Sanctions Risk Assessment Checklist
A structured checklist for conducting a sanctions risk assessment at your organization.
Customer risk
- Customer base geographic distribution
- High-risk jurisdictions represented
- Crypto vs fiat exposure
- PEP and sanctioned-party exposure
Product risk
- Cross-border payment capabilities
- Wallet-to-wallet transfer features
- Anonymous account features
- High-value transaction thresholds
Channel risk
- Onboarding channels (online, in-person, broker)
- Distribution partners and their controls
- Reseller and marketplace exposure
Controls assessment
- Screening solution in place and tested
- Ongoing monitoring vs point-in-time
- Investigation workflow documented
- Reporting procedures current
Why this checklist exists
This checklist was built for teams handling OFAC screening API. Each item addresses a common failure mode we've seen in real workflows. Skipping a step doesn't save time — it creates rework, disputes, or missed signals downstream.
Related resources
1. Velocity risk
How many unattended transactions can your agent execute per day? An agent processing 500 payments/day carries dramatically higher exposure than one processing 5/day — each payment to a sanctioned counterparty is a separate violation. Score this on the agentmail SEI calculator.
2. Jurisdiction overlap
What percentage of your counterparties are in or near the 16 comprehensively embargoed jurisdictions? Even if your primary market is the US, if your agent can receive transactions from anywhere, your jurisdiction overlap is your total addressable geography. Rate this honestly — an "available globally" product has 100% jurisdiction overlap.
3. Asset class exposure
Crypto carries the highest SDN wallet coverage and the most OFAC enforcement activity. Fiat payments through regulated rails have lower screening exposure because banks perform some screening. If your agent handles stablecoins, native tokens, or cross-chain transfers, your asset class exposure is maximum.
4. Screening posture
Do you screen before every payment? After payment in batch? Not at all? Pre-payment inline screening with an audit trail is the gold standard. Batch screening after the fact means violations have already occurred. No screening at all is the highest-risk posture — OFAC treats this as operating without controls, which is an aggravating factor in penalty calculations.
5. Disclosure readiness
If OFAC contacted you today about a transaction from 3 months ago, could you produce the screening record, the counterparty identity, the payment amount, and the OFAC list version within 5 days? If the answer is no, your disclosure readiness is low. A timestamped audit trail is the single biggest lever for reducing this risk factor.