Sanctions Screening for Crypto Businesses: Wallets, Transactions, Customers, and Counterparties
On October 15, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control published its first industry-specific brochure on sanctions compliance for the virtual currency industry, setting out the components it expects to see in a sanctions program: management commitment, risk assessment, internal controls, testing and auditing, and training — with explicit references to sanctions list screening, transaction monitoring, geolocation, and IP blocking as part of those controls.
That guidance ended a quiet debate. Until 2021, some crypto businesses still treated sanctions screening as a name-check exercise borrowed from banking — run the customer’s name against a list at onboarding, store the result, move on. The OFAC brochure made clear that for crypto businesses, screening has to extend to the assets and the flows: wallets, transactions, counterparties, and the entities sitting behind them. A customer can pass KYC cleanly and still create sanctions exposure through a single deposit from a sanctioned service, a swap routed through a blocked address, or a payment partner whose own controls have failed upstream.
This article is about how that broader workflow actually works. It walks through what a crypto business needs to screen, the difference between direct and indirect exposure, when screening should happen across the customer lifecycle, what to do when an alert appears, and where automation belongs. The goal is not to summarize sanctions law — that is what lawyers and the official regulator guidance are for — but to make sanctions exposure visible, reviewable, and manageable inside an operational AML setup.
What Is Sanctions Screening in Crypto?
Sanctions screening in crypto is the process of checking customers, companies, beneficial owners, wallets, transactions, and counterparties against sanctions lists, blocked addresses, sanctioned services, and restricted jurisdictions. The result of the check is a risk signal that feeds into a structured review.
In traditional finance, sanctions screening usually starts with the name of the customer or the counterparty institution and proceeds through a relatively well-defined list-matching exercise. In crypto, that name layer remains necessary, but it is no longer sufficient. The same workflow has to cover four overlapping types of screening:
- Name-Based Screening: checking the names of customers, directors, authorised representatives, and beneficial owners against sanctions lists and watchlists.
- Entity-Based Screening: identifying the companies behind transactions or partnerships and assessing whether they, their parents, or their controllers are subject to sanctions.
- Wallet-Based Screening: checking crypto addresses for direct listings, attribution to sanctioned services, or exposure through known clusters and counterparties.
- Transaction-Based Screening: evaluating the flow of funds — source, destination, distance from any risk node, and pattern over time — for indirect exposure that may not appear in a static check.
All four layers feed the same decision: whether a customer, a transaction, or a counterparty can be onboarded, processed, or continued with, and under what conditions. A team that runs only one of these layers has, at best, a partial view.
The OFAC guidance is worth reading in full for any business with U.S. exposure, and the same logical pattern (lists plus wallet and transaction analysis) underpins the EU, UK, and UN regimes, even where the procedural details differ.
Why Sanctions Risk Is Different in Crypto
The structural difference between sanctions risk in crypto and in traditional finance comes down to one fact: an address does not carry an identity on the chain itself. The blockchain records transactions between pseudonymous addresses, not transactions between named legal persons. Identity has to be inferred from off-chain context, behavioral patterns, and attribution data — and that inference can change as new information arrives. This means three things that founders and compliance leads should internalize before designing a screening program:
- A Customer Can Pass KYC and Still Carry Wallet Risk. The person presenting an ID is real, the documents check out, and yet the wallet they are using to deposit may have a history of interaction with a sanctioned mixer or service. KYC alone cannot detect this; it answers a different question.
- An Address Does Not Always Reveal Legal Identity. Addresses can be attributed to services, clusters, or known actors, but the attribution is probabilistic and depends on the quality of the underlying data. For a fuller explanation of how this attribution actually works, see our explainer on wallet and entity identification in blockchain analytics.
- Risk Changes After Onboarding. Sanctions designations are added or updated, wallet labels are refined, transaction patterns evolve, and previously unremarkable addresses can become exposed to a new risk source overnight. A point-in-time check does not capture this drift.
The result is that crypto sanctions screening has to be both broader (covering wallets and transactions, not only names) and continuous (re-checked over time, not only at onboarding). It also has to distinguish between direct and indirect exposure — a distinction that often does not arise in traditional name-based screening but is central to how risk actually appears on-chain.
What Crypto Businesses Need to Screen
A sanctions screening program should cover several overlapping subjects: people, companies, wallets, transactions, and partner institutions. Each subject has its own checks, its own data sources, and its own failure modes.
Customers, Companies, and UBOs
The customer layer is the most familiar one and the closest to traditional finance practice. For individual customers, it covers the customer themselves, any authorized representatives, and the jurisdictions involved. For corporate customers, it extends to directors, beneficial owners, and the business activity itself — a clean entity name does not mean clean ownership, and ownership structures can hide exposure several layers up.
In practical terms, this layer is what answers the question: who, in legal terms, is on the other side of this relationship? It typically involves identity verification, document checks, sanctions and PEP screening, and an assessment of business activity and geographic exposure. It also has to be repeated periodically, because designations and beneficial ownership are not static. For the operational side of identity and business verification, see KYC and KYB Checks for Crypto Businesses.
Wallets and Crypto Addresses
Wallet screening sits on top of customer screening rather than replacing it. The question here is whether a specific address is linked to sanctions, scams, mixers, sanctioned services, or other risk categories — either directly (the address itself appears on a list or is clearly attributed to a sanctioned entity) or indirectly (through the address’s transaction history and counterparties). A wallet check should cover, at minimum:
- Direct Sanctions Match: is the address itself on a sanctions list?
- Exposure to Sanctioned Funds: has the address received or sent value from or to a sanctioned source, directly or via short hop distances?
- Connection to a Sanctioned Service: does the address belong to a cluster attributed to a sanctioned exchange, mixer, ransomware operator, or similar service?
- High-Risk Category: does the address sit in a known high-risk classification such as darknet markets, scams, or fraud-linked services?
- History and Counterparties: what does the address’s broader interaction pattern look like?
Attribution is never absolute. A useful screening result tells the team the probability and the basis of a finding — not a binary verdict — and lets the analyst decide how to weight it.
Crypto Wallet Screening exists to make that check repeatable and consistent across deposits, withdrawals, and onboarding rather than dependent on whichever analyst happens to look at a given case.
Transactions and Fund Flows
The transaction layer extends screening from the static state of an address to the dynamic flow of value into and out of it. This is where indirect exposure usually surfaces: a wallet that looks clean at the surface can have a fund history that touched a sanctioned service two or three hops back. Whether that history matters depends on factors like distance, amount, timing, pattern, and the type of entity involved.
Transaction screening typically covers deposits, withdrawals, swaps, transfers, and payments — the events at which a crypto business actually controls or processes value. For each event, the relevant questions are similar:
- Source of Funds: where did the incoming value originate, directly and across recent hops?
- Destination of Funds: where is value being sent, and what is the risk profile of that destination?
- Hop Distance and Amount: how close to a known risk node is the flow, and how material is the exposed portion?
- Timing and Pattern: does the activity match expected behavior for the customer profile, or is it anomalous?
- Counterparty Type: is the counterparty a regulated VASP, a non-custodial wallet, a mixing service, or something else?
This is where sanctions screening overlaps most heavily with general AML risk detection. Detecting sanctions exposure during deposits, withdrawals, and transfers is one of the core functions of Continuous Transaction Monitoring — it is the same plumbing applied to the specific question of whether value is moving in or out of sanctioned exposure.
Counterparty VASPs and Business Partners
The fourth layer is partners. Crypto businesses do not operate in isolation: they connect to other exchanges, OTC desks, liquidity providers, custodians, payment partners, and on-ramps and off-ramps. Sanctions risk can travel along any of these relationships. A partner with weak controls, exposure to risky jurisdictions, or interaction with sanctioned entities is a channel through which exposure reaches the business’s own customers and flows.
The standard for this layer is no longer “they have a license, so they are fine.” A partner’s license tells you which regulator authorized them; it does not tell you how their controls perform in practice.
Direct vs Indirect Sanctions Exposure
The single most useful conceptual distinction in crypto sanctions screening is between direct and indirect exposure. The same alert can carry very different weight depending on which side of this line it sits.
Direct Sanctions Exposure
Direct exposure means that the customer, a beneficial owner, a specific wallet, a service, or a counterparty appears on a sanctions list or is clearly attributed to a sanctioned entity. The signal is unambiguous: the screening result identifies a match between the subject of the check and a designated person, entity, or address.
Typical examples include a wallet that itself appears on a sanctions list, a transaction to or from a blocked address, or a counterparty institution that has been designated under a sanctions regime. Direct exposure does not, by itself, dictate any single action — the obligations depend on the jurisdiction, the nature of the customer relationship, and the underlying facts — but it is the category that almost always requires immediate escalation, careful documentation, and a decision based on internal policy and applicable obligations rather than analyst discretion.
Indirect Sanctions Exposure
Indirect exposure is more common and more ambiguous. It means that funds have interacted with sanctioned entities through intermediary wallets, bridges, nested services, or earlier transactions, even though the immediate counterparty in the current transaction is not itself sanctioned. Several variables determine how seriously to treat indirect exposure:
- Hop Distance From the Risk Source: exposure one or two hops away is materially different from exposure ten hops away.
- Amount Involved: the proportion of the transaction or balance that is exposed.
- Timing: recent exposure typically carries more weight than older history, though older patterns can still be relevant.
- Pattern and Behavior: a single low-value hop is different from a repeated routing pattern that suggests deliberate layering.
- Entity Type: exposure through a regulated exchange differs from exposure through a mixer or a sanctioned service.
- Confidence Level: how reliable the underlying attribution is for the entities involved in the chain.
Indirect exposure rarely produces a binary answer. The job of the compliance team is to weigh the variables, document the reasoning, and make a risk-based decision — not to treat every indirect link as a violation, but also not to ignore patterns that suggest deliberate routing through risk.
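The direct/indirect distinction above, worked through as an added example (not AMLBot's or any vendor's code): it traces a wallet's source of funds backwards over a constructed transfer list and reports the exposure type, the hop distance, and the exposed share. The addresses, the `screen` function and the proportional attribution model are assumptions made for illustration; attribution confidence and the outbound (destination) side are not modelled.

```python
from collections import defaultdict, deque
from functools import lru_cache

# Constructed sample data: placeholder addresses, not real ones.
SANCTIONED = {"addr_sanctioned_mixer"}
TRANSFERS = [  # (sender, receiver, amount)
    ("addr_sanctioned_mixer", "addr_hop_a", 10.0),
    ("addr_exchange", "addr_hop_a", 30.0),
    ("addr_hop_a", "addr_customer", 20.0),
    ("addr_exchange", "addr_customer", 20.0),
    ("addr_exchange", "addr_clean", 5.0),
]


def build_inflows(transfers):
    """Index transfers by receiver: receiver -> {sender: total amount}."""
    inflows = defaultdict(lambda: defaultdict(float))
    for sender, receiver, amount in transfers:
        inflows[receiver][sender] += amount
    return inflows


def hop_distance(address, inflows, sanctioned, max_hops):
    """Breadth-first search backwards along the source of funds.

    Returns 0 if the address itself is listed, n if the nearest listed
    source is n hops back, or None if nothing is found within max_hops.
    """
    seen, queue = {address}, deque([(address, 0)])
    while queue:
        node, hops = queue.popleft()
        if node in sanctioned:
            return hops
        if hops < max_hops:
            for sender in inflows.get(node, {}):
                if sender not in seen:
                    seen.add(sender)
                    queue.append((sender, hops + 1))
    return None


def exposed_share(address, inflows, sanctioned, max_hops):
    """Fraction of inflows traceable to a listed source within max_hops.

    Assumed model: each sender's contribution is weighted by its share of
    the receiver's total inflow. The depth limit also ends cycles.
    """
    @lru_cache(maxsize=None)
    def share(node, depth):
        if node in sanctioned:
            return 1.0
        sources = inflows.get(node, {})
        total = sum(sources.values())
        if depth == 0 or total == 0:
            return 0.0
        return sum(amt / total * share(src, depth - 1)
                   for src, amt in sources.items())
    return share(address, max_hops)


def screen(address, transfers, sanctioned, max_hops=3):
    """Return a risk signal for analyst review, not a verdict."""
    inflows = build_inflows(transfers)
    hops = hop_distance(address, inflows, sanctioned, max_hops)
    if hops is None:
        return {"address": address, "exposure": "none",
                "hops": None, "share": 0.0}
    return {
        "address": address,
        "exposure": "direct" if hops == 0 else "indirect",
        "hops": hops,
        "share": exposed_share(address, inflows, sanctioned, max_hops),
    }


if __name__ == "__main__":
    for addr in ("addr_sanctioned_mixer", "addr_customer", "addr_clean"):
        print(screen(addr, TRANSFERS, SANCTIONED))
```

Running the same wallet with `max_hops=1` returns no exposure, which shows how the chosen look-back depth changes what a point-in-time check can see.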
When Sanctions Screening Should Happen
A screening program that runs only at onboarding misses most of the risk. The OFAC guidance, and the way mature programs are actually structured in practice, treats screening as a continuous activity across the customer lifecycle. In practical terms, four moments matter:
- Before Onboarding: customer, company, UBO, and jurisdiction checks before the relationship begins. This is where most direct name-based and entity-based exposure is caught.
- Before or During Transactions: deposits, withdrawals, transfers, swaps, and payments. Wallet and transaction screening at this point catches exposure that customer screening does not see.
- During Ongoing Monitoring: risk does not stay still. Sanctions lists are updated, wallet labels are refined, and transaction patterns evolve. Continuous Transaction Monitoring exists precisely because wallet risk can change after onboarding.
- During Trigger-Based Reviews: a new wallet linked to an existing customer, a new counterparty in the flow, a volume spike, a fresh high-risk alert, or a new sanctions designation should each trigger a re-check — not a re-confirmation of the original onboarding decision, but an active review of current exposure.
The cadence of ongoing monitoring depends on the business model and risk profile. A high-volume exchange will run continuous monitoring with frequent re-screening; a low-volume B2B model may rely more on trigger-based reviews. There is no universal frequency that fits every product.
What to Do When a Sanctions Alert Appears
A sanctions alert is a signal that requires a structured review — not a panic response, an automatic block, or an assumption that the underlying facts are settled. The point of the review is to determine what the alert actually means and what the appropriate action is under applicable obligations and the business’s own policy. For the broader workflow that surrounds this kind of review, see our guide on How to Handle High-Risk Crypto Transaction Alerts.
In practical terms, an effective alert review covers a small but consistent set of questions:
- Direct or Indirect Exposure: what kind of exposure has the system flagged, and how strong is the underlying signal?
- Match Confidence: how reliable is the attribution? A high-confidence direct match is materially different from a low-confidence indirect link.
- Entity Attribution: who, specifically, is the system saying is on the other side — and how was that determined?
- Source and Destination of Funds: where did the value come from, and where is it going? The answers are often more informative than the single-hop alert itself.
- Jurisdiction and Customer Profile: what is the customer’s relationship to the business, and which regulatory regime governs the decision?
- Internal Policy: what does the business’s own approved procedure say about this category of finding?
Depending on the answers, possible outcomes include escalating to a senior reviewer or compliance officer, documenting the case and continuing the relationship under updated risk monitoring, updating the customer’s risk profile, restricting certain activities, rejecting the transaction, freezing or blocking funds where required, or reporting under applicable obligations.
None of these are universal defaults — the right outcome depends on the facts and the regime. What is universal is that the decision and the reasoning have to be documented so that a partner bank, an auditor, or a regulator can reconstruct the team’s logic later.
Where Automation Fits: KYC, KYT, Wallet Screening, and API
Manual screening works at very small volumes and breaks down quickly as activity grows. By the time a team is processing dozens of deposits a day across multiple chains, the workflow has to move from spreadsheets to integrated tooling — not because automation is glamorous, but because consistency and audit trails cannot be maintained any other way. A complete operational stack typically connects five layers:
- KYC and KYB: customer, company, and UBO screening at onboarding and on a periodic basis. KYC and KYB Verification covers the people-and-entities layer that other layers later build on.
- Wallet Screening: address-level and entity-level risk assessment, applied at the point a wallet enters the system.
- KYT and Transaction Monitoring: ongoing exposure tracking as funds move. Crypto Transaction Monitoring is what extends point-in-time wallet checks into continuous oversight.
- API Integration: checks embedded inside onboarding, deposits, withdrawals, and internal workflows so that compliance results gate product actions instead of running alongside them.
- Case Review: the human layer where alerts are interpreted, evidence is collected, decisions are recorded, and outcomes are documented for later reference.
The point of the stack is not that every business needs every layer in full from day one. It is that the layers have to connect. A KYC system that does not feed into transaction monitoring, or a transaction monitoring system whose alerts do not show up in a case review queue, produces gaps that no individual tool can close on its own.
Common Sanctions Screening Mistakes in Crypto
Recurring mistakes in this area are well known. The list below is not exhaustive, but it covers most of the patterns that show up when reviewing a screening program that is not performing the way the business assumed it was:
- Screening Only Customer Names, Not Wallets: a clean customer record does not establish a clean wallet. Both layers are needed.
- Checking Wallets Once, Not Monitoring Them Later: a single onboarding check does not survive contact with a year of activity. For why this matters, see KYC vs KYT Explained: Key Differences for Crypto Compliance.
- Ignoring Indirect Exposure: treating only direct matches as relevant misses most real-world routing patterns through risky services.
- Relying Only on Generic Sanctions Lists Without Crypto Address Intelligence: name lists do not cover wallet attribution. Both are necessary.
- Not Documenting Alert Decisions: a decision without a documented basis cannot be defended to a partner or regulator later.
- Treating Every Alert as a Final Legal Conclusion: alerts are signals to review, not verdicts. Some are false positives; others require careful weighing.
- Ignoring Counterparty VASP Risk: sanctions exposure can arrive through partners, not only through end customers.
- Separating KYC, KYT, and Case Review: running these as isolated systems produces gaps where context is needed most.
The common factor across these mistakes is the same: treating sanctions screening as a series of disconnected one-off checks rather than as an integrated, ongoing workflow. The fix is rarely a new tool. It is usually rewiring how existing checks connect to each other and how their results land in front of an analyst with the context to act on them.
Where AMLBot Fits in Sanctions Screening Workflows
AMLBot supports the operational side of this workflow: wallet screening, transaction monitoring, KYT, risk scoring, API integration for embedding checks inside product flows, and case review with documented evidence. The role is to help compliance teams run a repeatable screening process rather than to substitute for legal counsel on questions of designation, applicability, or jurisdiction-specific obligations.
The value of any sanctions tooling is judged by what happens after an alert appears: whether the analyst has the context, the data, and the workflow to make a defensible decision in a reasonable amount of time. That, rather than the number of lists checked or the size of the database, is the relevant test. For a broader discussion of operational and regulatory sanctions risk — including how compliance leads think about programmatic responsibility, governance, and risk appetite — listen to our podcast on Sanctions Risk Management for Crypto Businesses.
Conclusion
Sanctions screening in crypto is a workflow that runs across customer identity, company and beneficial-owner checks, wallets, transactions, counterparties, alerts, and audit evidence — with continuous monitoring on top of all of it, because the underlying risk does not stay still. In reality, the goal of the workflow is modest and important: to make sanctions exposure visible, reviewable, and manageable. No tooling and no process eliminates sanctions risk outright — that promise is not a real one. What a good screening program does is ensure that when exposure appears, the business sees it, understands what kind it is, decides what to do based on policy and applicable obligations, and leaves behind a clear record of why the decision was made.
FAQ
How Can a Crypto Business Check if a Wallet Is Sanctioned?
A crypto business can screen a wallet against sanctioned addresses, sanctioned entities, blocked services, and related high-risk clusters using a dedicated wallet screening tool. A proper check should look not only for a direct match, but also for exposure through previous transactions, counterparties, bridges, mixers, or nested services. The result is a risk signal that feeds into a structured review, not a final legal verdict.
What Is Sanctions Screening in Crypto?
Sanctions screening in crypto is the process of checking customers, companies, beneficial owners, wallets, transactions, and counterparties for links to sanctions lists, blocked addresses, sanctioned services, or restricted jurisdictions. Unlike traditional name-based screening, crypto sanctions screening also requires wallet-level and transaction-level analysis, because exposure can arrive through assets and flows rather than through identity alone.
Do Crypto Businesses Need Wallet Screening if They Already Run KYC Checks?
Yes. KYC checks verify the customer or company but do not reveal where crypto funds come from or where they go. A customer can pass KYC cleanly while their wallet or transaction flow still creates sanctions exposure through prior interaction with sanctioned services, mixers, or blocked addresses. The two layers answer different questions and are both needed.
What Is the Difference Between Direct and Indirect Sanctions Exposure?
Direct sanctions exposure means a customer, company, wallet, service, or counterparty is itself listed or clearly attributed to a sanctioned entity. Indirect exposure means funds have interacted with sanctioned entities through intermediary wallets, bridges, nested services, or earlier transactions. Direct exposure usually triggers immediate escalation; indirect exposure requires a risk-based review that weighs hop distance, amount, timing, pattern, and entity type.
Can a Crypto Transaction Be Risky Even if the Wallet Is Not Directly Sanctioned?
Yes. A wallet may not appear on any sanctions list and still carry indirect exposure to sanctioned entities, blocked services, or high-risk counterparties through its transaction history. That is why effective screening evaluates fund flow, distance from the risk source, amount, timing, and entity attribution rather than relying solely on a static address-level match.
When Should Crypto Companies Run Sanctions Screening?
Sanctions screening should happen before onboarding, before or during deposits, withdrawals, and transfers, during ongoing monitoring of existing customers, and during trigger-based reviews when new wallets, counterparties, volume spikes, alerts, or sanctions designations appear. Risk does not stay static after onboarding, which is why point-in-time screening alone is insufficient.
What Should a Compliance Team Do When a Sanctions Alert Appears?
A sanctions alert should trigger a structured review rather than an automatic action. The team should determine whether the exposure is direct or indirect, evaluate match confidence and entity attribution, assess the source and destination of funds, review the customer profile and jurisdiction, document the decision, and escalate according to internal policy and applicable obligations. Outcomes range from continuing under updated monitoring to restricting, rejecting, freezing, or reporting, depending on the facts.
Can Sanctions Screening Be Automated With an API?
Yes. Crypto businesses can use an AML API to screen wallets, transactions, and counterparties inside onboarding, deposits, withdrawals, swaps, payments, and internal risk workflows. API integration helps teams apply sanctions checks consistently as part of the product flow, instead of relying on manual reviews that scale poorly and produce inconsistent records.
What Should a Sanctions Screening Tool for Crypto Businesses Include?
A sanctions screening tool should support wallet screening, transaction monitoring, direct and indirect exposure detection, entity attribution, risk scoring, alerts, case review, audit logs, and API integration. For B2B crypto businesses, counterparty VASP screening is also important because partner risk can introduce sanctions exposure that customer-level screening does not capture.
Does Sanctions Screening Software Guarantee Compliance?
No. Sanctions screening software is an operational tool that helps a compliance team detect, review, and document exposure consistently — it does not replace legal counsel on questions of designation, applicability, or jurisdiction-specific obligations, and no provider can guarantee absence of sanctions risk on behalf of a business. Compliance remains the responsibility of the business itself, supported by tooling and informed by qualified legal advice for specific decisions.