Sanctions Screening for Payment Firms: Speed vs Accuracy

For payment firms processing thousands of transactions per day, sanctions screening creates a direct tension between two non-negotiable requirements: screening must be comprehensive enough to catch genuine matches, and it must be fast enough not to disrupt the payment processing that customers depend on.

Sanctions screening is a legal obligation for all regulated firms. OFSI requires that firms do not make funds available to designated persons or entities, and the FCA expects firms to have systems and controls adequate to prevent sanctions breaches. For payment firms — particularly those processing real-time domestic and cross-border payments — the challenge is designing those systems to be both effective and operationally sustainable.

Why Payment Firms Face a Particular Tension

Most financial firms screen customers at onboarding and at periodic intervals. Payment firms must do this too — but they also face the additional obligation of screening individual transactions at the point of processing. A payment firm that screens customers thoroughly at onboarding but does not screen the payees in outgoing payments, or does not screen against updated sanctions lists when they are published, has a material gap in its controls.

Real-time payment rails — Faster Payments, SWIFT GPI, card networks — create a specific operational challenge. A transaction that takes more than a few hundred milliseconds to clear a screening check may fail the payment processing SLA. An alert that needs human review may take minutes or hours. The firm must decide: what is the acceptable false positive rate at which human review is operationally sustainable, and what screening methodology produces that rate without materially reducing detection of genuine matches?

Real-Time vs Batch Screening

Payment firms typically operate two layers of sanctions screening. Real-time screening runs at the point of transaction — checking the payer and payee names and account details against the consolidated sanctions list at the moment the payment is submitted. A match at this stage blocks the payment pending manual review. Batch screening runs the full customer base against updated sanctions lists at intervals — daily for most firms, more frequently where the firm has significant exposure to high-risk jurisdictions or operates in volatile sanctions environments.

Real-time screening must be fast. Most implementations use an automated matching engine that returns a clear/alert decision within milliseconds. The quality of the matching algorithm — specifically, how it handles name variations, transliterations, partial matches and phonetic equivalents — determines both the detection rate and the false positive rate. Batch screening is operationally less time-sensitive but must be rigorous enough to catch designations that were published since the last batch run.

The False Positive Problem

False positives — alerts generated for names that match sanctions list entries but belong to unrelated legitimate individuals or entities — are the central operational challenge of sanctions screening. A screening system calibrated to catch every possible variant of a designated person’s name will generate large numbers of false positive alerts. Each alert requires human review to confirm it is a false positive and release the transaction. At high transaction volumes, even a false positive rate of 0.1% can generate hundreds of alerts per day requiring manual disposition.

The cost of false positives is not merely operational. Transactions held pending sanctions review may breach payment SLA commitments, create customer experience failures, and — in the case of business payments — disrupt the commercial relationships the payment firm’s clients depend on. False positives also create alert fatigue: compliance teams inundated with obviously false positive alerts may become less rigorous in their review of genuine potential matches.

Calibrating Fuzzy Matching Thresholds

Most sanctions screening systems use fuzzy matching — matching algorithms that identify names with a specified degree of similarity to sanctions list entries, rather than exact string matches. The matching threshold is a critical calibration decision: too high (requiring very close similarity before an alert is triggered) and genuine matches may be missed; too low (triggering alerts on remotely similar names) and the false positive rate becomes unmanageable.

There is no universal correct threshold — the right calibration depends on the firm’s customer and transaction profile, the payment types it processes, the jurisdictions it serves, and its operational capacity for alert review. What the FCA expects is that the threshold has been deliberately chosen and documented, that the firm has tested its screening against known sanctions list entries to assess detection rates, and that the calibration is reviewed periodically — particularly following significant sanctions list updates or changes to the firm’s business profile.
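The testing step described above can be sketched as a threshold sweep over a labelled name set. This is an added example, not code from the original article or from any screening vendor. It assumes Python's standard-library `difflib` as a stand-in matching engine, and every name in it is constructed and fictional.

```python
import re
from difflib import SequenceMatcher

# Constructed, fictional entries; not taken from any real sanctions list.
LIST_ENTRIES = ["Ivan Petrovich Sokolov", "Al Noor Trading Company", "Maria Delgado Ruiz"]

# Constructed labelled test set: (name as screened, True if a variant of a list entry).
LABELLED = [
    ("Ivan Petrovich Sokolov", True),    # exact
    ("Ivan Petrovic Sokolov", True),     # transliteration variant
    ("SOKOLOV, Ivan P.", True),          # reordered and abbreviated
    ("Al-Noor Trading Co", True),        # punctuation and truncation
    ("Maria Delgado", True),             # partial name
    ("Ivana Petrova", False),
    ("Noor Trading Services", False),
    ("Mario Delgado Cruz", False),
    ("John Smith", False),
]

def normalise(name):
    """Lower-case, replace punctuation with spaces, sort tokens so word order is ignored."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(sorted(tokens))

def best_score(name, entries=LIST_ENTRIES):
    """Highest similarity (0..1) between the screened name and any list entry."""
    n = normalise(name)
    return max(SequenceMatcher(None, n, normalise(e), autojunk=False).ratio()
               for e in entries)

def rates(threshold, labelled=LABELLED):
    """Return (detection rate, false positive rate) when alerting at score >= threshold."""
    hits = [(best_score(n) >= threshold, is_variant) for n, is_variant in labelled]
    variants = sum(1 for _, v in hits if v)
    others = len(hits) - variants
    detected = sum(1 for alert, v in hits if alert and v)
    false_pos = sum(1 for alert, v in hits if alert and not v)
    return detected / variants, false_pos / others

def sweep(thresholds):
    """One (threshold, detection rate, false positive rate) row per threshold."""
    return [(t, *rates(t)) for t in thresholds]

def strictest_full_detection(thresholds):
    """Highest threshold in the sweep that still alerts on every known variant."""
    full = [t for t, det, _ in sweep(thresholds) if det == 1.0]
    return max(full) if full else None

if __name__ == "__main__":
    grid = [i / 20 for i in range(21)]
    for t, det, fpr in sweep(grid):
        print(f"threshold={t:.2f} detection={det:.0%} false_positive={fpr:.0%}")
    print("strictest threshold with full detection:", strictest_full_detection(grid))
```

The printed table is the kind of evidence that supports a documented threshold choice: each row shows the detection rate given up and the false positive rate paid at that setting, and the sweep can be re-run after a list update or a change in the name population.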

Data Quality: The Screening Gap Most Firms Underestimate

Even a well-calibrated screening engine cannot compensate for poor data quality. A payment firm that screens against incomplete customer names — truncated business names, missing transliterations, outdated beneficial ownership information — will miss matches that a complete data set would have caught. The most common data quality issues in sanctions screening are: inconsistent name formatting between systems; missing or incomplete beneficial owner data for corporate customers; outdated customer records that have not been refreshed since initial onboarding; and payment instructions that contain abbreviated or coded payee identifiers rather than full legal names.

Sanctions screening effectiveness is ultimately bounded by the quality of the data being screened. A sanctions screening programme that does not include a data quality workstream — regularly auditing the completeness and accuracy of the data inputs — will consistently underperform against the FCA’s expectations, regardless of how sophisticated the matching technology is.

FCA and OFSI Supervisory Expectations

The FCA’s supervisory expectations for sanctions screening at payment firms reflect the particular risks created by high-volume transaction processing. The FCA expects: documented screening methodology, including the matching algorithm and threshold choices and the rationale for them; regular testing of the screening system against known designations; a documented escalation and alert disposition process; monitoring of false positive rates and trends; and a process for ensuring the sanctions list is updated promptly following new designations. OFSI expects firms to have processes that prevent funds being made available to designated persons — and will examine whether a firm’s screening programme was adequate if a sanctions breach occurs.

Adrian Lawrence FCA — Founder, FD Capital Recruitment Ltd

ICAEW Registered Practice  |  Companies House No. 13329383

“Sanctions screening at payment firms sits at the intersection of compliance, technology and operations — and the professionals who manage it most effectively are those who can navigate all three. MLROs and financial crime compliance officers with hands-on experience of screening calibration, alert management and OFSI engagement are in consistent demand across payment institutions, e-money firms and banking-as-a-service providers.”


Key References