Sanctions Screening API: AML Compliance Made Simple for Developers

If your business moves money, onboards customers, or facilitates transactions of any kind, you are legally required to screen counterparties against sanctions lists. This is not optional. Violating sanctions regulations carries penalties that can reach hundreds of millions of dollars, criminal prosecution for responsible officers, and existential reputational damage. And yet, for most development teams, sanctions screening remains one of the most opaque and difficult compliance requirements to implement correctly.

Edge's Sanctions Screening API makes this straightforward. Send a name, get back a list of potential matches scored by confidence, drawn from 1.2 million entities across 350+ government and regulatory sources. The API handles the fuzzy matching, transliteration, alias resolution, and data aggregation — you handle the business logic of what to do with the results.

Why Sanctions Screening Is Non-Negotiable

The Regulatory Landscape

Sanctions are restrictions imposed by governments and international bodies to cut off designated individuals, organizations, and countries from the global financial system. The major sanctions regimes that affect most businesses include:

• OFAC (U.S.): The Office of Foreign Assets Control maintains the Specially Designated Nationals (SDN) list and several other restricted-party lists. Any transaction that touches the U.S. financial system — which includes any USD-denominated transaction worldwide — falls under OFAC jurisdiction.
• EU Sanctions: The European Union maintains its own consolidated sanctions list, enforced across all EU member states. Financial institutions, payment processors, and any entity operating in the EU must screen against this list.
• UN Security Council: UN sanctions are binding on all member states. The UN Consolidated List includes individuals and entities associated with terrorism, nuclear proliferation, and other threats to international peace.
• HM Treasury (UK): Post-Brexit, the UK maintains its own sanctions regime through the Office of Financial Sanctions Implementation (OFSI). The UK financial sanctions list must be checked independently from the EU list.
• National Lists: Many countries maintain additional domestic sanctions and watchlists — including Australia (DFAT), Canada (OSFI), Switzerland (SECO), and others.

The Legal Obligations

Under anti-money laundering (AML) and counter-terrorism financing (CFT) regulations, financial institutions and designated non-financial businesses have a legal obligation to:

1. Screen customers at onboarding — before establishing a business relationship (Customer Due Diligence under FATF Recommendation 10).
2. Screen ongoing transactions — monitor payments for sanctioned counterparties (FATF Recommendation 16, the "Travel Rule").
3. Screen against updated lists in real-time — sanctions lists change frequently. OFAC alone makes hundreds of updates per year. You must screen against current lists, not a stale copy from last quarter.
4. Maintain records — document your screening process, results, and decisions for regulatory examination (record-keeping requirements vary by jurisdiction but typically require 5-7 year retention).

The Cost of Getting It Wrong

The numbers speak for themselves:

• BNP Paribas (2014): $8.9 billion fine for processing transactions through sanctioned countries (Sudan, Iran, Cuba) over a decade.
• Standard Chartered (2019): $1.1 billion combined settlement with U.S. and UK authorities for sanctions violations related to Iran and other sanctioned regimes.
• Danske Bank (2022): $2 billion settlement related to money laundering and sanctions compliance failures in its Estonian branch.
• Individual liability: Compliance officers and senior management can face personal criminal charges. OFAC can impose civil penalties up to $330,000 per violation (adjusted annually for inflation) even for unknowing violations.

These are not edge cases. These are well-resourced global banks with dedicated compliance departments. For smaller fintechs and payment companies, the margin for error is even thinner because regulators expect the same standard of screening regardless of company size.

What the Edge Sanctions Screening API Covers

Data Sources: 350+ Lists, 1.2M+ Entities

The API screens against a consolidated dataset aggregated from over 350 government and regulatory sources worldwide. This includes:

• OFAC SDN List and all supplementary OFAC lists (Sectoral Sanctions, Non-SDN Menu-Based Sanctions, etc.)
• EU Consolidated Financial Sanctions List
• UN Security Council Consolidated List
• HM Treasury (UK) Financial Sanctions List
• DFAT (Australia) Consolidated List
• OSFI (Canada) Consolidated List
• SECO (Switzerland) Sanctions List
• National terrorism and proliferation watchlists from dozens of additional jurisdictions
• Politically Exposed Persons (PEP) databases — individuals holding or having held prominent public functions
• Adverse media — structured data on individuals and organizations associated with financial crime, fraud, or regulatory enforcement

The total dataset covers over 1.2 million distinct entities with their known aliases, transliterations, dates of birth, nationalities, identity documents, and associated addresses.

Entity Types

The API screens across three entity categories:

• Individuals: Natural persons — sanctioned individuals, PEPs, and persons of interest. The API handles name variations, transliterations from non-Latin scripts, and common aliases.
• Organizations: Legal entities — designated companies, front organizations, shell companies, and entities owned or controlled by sanctioned persons.
• Vessels: Ships and aircraft — particularly relevant for trade finance, maritime insurance, and commodity trading. Vessel screening uses IMO numbers, MMSI numbers, and vessel names.

Fuzzy Matching and Scoring

Exact-match screening is insufficient for real-world compliance. Names are transliterated differently, misspelled, abbreviated, and intentionally obfuscated. The Edge API uses fuzzy matching algorithms that account for:

• Phonetic similarity: "Mohammed" / "Muhammad" / "Mohamed" — these are treated as potential matches.
• Transliteration variants: Arabic, Cyrillic, Chinese, and other non-Latin scripts produce multiple valid Latin transliterations for the same name.
• Abbreviations and initials: "J. Smith" matching "John Smith" or "James Smith".
• Name order variations: Many cultures do not follow the Western "given name, family name" convention. The API considers all permutations.
• Partial matches: Matching against aliases, also-known-as (AKA) names, and formerly-known-as (FKA) names.

Every potential match is returned with a confidence score from 0 to 100, reflecting the strength of the match. Your compliance team defines the threshold for review — a common approach is to auto-clear scores below 70, flag scores between 70-90 for manual review, and escalate scores above 90.

API Usage

Basic Individual Screening

curl -X POST "https://api.edge.bh/v1/sanctions/screen" \
  -H "X-Api-Key: your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Viktor Bout",
    "type": "individual",
    "date_of_birth": "1967-01-13",
    "nationality": "RU"
  }'

Response:

{
  "success": true,
  "data": {
    "query": {
      "name": "Viktor Bout",
      "type": "individual"
    },
    "total_matches": 2,
    "matches": [
      {
        "score": 98,
        "entity": {
          "name": "Viktor BOUT",
          "type": "individual",
          "aliases": [
            "Viktor Butt",
            "Viktor But",
            "Viktor Sergeevich Bout"
          ],
          "date_of_birth": "1967-01-13",
          "nationality": "Russian Federation",
          "sources": [
            "OFAC SDN List",
            "UN Security Council Consolidated List",
            "EU Financial Sanctions List"
          ],
          "listed_on": "2004-06-09",
          "reason": "Arms trafficking",
          "programs": [
            "SDGT",
            "Former Liberia Sanctions"
          ],
          "identifications": [
            {
              "type": "Passport",
              "country": "RU",
              "number": "REDACTED"
            }
          ]
        }
      }
    ],
    "screened_at": "2026-03-10T14:23:01Z"
  },
  "credits_used": 3,
  "credits_remaining": 4200
}

Organization Screening

curl -X POST "https://api.edge.bh/v1/sanctions/screen" \
  -H "X-Api-Key: your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Petrochemical Commercial Company International",
    "type": "organization",
    "country": "IR"
  }'

Vessel Screening

curl -X POST "https://api.edge.bh/v1/sanctions/screen" \
  -H "X-Api-Key: your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "GRACE 1",
    "type": "vessel",
    "imo_number": "9116412"
  }'

Integration Patterns

Customer Onboarding (KYC)

The most common integration point is during customer registration or KYC onboarding. Screen the customer's name before activating their account:

async function screenCustomer(customer) {
  const response = await fetch("https://api.edge.bh/v1/sanctions/screen", {
    method: "POST",
    headers: {
      "X-Api-Key": process.env.EDGE_API_KEY,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      name: `${customer.firstName} ${customer.lastName}`,
      type: "individual",
      date_of_birth: customer.dateOfBirth,
      nationality: customer.nationality,
    }),
  });

  const result = await response.json();
  const matches = result.data.matches;

  if (matches.length === 0) {
    // No matches — proceed with onboarding
    return { status: "clear", matches: [] };
  }

  const highConfidence = matches.filter((m) => m.score >= 90);
  const mediumConfidence = matches.filter((m) => m.score >= 70 && m.score < 90);

  if (highConfidence.length > 0) {
    // High-confidence match — block onboarding, escalate to compliance
    return { status: "blocked", matches: highConfidence };
  }

  if (mediumConfidence.length > 0) {
    // Potential match — flag for manual review
    return { status: "review", matches: mediumConfidence };
  }

  // Low-confidence matches only — proceed with note
  return { status: "clear_with_notes", matches };
}

Transaction Monitoring

For payment platforms, screen the counterparty of every outbound transaction:

async function screenTransaction(transaction) {
  // Screen the beneficiary
  const beneficiaryResult = await screenCustomer({
    firstName: transaction.beneficiary.firstName,
    lastName: transaction.beneficiary.lastName,
    nationality: transaction.beneficiary.country,
  });

  // Screen the beneficiary's bank (organization check)
  const bankResult = await fetch("https://api.edge.bh/v1/sanctions/screen", {
    method: "POST",
    headers: {
      "X-Api-Key": process.env.EDGE_API_KEY,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      name: transaction.beneficiary.bankName,
      type: "organization",
      country: transaction.beneficiary.country,
    }),
  }).then((r) => r.json());

  // Decision logic
  if (beneficiaryResult.status === "blocked" || bankResult.data.matches.some((m) => m.score >= 90)) {
    await blockTransaction(transaction.id, "sanctions_match");
    await notifyComplianceTeam(transaction, beneficiaryResult, bankResult);
    return { approved: false, reason: "sanctions_match" };
  }

  if (beneficiaryResult.status === "review") {
    await holdTransaction(transaction.id, "pending_review");
    await notifyComplianceTeam(transaction, beneficiaryResult, bankResult);
    return { approved: false, reason: "pending_review" };
  }

  return { approved: true };
}

Python — Batch Screening

For bulk onboarding or periodic re-screening of your existing customer base:

import requests
import os
import time

def screen_entity(name: str, entity_type: str = "individual", **kwargs) -> dict:
    payload = {
        "name": name,
        "type": entity_type,
        **kwargs,
    }
    response = requests.post(
        "https://api.edge.bh/v1/sanctions/screen",
        json=payload,
        headers={
            "X-Api-Key": os.environ["EDGE_API_KEY"],
            "Content-Type": "application/json",
        },
    )
    response.raise_for_status()
    return response.json()

def batch_screen_customers(customers: list) -> list:
    results = []
    for customer in customers:
        result = screen_entity(
            name=f"{customer['first_name']} {customer['last_name']}",
            entity_type="individual",
            nationality=customer.get("nationality"),
            date_of_birth=customer.get("dob"),
        )
        matches = result["data"]["matches"]
        results.append({
            "customer_id": customer["id"],
            "name": f"{customer['first_name']} {customer['last_name']}",
            "match_count": len(matches),
            "highest_score": max((m["score"] for m in matches), default=0),
            "matches": matches,
        })
        time.sleep(0.1)  # Rate limiting courtesy
    return results

# Re-screen all active customers
flagged = [r for r in batch_screen_customers(active_customers) if r["highest_score"] >= 70]
print(f"Flagged {len(flagged)} customers for review")

Building a Compliance Workflow

Sanctions screening is not just an API call — it is part of a broader compliance process. Here is how mature fintech teams structure their screening workflow:

1. Screen at Onboarding

Every new customer, vendor, or counterparty is screened before the business relationship is established. The API call happens as part of your KYC flow, after identity verification but before account activation.

2. Screen at Transaction Time

Outbound payments are screened against the beneficiary name and the beneficiary's financial institution. Inbound payments from unknown parties may also warrant screening depending on your risk appetite and regulatory requirements.

3. Periodic Re-Screening

Sanctions lists change constantly. OFAC alone updates its SDN list multiple times per month. Customers who were clean at onboarding may be designated later. Best practice is to re-screen your entire active customer base on a regular cadence — weekly for high-risk segments, monthly for standard risk.

4. Record Every Result

Regulators expect to see evidence of your screening program. Every API response should be logged with the query parameters, timestamp, results, and the action taken. The Edge API includes a screened_at timestamp in every response for this purpose.

5. Define and Document Thresholds

Your compliance team should define clear, documented thresholds for match scores:

• Auto-clear (below 70): No matches or very low-confidence matches. Proceed automatically.
• Manual review (70-89): Potential match requiring a compliance analyst to review and make a determination.
• Auto-block (90+): High-confidence match. Block the transaction or account and escalate immediately.

These thresholds should be documented in your AML policy and reviewed periodically. The specific numbers depend on your risk appetite and regulatory environment — some regulators expect thresholds as low as 50 for initial flagging.

Combining with Other Edge APIs

Sanctions screening is most effective when combined with other data validation:

• IBAN Validation: Validate the account structure before screening the account holder. A syntactically invalid IBAN may indicate a data entry error rather than a sanctioned party.
• Commercial Registration Lookup: When onboarding a business entity, verify their commercial registration independently. Cross-reference the registered entity name with your sanctions screening results.
• Email Validation: Verify that the contact email is deliverable and not associated with known fraud patterns, as part of a holistic KYC check.

Regulatory Context by Region

United States

Financial institutions, money services businesses (MSBs), and their technology providers are subject to OFAC regulations. The Bank Secrecy Act (BSA) requires AML programs that include sanctions screening. FinCEN enforces BSA compliance, while OFAC enforces sanctions. Both can impose civil and criminal penalties independently.

European Union

The EU's Anti-Money Laundering Directives (currently the 6th AMLD, with AMLA — the Anti-Money Laundering Authority — becoming operational) require obliged entities to implement customer due diligence including sanctions screening. The EU sanctions regime is enforced at the member-state level, with penalties varying by jurisdiction.

Gulf Cooperation Council (GCC)

GCC countries have been strengthening their AML/CFT frameworks in alignment with FATF recommendations. The Central Bank of Bahrain (CBB), the UAE Central Bank, and the Saudi Arabian Monetary Authority (SAMA) all require licensed financial institutions to screen against domestic and international sanctions lists. The UAE's Executive Office for AML/CFT has been particularly active in enforcement.

United Kingdom

Post-Brexit, the UK operates its own sanctions regime under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA). OFSI enforces financial sanctions, and the FCA supervises AML compliance for regulated firms. UK financial institutions must screen against both the UK sanctions list and (in practice) OFAC and EU lists due to correspondent banking relationships.

Pricing

Sanctions screening costs 3 credits per screening request due to the computational complexity of fuzzy matching across 1.2M+ entities. This reflects the depth of matching — phonetic algorithms, transliteration handling, and scoring across multiple name fields for every entity in the database.

The credit cost is per screening call, not per match returned. A screening that returns zero matches costs the same as one that returns ten matches.

Get started at app.edge.bh with free credits. Test your integration against known sanctioned entities (OFAC publishes its full SDN list publicly, so you can use real names for testing).

Frequently Asked Questions

How often are the sanctions lists updated?

The underlying sanctions data is aggregated from 350+ sources and updated continuously. When OFAC publishes a new SDN designation, EU adds an entity to its consolidated list, or the UN Security Council updates its sanctions committee list, those changes are reflected in the API. You do not need to manage list update schedules yourself — every API call screens against the current state of all lists.

What happens when a name has many low-confidence matches?

Common names like "Mohammed Ali" or "John Smith" will naturally produce more matches. The confidence scoring system is designed to handle this — low-confidence matches (below 70) typically reflect coincidental name overlaps and can be auto-cleared in most compliance frameworks. The additional parameters (date of birth, nationality, country) significantly reduce false positives. Always provide as many parameters as you have available.

Can I use this API for PEP (Politically Exposed Persons) screening?

Yes. The API's dataset includes PEP databases covering current and former heads of state, senior government officials, senior executives of state-owned enterprises, and their immediate family members and close associates. PEP screening is a distinct obligation under FATF Recommendation 12 (for foreign PEPs) and Recommendation 22 (for domestic PEPs).

Is the API sufficient to meet my AML compliance obligations?

The API provides the screening engine, but AML compliance requires more than technology. You need documented policies and procedures, a designated compliance officer, risk-based thresholds for match handling, record-keeping practices, and staff training. The Edge API is a critical component of the technical infrastructure, but it operates within your broader AML program. Consult with a compliance advisor familiar with your jurisdiction to ensure your overall program meets regulatory expectations.

How do I handle false positives?

False positives are inherent to name-based screening. The recommended approach is to define clear escalation tiers based on confidence scores, require manual review by a trained compliance analyst for medium-confidence matches, document the rationale for clearing false positives, and maintain an internal whitelist of reviewed-and-cleared entities to reduce repeated false positive alerts for the same customer. The API's confidence scoring is calibrated to minimize false positives while maintaining regulatory defensibility.

What is the latency of a screening request?

Screening requests typically complete within 1-3 seconds, depending on the number of matches found and the specificity of the query. Providing additional parameters (date of birth, nationality, country) narrows the search space and can reduce response times. The API is designed for real-time integration into onboarding and transaction flows — it is not a batch-only service, though you can certainly use it for batch screening as well.

---

Sanctions compliance does not have to be a black box. Create your Edge account and integrate production-grade sanctions screening into your application today. One API call, 1.2 million entities, 350+ sources — and the confidence scoring to make it actionable.