Sanctions Risk Assessment Checklist

A structured checklist for conducting a sanctions risk assessment at your organization.

How to use: work through each section in order. Don't skip steps — the order matters.

Customer risk

Product risk

Channel risk

Controls assessment

Why this checklist exists

This checklist was built for teams handling OFAC screening API. Each item addresses a common failure mode we've seen in real workflows. Skipping a step doesn't save time — it creates rework, disputes, or missed signals downstream.

Automate it: SanctionsAI handles most of these checklist items automatically through its OFAC screening API workflow.

1. Velocity risk

How many unattended transactions can your agent execute per day? An agent processing 500 payments/day carries dramatically higher exposure than one processing 5/day — each payment to a sanctioned counterparty is a separate violation. Score this on the agentmail SEI calculator.

2. Jurisdiction overlap

What percentage of your counterparties are in or near the 16 comprehensively embargoed jurisdictions? Even if your primary market is the US, if your agent can receive transactions from anywhere, your jurisdiction overlap is your total addressable geography. Rate this honestly — an "available globally" product has 100% jurisdiction overlap.

3. Asset class exposure

Crypto carries the highest SDN wallet coverage and the most OFAC enforcement activity. Fiat payments through regulated rails have lower screening exposure because banks perform some screening. If your agent handles stablecoins, native tokens, or cross-chain transfers, your asset class exposure is maximum.

4. Screening posture

Do you screen before every payment? After payment in batch? Not at all? Pre-payment inline screening with an audit trail is the gold standard. Batch screening after the fact means violations have already occurred. No screening at all is the highest-risk posture — OFAC treats this as operating without controls, which is an aggravating factor in penalty calculations.

5. Disclosure readiness

If OFAC contacted you today about a transaction from 3 months ago, could you produce the screening record, the counterparty identity, the payment amount, and the OFAC list version within 5 days? If the answer is no, your disclosure readiness is low. A timestamped audit trail is the single biggest lever for reducing this risk factor.

Try SanctionsAI

Free OFAC sanctions screening API.

Get started →