AML Screening, Sanctions & PEP
Screening is central to what we do. We check customers and transactions against sanctions lists, PEP databases, and adverse media before we let them through. The worst failure this company can have is letting someone through who should have been stopped. Every screening decision must fail closed, be evidenced, and never be silently bypassed.
This guideline shows how screening and sanctions/PEP logic must behave in code. The compliance team defines what to check and the thresholds. Engineering must make sure the checks actually run, that uncertainty is resolved safely, that decisions are recorded so they cannot be changed, and that controls cannot be quietly turned off. It brings together the fail-closed rule (Designing for Failure), evidence (Auditability & Evidence), and human oversight (High-Risk AI) for this one critical area.
The Finperiti audit found the worst version of getting this wrong: KYC/AML webhooks that accepted unsigned, forgeable payloads. This meant a fake "approved" message could pass someone through with no real check. The rules here exist so that a missing, errored, forged, or unrecognised result can never become an approval.
Fail closed, always
- Always: Block and escalate whenever a screening, sanctions, PEP, or KYC check is missing, errored, timed out, or returned a result you do not recognise. The safe default is never "approve".
- Always: Treat an unknown or unmapped input (country, document type, industry, risk band) as high risk and escalate it to a human. Never silently map it to low or medium.
- Do: Check that inbound screening/KYC results are genuine (signed webhooks, verified provider responses) before you act on them. A forged result must never drive a decision (see Trust Boundaries).
- Do: Require a clear "pass" result from a completed check before you proceed. "No hit so far" is not the same as a completed clear check.
- Never: Auto-approve a customer, transaction, or onboarding when a required check is incomplete, errored, or unverified.
```csharp
// Bad: the exception raised on timeout is swallowed upstream and read as "no hit".
var hit = sanctions.Screen(customer); // throws on timeout
// caught upstream and treated as: no hit -> proceed
```
Here a provider timeout becomes a silent approval: a sanctioned person could be onboarded with no screening at all. This is the most dangerous AML failure, and exactly what failing closed prevents.
```csharp
async Task<Decision> ScreenOrHold(Customer customer, Actor actor, CancellationToken ct)
{
    ScreeningResult r;
    try { r = await sanctions.ScreenAsync(customer, ct); }
    catch (Exception e) when (e is TimeoutException or OperationCanceledException) { return Decision.BlockAndEscalate("screening errored: " + e.GetType().Name); } // fail closed on error/timeout
    if (r.Status != ScreeningStatus.Completed) return Decision.BlockAndEscalate("screening incomplete"); // pending, errored, or a status we do not know
    if (r.HasHit) return Decision.Escalate(r); // human review
    audit.Record("Sanctions.Clear", customer, r.ListVersion, actor); // evidence: decision + list version + actor
    return Decision.Proceed;
}
```
Only a completed, recognised clear result proceeds. Anything else is held for a human. The decision and the list version are recorded as evidence.
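The snippets above assume the provider is called synchronously. Many providers instead deliver results by webhook, which is the path the Finperiti audit found forgeable. The following is an added example, in the same C# as the page's snippets but not code from the page or from any real provider, of how the fail-closed rules above apply to an inbound webhook: the signature is verified before anything else, a stale or malformed message is rejected, an unparseable body or a status that is not one of the two recognised terminal values is held, and an unmapped country is treated as high risk. The provider contract is assumed for illustration (headers named X-Screening-Timestamp and X-Screening-Signature, HMAC-SHA256 over "{timestamp}.{body}", a five-minute replay window), as are the shared secret, the country risk table and the JSON field names; it needs .NET 6 or later for HMACSHA256.HashData.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Added example (not the page's code). Hypothetical provider contract, assumed for illustration:
//   X-Screening-Timestamp = unix seconds, X-Screening-Signature = hex HMAC-SHA256 over "{timestamp}.{body}".
public enum Outcome { Proceed, Escalate, BlockAndEscalate }
public sealed record Decision(Outcome Outcome, string Reason);

public static class ScreeningWebhook
{
    static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5); // replay window; assumed value

    // True only for a signature that is present, well-formed, fresh and matches the exact body bytes.
    public static bool VerifySignature(string body, string? signatureHex, string? timestamp, byte[] secret, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(signatureHex) || string.IsNullOrEmpty(timestamp)) return false;
        if (!long.TryParse(timestamp, out var ts)) return false;
        DateTimeOffset sent;
        try { sent = DateTimeOffset.FromUnixTimeSeconds(ts); } catch (ArgumentOutOfRangeException) { return false; }
        if ((now - sent).Duration() > MaxSkew) return false; // stale or replayed message
        byte[] provided;
        try { provided = Convert.FromHexString(signatureHex); } catch (FormatException) { return false; }
        var expected = HMACSHA256.HashData(secret, Encoding.UTF8.GetBytes($"{timestamp}.{body}"));
        return CryptographicOperations.FixedTimeEquals(provided, expected); // constant-time; a length mismatch is simply false
    }

    // Every path that is not a verified, completed result ends in BlockAndEscalate.
    public static Decision Decide(string body, string? signatureHex, string? timestamp, byte[] secret, DateTimeOffset now)
    {
        if (!VerifySignature(body, signatureHex, timestamp, secret, now))
            return new Decision(Outcome.BlockAndEscalate, "webhook signature missing, stale or invalid");

        string status;
        bool hit;
        try
        {
            using var doc = JsonDocument.Parse(body);
            status = doc.RootElement.GetProperty("status").GetString() ?? "";
            hit = doc.RootElement.TryGetProperty("hit", out var h) && h.ValueKind == JsonValueKind.True;
        }
        catch (Exception e) when (e is JsonException or KeyNotFoundException or InvalidOperationException)
        {
            return new Decision(Outcome.BlockAndEscalate, "webhook payload unparseable");
        }

        return status switch
        {
            "completed" when hit => new Decision(Outcome.Escalate, "hit: human review required"),
            "completed" => new Decision(Outcome.Proceed, "completed clear"),
            // "pending", "error", "timeout" and any status we have never seen all land here.
            _ => new Decision(Outcome.BlockAndEscalate, $"unrecognised or incomplete status '{status}'"),
        };
    }

    // Unknown or unmapped inputs are high risk and go to a human; they are never defaulted to Low or Medium.
    static readonly Dictionary<string, string> CountryRisk = new() { ["DE"] = "Low", ["BR"] = "Medium" }; // constructed table
    public static (string Band, bool Escalate) RiskBand(string? countryCode) =>
        countryCode is not null && CountryRisk.TryGetValue(countryCode, out var band) ? (band, false) : ("High", true);
}

public static class Program
{
    public static void Main()
    {
        var secret = Encoding.UTF8.GetBytes("shared-webhook-secret"); // constructed; a real secret comes from a vault
        var now = DateTimeOffset.UtcNow;
        var ts = now.ToUnixTimeSeconds().ToString();
        var body = "{\"status\":\"completed\",\"hit\":false}";

        // Forged "approved" message with no signature: blocked, not approved.
        Console.WriteLine(ScreeningWebhook.Decide(body, null, ts, secret, now));
        // Genuine message: proceeds only because signature, freshness and status all check out.
        var sig = Convert.ToHexString(HMACSHA256.HashData(secret, Encoding.UTF8.GetBytes($"{ts}.{body}")));
        Console.WriteLine(ScreeningWebhook.Decide(body, sig, ts, secret, now));
        // Correctly signed message carrying a status we do not recognise: blocked and escalated.
        var odd = "{\"status\":\"review_later\"}";
        var oddSig = Convert.ToHexString(HMACSHA256.HashData(secret, Encoding.UTF8.GetBytes($"{ts}.{odd}")));
        Console.WriteLine(ScreeningWebhook.Decide(odd, oddSig, ts, secret, now));
        // Country not in the risk table: High, with escalation.
        Console.WriteLine(ScreeningWebhook.RiskBand("XX"));
    }
}
```

Two points worth noticing. The signature covers the raw body bytes as received, so the check must run before any deserialisation or re-serialisation; verifying a signature over a re-encoded body is a common way to make the check pass for payloads the provider never sent. And the switch has exactly two arms that do anything other than block: a new status value the provider starts emitting can only ever make onboarding stop, never make it approve.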
Keep evidence, keep control
- Always: Record every screening decision so it cannot be changed. Save the inputs, the lists/provider and their versions, the result, who or what decided, and when. This lets you rebuild and defend the decision later (see Auditability & Evidence).
- Do: Keep a human involved for matches, escalations, and overrides. Record the reviewer and the reason (see High-Risk AI).
- Do: Re-screen on the right triggers (list updates, periodic review, major changes), not just at onboarding. Sanctions status changes over time.
- Do: Make any screening kill-switch or threshold change a controlled, approved, audited action with a clear owner.
- Never: Disable, bypass, or weaken a screening/monitoring control, including the kill-switch, without authorisation and a permanent audit record.
- Never: Suppress, edit, or delete a Suspicious Activity Report, alert, or other statutory AML/KYC evidence. It is append-only.
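One way to make "recorded so it cannot be changed" concrete in code is an append-only log whose entries are hash-chained, so that editing, deleting or reordering any past decision is detectable. The following is an added example in C#, not code from the page or from any library the page names; the record fields follow the list above (inputs, provider and list version, result, actor, time), while the type names, the SHA-256 chaining scheme and the sample entries are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Added example (not the page's code): a hash-chained, append-only record of screening decisions.
// Saved per decision: inputs (as a hash), provider and list version, result, actor and time.
public sealed record ScreeningEvidence(
    string Event, string CustomerId, string Provider, string ListVersion,
    string InputsHash, string Result, string Actor, DateTimeOffset At);

public sealed record AuditEntry(long Seq, ScreeningEvidence Evidence, string PrevHash, string Hash);

public sealed class AppendOnlyAuditLog
{
    static readonly string Genesis = new string('0', 64);
    readonly List<AuditEntry> _entries = new();
    public IReadOnlyList<AuditEntry> Entries => _entries; // deliberately no Update or Delete

    public AuditEntry Append(ScreeningEvidence e)
    {
        var prev = _entries.Count == 0 ? Genesis : _entries[^1].Hash;
        var seq = _entries.Count + 1;
        var entry = new AuditEntry(seq, e, prev, ComputeHash(seq, e, prev));
        _entries.Add(entry);
        return entry;
    }

    // Recomputes the chain from the start; an edited, removed or reordered entry breaks it from that point on.
    public static bool Verify(IReadOnlyList<AuditEntry> entries)
    {
        var prev = Genesis;
        for (var i = 0; i < entries.Count; i++)
        {
            var e = entries[i];
            if (e.Seq != i + 1 || e.PrevHash != prev || e.Hash != ComputeHash(e.Seq, e.Evidence, prev)) return false;
            prev = e.Hash;
        }
        return true;
    }

    // Hash of the screening inputs, so the record proves what was screened without copying raw PII into the chain.
    public static string HashInputs(object inputs) =>
        Convert.ToHexString(SHA256.HashData(JsonSerializer.SerializeToUtf8Bytes(inputs)));

    static string ComputeHash(long seq, ScreeningEvidence e, string prev)
    {
        var canonical = JsonSerializer.SerializeToUtf8Bytes(new { seq, prev, e }); // fixed field order
        return Convert.ToHexString(SHA256.HashData(canonical));
    }
}

public static class Program
{
    public static void Main()
    {
        var log = new AppendOnlyAuditLog();
        var inputs = new { Name = "A. Example", Dob = "1980-01-01", Country = "DE" }; // constructed sample
        log.Append(new ScreeningEvidence("Sanctions.Clear", "cust-1", "provider-x", "list-2024-05-01",
            AppendOnlyAuditLog.HashInputs(inputs), "clear", "svc:onboarding", DateTimeOffset.UtcNow));
        log.Append(new ScreeningEvidence("Sanctions.Hit.Reviewed", "cust-2", "provider-x", "list-2024-05-01",
            AppendOnlyAuditLog.HashInputs(inputs), "false-positive", "reviewer:jdoe", DateTimeOffset.UtcNow));
        Console.WriteLine(AppendOnlyAuditLog.Verify(log.Entries));

        // Attempt to rewrite history: turn the reviewed hit into a plain clear. The chain no longer verifies.
        var tampered = new List<AuditEntry>(log.Entries);
        tampered[1] = tampered[1] with { Evidence = tampered[1].Evidence with { Result = "clear" } };
        Console.WriteLine(AppendOnlyAuditLog.Verify(tampered));
    }
}
```

The chain makes tampering detectable, not impossible: whoever can rewrite the whole store can also rewrite the chain. In practice the head hash is anchored somewhere the writing service cannot reach (a WORM bucket, a separate system, a periodic signed checkpoint), and the log's write path has no code for update or delete at all, which is what "append-only" for SARs and alerts means at the implementation level.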
Self-review checklist
- Ask: If this check errors, times out, or returns something unexpected, is the customer approved or held? (It must be held.)
- Ask: Is the result genuine and from a completed check, not assumed, forged, or just "no hit so far"?
- Ask: Is the decision recorded so it cannot be changed, with inputs, list versions, actor, and time?
- Ask: Could this control be turned off or weakened without authorisation and an audit trail?