Counterparty Risk Screening: Due Diligence Beyond the SDN List

On March 31, 2026, OFAC published its Guidance on Sham Transactions and Sanctions Evasion, and the document did something that most compliance teams had been dreading for years. It put in writing what enforcement actions had already been proving since late 2024: the 50% ownership rule is a floor, not a ceiling. Running a counterparty risk screening check against the SDN list and walking away when the name comes back clean is no longer a defensible compliance posture. OFAC now expects companies to look past equity percentages and formal ownership charts to assess whether a sanctioned person retains any practical or economic interest in a counterparty. For SMB exporters processing 50 to 200 shipments a month, that landed without an instruction manual.

The SDN list covers names — not relationships, control, or routing

Your SDN list check tells you whether a specific name appears on a specific roster. That is exactly what it was designed to do. What it was not designed to do: map the ownership structure behind the name, trace the routing of goods after delivery, or flag that a counterparty's managing director also sits on the board of a separately designated entity. Name in, result out. Nothing more.

OFAC maintains roughly 13,000 entries on the SDN list as of early 2026. Every watchlist screening tool on the market can match against those entries. Matching works. Problems sit upstream. A Dubai-based trading company with zero SDN hits can still be majority-controlled by a designated Russian oligarch through a Cayman holding structure. A Turkish freight forwarder can clear every denied party screening check while routing semiconductor components to an end-user in a sanctioned jurisdiction.

Harman International's 2024 case showed this pattern in full. Their UAE distributor passed every name-matching screen. Products ended up in Tehran anyway. OFAC characterized the conduct as egregious because internal records showed the U.S. manager knew about Iranian end-customers and kept shipping. So the screening tool did its job. Nobody built anything around it.

We talked to three compliance managers at mid-market electronics exporters in Q1 2026. All three ran Descartes Visual Compliance or a similar platform. All three screened at order entry. None of them could answer a basic question: who owns your distributor's parent company? The answer was buried in corporate registries they did not have access to, or it was not in the registries at all.

OFAC's March 2026 sham transaction guidance raised the diligence floor

Published March 31, 2026, OFAC's Sham Transaction Guidance lays out red flags that should trigger deeper counterparty investigation. At its simplest, the guidance targets arrangements where formal ownership records mask a sanctioned party's actual economic interest.

Those red flags fall into identifiable categories. Transfers completed close in time to a designation. Transfers to family members or close associates. Commercially unreasonable transactions where the stated purpose does not match the economics. Evasive or incomplete responses to diligence questions. Multi-layered holding structures domiciled in jurisdictions with weak supervisory controls. None of these are new to experienced compliance teams. What is new: OFAC wrote them down.

Each of these red flags already appeared in OFAC enforcement actions throughout 2025. GVA Capital ($215.9 million, June 2025) involved a venture capital firm managing investments through a sanctioned oligarch's nephew. OFAC determined the firm knew the nephew functioned as a proxy. IPI Partners confirmed OFAC expects firms to scrutinize whether blocked parties retain decision-making authority through proxies. And the December 2025 individual settlement? An attorney who served as fiduciary for a blocked person's family trust.

What changed in March 2026 was not the enforcement posture. That had been building for eighteen months. What changed was the documentation. OFAC now has published guidance that compliance teams can be measured against during an investigation. Before March 31, a company could argue that sham transaction detection was not formally required. That argument is gone.

For SMB exporters, the operational impact centers on one question: what diligence do you perform on counterparties beyond running their name through a sanctions screening platform? If the answer is "nothing," the March 2026 guidance means your screening program has a documented gap that OFAC has told you to close.

Five counterparty dimensions that list-based screening cannot reach

List-based screening answers one question: does this name appear on a government roster? Counterparty risk screening, done properly, answers five additional questions that no watchlist covers.

Beneficial ownership beyond the 50% threshold. Under the OFAC 50% rule, entities owned 50% or more by sanctioned parties are automatically blocked. But OFAC's March 2026 guidance makes clear interests below 50% still matter when combined with control indicators. A sanctioned person holding 30% equity plus board appointment authority plus veto rights over major transactions retains practical control. Standard UBO screening tools do not map this. BIS's Affiliates Rule, paused until November 10, 2026, will add another layer: it automatically restricts entities with 50% or greater ownership by Entity List or MEU List parties without requiring a separate designation.

Control without equity. Proxy arrangements, management agreements, side letters granting operational authority. GVA Capital showed what this looks like: the nephew held the equity position while the oligarch retained economic benefit and decision-making influence. No equity stake registered in his name anywhere.

Geographic routing after delivery. Your counterparty receives the goods in Dubai. Where do the goods go from there? End-use monitoring provisions under 15 CFR 744 and EAR Part 758 make the exporter responsible for knowing the final destination. Supply chain screening tools check the delivery address. They do not check the forwarding address.

End-use and end-user verification. A medical device manufacturer shipping oscilloscopes to a Singaporean integrator has a due diligence screening obligation to verify whether those oscilloscopes end up in military applications in a restricted jurisdiction. Your customer clears every sanctions list. Your customer's customer might not. End-use statements and post-shipment verification are where this dimension gets covered, and most SMB exporters skip both.

Historical transactional patterns. A counterparty ordering 200 units per quarter suddenly places a 2,000-unit PO with urgent delivery to a new address. No list-based screen catches this. BIS Red Flag Guidance (Supplement No. 3 to Part 732 of the EAR) lists this pattern explicitly. Clean screen result. Still a problem. We have seen compliance teams dismiss order spikes because the name matched clean, and the dismissal ended up in an OFAC investigation file eighteen months later.

Where screening vendors stop and internal diligence starts

Every due diligence risk management conversation at a mid-market exporter eventually hits the same wall. Your third party screening vendor covers list matching, fuzzy name resolution, batch processing, and audit trail generation. Coverage ends at the boundary of publicly available watchlists.

Descartes Visual Compliance, the largest platform in this category, screens against 100+ government watchlists across 180+ countries. It offers OFAC 50% rule screening, beneficial ownership checks, and adverse media modules. What it does not offer: primary-source verification of ownership structures in jurisdictions where corporate registries are unreliable or paywalled. China, the UAE, and Turkey fall into this category.

We see this play out in practice. A compliance officer at a Michigan auto parts manufacturer ran a new Turkish distributor through Visual Compliance in February 2026. Clean result. But the distributor had been incorporated four months earlier, had no web presence, and listed a single individual as both director and shareholder. The customer screening software did what it was asked to do. It searched lists. The compliance officer had to do the rest manually: calling the Turkish trade registry, requesting incorporation documents, asking the distributor for an ownership chart and bank references.

Where exactly does vendor capability end and internal responsibility begin? Vendors handle: list data aggregation, name matching algorithms, screening workflow management, audit log retention, and risk and compliance screening alerts when lists update. Internal teams handle: ownership verification from primary sources, end-use statement collection and verification, on-site or reference-based counterparty validation, post-shipment monitoring, and pattern analysis across historical orders. Nobody advertises that second list on a pricing page.

When a screening platform runs a counterparty check, the name-matching layer executes in seconds. Some platforms also generate a counterparty profile tracking ownership data and historical screening results. Better than a blank spreadsheet. Not a substitute for the five dimensions above.

Building a counterparty file that survives an OFAC subpoena

OFAC's March 2025 extension of record-keeping requirements from five to ten years (effective immediately, 31 CFR Parts 500-599) means every counterparty diligence file created in 2026 needs to hold up under scrutiny through 2036. Ten years. Most of the compliance managers we talk to have not thought about what that means for files they are creating right now.

Six components make up a defensible counterparty file. Missing any one of them creates a gap that OFAC's enforcement division will identify.

First, the initial screening record with timestamp, platform used, lists screened, and match result. Every re-screen record thereafter, with the same data points, dated and stored.

Next: an ownership disclosure from the counterparty. Not a verbal confirmation over email. A signed document identifying all natural persons with 10% or greater beneficial ownership, plus any person with management control regardless of equity percentage. The 10% threshold is not an OFAC requirement. Most compliance consultants and trade law firms use it to stay ahead of the 50% rule, particularly after the March 2026 sham transaction guidance.

Then the end-use statement for controlled products. If the goods fall under EAR jurisdiction with an ECCN other than EAR99, the statement should specify intended application, facility location, and a declaration the goods will not be re-exported without authorization.

Jurisdiction exposure comes after that. Even if the counterparty clears every name screen, the question remains: does the counterparty operate in, transship through, or have subsidiaries in sanctioned jurisdictions? Iran, North Korea, Cuba, Syria, Crimea, and the so-called Donetsk and Luhansk People's Republics still carry full blocking sanctions. Russia carries sectoral sanctions that vary by industry. Document the answer.

A re-screen schedule. OFAC does not specify a screening frequency. But OFAC updates the SDN list three to four times per week. A counterparty screened in January and not re-screened until December has eleven months of unmonitored exposure. Lenzo automates re-screening on a configurable cadence with alerts tied to list version changes. Weekly or event-triggered re-screening is the operational standard that enforcement actions have implicitly set.

A negative finding log. When a re-screen produces a potential match that the compliance officer clears as a false positive, that decision and its reasoning must be documented. Lenzo stores each false positive resolution with the officer's notes and a timestamp, creating an auditable record that OFAC's enforcement division can review. Here is what most teams miss: the false positive resolution is often more important to OFAC than the clean match. It shows the compliance team actually engaged with the data rather than auto-dismissing alerts.

FAQ

What does counterparty risk screening cover that the SDN list does not?

Counterparty risk screening goes beyond name matching to include ownership analysis, geographic routing assessment, end-use verification, and historical transaction pattern review. An SDN list check answers whether a name appears on a government roster. Counterparty screening answers whether the relationship behind the name creates sanctions exposure through control, proxy arrangements, or downstream diversion. OFAC's March 2026 sham transaction guidance formalized this distinction.

How often should I re-screen existing counterparties?

OFAC does not mandate a frequency, but the SDN list updates three to four times weekly. Weekly batch re-screening for active counterparties plus event-triggered re-screening at each new order or shipment is where industry practice has landed. Monthly re-screening leaves gaps that OFAC has flagged in settlement agreements.

Does the OFAC 50% rule still apply after the March 2026 guidance?

Yes, as a bright-line test: entities owned 50% or more by blocked parties are automatically blocked. What the March 2026 guidance changed is the sufficiency of this threshold as a safe harbor. OFAC now explicitly states ownership below 50% combined with control indicators, proxy arrangements, or economic benefit retention can still constitute a blockable interest. Companies can no longer argue a counterparty is clean solely because no single sanctioned party holds a majority stake.

What records does OFAC expect in a counterparty due diligence file?

OFAC's Framework for Compliance Commitments (May 2019, updated guidance) calls for risk-based due diligence proportional to the company's exposure profile. In practice, enforcement settlements reveal OFAC expects: timestamped screening records, ownership disclosures, end-use statements for controlled products, jurisdiction exposure checks, re-screen logs, and documented resolution of any potential matches or red flags. March 2025's record-retention extension to ten years means these files must be maintained through 2036 for anything created in 2026.

Can screening software alone satisfy OFAC's counterparty diligence expectations?

No. OFAC has stated in multiple enforcement notices that a screening program is one element of a compliant sanctions program, not the entire program. IPI Partners and GVA Capital both screened counterparties and still got hit because neither investigated control relationships or proxy structures behind the names that cleared. Software handles list matching and workflow automation. Ownership verification, end-use confirmation, and red flag investigation require human judgment and primary-source research that no screening platform currently automates.

What keeps catching mid-market exporters in 2026 is not a screening failure. Screening works. Everything around it does not. A re-screen trigger tied to shipment release rather than order entry would have caught at least three of the 2025 OFAC enforcement cases involving counterparty diversion. Ten-year record-keeping means the diligence file you build this quarter is the file OFAC reads in 2034. Most ERPs do not generate it automatically. Your compliance officer has to build it, maintain it, and own the re-screen cadence. IT cannot own this workflow because IT does not know when a counterparty relationship changes character. One operational detail we keep running into: companies re-screen the counterparty entity name but not the individuals behind them. A managing director leaves one distributor and joins another. His name never hit a list. But his prior employer did, six months after he left, and OFAC's enforcement division will ask why nobody connected those dots when the new distributor's first PO arrived.