A Guide to Sanctions Compliance in SWIFT and SEPA Payments

In instant payment environments, transactions settle within 10 seconds, leaving very little room for compliance checks. How fast must a sanctions screening system operate to keep up?

That is not a hypothetical situation. This reflects the operating reality for all payment processors in SWIFT corridors and SEPA rails. Sanctions regimes have expanded faster than compliance infrastructure has kept pace. OFAC issued approximately $262 million in penalties in 2025 alone. The United Kingdom’s Financial Conduct Authority (FCA) imposed a fine of £29 million on Starling Bank due to its screening against a small part of the existing sanctions list required, while the customer base increased 80 times. In November 2024, the European Banking Authority (EBA) issued guidelines on sanctions compliance, providing a framework rather than a single unified standard. The Anti Money Laundering Authority (AMLA) commenced its operations in Frankfurt in July 2025.

Payment processors operate at the center of this complexity. This blog describes what each rail requires and where most compliance initiatives fail without detection.

Swift Messaging: What is Required to Screen Actually

SWIFT links more than 11,000 institutions in 200+ countries, and it transmits approximately 44 million messages daily. Sanctions are not imposed by SWIFT itself. That is the burden of all the institutions of the payment chain.

In the case of cross-border transfer, the most important requirement is the screening of all the parties mentioned in the entire message chain. In legacy (MT103 payments), that translates to Field 50 (ordering customer), Field 59 (beneficiary), as well as Fields 56 to 57 (intermediary institutions). The key and most overlooked requirement in the case of MT202 COV cover payments is the Sequence B, underlying customer details, which has to be screened without referring to the interbank Sequence A.

SWIFT introduced ISO 20022 migration with a coexistence period, where MT and ISO 20022 messages continue to operate in parallel. All payments across borders are now required to be made using the ISO 20022 equivalents: pacs.008 in case of customer credit transfer and pacs.009 in case of financial institution transfer. This is important in the screening of sanctions since ISO 20022 breaks down the name of the originator, address, and country into structured machine-readable fields as opposed to free-text strings. A system is also much more likely to get the screening process correct when it is comparing discrete data as opposed to a system of unstructured narrative.

FATF is encouraging broader adoption of the Travel Rule, with timelines varying by jurisdiction, particularly for Virtual Asset Service Providers, although early movers are already conforming to the standard. Only 47 of 194 countries currently comply with existing Travel Rule requirements, a gap that creates correspondent banking exposure for processors routing through non-compliant jurisdictions.

SEPA Payments: The Architecture Has Changed

The EU Instant Payments Regulation (regulation (EU) 2024/886) entered into force on April 8, 2024. For Eurozone payment service providers (PSPs), the Article 5d screening requirement became effective on January 9, 2025.

The change is architectural, not incremental. Article 5d prohibits PSPs from conducting transaction-level EU-targeted financial sanctions screening during the execution of an instant credit transfer. Instead, PSPs must screen their full customer base against EU restricted party lists at least once per calendar day and immediately upon any update to those lists.

This is a shift from per-transaction to customer-level screening, and it closes the compliance window without extending the payment window. The EPC’s SCT Inst rulebook breaks the 10-second execution window into sub-intervals: five seconds for the originator PSP, seven seconds at the CSM level, and nine seconds maximum end-to-end. There is no room for a blocking check mid-flow.

The critical limitation compliance teams often miss: the IPR prohibition applies only to EU-targeted financial sanctions. OFAC SDN list obligations, UK OFSI sanctions, national restrictions, and trade sanctions still require transaction-level screening where applicable. A processor handling both EU and US regulatory exposure cannot rely on daily batch screening alone. The architecture must handle both models simultaneously.

Penalties under the IPR are severe. Legal persons face fines of at least 10% of their total annual net turnover. Under EU Directive 2024/1226, which criminalised intentional sanctions violations, minimum and maximum penalties stand at 5% of global turnover or €40 million, with consequences extending to criminal liability.

The Transfer of Funds Regulation (EU) 2023/1113 became applicable from December 30, 2024, requiring complete originator and beneficiary information for all fund transfers and extending those requirements to crypto-asset service providers.

OFAC Compliance: Strict Liability Across Every Payment Rail

The United States Office of Foreign Assets Control (OFAC) operates on strict liability. There is no intent requirement. Civil penalties under OFAC can reach statutory maximums per violation, depending on the program and transaction value. In 2024, it included 3,135 new entries to the SDN list, with 1,706 of them being located in Russia.

The SDN list is not enough. Processors also have to screen towards the Consolidated Sanctions List and implement the 50% Rule: any party that is owned 50 percent or more by a blocked person is blocked, regardless of being listed or unlisted.

OFAC published specific guidance for instant payment systems in September 2022. Its core principle: faster settlement does not reduce sanctions obligations. For FedNow, now live with over 1,000 participating institutions, OFAC’s guidance positions pre-transaction screening and the “accept-without-posting” feature as the practical compliance mechanism. The FedNow architecture allows institutions to accept a payment for settlement while pausing posting for manual review, without violating settlement finality.

Real-Time Screening: Where Compliance Programs Break Down

The false positive reduction is the industry’s most underreported operational risk. Industry estimates suggest 5–10% of transactions may trigger alerts, most of which are false positives, creating high operational costs.

This is where screening architecture matters more than screening coverage. Batch screening models collapse under instant payment volumes. Legacy systems built for ACH or SWIFT batch cycles cannot meet sub-200ms response requirements without degrading match quality. The solution is a combination of pre-screening at onboarding, daily customer-level rescreening against updated lists, event-driven rescreening on list changes, and a name-matching engine that handles phonetic variants, transliteration across scripts, and alias chains without generating noise.

For correspondent banking specifically, screening must also extend to nested relationships. According to FinCEN reports, US correspondent accounts have been exposed to substantial shadow banking activity, including activity linked to sanctioned jurisdictions. SWIFT gpi processes $300+ billion daily, and its end-to-end transaction traceability does not substitute for sanctions screening but creates the audit trail that enforcement actions examine first.

What Payment Processors Need to Get Right

When SWIFT, SEPA, and FedNow are perceived as individual issues, compliance teams create incomplete programs that operate poorly when a transaction is sent over multiple rails. The regulatory trends, such as the December 2025 guideline on sanctions proposed by EBA, AMLA’s direct supervision of 40 high-risk entities starting from January 2028, and the Single Rulebook is expected to be introduced around July 2027, and AMLA is planning direct supervision of 40 high-risk entities starting in early 2028.”

The screening program that survives regulatory examination in 2025 and beyond covers 215+ sanctions regimes with sub-15-minute list refresh cycles, applies phonetic and transliteration matching to reduce false positives without degrading detection rates, separates customer-level daily screening from event-driven and transaction-level checks based on payment rail, and maintains a complete audit trail for every match decision.

That is the standard. The approach payment processors take to reach it determines whether compliance becomes a cost or a control.

How AML Watcher Assists Payment Processors to Comply with Evolving Sanctions Expectations

Payment processors struggle to align real-time payment speed with evolving sanctions expectations across multiple jurisdictions.

AML Watcher supports this shift with screening capabilities designed for instant payment environments, enabling accurate detection while reducing operational burden.