GLOBAL PAYMENTS KNOWLEDGEISO 20022 / SWIFT / SEPA / MT / MX

Sanctions Screening / Learning brief

The risk-based approach to screening

Your notes

What this means in plain language

The duty to freeze is absolute, but how a bank calibrates its screening, which lists, how sensitive the matching, how often it re-screens, is a set of documented, defensible risk decisions proportionate to the bank's exposure.

Airport security checks everyone, but not identically: the rules about what is forbidden on a plane are the same for every passenger, while the intensity of the check varies with route and risk signals. Sanctions screening works the same way. The prohibition itself is absolute and applies to every customer and every payment, but the intensity of checking is calibrated to the risk of the business: which lists are screened, how sensitive the name matching is, how often the customer base is re-checked, and where in the payment flow screening happens. A small domestic savings bank and a bank that clears dollars for other banks face very different exposure, so they are expected to make different, and documented, choices. A risk-based approach does not weaken the obligation; it directs effort where the exposure is, and it records the reasoning so that a supervisor can inspect it later.

Understand the full idea, step by step

Two well-run banks can screen the same payment differently and both be right. That is not a contradiction — it is the risk-based approach, and it rests on a careful line between the duty and the machinery built around it.

What is risk-based, and what is not

Start by drawing the line. The obligation — to freeze a listed party's assets and make no funds available to them — is not risk-based; it applies in full to every customer and every payment. What is risk-based is the machinery built around that obligation: which lists are screened, which data attributes are compared, how much name variation the matching tolerates, how often the customer base is re-screened, and where in the payment flow the screening sits. To calibrate that machinery, an institution assesses its own exposure and designs the programme in proportion. The point is not to check less, but to direct effort toward where the risk actually is.

Risk-based approachcalibrating controls to assessed risk rather than a universal template

The risk-based approach expects the calibration to follow from the institution's own risk assessment. Industry guidance frames screening as one control within a wider financial-crime programme, calibrated to the bank's exposure — its customers, products, geographies, currencies, and delivery channels. A direct consequence: two banks with different exposures can make genuinely different, and equally defensible, choices.

The exposure a bank assesses

Customers
Who they are, and what activity is expected of them
Products
Which services carry more financial-crime risk
Geographies
Which markets and counterparties the bank touches
Currencies
What it clears — and whose expectations that imports
Channels
How payments reach the bank, and how directly

The decisions that must be written down

In practice the risk-based decisions are specific, and each has to be written down. A programme decides, for example, whether to screen lists from jurisdictions where it has no direct legal obligation but its correspondents insist on coverage; whether weak aliases generate their own alerts or only enrich an investigation already under way; and whether low-risk domestic retail payments run a lighter matching configuration than higher-risk cross-border flows. Every one of these trades alert volume against the chance of missing a true match, and every one needs a named owner, a written rationale, and a review date. Auditors and supervisors ask for the risk assessment behind a setting, not just the setting itself.

WHAT IF — A matching threshold is quietly tuned down to clear a backlog, and then never revisited — silent drift.

What happens: The live configuration no longer matches any decision anyone can point to. A control the institution cannot account for is treated as a finding regardless of whether the setting happened, in fact, to be reasonable.

How it is handled: Change control fixes this: a record of who approved each calibration and on what evidence, plus explicit, documented risk acceptance where the bank chooses not to screen something. The judgment is not removed — it is made inspectable after the fact.

Is "risk-based" just a polite way of saying the bank checks less?

No. The freeze duty is absolute and untouched by any risk assessment — it applies to every customer and payment. The risk-based part governs only how the surrounding control is tuned, and its aim is to concentrate effort where exposure is greatest, not to do less overall. A programme can be both risk-based and demanding; a lighter configuration on genuinely low-risk flows is what lets scrutiny land harder where it matters.

COMMON CONFUSION

You can read the bank's risk appetite off whatever the filter happens to be doing today.

That reverses the logic. The risk assessment is supposed to drive the configuration, not be inferred backwards from it. Inferring appetite from the live settings is exactly the move supervisors reject — a control the bank cannot explain from its own risk assessment is one it cannot show it is managing.

STRICTLY SPEAKING

Strictly speaking, this simplifies a broad subject: a real programme calibrates dozens of interacting settings rather than one dial, and supervisory expectations differ by jurisdiction. The connective tissue supervisors probe is the same everywhere, though — a documented risk assessment, a mapping from each risk to the control that addresses it, and change control over every calibration.

FOR NOW, REMEMBER

  • The freeze obligation is absolute; only the machinery around it — lists, attributes, matching tolerance, re-screening, placement — is risk-based.
  • Calibration follows from a documented assessment of the bank's own exposure: customers, products, geographies, currencies, channels.
  • Every risk-based decision needs a named owner, a written rationale, and a review date; the common failure is silent drift.
  • Supervisors ask for the risk assessment behind a setting — a control the bank cannot explain is treated as a finding.

TRY IT YOURSELF

The auditor asks Kabir why cross-border payments run tighter name matching than domestic retail payments. Which answer holds up?

Domestic retail payments are low-risk enough that they do not really need screening, so the difference does not matter.

Not this one — The freeze duty applies in full to every payment, domestic ones included — they are still screened. The risk-based approach tunes how the matching behaves, but it never switches the obligation off, so "they don't need screening" is not a defensible line.

It is a documented risk-based decision — cross-border flows carry higher exposure — with a named owner, a written rationale, and a review date; the freeze obligation itself is identical for both.

Correct — Exactly. A defensible calibration ties the setting to assessed exposure and records who owns it and why. That is what makes the difference between the two flows inspectable rather than arbitrary, while the underlying duty stays the same for both.

The threshold is wherever it needed to be to clear the alert backlog fastest.

Not this one — That is silent drift — a setting tuned for operational convenience and detached from any risk decision. Supervisors treat a configuration that cannot be traced to the risk assessment as a finding, regardless of whether it happens to be reasonable.

Screening enforces the sanctions duty; monitoring hunts a different quarry. The next lesson steps back to the crime the wider programme exists to detect — how money laundering moves criminal proceeds through three classic stages.

KEEP GOING

Three things to remember

  1. 01

    The freeze obligation is absolute; only the screening control around it is calibrated to risk.

  2. 02

    Risk-based choices include list selection, matching sensitivity, re-screening frequency, and screening points in the flow.

  3. 03

    Each calibration needs an owner, a written rationale, and periodic review, so a supervisor can inspect the judgment.

Where you would use this

USE CASE 01

A compliance team writes a sanctions risk assessment covering customers, products, geographies, currencies, and channels.

USE CASE 02

A screening manager decides whether weak aliases raise alerts or only enrich an investigation, and records the reasoning.

USE CASE 03

An internal auditor traces each screening setting back to the risk it addresses, treating an unexplained setting as a finding.

Put the idea into a real situation

Illustrative example: a fictional bank, Meridian Trust, runs two payment channels. For low-risk domestic retail transfers averaging EUR 250.00, its documented policy uses a tighter name-match configuration that produces roughly 30 alerts per 100,000 payments. For cross-border payments, where exposure is higher, it widens the matching so weaker name variants also alert, accepting about 220 alerts per 100,000 payments and staffing a review team to clear them within a 24-hour service target. Each setting names an owner and cites the risk assessment behind it. When the bank adds a new correspondent in a higher-risk market, the assessment is refreshed and the cross-border threshold is reviewed, and the change is recorded with who approved it and why.

Evidence & review

REVIEWED 2026-07-13

Risk-based calibration of sanctions-screening controls; supervisory expectations differ by jurisdiction.

What this brief simplifies: Treats calibration as a few illustrative decisions where a real programme tunes dozens of interacting settings; the absolute freeze duty is deliberately held constant throughout.

Sources for this brief3
  1. Market practice

    Wolfsberg Group Sanctions Screening GuidanceThe Wolfsberg Group · Risk-based calibration of a screening programme from the institution's own risk assessment

    Industry guidance on the elements of an effective sanctions screening programme: the risk-based approach, list management, matching technology, alert generation, and alert handling. · Checked 2026-07-12

    Wolfsberg guidance is industry market practice, not law; institutions vary in how they apply it.

  2. Official requirement

    The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism & ProliferationFinancial Action Task Force · The risk-based approach as a foundational principle

    The global standards countries implement against money laundering, terrorist financing, and proliferation financing, including targeted financial sanctions and payment transparency under Recommendation 16. · Checked 2026-07-12

    Adopted in 2012 and updated regularly since; the June 2025 FATF plenary agreed revisions to Recommendation 16 on payment transparency. Consult the live consolidated text for the current wording.

  3. Simplified educational illustration

    Payments Signal editorial teaching modelsPayments Signal · Auditor scenario and the written-decision framing

    This site's own simplified teaching models. · Checked 2026-07-12

    Used wherever diagrams, scenarios, figures, or example values are didactic constructions rather than sourced facts; every such use carries a simplifications disclosure. All people, companies, banks, and list entries in examples are fictional.

Learn this properly

Related briefs

View Sanctions Screening archive

Sanctions screening versus AML and fraud

Sanctions screening is a list check with an immediate stop. Anti-money-laundering monitoring looks for suspicious patterns after the fact, and fraud detection protects against theft in real time. The three share data but differ in purpose, timing, and outcome.

READ BRIEF

Identifiers and data quality in screening

Strong secondary identifiers, such as dates of birth, passport numbers, and places, let a screening system confirm or clear a party with confidence. This article explains how good data cuts false positives and what weak data costs.

READ BRIEF

Customer screening versus transaction screening

Two sanctions controls guard different populations. Customer screening checks the people and entities a bank onboards; transaction screening checks every party named in a payment message in flight. Both are needed because neither control sees what the other sees.

READ BRIEF