Watchlists & Sanctions: Basics
Sanctions and watchlist screening is a critical compliance requirement for financial institutions, fintech companies, and businesses handling payments or extending credit. This guide explains how Baselayer performs watchlist checks, where to find results in the API response, and how to interpret them for your compliance workflows.
For a deeper understanding of sanctions compliance concepts, see the Watchlists, Sanctions & Compliance Screening guide.
What Are Watchlist Checks?
Watchlist checks compare business names and individual names against official government sanctions lists, law enforcement databases, and politically exposed persons (PEP) registries. These checks help organizations identify entities or individuals who may pose regulatory, financial, or reputational risks.
Common watchlists include:
- OFAC (Office of Foreign Assets Control): U.S. sanctions list for blocked entities
- PEP (Politically Exposed Persons): Individuals in prominent political positions (requires opt-in)
- FBI Wanted List: Individuals wanted for criminal activity
- CSL (Consolidated Screening List): Aggregated from multiple U.S. government sources for export control
- CNS (Consolidated Canadian Autonomous Sanctions List): Canadian sanctions
- IEO (IRS Exempt Organizations List): Tax-exempt organizations (requires TIN input)
Organizations are legally required to screen against these lists before onboarding customers, processing payments, or extending credit. A positive match typically requires enhanced due diligence or outright rejection.
How Watchlist Checks Work in Baselayer
Baselayer automatically performs watchlist screening as part of every Business Search. Most watchlist checks run by default, while a few require specific inputs or opt-in (detailed below).
What Gets Checked
When you submit a Business Search, Baselayer runs watchlist checks on:
- Business name submitted in the search
- Alternative business names submitted in the search via the
alternative_namesfield (if provided) - Officer names submitted in the search via the
officer_namesfield (if provided) - Business legal name found in the Baselayer business profile (from Secretary of State records)
- Alternative business names found in the Baselayer business profile (from Secretary of State records)
- All officers found in the Baselayer business profile (from SoS records or other sources)
This means even if you don't provide officer names or alternative business names in your search input, Baselayer will still check any names and officers it identifies in the business profile against all watchlists.
Automatic vs. Conditional Checks
Most watchlist checks run automatically with every Business Search:
- OFAC (Office of Foreign Assets Control) – Always runs
- CSL (Consolidated Screening List) – Always runs
- CNS (Consolidated Canadian Autonomous Sanctions List) – Always runs
- FBI (FBI Wanted List) – Always runs
Two watchlist checks require specific conditions:
- IEO (IRS Exempt Organizations) – Only runs when a
tinis provided in the search request - PEP (Politically Exposed Persons) – Only runs when
Order.Pepis included in search options (see below)
PEP Checks Require Opt-In
While most watchlist checks (OFAC, FBI, CSL, CNS) run automatically, PEP (Politically Exposed Persons) checks require you to opt in by including Order.Pep in the search options:
{
"name": "Acme Corporation",
"address": "123 Main St, New York, NY 10001",
"options": ["Order.Pep"]
}Without this option, PEP checks will not be performed.
Independent Watchlist Checks
If you need to run sanctions screening separately from a business search — for example, to check a person's name in isolation — Baselayer offers dedicated endpoints:
- POST /ofac/searches – Check names against OFAC sanctions lists
- POST /pep/searches – Check names against PEP databases
These independent checks are useful for:
- Individual KYC workflows
- Batch processing of names
- Re-screening existing customers
- Custom compliance workflows
Understanding the Response: Two Watchlist Locations
When Baselayer returns a Business Search response, watchlist results appear in two separate locations. Understanding this structure is essential for correctly identifying all potential matches.
1. Top-Level watchlist_hits (Search-Level)
watchlist_hits (Search-Level)The top-level watchlist_hits array contains matches for the data you submitted in your search request:
- Business name you provided
- Alternative names you provided via
alternative_names - Officer names you provided via
officer_names
Example location in the response:
{
"id": "search-id-123",
"name": "11420 CORP.",
"address": "5599 NW 23rd Ave, Boca Raton, FL 33496",
"tin": "270746046",
"watchlist_hits": [
{
"code": "OFAC",
"name": "Department of Treasury, Office of Foreign Assets Control",
"count": 2,
"details": [...]
}
],
"business": {...}
}2. Business-Level watchlist_hits (Profile-Level)
watchlist_hits (Profile-Level)The watchlist_hits array nested inside the business object contains matches for data found in Baselayer's business profile:
- The business's legal name from Secretary of State records
- Alternative names from Secretary of State records
- Officers identified in Secretary of State registrations and other sources
Example location in the response:
{
"business": {
"id": "business-id-456",
"name": "11420 CORP.",
"watchlist_hits": [
{
"code": "CSL",
"name": "Department of Commerce, Consolidated Screening List",
"count": 1,
"details": [...]
}
]
}
}Why Two Locations?
The two-location structure helps you distinguish between:
- What you submitted (search-level): useful for understanding if the applicant's provided information (business name, alternatives, officers) matches a watchlist
- What we found (business-level): useful for understanding if the verified business entity itself has sanctions exposure based on official records
In practice, you should check both locations for any positive matches. If either location shows a count > 0, that's a compliance flag.
Important: No Split Between Business Names and Officers
Within each watchlist_hits array, matches are not separated by type. Business names, alternative names, and officer names all appear together in the same list.
For example, if the business name matches OFAC and one of its officers matches OFAC, you'll see:
{
"code": "OFAC",
"count": 2,
"details": [
{"name": "11420 CORP.", ...},
{"name": "SARRIA DIAZ, Rafael Alfredo", ...}
]
}Visual Representation in the Console
In the Baselayer Console, watchlist results are displayed side-by-side:
- Left panel: "Your Search" – shows matches for the data you submitted
- Right panel: "Business Name" – shows matches for the Baselayer business profile
This mirrors the two-location structure in the API response.
Watchlist Types Explained
Baselayer checks against multiple official watchlists. Here's what each one represents:
OFAC (Office of Foreign Assets Control)
Code: OFAC
Full Name: Department of Treasury, Office of Foreign Assets Control
Purpose: U.S. sanctions list identifying individuals, entities, and vessels with whom U.S. persons are prohibited from doing business. This includes terrorists, drug traffickers, and sanctioned governments.
CSL (Consolidated Screening List)
Code: CSL
Full Name: Department of Commerce, Consolidated Screening List
Purpose: Aggregated list from multiple U.S. government agencies for export control enforcement. Includes entities restricted from receiving U.S. exports.
Sub-sources include:
- DDTC – Debarred List
- DoS – Non-Proliferation Sanctions
- DoC BIS – Denied Persons List, Unverified List, Entity List, MEU List
- DoT – OFAC
CNS (Consolidated Canadian Autonomous Sanctions List)
Code: CNS
Full Name: Consolidated Canadian Autonomous Sanctions List
Purpose: Canadian government sanctions list for individuals and entities subject to Canadian economic sanctions.
FBI (FBI Wanted List)
Code: FBI
Full Name: FBI Wanted List
Purpose: Individuals wanted by the FBI for crimes including terrorism, fraud, and violent offenses.
PEP (Politically Exposed Persons)
Code: PEP
Full Name: Politically Exposed Persons
Purpose: Individuals holding prominent public positions (government officials, judges, military leaders) or their close associates. PEPs present higher risk for bribery, corruption, and money laundering.
IEO (IRS Exempt Organizations)
Code: IEO
Full Name: IRS Exempt Organizations List
Purpose: Organizations granted tax-exempt status by the IRS (501(c)(3) nonprofits, charities, etc.).
The Similarity Threshold
Baselayer uses fuzzy name matching to identify potential watchlist matches. Because names can be spelled differently, abbreviated, or contain typos, exact string matching would miss many legitimate matches.
Default Threshold: 0.9 (90%)
For Business Search requests, Baselayer uses a default similarity threshold of 0.9 (90%). This means a name must be at least 90% similar to a watchlist entry to be flagged as a match.
Adjusting the Threshold for Independent Checks
When using the independent watchlist endpoints (POST /ofac/searches or POST /pep/searches), you can specify a custom similarity_threshold:
{
"name": "John Smith",
"similarity_threshold": 0.85
}Valid range: 0.0 to 1.0 (0% to 100% similarity)
Choosing the Right Threshold
The 0.9 default works well for most organizations, balancing false positives and false negatives. Consider adjusting based on your risk tolerance.
Recommendation: Start with the default 0.9 threshold. If you're seeing too many false positives (names that look similar but aren't actually matches), consider raising it. If you're in a highly regulated industry and want maximum coverage, consider lowering it slightly to 0.8 or 0.7 - but expect false positives to increase.
Reading Watchlist Results
Watchlist results are structured to make it easy to identify matches and understand their details.
Structure of a Watchlist Hit
Each entry in the watchlist_hits array follows this structure:
{
"code": "OFAC",
"name": "Department of Treasury, Office of Foreign Assets Control",
"count": 2,
"details": [
{
"source": "SDN",
"entity_number": "24430",
"type": "Entity",
"programs": "VENEZUELA",
"name": "11420 CORP.",
"title": null,
"addresses": [
"5599 NW 23rd Avenue, Boca Raton, FL, 33496, US"
],
"alt_names": [],
"source_list_url": "https://sanctionslist.ofac.treas.gov/Home/SdnList"
},
{
"source": "SDN",
"entity_number": "24427",
"type": "Individual",
"programs": "VENEZUELA",
"name": "SARRIA DIAZ, Rafael Alfredo",
"title": null,
"addresses": [...],
"alt_names": ["SARRIA-DIAZ, Rafael A", "SARRIA, Rafael"],
"source_list_url": "https://sanctionslist.ofac.treas.gov/Home/SdnList"
}
]
}Key Fields
code: The watchlist identifier (OFAC, PEP, CSL, etc.)name: Human-readable name of the watchlistcount: Number of matches found (0 means no matches)details: Array of individual matches, including names, addresses, and sanctions program information
Identifying Matches
Rule: Any watchlist entry where count > 0 indicates a positive match requiring review.
Even if only one name matches, this is a compliance flag that must be investigated.
Example: Real Watchlist Hit
Let's examine the test case from our sandbox environment:
Search Input:
- Name:
11420 CORP. - Address:
5599 NW 23rd Ave, Boca Raton, FL 33496 - TIN:
270746046
Watchlist Response:
{
"watchlist_hits": [
{
"code": "CSL",
"name": "Department of Commerce, Consolidated Screening List",
"count": 2,
"details": [
{
"name": "11420 CORP.",
"entity_number": "24430",
"type": "Entity",
"programs": "VENEZUELA",
"addresses": ["5599 NW 23rd Avenue, Boca Raton, FL, 33496, US"]
},
{
"name": "SARRIA DIAZ, Rafael Alfredo",
"type": "Individual",
"programs": "VENEZUELA",
"addresses": [...],
"alt_names": ["SARRIA-DIAZ, Rafael A"]
}
]
},
{
"code": "OFAC",
"name": "Department of Treasury, Office of Foreign Assets Control",
"count": 2,
"details": [...]
}
]
}Interpretation:
- The business
11420 CORP.matches both the CSL and OFAC lists - The count of
2for CSL indicates two distinct matches: the business itself and an associated officer (SARRIA DIAZ, Rafael Alfredo) - Both matches are tied to the
VENEZUELAsanctions program - This business should be rejected or flagged for enhanced due diligence
Technical Implementation
This section provides code examples for parsing and handling watchlist results in your application.
Example 1: Check for Any Watchlist Hits
def has_watchlist_hits(search_response):
"""
Check if there are any watchlist matches at either the search
or business level.
Returns: (bool, list of watchlist codes with hits)
"""
hits = []
# Check search-level watchlist hits
for watchlist in search_response.get('watchlist_hits', []):
if watchlist.get('count', 0) > 0:
hits.append(watchlist['code'])
# Check business-level watchlist hits
business = search_response.get('business', {})
for watchlist in business.get('watchlist_hits', []):
if watchlist.get('count', 0) > 0:
hits.append(watchlist['code'])
return len(hits) > 0, hits
# Usage
search_response = {} # Your Business Search response
has_hits, watchlist_codes = has_watchlist_hits(search_response)
if has_hits:
print(f"⚠️ Watchlist hits found: {', '.join(watchlist_codes)}")
# Trigger manual review or reject
else:
print("✅ No watchlist hits")Example 2: Independent Sanctions Check
import requests
def check_ofac(name, similarity_threshold=0.9):
"""
Perform an independent OFAC sanctions check.
"""
url = "https://api.baselayer.com/ofac/searches"
headers = {
"X-API-Key": "your-api-key",
"Content-Type": "application/json"
}
payload = {
"name": name,
"similarity_threshold": similarity_threshold
}
response = requests.post(url, json=payload, headers=headers)
response.raise_for_status()
data = response.json()
total_matches = data.get('total_matches', 0) # API returns 'total_matches'
return {
'has_hit': total_matches > 0,
'hit_count': total_matches,
'hits': data.get('matches', []) # API returns 'matches'
}
# Usage
result = check_ofac("John Doe", similarity_threshold=0.85)
if result['has_hit']:
print(f"⚠️ OFAC hit found: {result['hit_count']} hits")
for hit in result['hits']:
print(f" - {hit['name']} (Program: {hit.get('program')})")Best Practices
1. Always Check Both Locations
Don't just check the top-level watchlist_hits — also check the business.watchlist_hits array. A match in either location is a compliance flag.
2. Treat Any Count > 0 as a Flag
Even a single match (count = 1) requires investigation. Don't ignore low counts.
3. Review the Details
Don't stop at the count, examine the details array and share it with the case reviewers to understand:
- What matched (business legal name, alternative name, or officer name)
- Which sanctions program they're tied to
- Their addresses and alternative names
This context helps you determine if it's a true match or a false positive.
4. Consider Match Type
Matches marked as "type": "Individual" are people, while "type": "Entity" are businesses. This distinction matters for your review process.
5. Use PEP Checks for Higher-Risk Scenarios
If you're onboarding high-value customers or operating in regulated industries (banking, crypto, lending), always include Order.Pep in your search options to check for politically exposed persons.
6. Don't Rely Solely on Automated Screening
Watchlist screening is part of a broader compliance program. Combine it with:
- Manual review for all positive matches
- Enhanced due diligence for high-risk matches
- Ongoing monitoring (see Portfolio Monitoring)
7. Keep Records
Log all watchlist screening results, including timestamp, input data, and match details. Regulators may require proof of screening.
8. Handle False Positives Gracefully
Not every match is a true positive. Common false positives include:
- Common names (e.g., "John Smith")
- Similar business names in different industries
- Entities with the same name but different locations
Always investigate before rejecting.
Next Steps
- Learn the fundamentals: Read Watchlists, Sanctions & Compliance Screening for compliance concepts
- Explore Business Search: See the Business Search Guide for full API details
- Set up monitoring: Use Portfolio Monitoring to continuously screen your customer base
- Run independent checks: Review the API reference for POST /ofac/searches and POST /pep/searches
For questions or support, contact your Baselayer representative.
Updated about 1 month ago