Sanctions Screening for Payment Service Providers

In 2025, OFAC enforcement actions generated more than $265 million in penalties, up from $48.8 million across 12 actions in 2024, with regulators explicitly naming financial intermediaries and payment-adjacent businesses as primary targets. Payment service providers are no longer treated as passive pipes in the transaction chain. This guide covers which sanctions lists PSPs must screen against, what penalties apply for violations, and how screening frequency is changing under new instant payments rules.

Sanctions screening for payment service providers means checking customers, counterparties, and transactions against government-maintained lists of sanctioned individuals, entities, and jurisdictions before processing or permitting a payment. A PSP’s sanctions check may cover the originator, the beneficiary, the underlying business, or all three, depending on the transaction type and the applicable regulatory regime.

Why PSPs face unique sanctions compliance pressure

Payment service providers sit at the intersection of multiple regulatory regimes at once. A single PSP operating across the EU and US may be subject to the FATF Recommendations, OFAC’s programme-specific rules, and the EU Instant Payments Regulation, each carrying distinct list-coverage requirements that do not overlap cleanly. The FATF Recommendations, specifically Recommendations 6 and 10, treat PSPs as obligated entities, meaning sanctions screening and customer due diligence are baseline obligations, not discretionary controls.

Transaction volume makes this harder to manage. A mid-market payment service provider processing tens of thousands of daily payments cannot rely on manual review queues. When Regulation (EU) 2024/886, the EU Instant Payments Regulation, came into force, it shifted EU-based PSPs from transaction-level screening to customer-level screening. Under that regime, a PSP must re-screen its entire client base against EU sanctions lists every time those lists are updated, per the Hogan Lovells analysis of the Regulation.

PSPs that underinvest in screening infrastructure face that cost twice: once in compliance operations and again when enforcement gaps surface.

Which sanctions lists must PSPs screen against?

Most cross-border payment service providers maintain screening coverage across five primary regimes. The answer to which lists apply depends on where a PSP operates and where its customers are located, but screening one regime does not satisfy obligations under another. Divergence between US and EU designations is a documented compliance gap, and enforcement agencies have taken action based on exactly that kind of list-coverage shortfall. For a full breakdown of how these global frameworks differ, see the guide to AML sanction lists and global regimes, which covers the structure of each.

OFAC Specially Designated Nationals (SDN) list

Any PSP with US-dollar clearing exposure, US-based customers, or US correspondent banking relationships falls under OFAC’s jurisdiction. The OFAC SDN list covers individuals, companies, and vessels across programmes for Iran, Russia, North Korea, Cuba, Venezuela, and others. OFAC applies a strict liability standard. Processing a single payment to a listed entity is sufficient grounds for an enforcement action, regardless of intent.

UN Security Council consolidated list

The UN Security Council’s consolidated list covers designations agreed by member states across terrorism, proliferation, and country-specific programmes. Most national authorities translate UN designations into domestic law, but PSPs with cross-border client bases need direct coverage of the consolidated list as a baseline, not only the domestically transposed version.

EU Consolidated Sanctions List

The EU list covers asset freezes and travel bans under EU Council Regulations. For EU-based PSPs and payment institutions, the obligation runs directly to this list. Under Regulation (EU) 2024/886, that screening obligation now applies at the client-base level rather than at the point of each payment. PSPs must re-screen all existing clients each time the EU list updates, not only when a new customer joins.

UK Financial Sanctions List

Post-Brexit, the UK Office of Financial Sanctions Implementation (OFSI) maintains a separate consolidated list. UK-registered PSPs and those serving UK clients must run screening against the OFSI list independently of EU coverage. OFSI designations do not mirror EU designations in every case, which means relying on EU list coverage alone leaves UK-exposed PSPs with a live gap.

Domestic and programme-specific lists

PSPs operating in specific markets face additional national lists. The UAE Central Bank, Saudi Arabia’s SAMA, and Australia’s AUSTRAC each maintain domestic screening obligations. Domestic list coverage layers on top of international frameworks, not in place of them.

What penalties apply if a PSP violates sanctions?

Sanctions violations expose payment service providers to penalties that scale with the severity and volume of the breach, and enforcement agencies have shown limited appetite for lenience when failures are systemic. The OFAC civil penalties framework sets a maximum civil penalty of the greater of $356,579 per transaction or twice the transaction value for egregious violations under most programmes. In practice, enforcement actions aggregate across multiple violations rather than treating each transaction in isolation.

The pattern in recent enforcement actions illustrates this directly. An electronic brokerage platform settled with OFAC for $11.8 million after regulators identified 12,367 apparent violations spanning seven different sanctions programmes over eight years. The case arose from periodic screening gaps, not deliberate evasion. Systematic real-time controls would have surfaced most of those violations before they occurred.

As of April 2026, OFAC collected approximately $48.8 million in civil penalties across 12 enforcement actions in 2024, per OFAC’s published 2024 enforcement data. That total rose sharply to more than $265 million across 14 actions in 2025, driven in part by increased scrutiny of non-bank financial institutions, as documented in Sidley Austin’s 2025 sanctions enforcement review. The direction of travel is clear: enforcement intensity is rising, and payment-adjacent intermediaries are explicitly in scope.

EU-based PSPs face enforcement under member-state competent authorities. From 2028 onward, the EU Anti-Money Laundering Authority (AMLA) is expected to introduce direct supervision of certain cross-border payment institutions, creating more consistent enforcement across the bloc. Beyond financial penalties, PSPs risk revocation of their payment institution licence and loss of correspondent banking relationships, both of which take considerably longer to rebuild than any single fine.

How often should PSPs conduct sanctions screening?

Screening frequency has moved from a periodic question to a continuous one. Current regulatory requirements tie screening cadence to three distinct operational triggers, not to a fixed weekly or monthly cycle, and a PSP whose controls do not match those triggers is operating with a live compliance gap regardless of how often the batch runs.

Customer onboarding is the first point of obligation. Every new customer must be screened before a payment account is opened or a transaction is processed. FATF Recommendation 10 sets this as a baseline obligation. No PSP should activate a new account before completing a full sanctions check against applicable lists.

List updates create the second trigger. The EU Instant Payments Regulation created an ongoing obligation to re-screen the full client base whenever the EU Consolidated Sanctions List changes, not only at new customer onboarding. OFAC updates the SDN list without a fixed schedule, sometimes multiple times in a single day. A PSP running weekly batch screening operates with a compliance gap every day the list changes between runs.

Instant payment services add a third, more demanding requirement. PSPs offering SEPA Instant credit transfer services face the most demanding requirement. Regulation (EU) 2024/886 prohibits per-transaction screening for these payments because the 10-second processing window makes it impractical. The obligation shifts instead to maintaining an already-screened, continuously monitored client population, which requires automated monitoring of list changes rather than scheduled batch runs. For a fuller breakdown of how transaction-level screening differs from ongoing monitoring obligations, the guide to transaction screening vs. transaction monitoring covers the distinction in detail.

How Shufti helps PSPs meet sanctions screening obligations

PSPs managing sanctions requirements across OFAC, EU, UN, and domestic lists need screening infrastructure that keeps pace with list updates, not one that introduces delay between a new designation and a live screening result. Shufti’s AML screening draws on 3,500+ global watchlists covering 215+ sanction regimes, with list data refreshed every 15 minutes. When OFAC revises the SDN list mid-afternoon, the change is visible in screening results within the hour, not at the next scheduled batch cycle.

For PSPs managing both individual and business clients, Shufti’s Sanctions screening runs alongside ongoing customer monitoring, producing a single audit trail that covers onboarding checks, list-update triggers, and payment-level controls in one place. When an enforcement agency requests evidence of continuous monitoring, a timestamped log showing checks within 15 minutes of a list update is a far stronger compliance position than a weekly batch report with gaps between runs.