TL;DR: UK compliance teams now face 50+ fragmented sanctions lists requiring real-time monitoring. Without orchestration and proper match testing, alert volumes double overnight. This article walks through the technical problem, how match tuning reduces false positives by 50-70%, and how no-code orchestration keeps your team above water.
Your compliance team screened 200 alerts yesterday. 140 were false positives. Today, you are adding 15 more sanctions lists to monitor in real-time. Without changing your approach, that is 350 alerts tomorrow, 245 of them pointless. This is not sustainable, and regulators will not accept "we are drowning in data" as an excuse for missing actual matches.
I am Stuart Watkins, CEO of Zenoo. We build compliance orchestration infrastructure, and we see this exact scenario playing out at firms across the UK right now. Let me walk you through what is actually happening, why it is happening, and what you can do about it without tripling your headcount.
The 50+ source problem is not theoretical
OFAC's SDN list grew by 3,135 entries in 2024 alone, a 25% increase year on year. That is one list. UK compliance teams must align HMT lists with OFAC, EU, and UN databases, plus sector-specific watchlists, PEP databases, adverse media feeds, and now blockchain analytics sources. The total easily exceeds 50 discrete data sources requiring real-time integration.
Post-Brexit list divergence makes this worse. HMT and EU consolidated lists are no longer in sync. A designation that appears on the EU list on Monday might not hit the UK list until Wednesday. Or it might never appear at all. Your screening infrastructure needs to handle both, plus the jurisdictional logic to know which applies to which transaction.
Then there is the transliteration problem. Arabic, Cyrillic, and Chinese names transliterate differently depending on the source. "Muhammad" has at least 15 common Latin-script variants. When you are screening across 50+ lists, each with its own transliteration conventions, the false positive rate compounds dramatically.
A Head of Compliance at a UK payments firm told us recently: "We went from manageable to unmanageable in about three months. Every new list we added did not just add new names. It multiplied the noise from every existing name."
Daily screening is already obsolete
Here is the technical reality that most screening architectures were not built for: daily batch checks are no longer sufficient. Iranian entities are using P2P crypto and DEX platforms for real-time evasion. By the time your nightly batch runs, the exposure window has been open for hours.
VASPs achieving 97% KYC success rates are combining wallet-aware screening with FATF Travel Rule adherence and enhanced due diligence for illicit address histories. They are not doing this with batch jobs. They are doing it with event-driven architectures that trigger screening on every relevant state change.
The economics are stark. Crypto firms reduce KYC onboarding costs by up to 90% through digital verification. But non-compliance risks daily fines up to £25,000. And that is before you consider the £4 billion settlement precedent that demonstrates just how seriously regulators take enforcement.
Match testing is the highest-leverage fix most teams skip
Before you rearchitect anything, there is a step that most compliance engineering teams skip entirely: properly testing your match settings.
Fuzzy matching, alias expansion, transliteration handling, phonetic matching. These all have configurable thresholds. Most teams deploy with vendor defaults and never revisit them. The result is a false positive rate that makes the entire screening pipeline operationally useless.
Proper testing of match settings (aliases, fuzzy logic thresholds, transliteration rules) can reduce false positives by 50-70%. That is not a marginal improvement. On a base of 200 alerts per day, a 70% reduction takes you from 140 false positives to 42. At 350 alerts, it is the difference between 245 wasted reviews and 73.
Here is how we think about match testing as a structured engineering problem:
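```typescript
interface MatchConfig {
  fuzzyThreshold: number; // 0.0 to 1.0, where 1.0 is exact
  aliasExpansion: boolean;
  transliterationMode: 'strict' | 'phonetic' | 'hybrid';
  phoneticAlgorithm: 'soundex' | 'metaphone' | 'doublemetaphone';
  scriptNormalisation: boolean; // normalise Arabic/Cyrillic to Latin
}

interface TestCase {
  inputName: string;
  expectedMatches: string[]; // known true positives from your list
  expectedNonMatches: string[]; // known false positives you want eliminated
  listSource: 'OFAC' | 'HMT' | 'EU' | 'UN' | string;
}

interface TestResult {
  config: MatchConfig;
  truePositiveRate: number;
  falsePositiveRate: number;
  missedMatches: string[]; // these are the dangerous ones
  alertVolume: number; // projected daily alerts at this config
}

// Assumption: your screening engine is wrapped in a function that
// reports whether inputName alerts against a list entry under a config.
type Matcher = (inputName: string, listEntry: string, config: MatchConfig) => boolean;

function evaluateMatchConfig(
  config: MatchConfig,
  testSuite: TestCase[],
  listsUnderTest: string[],
  isMatch: Matcher
): TestResult {
  const missedMatches: string[] = [];
  let truePositives = 0, falsePositives = 0, expectedTotal = 0, nonMatchTotal = 0;
  // Run each test case against each list under test with the given config
  for (const tc of testSuite.filter(t => listsUnderTest.includes(t.listSource))) {
    // Compare actual matches against expected matches and non-matches
    for (const entry of tc.expectedMatches) {
      expectedTotal++;
      if (isMatch(tc.inputName, entry, config)) truePositives++;
      else missedMatches.push(`${tc.listSource}: ${tc.inputName} -> ${entry}`);
    }
    for (const entry of tc.expectedNonMatches) {
      nonMatchTotal++;
      if (isMatch(tc.inputName, entry, config)) falsePositives++;
    }
  }
  // The key: you want to MINIMISE falsePositiveRate
  // while keeping missedMatches at ZERO
  return {
    config,
    truePositiveRate: expectedTotal ? truePositives / expectedTotal : 0,
    falsePositiveRate: nonMatchTotal ? falsePositives / nonMatchTotal : 0,
    missedMatches,
    alertVolume: truePositives + falsePositives, // corpus total; divide by days covered for a daily figure
  };
}
```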
The critical insight: you are not optimising for a single threshold. You are optimising per list source, per script, per name origin. An OFAC fuzzy threshold of 0.75 might be perfect for Latin-script names but catastrophic for transliterated Arabic names. Your test suite needs to reflect this.
Build a test corpus from your own historical alerts. Tag every alert from the past 90 days as true positive or false positive. Then run your match config permutations against that corpus. The 50-70% false positive reduction comes from finding the config that eliminates noise without introducing missed matches.
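To make the per-script point concrete, here is an added example (not Zenoo's code or any vendor's matcher) that sweeps candidate thresholds per script group over a small tagged corpus and keeps the highest one with zero missed matches. The `similarity` function is a plain normalised Levenshtein score standing in for whatever fuzzy engine you run, and every name, label and threshold is constructed for illustration.

```typescript
// Added example; every name, label and threshold below is constructed.
type Script = 'latin' | 'arabic-translit';
interface Labelled { query: string; listed: string; script: Script; truePositive: boolean }
interface Tuned { threshold: number; falsePositives: number }

// Stand-in for the vendor's fuzzy score: normalised Levenshtein, 1.0 = exact.
function similarity(a: string, b: string): number {
  const s = a.toLowerCase(), t = b.toLowerCase();
  let prev: number[] = Array.from({ length: t.length + 1 }, (_, j) => j);
  for (let i = 1; i <= s.length; i++) {
    const cur: number[] = [i];
    for (let j = 1; j <= t.length; j++) {
      const subst = prev[j - 1] + (s[i - 1] === t[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return 1 - prev[t.length] / Math.max(s.length, t.length, 1);
}

// Tagged true positives that would NOT alert at this threshold.
function missedAt(corpus: Labelled[], script: Script, threshold: number): number {
  return corpus.filter(r => r.script === script && r.truePositive
    && similarity(r.query, r.listed) < threshold).length;
}

// Highest candidate with zero missed matches, plus the false positives left there.
function tuneThreshold(corpus: Labelled[], script: Script, candidates: number[]): Tuned | null {
  let best: Tuned | null = null;
  for (const threshold of [...candidates].sort((x, y) => x - y)) {
    if (missedAt(corpus, script, threshold) > 0) break; // higher values miss too
    const falsePositives = corpus.filter(r => r.script === script && !r.truePositive
      && similarity(r.query, r.listed) >= threshold).length;
    best = { threshold, falsePositives };
  }
  return best;
}

const corpus: Labelled[] = [
  { query: 'John Smith', listed: 'Jon Smith', script: 'latin', truePositive: true },
  { query: 'John Smith', listed: 'Joan Smyth', script: 'latin', truePositive: false },
  { query: 'Maria Lopez', listed: 'Mario Lopes', script: 'latin', truePositive: false },
  { query: 'Mohammed Al Rashid', listed: 'Muhammad Al-Rashid', script: 'arabic-translit', truePositive: true },
  { query: 'Mohamed Rashed', listed: 'Muhammad Rashid', script: 'arabic-translit', truePositive: true },
  { query: 'Ahmad Rashad', listed: 'Hamad Rashid', script: 'arabic-translit', truePositive: false },
  { query: 'Omar Hassan', listed: 'Amir Hussein', script: 'arabic-translit', truePositive: false },
];
const candidates = [0.55, 0.6, 0.65, 0.7, 0.75, 0.8, 0.85];
console.log(tuneThreshold(corpus, 'latin', candidates), tuneThreshold(corpus, 'arabic-translit', candidates));
```

On this corpus the Latin group tolerates 0.85 with no false positives left, while the transliterated group cannot go above 0.70 without dropping a true match, and one false positive survives there that a threshold alone cannot remove.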
Orchestration over integration
Once your match settings are tuned, the architectural question is: how do you screen against 50+ sources without building 50+ point-to-point integrations?
The answer is orchestration. A single workflow layer that centralises risk scoring and audit trails across jurisdictional variances without breaking existing transaction flows.
This is where no-code workflow automation becomes genuinely valuable. Not as a marketing buzzword, but as an engineering decision. Every bespoke integration you build is a maintenance liability. Every list-specific adapter you hand-roll needs updating when the list format changes (and they change constantly).
The orchestration layer handles:
- Parallel screening across multiple list sources in a single workflow step
- Jurisdictional routing so UK transactions screen against HMT whilst US-facing transactions hit OFAC
- Consolidated risk scoring that weighs matches across sources rather than treating each as independent
- Audit trail generation that regulators can actually follow during an examination
- UBO mapping using AI-driven document verification and shell company detection to identify beneficial ownership patterns in sanctions evasion schemes
The UBO mapping challenge is particularly acute. Enhanced KYB integration requires tracing ownership through layers of corporate structure, often across jurisdictions with different disclosure requirements. Without orchestration, this becomes a manual research task that can take days per entity.
What actually changes when you get this right
We have seen teams go from 200 alerts per day (70% false positives) to the same coverage with 50-70% fewer false alerts. The maths is straightforward: fewer false positives means more analyst time on genuine matches, which means better regulatory outcomes and lower risk of the kind of enforcement action that generates £4 billion settlement precedents.
The 90% cost reduction in crypto KYC onboarding is not magic. It is the compound effect of digital verification, automated screening, and proper match tuning replacing manual processes that were designed for a world with five sanctions lists, not fifty.
"We used to treat every new sanctions list as a project," a compliance engineering lead at a UK VASP told us. "Now it is a configuration change. The difference in team capacity is night and day."
Where to start
If you are building compliance flows and facing this exact problem, here is the pragmatic order of operations:
- Audit your current match settings. Most teams cannot tell you what fuzzy threshold they are running. Find out.
- Build a test corpus from historical alerts. Tag true positives and false positives. This is your ground truth.
- Run config permutations. Find the settings that cut false positives by 50-70% without introducing missed matches.
- Evaluate orchestration. If you are maintaining more than three list-specific integrations, the maintenance cost already justifies a workflow layer.
- Automate continuous screening. Batch processing is not sufficient for real-time evasion patterns. Move to event-driven screening.
If you are building compliance infrastructure and want to see how orchestration works with your own data, check out zenoo.com. We built Zenoo specifically for this problem: centralising KYC, KYB, and AML screening with built-in testing frameworks for match accuracy, so your team spends time on genuine risk instead of chasing noise.
Stuart Watkins is CEO of Zenoo, where we build compliance orchestration infrastructure for firms that would rather catch real matches than drown in false positives.