
How to reduce false positives in sanctions screening

False positives in sanctions screening drain compliance resources that could be better spent investigating genuine risks. When compliance teams are overwhelmed by low-quality alerts, the most sophisticated bad actors often slip through enhanced due diligence processes.

Recent regulatory guidance emphasizes the importance of efficient screening programs. In their 2023 enforcement actions, regulators specifically highlighted how inadequate screening systems led to:

  • Missed interdiction opportunities due to alert fatigue
  • Delayed identification of true hits
  • Insufficient resource allocation to high-risk cases

False positives could be the biggest risk to running an effective sanctions screening program.

This is how we think about it:

False positives create manual work for compliance officers.

When 95% of that work is a false alarm, 95% of manual effort is wasted.

This is a reality for most compliance officers and agents today because we’re living in an alert avalanche. Ever since Russia invaded Ukraine, the scale and speed of new names added to watchlists like OFAC, EEAS, and OFSI have been unprecedented.

Compliance analysts are forced to do reverse lookups against customer CIP and adjacent data (like DOB, address, full vs. nickname matching, etc.). More than 95% of these alerts are false positives, leading to burnout and frustration. Compounding all this, compliance teams lack dedicated engineering support to upgrade the legacy system, so the workaround is building alert processes around poor systems.

Missing true positives. Legacy systems can’t cope.

Your legacy system is making you waste 95% of your team's time, but you can’t afford to miss the needle in the haystack. The fear is missing true positives.

The consequences for BSA/AML failures are fines that can run into billions of dollars, reputational damage, and even consent orders that prevent a bank from being able to open new accounts. Often the answer is ever more headcount, but even then it's a temporary fix.

Legacy systems often output an alert based on simple logic, such as a fuzzy name match or even a name associated with a geographical region. Looking this up against CIP data can take hours, especially if it's in a separate system, nicknames are used, or key PII doesn’t match neatly.

Compliance teams are trying to battle human trafficking, arms dealing, and state-sponsored terrorism with spreadsheets and legacy systems. It’s not good enough.

The steps to reduce false positives are:

  1. Build a program that is well-documented and can be rapidly adapted
  2. Make it risk-based, so that alerting is driven by risk profiles and factors
  3. Have a governance framework that regularly reviews, tests and oversees the program
  4. Leverage better data, automation and Gen AI to reduce false positives
    1. Higher-quality data means fewer false positives
    2. Automated alert summaries reduce manual work
    3. AI agents can pre-decision alerts, reducing time spent on obvious false positives
  5. Measure your compliance program's effectiveness

Step 1: Building a sanctions program that can be rapidly documented and adapted.

Financial institutions face increasingly complex sanctions compliance obligations under BSA/AML requirements, OFAC guidelines, and other regulatory frameworks. Recent enforcement actions have highlighted the need for robust screening programs that can:

  • Demonstrate a risk-based approach aligned with regulatory expectations
  • Maintain detailed documentation of screening methodologies
  • Ensure consistent application of screening rules across all business lines
  • Provide clear audit trails for regulatory examinations
  • Enable quick adaptation to new regulatory guidance and requirements.

Step 2: Focus on more dynamic alert prioritization.

The risk from sanctions is far greater than a user's name alone; multiple factors contribute to that risk, and alerts should be configured to capture those factors. Leading financial institutions are moving beyond simple name-matching to implement sophisticated risk-based screening programs that consider:

  • Customer risk profiles and segmentation
  • Geographic risk exposure
  • Product and service risk factors
  • Transaction patterns and volumes
  • Relationship duration and history

In a world where sanctions evasion techniques evolve daily, static rules aren't enough. Modern risk-based screening must dynamically adapt to:

  • Emerging typologies in sanctions evasion
  • Network analysis of related parties
  • Behavioral patterns across transaction corridors
  • Real-time changes in risk factors

This multi-factor approach helps prioritize alerts based on actual risk rather than superficial matches.

Step 3: Building a Robust Governance Framework

Successful sanctions screening programs require strong governance structures:

  • Clear roles and responsibilities across all three lines of defense
  • Documented escalation procedures for potential matches
  • Regular testing and validation of screening systems
  • Comprehensive training programs for compliance staff
  • Periodic independent testing and validation
  • Board and senior management oversight

Assuming you have the first three steps in place, then we can layer in the technology.

Step 4: For fewer false positives, improve the data and technology

  1. Real-time data from more sources reduces false positives
  2. Automated alert summaries reduce manual work
  3. AI agents pre-decision alerts to avoid working obvious false positives

Here’s how it works 👇

Step 4.1: Better real-time data means fewer false positives

With the right data as the base of the pyramid, we can get much more accurate assessments of an alert:

  • Sourcing data in real-time helps catch true positives early. Ideally this data is sourced at least daily, if not hourly. Often the underlying data sources are static (sorry, no webhooks), so many legacy systems pull the information in batch or scramble to add new names when they’re announced. 
  • Combine more 3rd party data with alert data in real-time. Enhance alert data with 3rd party watch lists, data consortia, and data providers to give an alert more context if it becomes an investigation, or needs to be auto-decisioned. Layer in the company's ultimate beneficial owners (UBOs), company filings, and any relevant media or court data, and you begin to build the more complete picture.
  • Labeled data feeds risk systems, rules engines, and compliance agents with vital context. For example, simply knowing if a transaction is using a legal name, alias or nickname can be vital to help match an individual against their CIP data. Legacy systems were built when data storage and network capabilities were limited, so they often don’t carry much context about a user. We can add that context with the alert for a case manager to review.
  • Measuring alert effectiveness (KPIs and evaluation). Constant testing and evaluation helps measure and improve the accuracy of our automated screening systems. By running thousands of test cases through evaluation frameworks, we can quantify false positive rates, detection accuracy, and edge cases with backtesting. 

Step 4.2: Automate the alert summary with enhanced compliance technology

Today the Sardine dashboard gives analysts a full picture of an alert with this process: 

  • Pull CIP data: automatically cross-reference customer identification program (CIP) data against watchlist entries in real-time (on the Sardine dashboard). This includes matching names but also dates of birth, addresses, identification numbers, and other key identifiers that can help confirm or rule out true matches.
  • Match it against the transaction: leverage advanced fuzzy matching algorithms that understand common name variations, transliterations, and cultural naming conventions. Our system can distinguish between similar-looking names by considering the full context of the transaction and customer profile.
  • Evaluate high-risk rules that fired: assess the specific combination of risk factors that triggered the alert. This includes analyzing whether multiple independent risk indicators are present (like geographic risk + name match + unusual transaction pattern) versus single-factor matches that are more likely to be false positives.
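The three steps above (pull CIP data, fuzzy-match the name, weigh the combination of factors that fired) and the backtesting described in Step 4.1 can be shown end to end in a small script. The following is an added example written for this article, not Sardine's code: the nickname table, the 0.85 similarity threshold, the use of Python's `difflib` as a stand-in for a vendor fuzzy-matching engine, and every listing and customer record are constructed assumptions. It also illustrates the multi-factor prioritization from Step 2: a name hit alone is medium priority, agreeing DOB and country raise it, and a contradicting DOB lowers it.

```python
"""Multi-factor sanctions screening with backtesting (constructed example).

Assumptions: the alias table, the similarity threshold and the sample
listing/customer records below are all made up for illustration.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed nickname table; a real program would source this from labelled data.
ALIASES = {"bill": "william", "bob": "robert", "alex": "alexander"}


def normalize_name(name: str) -> str:
    """Strip accents, punctuation and case, expand nicknames, and sort the
    tokens so that 'Doe, Bill' and 'William Doe' compare as equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = [ALIASES.get(t, t) for t in re.findall(r"[a-z]+", ascii_name.lower())]
    return " ".join(sorted(tokens))


def name_similarity(a: str, b: str) -> float:
    """Similarity in [0, 1]; difflib stands in for a vendor fuzzy-matching engine."""
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio()


def screen(customer: dict, listing: dict, threshold: float = 0.85) -> dict:
    """Decide one customer/listing pair.

    A name hit alone is a medium-priority alert; agreeing CIP fields (DOB,
    country) raise it to high, and a contradicting DOB lowers it to low so an
    agent or analyst can clear it quickly."""
    score = round(name_similarity(customer["name"], listing["name"]), 3)
    if score < threshold:
        return {"alert": False, "priority": "none", "score": score, "factors": []}
    factors = ["name_match"]
    dob_known = bool(customer.get("dob") and listing.get("dob"))
    if dob_known and customer["dob"] == listing["dob"]:
        factors.append("dob_match")
    if customer.get("country") and customer["country"] == listing.get("country"):
        factors.append("country_match")
    if dob_known and customer["dob"] != listing["dob"]:
        priority = "low"       # strong name hit but the DOB contradicts: likely noise
    elif len(factors) >= 2:
        priority = "high"      # independent indicators agree
    else:
        priority = "medium"    # name only, nothing to corroborate or refute
    return {"alert": True, "priority": priority, "score": score, "factors": factors}


def backtest(cases, threshold: float = 0.85) -> dict:
    """Run labelled (customer, listing, is_true_match) cases and report KPIs.

    false_positive_rate is the share of fired alerts that were noise;
    recall is the share of true matches that produced an alert."""
    tp = fp = fn = 0
    for customer, listing, is_match in cases:
        fired = screen(customer, listing, threshold)["alert"]
        tp += fired and is_match
        fp += fired and not is_match
        fn += (not fired) and is_match
    alerts = tp + fp
    return {
        "alerts": alerts,
        "false_positive_rate": fp / alerts if alerts else 0.0,
        "recall": tp / (tp + fn) if (tp + fn) else 0.0,
    }


# Constructed watchlist entry and labelled customer records (not real data).
LISTING = {"name": "William Doe", "dob": "1970-01-01", "country": "XX"}
CASES = [
    ({"name": "Doe, Bill", "dob": "1970-01-01", "country": "XX"}, LISTING, True),
    ({"name": "Willam Doe", "dob": "1970-01-01", "country": "XX"}, LISTING, True),
    ({"name": "William Doe", "dob": "1988-05-12", "country": "US"}, LISTING, False),
    ({"name": "William Doe", "dob": None, "country": "CA"}, LISTING, False),
    ({"name": "Wilhelm Dole", "dob": "1965-03-03", "country": "DE"}, LISTING, False),
    ({"name": "Robert Smith", "dob": None, "country": "US"}, LISTING, False),
]

if __name__ == "__main__":
    for customer, _, is_match in CASES:
        label = "true match" if is_match else "not a match"
        print(customer["name"], label, screen(customer, LISTING))
    print(backtest(CASES))
```

On the constructed cases, the two exact-name hits without corroborating data still fire (half of all alerts are false positives at this threshold), but they land in the low and medium buckets rather than beside the high-priority hits where DOB and country agree. That separation is what lets an agent or analyst clear the obvious noise first, and the backtest numbers are the evidence a governance review would ask for before changing the threshold.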

Step 4.3: Use Real Time Transaction Monitoring AI Agents to pre-decision any alert

Our Transaction Monitoring Agent can quickly pull all the relevant data needed to review an alert and make recommendations on these cases.

It will check whether the customer's KYC document matches the transaction and whether any high-risk rules are activated (such as a DOB mismatch).

It can then:

  • Add the subject to a blocklist or allowlist, or
  • Flag that re-KYC or step-up verification is required, based on what is found in the data.

Step 5: Measuring Compliance Program Effectiveness (KPIs)

Most compliance programs track these KPIs, but being able to automate them is crucial. Sardine provides this context in a dashboard (as mentioned in 4.3).

  • False positive rates by channel and customer segment
  • Alert processing times and backlog trends
  • Quality assurance results and error rates
  • System performance and uptime metrics
  • Staff productivity and capacity utilization.

In addition, all ML and AI models should be able to explain the importance of features where possible. If you can measure your program, you then need to be able to change it rapidly, ideally in real time, as new threats emerge daily.
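The first three KPIs in the list above (false positive rate by channel and segment, processing time, backlog) are simple aggregations once alert dispositions are recorded consistently. The following is an added example written for this article, not Sardine's dashboard code: the record layout (channel, segment, opened/closed timestamps, outcome) and every value in the sample alerts are constructed assumptions.

```python
"""Compliance-program KPIs from alert records (constructed example).

Assumptions: the record layout and every value in ALERTS are made up for
illustration; a real dashboard would read them from the case-management system.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: each record is one alert worked by the compliance team.
# "closed" is None while the alert is still open; "outcome" is the analyst's disposition.
ALERTS = [
    {"channel": "wire", "segment": "retail", "opened": "2024-06-01T08:00",
     "closed": "2024-06-01T09:30", "outcome": "false_positive"},
    {"channel": "wire", "segment": "retail", "opened": "2024-06-01T08:15",
     "closed": "2024-06-01T10:15", "outcome": "false_positive"},
    {"channel": "wire", "segment": "retail", "opened": "2024-06-01T09:00",
     "closed": "2024-06-01T11:00", "outcome": "true_positive"},
    {"channel": "card", "segment": "business", "opened": "2024-05-31T14:00",
     "closed": "2024-06-01T10:00", "outcome": "false_positive"},
    {"channel": "card", "segment": "business", "opened": "2024-06-01T07:00",
     "closed": "2024-06-01T08:00", "outcome": "false_positive"},
    {"channel": "ach", "segment": "retail", "opened": "2024-05-30T09:00",
     "closed": None, "outcome": None},
    {"channel": "ach", "segment": "retail", "opened": "2024-06-01T11:00",
     "closed": None, "outcome": None},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def false_positive_rate_by(alerts, keys=("channel", "segment")) -> dict:
    """Share of closed alerts cleared as false positives, per (channel, segment).
    Open alerts are excluded because they have no disposition yet."""
    counts = defaultdict(lambda: {"closed": 0, "false_positive": 0})
    for a in alerts:
        if a["closed"] is None:
            continue
        key = tuple(a[k] for k in keys)
        counts[key]["closed"] += 1
        counts[key]["false_positive"] += a["outcome"] == "false_positive"
    return {key: round(c["false_positive"] / c["closed"], 3) for key, c in counts.items()}


def processing_time_hours(alerts) -> dict:
    """Median and worst-case time from alert creation to disposition, in hours."""
    hours = [(_ts(a["closed"]) - _ts(a["opened"])).total_seconds() / 3600
             for a in alerts if a["closed"] is not None]
    return {"median_hours": median(hours), "max_hours": max(hours)}


def backlog(alerts, now_iso: str) -> dict:
    """Number of open alerts and the age of the oldest one, measured at now_iso."""
    now = _ts(now_iso)
    ages = [(now - _ts(a["opened"])).total_seconds() / 3600
            for a in alerts if a["closed"] is None]
    return {"open": len(ages), "oldest_open_hours": max(ages, default=0.0)}


if __name__ == "__main__":
    print(false_positive_rate_by(ALERTS))
    print(processing_time_hours(ALERTS))
    print(backlog(ALERTS, "2024-06-01T12:00"))
```

Breaking the false positive rate out by channel and segment is what makes the metric actionable: in the sample, every card/business alert was noise while wire/retail produced a true hit, which points at a specific rule set to tune rather than a program-wide threshold change. Tracking the oldest open alert alongside the count catches the backlog case where a single stale alert hides behind a healthy-looking average.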

Empower Your Compliance Team

Your compliance team stands between your institution and significant regulatory risk.

We save analysts time and frustration, so they can work the cases that matter.

Sardine's solution integrates with your existing infrastructure to deliver immediate efficiency gains while supporting your long-term compliance modernization strategy.

We save you time and money and put your resources to best use.

Our agents can work around your existing technology stack and systems and get you uplift today with transformation tomorrow. Want a solution that isn’t "hire more bodies" or "rip and replace your tech stack"?

We’re here when you need us.

Sanctions Screening FAQs

What is a sanctions alert?

A sanctions alert is triggered whenever an underlying system (like transaction monitoring or customer onboarding) believes a person or entity is at high risk. High risk can mean their name is the same as, or similar to, a name on a global watchlist (or sanctions list).

When these rules fire, the alert is routed to a compliance officer or agent, who then has to manually review it by checking multiple data sources and determining whether it is a true match or a false positive.

What is a sanctions list?

A sanctions list is an official register of individuals, organizations, and countries that are subject to economic and legal restrictions. Major sanctions lists include OFAC's SDN list, the EU's Consolidated List, and the UK's OFSI list. These lists are regularly updated as geopolitical situations evolve.

What are false positives vs. true positives?

False positives occur when a screening system flags a transaction or customer as potentially high-risk, but upon investigation, they are found to be legitimate. True positives are actual matches to sanctioned entities that require immediate action. The challenge in sanctions screening is maintaining a high true positive rate while minimizing false positives that consume valuable compliance resources.

About the author
Eduardo Lopez
Head of Marketing