Last updated: June 1, 2026

Third-Party Screening for Exporters: Beyond Name Matching

On September 3, 2025, OFAC fined freight forwarder Fracht FWO $1.6 million for what it called reckless disregard of sanctions. The names on the paperwork were not the problem. The relationships behind them were. That is the trap with treating third-party screening as a string comparison: the tool clears the name, the deal moves, and the exposure sits quietly inside an ownership chain nobody traced. Most SMB exporters carry far more of this than their dashboards admit, because a green checkmark feels like an answer when it is only the first question.

Key Takeaways

  • Name matching catches exact and fuzzy string hits only. It misses the ownership structures and indirect control behind most 2025 enforcement actions.
  • OFAC's 50 Percent Rule blocks any entity owned 50% or more, individually or in aggregate, by sanctioned persons, even when that entity never appears on a list.
  • Haas Automation paid $1,044,781 on January 17, 2025, specifically for failing to screen counterparties owned 50%+ by blocked Russian entities.
  • The BIS Affiliates Rule, issued September 30, 2025, extends 50% ownership exposure to the Entity List, with full effect expected November 2026.
  • A screening result is only as current as its last list refresh. Treasury adds names mid-shipment, without warning.

Name matching is the floor, not the program

Name matching answers one narrow question: does this string resemble a string on a list? That is the floor of any screening program, not the program itself. It says nothing about who owns the counterparty, who controls it, what it ships, or whether the entity restructured last quarter to drop a flagged shareholder below the line.

Plenty of exporters treat a green checkmark as proof of diligence. It is not. A clean match means the literal text passed. It does not mean the counterparty is safe to ship to. Enforcement does not turn on whether your software returned a hit. It turns on whether the transaction touched a prohibited party, by any route, direct or indirect. The Haas Automation settlement made that explicit: five of the six blocked entities Haas dealt with were blocked not because their names were listed, but because of who owned them.

The limits show up fast. Aliases and transliterations defeat exact matching. A company spelled three ways across its incorporation papers, its bank records, and its shipping documents will clear under one spelling and fail under another. Fuzzy matching helps with typos but floods the queue with noise, and a team drowning in false hits starts clearing alerts on autopilot. That is how a real match gets dismissed at 4 p.m. on a Friday. We have sat with compliance leads who could not say, six months later, why a particular alert was closed. Nobody could.

Effective denied party screening starts where name matching stops. It treats the matched name as the first data point in a due diligence screening process, not the verdict. The question moves from "did the name match" to "who is actually behind this, and what does the surrounding evidence say."

What third-party screening actually has to cover

Real third-party screening covers four dimensions a name check ignores: identity resolution, ownership and control, list coverage across jurisdictions, and the freshness of the data behind every result. A program that handles one or two and skips the rest is not partial coverage. It is a gap that looks like protection.

Identity resolution comes first. Before you can screen a counterparty, you have to know who the counterparty actually is. That means resolving the legal entity behind a trade name, reconciling spellings, tying the shipping party to a registered company with a verifiable address. Skip this and you screen a label, not a party.

List coverage is the dimension exporters most often underestimate. Everyone knows the SDN list. But a real compliance screening program touches dozens of lists across the U.S., the EU, the UK, and the UN, plus sectoral and military end-user lists with their own prohibitions. Watchlist screening that stops at one or two government lists leaves whole categories of restricted parties unscreened. An entity absent from the SDN list can sit on the BIS Entity List, and shipping to it lands you in the same kind of trouble.

Then the dimension nobody likes: freshness. A result reflects the lists at the moment of the scan, and Treasury and Commerce add names continuously. A counterparty can clear at quote time and land on a list before the container leaves the yard, which we have watched happen. The penalty attached to the export date, not the date the screen ran clean. Coverage is a question of recency as much as breadth. Checking the right lists against a stale copy of them is still a stale check. Most teams check breadth once at onboarding and never revisit it, which is precisely backwards.

Ownership is where clean names hide dirty risk

The single largest gap in name-only screening is ownership. Under OFAC's 50 Percent Rule, any entity owned 50 percent or more, directly or indirectly, individually or in the aggregate, by one or more blocked persons is itself blocked, even if it never appears on any list by name. Your invoice can be spotless while the controlling owner sits on the SDN list two layers up.

This is not a theoretical edge case. Consider how the math actually moves. A blocked individual holds 30 percent through one shell and 25 percent through another, and the aggregate crosses 50 percent even though neither stake does alone. Two sanctioned parties at 25 percent each equal one blocked entity. Three at 17 percent each do not, even though the total ownership is nearly identical. The arithmetic is unforgiving and the name-matching tool sees none of it. It finds a company it has never heard of and returns clean. The exporter ships. The transaction was blocked the whole time.

Ownership screening needs beneficial ownership data, not the entity name on its own. You trace the chain through corporate registries, sanctions ownership databases, and adverse-media checks until you reach the natural persons who actually control the counterparty. The kind of risk and compliance screening that holds up under audit records who owns what, to what percentage, and on what date the ownership was verified. Here is what most articles on this topic miss: the hard part is not finding the data. It is dating it. An ownership structure verified in January is a guess by October, and the October regulator does not care what you knew in January.
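The aggregation described above can be run over an ownership graph. The following is an added example, not code from any screening product: every name and stake is constructed, and it assumes blocked status cascades, meaning an intermediate entity passes exposure downstream only once blocked persons hold 50 percent or more of it. Control without equity is not modelled.

```python
from collections import defaultdict

THRESHOLD = 50.0  # percent, the line the 50 Percent Rule draws

# Constructed sample data: (owner, entity, percent directly held).
STAKES = [
    ("Person X", "Shell A", 100.0), ("Person X", "Shell B", 100.0),
    ("Shell A", "Buyer Co", 30.0), ("Shell B", "Buyer Co", 25.0),
    ("Person Y", "Distributor Co", 25.0), ("Person Z", "Distributor Co", 25.0),
    ("Person X", "Holding H", 40.0), ("Holding H", "Reseller R", 100.0),
]
LISTED = {"Person X", "Person Y", "Person Z"}  # the only names a list would show


def blocked_by_ownership(stakes, listed):
    """Return {entity: aggregate percent held by blocked owners} for every
    entity that is blocked through ownership without being listed by name."""
    owners_of = defaultdict(list)
    for owner, entity, pct in stakes:
        owners_of[entity].append((owner, pct))

    def blocked_share(entity, blocked):
        return sum(pct for owner, pct in owners_of[entity] if owner in blocked)

    blocked = set(listed)
    changed = True
    while changed:  # fixed point: a newly blocked entity can block what it owns
        changed = False
        for entity in owners_of:
            if entity not in blocked and blocked_share(entity, blocked) >= THRESHOLD:
                blocked.add(entity)
                changed = True
    return {e: blocked_share(e, blocked) for e in blocked - set(listed)}


def name_only_hits(counterparties, listed):
    """What a pure name match returns: exact list membership only."""
    return [c for c in counterparties if c in listed]


if __name__ == "__main__":
    customers = ["Buyer Co", "Distributor Co", "Reseller R"]
    print("name match:", name_only_hits(customers, LISTED))
    print("ownership :", blocked_by_ownership(STAKES, LISTED))
```

Buyer Co and Distributor Co clear the name match and still come back blocked, while Reseller R stays clear because its parent is only 40 percent owned by a listed person.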

Control is now its own exposure. On March 31, 2026, OFAC issued guidance on sham transactions that erodes the old bright line between ownership and control. A blocked person who directs an entity through a trust, a proxy, or a side arrangement can trigger blocking without holding 50 percent of anything. This is the counterparty risk screening layer that sits above the SDN list and catches what equity math alone misses. Most automated tools do not look here at all, which is why control review stays a manual step in nearly every program we audit.

The data behind the match decides everything

A screening result is a claim about reality, and a claim is only as good as the data behind it. Two tools running the same counterparty can return opposite verdicts because one consolidates more lists, refreshes more often, or resolves aliases the other does not. The match logic gets the attention. The data feeding it decides the outcome.

Three properties separate a defensible result from a misleading one. List breadth: how many sanctions and denied-party lists across how many jurisdictions feed the scan. Update cadence: how fast a newly designated name reaches the dataset the tool actually queries, because a daily-refreshed list checked against a weekly-stale copy is a weekly-stale check. Source provenance: whether the result traces back to the specific list, version, and date it came from. An audit asks you to reconstruct what you knew and when, and "the tool said so" is not an answer that survives that question.

Provenance is where consumer-grade customer screening software breaks. A free or cheap tool returns a green light with no record of which lists it checked or when those lists were last updated. We tried, on one engagement, to reconstruct a client's clean result from eight months earlier using their old vendor. We could not. The lists had moved, the vendor kept no version history, and the original determination was simply gone. A compliance check that satisfies an auditor and one that merely reassures the operator differ on exactly this point: can you rebuild the result months later from a defensible record, or not.

This is the case for screening infrastructure that treats every result as an auditable artifact. Lenzo records which lists were queried, at what version, on what date, so a counterparty cleared in March can be reconstructed in October without guesswork. The goal is not a faster green light. It is a result you can stand behind when someone with subpoena power asks how you knew.

Provenance also changes how false positives get handled. Carry the source list and version with the result, and a borderline hit gets resolved against the exact entry that triggered it instead of a stripped-down summary. Teams working from a sourced record close alerts faster and document why, which is the part an examiner actually reads. Strip the provenance and the operator has to re-run the search to reconstruct what the tool saw, and the reconstruction rarely matches, because the lists have moved since. Thin data weakens protection, yes, but the quieter cost is the hours a team spends re-deriving decisions it already made.

Building a due diligence tier that scales with exposure

Not every counterparty warrants the same depth, and pretending otherwise either bankrupts the compliance budget or guarantees corners get cut. A risk-based program assigns screening depth to exposure. A one-time domestic buyer of low-control goods gets a baseline scan. A repeat customer in a high-diversion-risk region buying dual-use components gets full ownership tracing and ongoing monitoring. The tiering is the program.

Baseline tier: identity resolution and a multi-list name screen against current data. It runs automatically, returns fast, and writes a logged record. No ownership tracing, because most parties never pose the exposure that justifies it. Keeping the baseline cheap is what makes the deeper tiers affordable, since the budget concentrates on the small share of counterparties that earn the scrutiny.

Enhanced tier adds beneficial ownership tracing, control analysis under the 50 Percent Rule, and adverse-media review. It triggers on risk indicators: high-risk geography, dual-use or controlled goods, opaque ownership, transshipment routing, or any of the classic red flag screening signals, such as a customer reluctant to share end-use details or a freight forwarder listed as the only address. This is where supply chain screening earns its keep, tracing not just the buyer but the intermediaries and end users behind a shipment. A clean direct customer routing goods to a blocked end user is a problem the buyer's name will never reveal.

Continuous tier covers ongoing relationships, where the party was clean at onboarding but the lists moved underneath it. Re-screen at shipment release, not just at order entry. That single trigger catches Treasury's mid-relationship designations that intake-only screening never sees. The entity list and the SDN list change on the government's schedule, not your sales cycle, and a party that cleared at the quote can be restricted by the time the goods move. With the BIS Affiliates Rule expanding ownership exposure to Entity List parties in 2026, the population of names this tier has to track is about to grow, not shrink.
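The provenance record from the data section and the re-screen-at-release trigger described here fit together in one check. This is an added sketch, not Lenzo's or any vendor's implementation: the record layout, function names, version labels and the "EU consolidated" list label are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import date


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_record(party, list_versions, hits, screened_on):
    """Store the determination with the list versions it was made against.
    The digest detects later edits to the record; it is not a signature."""
    body = {"party": party, "lists": dict(list_versions),
            "hits": sorted(hits), "screened_on": screened_on.isoformat()}
    return {**body, "sha256": _digest(body)}


def release_check(record, current_versions, required_lists):
    """Reasons the stored result cannot be relied on at shipment release.
    An empty list means it still reflects the lists as they stand now."""
    reasons = []
    body = {k: v for k, v in record.items() if k != "sha256"}
    if _digest(body) != record["sha256"]:
        reasons.append("record altered since screening")
    for name in sorted(required_lists):
        seen = record["lists"].get(name)
        if seen is None:
            reasons.append(f"{name}: not screened")
        elif seen != current_versions.get(name):
            reasons.append(f"{name}: screened at {seen}, "
                           f"current is {current_versions.get(name)}")
    return reasons


# Constructed sample: version labels and the party name are made up.
RECORD = make_record("Buyer Co",
                     {"OFAC SDN": "2025-03-10", "BIS Entity List": "2025-03-07"},
                     hits=[], screened_on=date(2025, 3, 12))
CURRENT = {"OFAC SDN": "2025-03-10", "BIS Entity List": "2025-10-02",
           "EU consolidated": "2025-09-30"}

if __name__ == "__main__":
    for reason in release_check(RECORD, CURRENT, CURRENT.keys()):
        print("re-screen:", reason)
```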

FAQ

What exactly counts as a "third party" I need to screen?

Anyone external to your company who touches the transaction: the customer, the vendor, the freight forwarder, the intermediary consignee, the ultimate end user. The party named on the invoice is rarely the only one that matters, and it is often not the one that gets you in trouble.

Why isn't name matching enough on its own?

Because it only compares text. It cannot see sanctioned ownership behind a clean-named entity, alternate spellings, or control exercised without majority equity. The Haas Automation case turned on exactly this: ownership, not listed names.

What is OFAC's 50 Percent Rule, in plain terms?

Any entity owned 50 percent or more, directly or indirectly, individually or in aggregate, by one or more blocked persons is itself blocked, even when it never appears on a list by name. OFAC's March 2026 sham-transactions guidance went further and treats control through proxies and trusts as exposure too, so the old comfort of "they only own 40 percent" no longer holds the way it used to.

Do I really need to re-screen a customer I cleared last month?

Yes. A party cleared at order entry can be designated before the goods move, and the penalty attaches to the export date.

What makes a screening result defensible if an investigator shows up?

A record of which lists were checked, at what version, and on what date. A green light with no provenance does not survive scrutiny, because the question is never "is this party clean today." It is "prove this party was clean on the day you shipped."


When most teams describe their screening program, they describe the alert queue: how many hits came in, how fast they cleared. The number nobody tracks is the one that predicts trouble. How many counterparties were screened on ownership rather than name alone. In nearly every program we review, that figure sits close to zero, because the ownership step is manual and the manual step quietly gets skipped under volume. So here is the narrow move for the next 30 days. Pull the counterparties added last quarter, and for each one in a higher-risk category, check whether anyone actually traced beneficial ownership or just logged a clean name match. The cleared-by-name-only count is your real exposure, and it is almost always larger than the dashboard implies. That gap, not the alerts you resolved, is where the next enforcement letter starts.
