If you’re importing from more than one country, you’re on the hook for sanctions compliance — whether you realize it or not. Enterprise tools like Dow Jones Risk Center and Refinitiv World-Check will happily quote you $20,000–$60,000 a year. For an SMB moving $500K–$50M in annual trade, that number is absurd. It’s also unnecessary. Here’s the practical version.
Every regulator in the West ultimately points at the same universe of underlying lists. If you screen against these five, you’ve covered ~98% of your exposure:
1. OFAC SDN (US Treasury) — the most aggressively enforced list on the planet. Touching a Specially Designated National, directly or through an intermediary, triggers US secondary sanctions. Updated multiple times per week.
2. EU Consolidated Financial Sanctions List (CFSP) — EU-wide list. Required for any transaction involving EU counterparties or EU-cleared currency.
3. UK OFSI / FCDO Sanctions — diverged from the EU after Brexit. If your bank is UK-domiciled or you transact in GBP, this list applies.
4. UN Security Council Consolidated List — the global floor. Almost everything here is also on OFAC and EU, but screening it closes a small residual gap.
5. PEP (Politically Exposed Persons) — not technically a sanctions list, but a corruption/AML risk signal. A supplier controlled by a sitting minister of a high-risk country is a red flag before any designation is made.
You don’t need a full compliance department. You need a repeatable six-step flow:
1. Pull the name of every supplier, freight forwarder, customs broker, and end-buyer you invoice or pay. Include parent companies if you know them. For bigger suppliers, pull their known aliases and historical names.
2. Screen that full list against all five sources on onboarding. Hits over 85% confidence pause the relationship until cleared. Hits at 90%+ require documented human sign-off before any payment releases.
3. Re-screen weekly. Lists move faster than you think — OFAC shipped 140+ designation updates in Q1 2026 alone.
4. Keep an audit trail. Every screen, every hit, every decision, stamped with the date the lists were last refreshed. If regulators come knocking, that audit log is your defense.
5. Flag stale data. If the OFAC list was last refreshed more than 48 hours ago, don’t broadcast a clean-screen result — refresh first. Stale compliance is no compliance.
6. Don’t just match the name. Match aliases, transliterations (Cyrillic, Arabic, Chinese), and known corporate structures. A Russian oligarch’s holding company is rarely on the list under the name you’ll find in your ERP.
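The six steps above as a minimal screening routine. This is an added example, not code from the original article: the list entries and supplier names are constructed, `difflib`'s similarity ratio stands in for match confidence, and cross-script matching relies on aliases already present in the list data rather than on transliteration.

```python
import unicodedata
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher

MAX_LIST_AGE = timedelta(hours=48)    # step 5: anything older is stale
PAUSE_ABOVE, SIGNOFF_AT = 0.85, 0.90  # step 2 thresholds

def normalize(name):
    """Fold case, strip accents and punctuation so spelling variants compare."""
    text = unicodedata.normalize("NFKD", name).casefold()
    kept = (c if c.isalnum() else " " for c in text if not unicodedata.combining(c))
    return " ".join("".join(kept).split())

def best_match(candidates, lists):
    """Best score of any supplier name/alias against any listed name/alias (step 6)."""
    best = (0.0, None, None)
    for source, lst in lists.items():
        for entry in lst["entries"]:
            for listed in [entry["name"], *entry.get("aliases", [])]:
                for cand in candidates:
                    score = SequenceMatcher(None, normalize(cand), normalize(listed)).ratio()
                    if score > best[0]:
                        best = (score, entry["name"], source)
    return best

def screen(supplier, aliases, lists, now):
    """Screen one counterparty and return its audit record (step 4)."""
    record = {"supplier": supplier, "screened_at": now.isoformat(),
              "lists_refreshed": {n: l["refreshed"].isoformat() for n, l in lists.items()}}
    stale = sorted(n for n, l in lists.items() if now - l["refreshed"] > MAX_LIST_AGE)
    if stale:  # never report a clean screen from stale data
        return {**record, "decision": "REFRESH_REQUIRED", "stale_lists": stale}
    score, hit, source = best_match([supplier, *aliases], lists)
    if score >= SIGNOFF_AT:
        decision = "HOLD_PAYMENT_SIGNOFF_REQUIRED"
    elif score > PAUSE_ABOVE:
        decision = "PAUSE_UNTIL_CLEARED"
    else:
        decision, hit, source = "CLEAR", None, None
    return {**record, "decision": decision, "score": round(score, 3),
            "matched": hit, "list": source}

# Constructed sample data: fictional names, not taken from any real list.
NOW = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTS = {
    "OFAC_SDN": {"refreshed": NOW - timedelta(hours=6), "entries": [
        {"name": "Examplov Holding Ltd", "aliases": ["Экземплов Холдинг"]}]},
    "EU_CFSP": {"refreshed": NOW - timedelta(hours=20), "entries": []},
}
```

Append each returned record to a write-once log; the `lists_refreshed` field is what lets you show later which version of each list a decision was based on.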
The $20K tools bolt on everything: adverse media, state-owned enterprise mapping, beneficial ownership graphs, seven other lists you don’t need. Most of that value is for banks and F500 compliance departments. For an SMB importer moving through a handful of jurisdictions, a clean daily refresh of the five lists above, with decent fuzzy matching and an auditable log, gets you 95% of the protection at 1–2% of the cost.
Name-based screening cannot catch front companies, shell structures designed to evade sanctions, or brand-new entities set up this month and not yet designated. No tool at any price can. What it can do is cover the known universe and document your diligence. That’s the bar for SMB compliance, and it’s the bar a small team can actually meet.