compliance head: take last quarter's designated entities from the EU Consolidated List, the UK OFSI list, and the UN Security Council Consolidated List. Cross-reference each against the OFAC SDN list on the date of designation. You will routinely find names that appeared on the EU list 60–120 days before OFAC picked them up. Sometimes they never appeared on OFAC at all.

The minimum viable stack

Any compliance program with serious exposure to maritime, aviation or correspondent banking should be screening against at least the following:

• U.S. OFAC SDN list
• EU Consolidated Sanctions List
• UK OFSI Consolidated List
• UN Security Council Consolidated List
• Canadian SEMA / Special Economic Measures
• Australian DFAT Consolidated List
• Swiss SECO list

That is seven lists, refreshed at different cadences, exposed through different file formats, with different name-matching conventions. Building this manually is a full-time job. Outsourcing it to a list aggregator is fine if the aggregator updates daily and exposes the source list per hit — anything less and you are screening against yesterday's reality.

The 50-percent rule and why it matters

The OFAC 50-percent rule states that any entity owned 50% or more — directly or indirectly — by one or more SDNs is itself sanctioned, even if it never appears on a list. The European 50-percent rule under EU Council Regulations works similarly. Compliance teams that only screen against the published list are blind to the entire shell layer above and below it.

This is where the OSINT workflow becomes a compliance tool. Building the ownership chain — corporate registries, beneficial owner declarations, leaked records — and cross-referencing each node against every sanctions list is the work. It is dull. It is also the difference between a clean audit and a fine.

What screening tells you, and what it does not

List screening is necessary. It is not sufficient. A vessel that screens clean today can still be the wrong vessel to do business with. The signals to add on top:

• AIS gap history. Frequent dark periods near sanctioned-jurisdiction ports.
• Flag-changing pattern. More than three flag changes in 18 months is unusual outside fleet restructurings.
• Owner-change pattern. Same MMSI, different registered owner every six months, all through shell companies in the same handful of jurisdictions.
• STS pattern. The vessel routinely conducts ship-to-ship transfers in zones known for sanctions evasion.

None of these are sanctions in themselves. They are the texture around the sanctions decision. A compliance team that watches the texture catches problems six to twelve months before the list does.

The cost of getting it wrong

The fines published by OFAC are public record. They are large. They are also, increasingly, levied against firms whose only failure was outsourced screening with stale data and no audit trail. The pattern is consistent: the firm relied on a list, the list was missing a name, the transaction went through, the regulator noticed.

A serious sanctions program is built backwards from the regulator's question. "Show me how you decided." If the answer is not reproducible, defensible, and quick to retrieve, the answer is not enough.