← Essays
Cross-borderCross-Border PaymentsJune 12, 2026 · 9 min read

SWIFT, AML/CFT, and Sanctions Screening in Practice

Sanctions screening is where compliance theory meets throughput reality. The product decisions live in the list overlay, the matcher, and the review queue.

By Rizwan Zafar
Briefing note

How AML/CFT and sanctions screening actually work on SWIFT-instructed cross-border payments, and the product decisions that decide false-positive rates.

Operator-written9 min read8 sectionsRecruiter-readable

The policy answer is simple; the production system is not. A SWIFT-instructed payment has names, addresses, banks, intermediaries, purpose text and sometimes poor transliteration. The screening product has to decide which ambiguity blocks money and which ambiguity goes to review.

The product decisions inside that compliance envelope determine whether throughput survives, false positives are bearable, and the customer experience is acceptable.

The screening stack

A real screening implementation has four layers:

  1. List management. The lists themselves, OFAC, UN, EU, UK HMT, country-specific, internal, with versioned updates.
  2. Matcher. The algorithm that compares payment parties to list entries.
  3. Decision logic. What automatic actions follow a match (block, hold, allow with logging).
  4. Review queue. The human surface for ambiguous matches.

Each layer is a product. The quality of each determines the false-positive rate and the customer experience.

Which lists, when, and why

The list overlay must reflect:

  • The jurisdictions the platform operates in.
  • The jurisdictions of every party to the payment.
  • Any contractual obligations to sponsoring banks and scheme partners.
  • Any internal sanctions or restricted-counterparty lists.

A platform that screens only against OFAC is non-compliant in most non-US jurisdictions. A platform that screens against every global list with no jurisdictional logic produces an unbearable false-positive rate.

The matcher problem

Sanctions matchers are fuzzy by necessity, names transliterate across scripts, identifiers are inconsistent, and the same person appears multiple ways in different lists.

The product decisions are:

  • Match tolerance. Tighter tolerance reduces false positives but risks misses. Looser tolerance is the reverse.
  • Field weighting. Should a date-of-birth match outweigh a partial name match? In which jurisdictions?
  • Alias handling. Lists include known aliases; the matcher must use them, but with careful tolerance.
  • Negative news. Adverse media screening is a different product than sanctions screening and should not share thresholds.

The right answer varies by program. The wrong answer is to leave the vendor's defaults unchanged.

The review queue is a product

A sanctions hit that requires human review enters a queue. That queue is the highest-stakes UX in the compliance product:

  • Decision support. Reviewers need the matched fields, the candidate list entries, the payment context, and the platform's prior decisions on the same party.
  • SLAs. Every hold has a clock, both the customer's clock and the regulatory clock.
  • Audit trail. Every decision, every reviewer, every justification, append-only.
  • Feedback loop. Every confirmed false positive informs matcher tuning.

A queue without these properties degrades, slower reviews, inconsistent decisions, audit findings.

AML/CFT monitoring vs sanctions screening

The two are often conflated. They are different:

  • Sanctions screening is per-payment, list-based, and largely deterministic.
  • AML/CFT monitoring is pattern-based, behavioral, often model-driven, and operates across many payments and many customers.

Both are required. They need separate engineering, separate metrics, and separate review queues.

ISO 20022 and the data advantage

Structured party data in ISO 20022 messages reduces the matcher's ambiguity. Full structured names, addresses, identifiers, and purpose codes feed cleaner inputs into screening. False positives fall. True positives become easier to confirm.

This is one of the most underrated reasons to take the ISO 20022 migration seriously.

Operator notes

  • The compliance theory is simple; the product decisions are not.
  • Lists, matcher tuning, decision logic, and the review queue are each separate product surfaces.
  • Sanctions screening and AML/CFT monitoring are different products that share infrastructure.
  • ISO 20022 gives the matcher cleaner inputs and reduces false positives at the source.

FAQ

Can fuzzy matching be safely tuned tighter? Only with telemetry, confirmed false positives and confirmed misses over a long enough window.

Is automated decisioning acceptable for sanctions? Auto-block on confirmed exact matches is standard. Auto-clear on partial matches without human review is generally not.

How often should lists be updated? As frequently as the issuing authority publishes, for some lists this is daily.

Tags
AMLCFTsanctions screeningSWIFTcompliance
Rizwan Zafar
Written by
Rizwan Zafar

Chief Product Officer · Payments, Fintech & AI

Payments product & program leader — scaled a regulated multi-rail platform from $0 to $1B+ GTV across five frontier markets. These essays are the public version of how I think through the work.

Continue the conversation

This writing is the public version of how I think through product, programme and payment-infrastructure decisions in regulated markets.

Contact Rizwan
Hiring for a senior payments product role?

Rizwan ZafarChief Product Officer · Payments, Fintech & AI.

Payments Infrastructure Notes

One operator email a week. No filler.

Payment acceptance, settlement and product delivery notes from running $1B+ annual GTV across frontier markets — written for founders and payment leaders.

Weekly at most. Unsubscribe with one reply.