Sanctions screening is not just a checkbox on a compliance form. It is a race between regulators and clever actors who constantly find new loopholes. The goal is simple: stop bad money from moving through the global system.
But the methods are getting trickier. Old keyword matching does not catch evasion anymore. Let's look at the core detection types and how they work in the real world.
| Evasion Typology | How It Works | Detection Approach |
|---|---|---|
| Trade-Based Laundering | Over/under-invoicing goods to move value across borders | Dual-use goods screening and unit price anomaly checks |
| Ownership Concealment | Layering shell companies to hide ultimate beneficial owners (UBOs) | Graph analytics and network link analysis |
| Structuring (Smurfing) | Splitting large transactions into small batches to avoid reporting | Sequence monitoring and velocity checks |
| Crypto Mixing / Tumbling | Obscuring the trail of digital assets | Blockchain forensics and wallet clustering |
You see, the old ways fail here. A simple name search will miss a shipment of circuit boards that is actually meant for a missile program. It will also miss a shell company owned by a shell company.
Evasion is a dynamic behavior, not a static label. Detection must look at patterns, not just names.
Combining transaction data with public records is the only way to see the full picture.
A company ships goods invoiced at $50,000 as "agricultural equipment" to a high-risk area. The scrap value of the metal alone is $200,000. This is a classic under-invoice: $150,000 of value leaves the country inside the shipment with no payment to match it, which is why unit-price checks against a reference price catch more than the commodity label ever will.
Transaction screening itself has changed a lot. It used to look only at the sender and receiver. Now, the context of the payment matters just as much as the name.
False positives are a huge problem here. Banks often raise thousands of alerts on legitimate payments for every one real sanctions hit, and each alert is a delayed payment and an investigator's time.
| Generation | Logic Used | Main Weakness |
|---|---|---|
| First Gen (Legacy) | Exact name matching against static lists | Misses fuzzy matches, typos, or transliteration tricks |
| Second Gen (Fuzzy) | Levenshtein distance and Soundex algorithms | High false-positive rate, especially for common names |
| Third Gen (AI-Assisted) | Entity resolution and behavioral risk scoring | Requires large, clean datasets to train effectively |
| Fourth Gen (Contextual) | Graph-based linking of counterparties, vessels, and locations | Complex integration across internal and external data sources |
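To make the gap between the first two generations concrete, here is an added example (not code from the original article) of a first-generation exact matcher next to a token-level Levenshtein matcher, run over a constructed two-entry watchlist. The names, dates of birth and the 0.80 score threshold are assumptions chosen for illustration. It shows the transliteration variant that exact matching misses, the common-name false positive that fuzzy matching produces, and how one secondary attribute (date of birth) discounts that alert.

```python
import re
import unicodedata

# Constructed watchlist for illustration; these are not real designations.
WATCHLIST = [
    {"name": "Muhammad Ali Al-Fulani", "dob": "1965-03-12"},
    {"name": "Dmitriy Ivanovich Petrov", "dob": "1971-08-01"},
]


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, collapse whitespace.
    Non-Latin scripts would need a transliteration table first; not covered here."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(re.sub(r"[^a-z0-9]+", " ", stripped.lower()).split())


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with a single rolling DP row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def token_similarity(x: str, y: str) -> float:
    """1.0 for identical tokens, 0.0 for completely different ones."""
    return 1.0 - levenshtein(x, y) / max(len(x), len(y), 1)


def name_score(query: str, listed: str) -> float:
    """Average, over the query's tokens, of each token's best match in the listed name.
    Token-level scoring is what lets 'Dmitri Ivanovitch Petrov' hit the Petrov entry;
    it is also why a short common name hits every entry that contains it."""
    q_tokens, l_tokens = normalize(query).split(), normalize(listed).split()
    if not q_tokens or not l_tokens:
        return 0.0
    return sum(max(token_similarity(q, l) for l in l_tokens) for q in q_tokens) / len(q_tokens)


def exact_match(name: str) -> list:
    """First-generation logic: normalized string equality only."""
    key = normalize(name)
    return [e["name"] for e in WATCHLIST if normalize(e["name"]) == key]


def screen(name: str, dob=None, threshold: float = 0.80) -> list:
    """Second-generation logic plus one secondary attribute: (listed name, score) for every
    entry at or above the threshold, dropping entries whose DOB contradicts a supplied DOB."""
    hits = []
    for entry in WATCHLIST:
        score = name_score(name, entry["name"])
        if score < threshold:
            continue
        if dob is not None and entry["dob"] != dob:
            continue  # the name matched but the person cannot be the same: discount the alert
        hits.append((entry["name"], round(score, 2)))
    return hits


if __name__ == "__main__":
    print("exact :", exact_match("Dmitri Ivanovitch Petrov"))   # misses the transliteration
    print("fuzzy :", screen("Dmitri Ivanovitch Petrov"))        # catches it
    print("common:", screen("Muhammad Ali"))                    # false positive on a common name
    print("w/ DOB:", screen("Muhammad Ali", dob="2015-06-30"))  # DOB discounts the alert
```

The threshold is the whole game: lower it and the Petrov variant is caught but every "Muhammad Ali" in the customer base alerts; raise it and the transliteration slips through. That is why the third and fourth generations in the table bolt secondary attributes and context onto the name score rather than tuning the score alone.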
Shipping is a nightmare to monitor. A sanctioned vessel can simply switch off its Automatic Identification System (AIS) transponder. The resulting gap in position reports is called a "dark activity" event.
Then, the ship-to-ship transfers happen in the middle of the ocean. Cargo goes from a sanctioned tanker to a "clean" one. Suddenly, there is no paper trail linking the oil to the bad actor.
A tanker switches off its transponder near a port in Iran. It reappears hours later sitting deeper in the water, loaded with crude oil. The captain claims there was a "digital glitch." Investigators spot the gap, where it happened, and the change in draught, and flag the shipment.
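The gap-plus-location-plus-draught check in that scenario is easy to express as code. Below is an added example, not code from the original article: a small detector run over constructed position reports (hourly rows rather than real AIS cadence, to keep the sample short). The MMSIs, the "Zone A" coordinates, the six-hour gap threshold, the 50 km radius and the two-metre draught change are all assumptions chosen for the illustration; real deployments tune them per vessel class and area.

```python
from datetime import datetime
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

# Constructed position reports (not real AIS traffic): (MMSI, UTC timestamp, lat, lon, draught in metres).
REPORTS = [
    ("111111111", "2024-05-01T00:00:00", 26.90, 56.10, 9.5),
    ("111111111", "2024-05-01T01:00:00", 26.95, 56.00, 9.5),
    ("111111111", "2024-05-01T02:00:00", 27.00, 55.90, 9.5),
    # fourteen hours of silence, then the vessel reappears sitting much deeper in the water
    ("111111111", "2024-05-01T16:00:00", 26.70, 55.60, 15.8),
    ("111111111", "2024-05-01T17:00:00", 26.60, 55.40, 15.8),
    ("222222222", "2024-05-01T00:00:00", 25.10, 55.20, 11.0),  # a vessel with an ordinary track
    ("222222222", "2024-05-01T01:00:00", 25.20, 55.30, 11.0),
    ("222222222", "2024-05-01T02:00:00", 25.30, 55.40, 11.0),
]

# Hypothetical high-risk loading area; the coordinates are assumed, not a specific real port.
HIGH_RISK_ZONES = {"Zone A": (27.15, 56.28)}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def dark_events(reports, zones=HIGH_RISK_ZONES, max_gap_hours=6.0,
                zone_radius_km=50.0, min_draught_change_m=2.0):
    """One event per silent period longer than max_gap_hours, enriched with the nearest
    high-risk zone to either end of the gap and the draught change across it."""
    events = []
    rows = sorted(reports, key=lambda r: (r[0], r[1]))  # ISO timestamps sort lexically
    for mmsi, group in groupby(rows, key=lambda r: r[0]):
        track = list(group)
        for prev, nxt in zip(track, track[1:]):
            t0, t1 = datetime.fromisoformat(prev[1]), datetime.fromisoformat(nxt[1])
            gap_h = (t1 - t0).total_seconds() / 3600
            if gap_h < max_gap_hours:
                continue
            zone, dist = None, float("inf")
            for name, (zlat, zlon) in zones.items():
                for r in (prev, nxt):  # last position before the gap, first after it
                    d = haversine_km(r[2], r[3], zlat, zlon)
                    if d < dist:
                        zone, dist = name, d
            draught_change = nxt[4] - prev[4]
            events.append({
                "mmsi": mmsi,
                "last_seen": prev[1],
                "reacquired": nxt[1],
                "gap_hours": round(gap_h, 1),
                "near_zone": zone if dist <= zone_radius_km else None,
                "distance_km": round(dist, 1),
                "draught_change_m": round(draught_change, 1),
                "loaded_while_dark": draught_change >= min_draught_change_m,
            })
    return events


if __name__ == "__main__":
    for ev in dark_events(REPORTS):
        print(ev)
```

A gap on its own is weak evidence (coverage really does drop out in places); a gap that starts within range of a known loading area and ends with the hull several metres deeper is the combination worth an investigator's time, and the event record keeps all three facts together for the case file.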
Financial institutions must also watch out for sectoral sanctions. These restrict certain types of business activity, not specific people. For example, you cannot help a Russian bank on a sectoral list raise money through new debt or equity, even though the bank itself is not "blocked" and ordinary payments to it are still allowed.
It is about what the money is for, not just who sends it. This requires deep knowledge of the customer's business. If a construction company suddenly starts trading in oil futures, that is a red flag.
Focus on the "use case" of the funds, not just the identity of the holder.
Changes in customer corporate structure often signal an attempt to bypass sectoral debt or equity restrictions.
| Red Flag Scenario | Why It Is Suspicious | Suggested Response |
|---|---|---|
| Last-minute beneficiary changes | Indicates "fresh" shell companies or rerouting pressure | Hold funds, verify UBO, ask for contract evidence |
| Inconsistent routing codes | Goods shipped to a safe country but the payment is billed in, or routed through, a risky zone | Cross-check shipping manifests against the bank identifiers (BICs) and countries on the payment messages |
| Payments via "nested" correspondents | Small foreign banks processing for sanctioned entities | Demand know your customer's customer (KYCC) data |
| High-value luxury asset purchases | Used to store value and bypass banking restrictions | Flag transactions with art dealers or luxury yacht brokers |
Modern compliance teams are using graph technology to fight this. A graph database connects a person to a phone number, to a director position, to a supplier. It does not just see one name — it sees the whole family tree of risk.
When a new sanctions package drops, the map updates instantly. It shows every hidden link. This is much faster than a human digging through PDFs.
A compliance officer gets an alert for "ABC Holdings." It is not on the list. But the graph shows the founder also owns a sanctioned factory in Asia. The system catches the indirect ownership link instantly.
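Two different questions hide inside "the graph shows a link": is the entity blocked because sanctioned parties own enough of it through the layers, and is it connected to a sanctioned node at all (the shared-founder case above)? The following is an added example, not the article's or any vendor's code, that answers both over a constructed ownership graph. Every person, company and percentage in it is hypothetical; the 50 percent aggregate-ownership threshold is the rule OFAC applies, but it is a parameter here. Going a step beyond the text, it also computes economic exposure by multiplying shares along each chain, to show that the two measures can disagree.

```python
from collections import defaultdict, deque

# Constructed ownership and control graph; every name and share here is hypothetical.
SANCTIONED = {"Person P1", "Person P2", "Sanctioned Factory"}
EDGES = [  # (holder, relation, entity, share of equity as a fraction; None for non-ownership links)
    ("Person P1", "owns", "Shell A", 0.30),
    ("Person P2", "owns", "Shell A", 0.25),
    ("Investor Q", "owns", "Shell A", 0.45),
    ("Shell A", "owns", "Shell B", 0.50),
    ("Fund R", "owns", "Shell B", 0.50),
    ("Shell B", "owns", "ABC Holdings", 0.40),
    ("Person P1", "owns", "ABC Holdings", 0.15),
    ("Fund R", "owns", "ABC Holdings", 0.45),
    ("Shell B", "owns", "Clean Co", 0.20),
    ("Fund R", "owns", "Clean Co", 0.80),
    ("Founder F", "director_of", "XYZ Ltd", None),
    ("Founder F", "owns", "Sanctioned Factory", 1.00),
]


def ownership_map(edges):
    """entity -> [(holder, share)] built from ownership edges only."""
    holders = defaultdict(list)
    for holder, relation, entity, share in edges:
        if relation == "owns" and share:
            holders[entity].append((holder, share))
    return holders


def blocked_by_ownership(edges, sanctioned, threshold=0.50):
    """Entities blocked by aggregate ownership: any entity in which blocked parties (listed, or
    themselves blocked by this rule) hold at least `threshold` in total. Iterates to a fixpoint
    so a chain of shells resolves whatever order the edges arrive in. Returns derived entities only."""
    holders = ownership_map(edges)
    blocked = set(sanctioned)
    changed = True
    while changed:
        changed = False
        for entity, hs in holders.items():
            if entity in blocked:
                continue
            if sum(s for h, s in hs if h in blocked) >= threshold - 1e-9:
                blocked.add(entity)
                changed = True
    return blocked - set(sanctioned)


def effective_share(holders, entity, holder, visiting=frozenset()):
    """Economic interest of `holder` in `entity`: shares multiplied along every chain, then summed.
    `visiting` guards against circular shareholdings."""
    total = 0.0
    for h, s in holders.get(entity, []):
        if h == holder:
            total += s
        elif h not in visiting:
            total += s * effective_share(holders, h, holder, visiting | {entity})
    return total


def sanctioned_exposure(edges, entity, sanctioned):
    """Total economic interest of all sanctioned parties in `entity`."""
    holders = ownership_map(edges)
    return sum(effective_share(holders, entity, p) for p in sanctioned)


def nearest_sanctioned_link(edges, entity, sanctioned, max_hops=3):
    """Breadth-first search over the undirected graph (ownership and directorships alike):
    the shortest path from `entity` to any sanctioned node within max_hops, or None."""
    adj = defaultdict(list)
    for holder, _relation, target, _share in edges:
        adj[holder].append(target)
        adj[target].append(holder)
    queue, seen = deque([[entity]]), {entity}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node in sanctioned and node != entity:
            return path
        if len(path) - 1 >= max_hops:
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    print("blocked :", sorted(blocked_by_ownership(EDGES, SANCTIONED)))
    print("exposure:", round(sanctioned_exposure(EDGES, "ABC Holdings", SANCTIONED), 3))
    print("link    :", nearest_sanctioned_link(EDGES, "XYZ Ltd", SANCTIONED))
```

ABC Holdings comes out blocked (Shell A is 55 percent sanctioned-owned, so Shell B is 50 percent blocked-owned, so Shell B's 40 percent plus P1's direct 15 percent crosses the line), yet the sanctioned parties' economic interest in it is only 26 percent. Screening on "effective ownership" alone would wave it through; the propagation rule does not. XYZ Ltd is not blocked by either measure, but the two-hop path through Founder F to the sanctioned factory is exactly the alert the compliance officer in the text needed to see.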
Crypto assets have added a whole new layer to this challenge. Mixers like Tornado Cash have been sanctioned directly (OFAC designated it in 2022 and delisted it in 2025, a reminder that the lists themselves move). But new tools pop up to hide the origin of funds.
Funds can be hopped through thousands of swaps, chains and bridges to put distance between them and the original crime. The only way to keep up is with on-chain analysis that follows the flow of money hop by hop, as close to real time as possible.
Crypto does not respect borders. Sanctions screening here relies on wallet clustering, not national IDs.
Even if a wallet is "clean" today, checking its history for high-risk exposure is critical.
Finally, we must talk about the human element. Insider threats help bad guys get around screens. An employee at a bank might change a customer's name by one letter. They might enter a wrong country code.
Internal security and access controls are part of the screening process. You have to trust your own data before you can block external threats.
| Threat Vector | Example Action | Mitigation Strategy |
|---|---|---|
| Data Corruption | Deliberate alteration of customer spelling to avoid flagging | Dual-entry controls and immutable audit logs |
| Override Abuse | Managers approving "false positives" without proper review | Random sampling of overrides by a second-line team |
| Bypass Collusion | Using internal accounts to process payments for sanctioned clients | Segregation of duties and anomaly detection on staff accounts |
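Two of the mitigations in the table, immutable audit logs and second-line sampling of overrides, are small enough to show in working code. What follows is an added example, not code from the article: a hash-chained audit log that records both the one-letter name edit from the paragraph above and a hit release, a maker-checker rule that refuses self-approved overrides, and a seeded sampler for the second line. The actor IDs, alert IDs and customer record are constructed.

```python
import hashlib
import json
import random

GENESIS = "0" * 64


def digest_of(body: dict) -> str:
    """Canonical SHA-256 of an entry body (sorted keys, so equal content always hashes equal)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only, hash-chained log of screening-data edits and alert overrides.
    Every entry commits to the previous entry's hash, so editing, deleting or reordering
    a past entry breaks the chain at that point."""

    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "record": record, "prev": prev}
        entry = dict(body, hash=digest_of(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """None if the chain is intact, otherwise the index of the first entry that fails."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev or digest_of(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def release_hit(log: AuditLog, alert_id: str, requester: str, approver: str, reason: str) -> str:
    """Maker-checker control: a hit is released only by someone other than the person who asked."""
    if requester == approver:
        raise PermissionError("override must be approved by a second person")
    return log.append(approver, "override_release",
                      {"alert": alert_id, "requested_by": requester, "reason": reason})


def sample_for_review(log: AuditLog, percent: int, seed: int) -> list:
    """Random sample of override entries for second-line review. The seed is held by the
    second line, so the first line cannot know in advance which releases will be pulled."""
    rng = random.Random(seed)
    overrides = [e for e in log.entries if e["action"] == "override_release"]
    return [e for e in overrides if rng.random() * 100 < percent]


if __name__ == "__main__":
    log = AuditLog()
    log.append("teller-17", "customer_update",
               {"customer": "C-1001", "field": "name", "old": "Dmitriy Petrov", "new": "Dmitriy Petrow"})
    release_hit(log, "ALERT-42", requester="analyst-3", approver="manager-9", reason="DOB mismatch")
    print("intact:", log.verify())                       # None
    log.entries[0]["record"]["new"] = "Dmitriy Petrov"   # insider tries to erase the edit
    print("tampered at:", log.verify())                  # 0
```

The chain only proves something if its head hash lives somewhere the insider cannot write, for example exported on a schedule to a write-once store or signed by a key the application holds and the database administrators do not. Without that anchor, whoever can rewrite a row can also recompute every hash after it, and the log is merely well-formatted. The chain is detection; the write permissions are the control.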
Good screening is layered. You have the first filter for hard matches. Then a fuzzy layer for typos. Then a behavioral layer for trade-based crime. And finally, a human layer for complex investigations.
If you miss one layer, the criminals will find the gap. It is not about being perfect. It is about closing the gaps faster than the other side can find them.
A bank holds a payment for "Muhammad Ali" because the name matches a sanctions entry. The real customer is a child in London. The name match alone cannot clear it, but secondary attributes such as date of birth and nationality rule the listed person out; a human reviewer confirms that discount before the funds are released.
No single system catches everything. Overlap your name matching, shipping data, and graph checks for solid protection.
Remember that timing matters. A clean check today can look dirty tomorrow based on new information.
Key Takeaways
| Key Point | What It Means | Action Item |
|---|---|---|
| Evasion is behavioral | Look for trade patterns and vessel dark periods, not just names | Integrate shipping AIS data into your screening workflow |
| Fuzzy matching is not enough | It catches spelling and transliteration variants but cannot see through ownership layers | Use graph tools to map ultimate beneficial ownership (UBO) |
| Crypto needs new tools | Mixers and cross-chain bridges obscure the source of funds | Deploy real-time blockchain analytics for wallet screening |
| Insider risk is real | Staff can overwrite or corrupt the screening software inputs | Apply dual control and audit all manual override actions |
| Context beats exact matches | Payment purpose and trade documents matter more than spelling | Screen for dual-use goods keywords in invoice descriptions |