Five strategies towards third-party sanctions compliance in the real world

In today’s interconnected global economy, organisations face mounting pressure to ensure their third-party relationships do not inadvertently violate sanctions regulations. As per McKinsey, the landscape has grown more complex, with the number of globally designated sanctioned persons and entities rising almost fivefold from approximately 17,000 in 2017 to 82,000 in March 2025. This dramatic expansion, driven largely by geopolitical tensions, has made sanctions compliance a critical component of third-party risk management (TPRM).


The evolving sanctions environment

The sanctions landscape has undergone significant transformation over recent years. According to Moody’s analysis of 2024-2025 compliance trends, geopolitical tensions and ensuing sanctions targeting specific individuals and entities have dominated the regulatory environment. The Russia-Ukraine war has necessitated ongoing vigilance in sanctions screening, monitoring and detection of evasion tactics.

Organisations now grapple with an ever-expanding list of restricted parties, forcing them to investigate complex ownership structures, adding layers of difficulty to compliance efforts. Since engaging with third parties is practically unavoidable for operational efficiency and success, organisations face increased difficulties in ensuring all relationships are clear and above board.


Sanctions compliance

Sanctions compliance does not mean complying with international laws and regulations alone; it also means safeguarding the organisation from potential reputational damage and financial crimes, such as terrorism financing and money laundering. Effective TPRM requires following a comprehensive and structured strategy playbook. Listed here are five effective strategies.


  1. Comprehensive screening and due diligence

    The foundation of effective sanctions compliance begins with thorough screening processes. In the US, the Federal Reserve’s 2024 guidance on TPRM emphasises that organisations must screen against the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons (SDN) list and all other sanctions lists to ensure third parties and their employees, contractors or grantees are not sanctioned by the US government.

    However, screening alone is insufficient. Sanctions.io recommends a multi-layered approach incorporating different levels of screening processes to ensure comprehensive coverage of sanctions lists, thereby providing a robust defence against financial crimes. This aligns with broader anti-money laundering (AML) services that address various financial crime risks.

    Due diligence extends beyond merely checking names against sanctions lists. According to compliance management solutions provider GAN Integrity, the process requires a thorough examination of the third party’s background, operations and relationships, including assessment of geopolitical, financial and reputational risks associated with their location and operations. Companies must evaluate whether suppliers operate in countries with known human rights violations or political instability, as these factors elevate the risk of sanctions exposure.

    Since 2025, geopolitical risk intelligence has become integral to vendor due diligence. Organisations are implementing Ultimate Beneficial Ownership (UBO) analysis to enhance transparency into who owns and controls third-party entities, preventing exposure to sanctioned organisations. Companies are also mapping their vendor ecosystems to identify overreliance on specific countries or industries prone to geopolitical disruptions. The objective is to diversify supplier bases to reduce dependence on vendors concentrated in high-risk regions.


  2. Technology-driven solutions

    Sanctions compliance increasingly relies on technological solutions to manage the volume and complexity of screening requirements. Technology enables organisations to automate screening, monitoring and data analysis, allowing real-time risk assessments and enhanced due diligence.

    Automated screening solutions capable of tracking recent sanctions lists can significantly streamline compliance efforts. These systems, commonly integrated within AML financial services, utilise exact matches, fuzzy logic for partial matches and phonetic matching for similar-sounding names to identify potential risks. Through deep automated investigation during post-processing and enrichment with third-party data, automated decision-making and faster alert investigation become possible, reducing overall sanctions risks. Many organisations are turning to Know Your Customer-as-a-Service (KYCaaS) providers to access sophisticated screening capabilities without building costly in-house infrastructure.

    However, technology implementation must be accompanied by proper governance frameworks. As software firm 3rdRisk notes in its 2025 best practices guidance, organisations must be able to demonstrate their due diligence processes through proper documentation, showing regulators evidence that all vendors were screened against sanctions lists during specified quarters.


  3. Continuous monitoring and reassessment

    A critical mistake many organisations make is conducting thorough checks during onboarding only but failing to update due diligence over time. Research shows that over 80% of legal and compliance leaders have identified third-party risks after initial onboarding, showing that if continuous monitoring is not implemented, many issues will go unnoticed.

    Best practices require implementing both ongoing passive monitoring through external data sources and news alerts, as well as periodic active reviews. For high-risk third parties, due diligence should be renewed every 2–3 years at least. Risk-based refreshing schedules should be established, with annual updates for high-risk entities and bi-annual reviews for medium-risk relationships.


  4. Recent enforcement lessons

    The importance of robust sanctions compliance was underscored by OFAC’s 2024 enforcement actions. Morrison Foerster’s analysis of these cases revealed several critical lessons. In one notable case, OFAC emphasised that even when outsourcing parts of the business, it is important to have controls in place to prevent any further engagement with blocked or sanctioned parties immediately upon discovery.

    Companies were also cautioned to carefully consider any risks arising from arrangements involving third parties who had a different approach to compliance. This highlights the necessity of accounting for third-party risk preferences in periodic risk assessments and incorporating questions about risk appetite into third-party KYC and onboarding procedures. Organisations increasingly leverage KYCaaS solutions to streamline these processes while maintaining compliance standards.


  5. Building organisational capacity

    Effective sanctions compliance requires more than technology — it demands investment in human capital, whether through internal teams or outsourced AML services. Organisations should build well-equipped compliance teams capable of navigating complex sanctions environments and mitigating risks effectively. Relationship managers should be given formal responsibilities for anti-bribery due diligence, training and monitoring of high-risk third parties. These responsibilities should be addressed through job descriptions, appraisals and performance reviews.


Conclusion

As sanctions regimes continue to expand and evolve, organisations must adopt comprehensive, technology-enabled approaches to TPRM. Such an approach forms the cornerstone of effective sanctions compliance. With regulatory enforcement becoming more strict and the cost of non-compliance increasing, these strategies are no longer optional but essential for organisations operating in the global marketplace.


How can Infosys BPM help?

Infosys BPM’s Comprehensive Financial Crime Compliance Solutions combines advanced technology and expert advisory services to help organisations manage financial crime regulatory compliance. With advanced analytics and AI/ML/RPA-driven automation, we help our clients detect fraud and suspicious transactions in real time and meet compliance requirements.