How Governments Build Sanctions Lists: The Designation Process Explained

Sanctions lists get treated like static reference databases — something you check once and move on. That framing causes problems. A designation can land on a Friday afternoon with no advance notice, no press release, and no grace period. By Monday morning, any open transaction with that party is potentially unlawful. The question isn't whether your screening tool has the list. It's whether you understand what the list actually is and how fast it changes.

What a Sanctions List Actually Is Under Law

A sanctions list is a legally binding instrument, not a curated database. Its authority comes from a specific legal source: an executive order, a congressional statute, or a UN Security Council resolution.

OFAC's SDN List draws authority from the International Emergency Economic Powers Act (IEEPA) and multiple executive orders issued under it. When OFAC adds an entity to the SDN List, it isn't updating a spreadsheet. It's issuing a legal determination that triggers asset freezing and transaction prohibitions for any U.S. person, regardless of where the transaction occurs.

That last point catches a lot of SMB exporters off guard. OFAC's jurisdiction doesn't stop at the U.S. border. "U.S. persons" includes U.S.-incorporated companies and their foreign subsidiaries in many cases.

If your company is incorporated in the U.S. and you've structured an overseas entity to handle international sales, that entity may not be outside OFAC's reach the way you think. When companies assume the overseas entity operates in a separate legal environment, that's usually where exposure starts. We've seen manufacturers believe their Singapore-based subsidiary sat outside OFAC's reach. It doesn't.

The EU Consolidated List operates under Council Regulation (EU) No 269/2014 and subsequent amendments, with extraterritorial reach for EU-nexus transactions. These two systems aren't parallel frameworks pointing at the same parties. They're separate legal regimes that can produce different outcomes for the same counterparty on the same day.

When a government updates a "sanctions database," it's amending a legal record. The obligations attach at the moment of publication, not when your compliance team opens the Monday morning alerts.

How a Person or Entity Gets Added to a Sanctions List

Getting added to a sanctions list isn't the end of a legal process. It's the public announcement of one that's already been running for months.

At OFAC, a case typically begins with an investigation, either initiated internally, referred by another agency such as the FBI or FinCEN, or developed from allied intelligence. Investigators assemble what OFAC internally calls an "evidentiary package": transaction records, corporate filings, shipping manifests, financial intelligence, and available open-source data on the target's activities. This work happens entirely out of view. It can run for months or years before any public designation. By the time the SDN List updates, the decision has already been made.

The legal threshold for designation under IEEPA-based programs is "reasonable basis to believe" the target meets the program criteria. That standard is lower than most people realize. Not proof beyond reasonable doubt. Not even the preponderance-of-evidence bar used in civil litigation. Closer to administrative probable cause. A company doesn't need to have completed a prohibited transaction. Substantial assistance can clear it. Attempted deals can clear it. Structural ownership ties to already-designated parties can too.

Once the evidentiary package clears internal review, OFAC submits a recommendation to senior Treasury staff and, for major designations, to Treasury leadership or the National Security Council. In cases involving UN Security Council designations (such as those under the North Korea or Iran frameworks), the U.S. is bound to implement those decisions domestically, adding the entities to the SDN List within 30 days of adoption.

What doesn't happen: prior notification to the target. No public hearing. No opportunity to contest before the designation takes effect. The entry appears in the Federal Register and simultaneously on OFAC's public SDN List. From that moment, U.S. persons are prohibited from transacting with that party. No grace period. No transition time.

Which Government Agencies Control Sanctions Lists

The answer is more complicated than most compliance programs reflect, and the gap between "which lists exist" and "which lists your team actually screens" is where exposure lives.

OFAC administers the SDN List along with more than a dozen program-specific lists, including the Sectoral Sanctions Identifications (SSI) List and the Non-SDN Menu-Based Sanctions List (NS-MBS List). As of early 2026, the consolidated SDN and related lists contain over 15,000 entries across 30+ sanctions programs (U.S. Treasury, OFAC). An SDN designation triggers asset freezing and blanket transaction prohibitions. A sectoral designation under SSI is narrower: it restricts specific transaction types with certain sectors of a sanctioned economy, not everything involving that entity.

BIS, sitting at the Commerce Department, runs three lists under the Export Administration Regulations. The Entity List and Denied Persons List are the most operationally significant. The Unverified List covers parties whose bona fides BIS hasn't been able to confirm through end-use checks. BIS designations work differently from OFAC's: no asset freezing, no financial prohibition. They restrict export transactions. A party on the Entity List triggers a license requirement for any EAR-controlled item, and that application is presumed denied before it's reviewed. The Denied Persons List cuts off export transactions entirely, regardless of what you're shipping or where. No licensing path out.

State Department's AECA Debarred List covers companies and individuals sanctioned under the Arms Export Control Act, which applies to anyone exporting ITAR-controlled defense articles or services. The Nonproliferation Sanctions lists cover parties designated under proliferation-related statutes.

Outside the U.S., the relevant lists shift depending on which markets your goods touch. EU-origin goods and EU customers bring the EU Consolidated List into scope, maintained under EUR-Lex. UK operations post-Brexit mean OFSI's UK Sanctions List, a separate instrument maintained under the Sanctions and Anti-Money Laundering Act 2018 and not a copy of OFAC's list. Australia's DFAT list and Singapore's MAS list carry their own jurisdictional authority and their own penalties for violations by companies operating in those markets.

Running names against the SDN alone is not a sanctions screening program. It's one check against one agency's one list. The BIS Entity List and EU Consolidated List carry independent legal weight alongside OFSI's register. Different agencies, different update schedules, different penalty frameworks.

How Often Sanctions Lists Are Updated

More often than most compliance calendars are built to handle. OFAC updated the SDN List 47 times in 2025, roughly once per week on average, but that average hides a distribution that makes monthly screening structurally inadequate (U.S. Treasury, OFAC Actions Archive, 2025). Some weeks see nothing. Others see three actions in five days, including emergency designations tied to breaking geopolitical developments.

OFAC publishes without advance notice. When OFAC drops a Friday afternoon designation, there's no courtesy email to compliance teams. The Federal Register notice goes live. The SDN List updates. Any open transactions with that newly listed party become immediately problematic. One electronics distributor we spoke with in early 2025 found out about a newly designated Chinese components supplier only when their bank flagged an outgoing wire, three days after the designation. Two invoices had already cleared by then.

BIS moves in batches. The January 2025 Federal Register notice added 140 entities across 28 countries in a single action. The EU updates its Consolidated List through Official Journal publications on any business day, including the Friday before a public holiday when your team is already offline.

We've talked to export managers who make that argument confidently, and who've never had a sanctions compliance problem. Yet. The honest version: a 30-day cycle leaves a window where a newly designated counterparty can receive a shipment, an invoice, or a payment with no internal alert. Companies screening quarterly have transacted with newly listed entities for 60-plus days before anyone caught it. The screening wasn't broken. The cadence was. That distinction matters in an OFAC enforcement conversation, but it doesn't eliminate the underlying exposure.

How a Designated Party Can Challenge a Designation

The reconsideration process exists. Getting any traction through it is genuinely hard.

Under 31 C.F.R. Part 501, a designated party can file a reconsideration request arguing factual error, changed circumstances, or that they no longer meet the program criteria. OFAC must respond, but on its own timeline. Twelve to 18 months is common in complex cases. That clock starts when OFAC considers the submission complete, which means an incomplete filing resets it.

Fewer than 5% of administrative challenges result in removal or modification, based on published delisting actions through 2025. Most wins come from misidentification: a wrong name, a shared surname with an unrelated party, a transliteration that matched the wrong entity. Challenging the underlying factual basis of a designation is a different problem. The evidentiary record typically includes classified intelligence. You're arguing against a file you can't see, under a legal standard that doesn't require OFAC to show you how they reached their conclusion.

Misidentification is more common than compliance teams expect, and the clearing burden falls on the screener. Every OFAC SDN entry carries aliases and spelling variants, plus transliterated versions of names from non-Latin scripts. All of them potential hits against legitimate companies. A medical device manufacturer in Shenzhen with a name phonetically close to a designated entity will generate a screening hit. That hit needs to be investigated and cleared, with written documentation, even when the mismatch is immediately obvious. We've seen that process consume four to six hours per false positive when the documentation trail has gaps.

We've reviewed documentation packets from companies who cleared these in under an hour, and from others where the same type of false positive consumed a full day and three rounds of internal review.

EU delistings travel through the Foreign Affairs Council, a slower and more political track. OFSI in the UK has a formal review process under SAMLA 2018, but removal without a court order is uncommon in practice.

FAQ

Does being on one country's sanctions list automatically put you on another country's list?

No. Each jurisdiction issues and maintains its own list under separate legal authority. An OFAC designation doesn't automatically trigger a parallel entry on the EU Consolidated List, UK OFSI list, or Australia's DFAT list, even when the underlying reasons are identical. Allied governments sometimes coordinate and act simultaneously, but the legal instruments remain distinct. A company with U.S., EU, and UK customers faces three independent screening obligations. Clearing one list doesn't clear the others.

Can a subsidiary of a designated company be treated as designated even if it isn't named?

Yes. Under OFAC's 50 Percent Rule, any entity owned 50% or more (directly or indirectly) by one or more SDN-listed parties is treated as sanctioned, whether or not it appears on the list by name. The rule applies cumulatively: if two designated parties each own 26% of a company, their combined 52% stake makes that company subject to the same prohibitions as a named SDN. This is one of the most frequently missed points in due diligence on foreign counterparties. BIS applies a similar but legally distinct ownership analysis for Entity List purposes.

What's the practical difference between an OFAC SDN designation and a BIS Entity List designation?

They come from different agencies and impose different restrictions. An SDN designation freezes assets and prohibits any transaction involving U.S. persons, whether financial, commercial, or otherwise. A BIS Entity List designation restricts export transactions on items subject to the EAR, with no financial sanctions component. The two can coexist: a company can appear on both simultaneously, triggering overlapping obligations under OFAC and BIS simultaneously. A screening program that covers only one misses the other entirely, which is a common gap in tools built primarily around financial compliance.

What happens operationally when a new designation is published while a shipment is already in transit?

The obligation attaches at publication, not at delivery. If a consignee is designated after cargo departs but before it arrives, U.S. persons involved face potential exposure for the delivery leg. OFAC has issued guidance on specific scenarios like this (OFAC FAQ #646 and related guidance under 31 C.F.R. Part 538 and other program regulations), but the general principle is consistent: obligations apply from the moment of designation, not the moment you become aware of it. Exporters moving goods to high-risk jurisdictions or counterparties operating near sanctioned networks check updates daily. Not because it's best practice. Because the alternative is this exact scenario.

How long does an entity typically stay on the SDN List once designated?

Indefinitely. No OFAC designation expires automatically. Some entries have been active for 15 or more years. Removal requires affirmative action: a successful reconsideration petition under 31 C.F.R. Part 501, a policy-level executive decision, or a statutory change eliminating the underlying program. In practice, entries persist until the geopolitical rationale shifts enough for an administration to act. For entities designated under active high-priority programs like Russia, Iran, and North Korea, that's often not a realistic near-term outcome.

Can a U.S. company face OFAC liability for a transaction completed entirely by its foreign subsidiary?

Generally not automatically, but the analysis is fact-specific. OFAC's jurisdiction covers U.S. persons, including entities organized under U.S. law and their foreign branches. Foreign subsidiaries incorporated abroad typically fall outside OFAC's direct reach unless a U.S. nexus exists: dollar clearing, U.S.-origin goods, a U.S. financial institution, or a U.S. person who directed the deal. The Cuba and Iran programs reach further than most. Companies with foreign subsidiaries operating near sanctioned markets need jurisdiction-specific legal counsel, not a general policy.

The designation process has one structural feature that rarely gets explained plainly: it's asymmetric by design. Governments can add entities in hours. Removal takes years, when it happens at all. A company that discovers a long-standing supplier was quietly designated 18 months ago, while transactions continued undetected, faces a materially different OFAC conversation than one that caught the designation within days. That gap between designation date and discovery date appears directly in the penalty calculation framework under 31 C.F.R. § 501.805. Time elapsed matters. Transaction volume matters. Whether a compliance program existed matters. Screening frequency isn't procedural housekeeping. It's a direct input into the penalty calculus, and it's entirely within your control. Lenzo monitors all major sanctions and restricted party lists continuously, flagging new designations at source publication level, so the gap between a Friday afternoon SDN update and your team's awareness is minutes, not a billing cycle.