Your field teams have just registered a new logistics supplier in Goma. The purchase order is moving forward for signature. At this stage, no one has checked whether the supplier appears on a sanctions list maintained by the European Union, the US OFAC or the United Nations Security Council. Six months later, during the annual audit by an institutional donor, the auditor asks for proof that you screened every third party — partners, suppliers, sensitive beneficiaries — against the official lists. You have no tool, no audit trail and no formal procedure. The verdict lands: "non-compliant".
This scenario, far from being theoretical, is becoming a frequent trigger for cost disallowance, partial funding suspension or even loss of donor accreditation. Sanctions screening is no longer optional for NGOs: it is a prerequisite demanded by most institutional donors (European Union, AFD, USAID, FCDO, Global Affairs Canada, World Bank) and by the French anti-money-laundering framework. In this article, we detail the applicable framework, the lists to integrate, a concrete operational process, and how Abvius industrialises screening while preserving the agility of humanitarian teams on the ground.
NGO sanctions screening: mastering compliance without slowing down humanitarian action
Reading time: ~14 min
Table of contents
- Why screening has become a major compliance issue
- Regulatory framework: international sanctions and humanitarian exemptions
- Which sanctions lists to integrate into your system
- Building an operational screening process
- Manual screening, Excel or integrated tool: a comparison
- How Abvius industrialises third-party screening
- Best practices: 5 steps to deploy a robust framework
- Mini FAQ
1. Why screening has become a major compliance issue
Since 2014, and even more so since 2022, the international sanctions landscape has expanded considerably: Russia, Belarus, Iran, Syria, the Democratic People's Republic of Korea, Yemen, Sudan, as well as thematic regimes (terrorism, proliferation, cybersecurity, human rights). Each month, the European Union, the US Treasury (OFAC) and the UN Security Council add, modify or remove hundreds of names. An NGO operating in more than ten countries, with hundreds of local suppliers and dozens of implementing partners, is mechanically exposed to the risk of a prohibited transaction.
For donors, third-party screening is not an administrative formality: it is a condition for releasing funds. Standard grant contract clauses now require beneficiary organisations to maintain a documented system for screening their partners, suppliers, service providers and — depending on the operating context — beneficiaries. Failing this, related expenses may be declared ineligible and the donor can trigger a recovery clause. The stakes go beyond a simple contractual obligation: they affect the reputation and the very sustainability of the organisation.
Who should be screened?
The scope depends on contractual requirements and the country risk level, but generally includes:
- implementing partners (sub-grantees, consortium members);
- suppliers and service providers (above a financial threshold typically defined in internal policy);
- beneficiaries when the project requires it (cash transfers, distributions to an identifiable adult population, programmes in conflict zones);
- key individuals at partner organisations (legal representatives, signatories, ultimate beneficial owners);
- exposed staff and consultants (programme managers, procurement officers, bank signatories).
The term NGO screening refers to this cross-cutting discipline: organising, documenting and tracking the checks performed to demonstrate to donors that your financial flows do not benefit any sanctioned entity, directly or indirectly.
2. Regulatory framework: international sanctions and humanitarian exemptions
French and European NGOs navigate a multi-layered framework that has recently been clarified to better reconcile collective security with the humanitarian imperative.
International and European level
The United Nations Security Council adopts targeted sanctions (asset freezes, travel bans, embargoes) that the European Union transposes into directly applicable regulations. Security Council Resolution 2664 (2022), followed by Council Regulation (EU) 2024/1485, introduced a cross-cutting humanitarian exemption: funds and economic resources may be made available by certain categories of humanitarian actors — UN agencies, the ICRC and partner organisations — for the delivery of humanitarian assistance in countries under sanctions regimes, subject to strict traceability and accountability conditions.
French level
The French Monetary and Financial Code (Articles L. 562-1 et seq.) requires every French legal entity to immediately freeze the assets of persons and entities designated by the EU Council or by the Directorate General of the Treasury. NGOs are subject to this obligation in the same way as banking institutions. In February 2023, the Conseil d'Etat overturned the government guidelines that had imposed systematic screening of final beneficiaries of humanitarian aid. The practical consequence: beneficiary screening remains possible — and is sometimes required by certain donors — but it is not a general legal obligation in France.
Donor level
Beyond the legal framework, each donor defines its own contractual requirements:
- USAID applies Partner Vetting and requires screening against the SDN, PLC and Reuters World-Check lists, depending on the country context.
- ECHO and the European Commission require screening against the EU consolidated list, with a humanitarian exception formalised by notification.
- AFD and the French Ministry of Europe and Foreign Affairs require a documented anti-money-laundering and counter-terrorism financing policy that includes the screening of implementing partners.
- The FCDO (United Kingdom), Global Affairs Canada, Germany's GIZ and Swiss cooperation have similar requirements, sometimes strengthened in certain countries.
Any organisation applying for institutional funding must therefore have a formal internal procedure, a tool or register and an audit trail. Our article on AML-CTF compliance complements this framework by addressing anti-money-laundering and counter-terrorism financing from a broader perspective.
3. Which sanctions lists to integrate into your system
The choice of lists depends on funding donors, countries of operation and activity sensitivity. Here are the main sources to consider in a robust screening framework.
| List | Issuer | Scope | Update frequency |
|---|---|---|---|
| EU consolidated list | European External Action Service | All persons and entities sanctioned by the EU | Daily |
| National asset-freeze register | Directorate General of the Treasury (France) | French measures and EU transpositions | Regular (in line with EU updates) |
| SDN List (OFAC) | US Treasury | Specially Designated Nationals — applies as soon as a US dollar transits | Several times a week |
| UN consolidated list | Security Council | Thematic and geographic UN sanctions | Regular |
| UK Sanctions List | OFSI (HM Treasury) | UK sanctions (post-Brexit) | Regular |
| World Bank Debarred List | World Bank | Companies excluded from contracts financed by the World Bank Group | Continuous |
| PEP lists | Private databases (Dow Jones, Refinitiv, Acuris) | Politically exposed persons | Continuous |
For NGOs receiving US funding, the SDN List and the PLC (Foreign Sanctions Evaders) list are mandatory, and they apply to any US-dollar-denominated transaction, even outside US territory. For organisations relying mainly on European and French funding, the EU consolidated list and the French Treasury register form the minimum baseline.
Multi-list coverage: an operational challenge
Manually consolidating these lists — often published in XML, JSON or PDF — is a major source of errors. Formats vary, names can be transliterated differently (for example, an Arabic name written in six Latin variants), dates of birth are frequently missing and multiple aliases complicate matching. A modern screening solution must handle these variations with approximate-matching algorithms (fuzzy matching, Levenshtein distance, soundex) while limiting the false-positive noise that would otherwise overwhelm compliance teams.
4. Building an operational screening process
A solid screening framework rests on four pillars: a reliable third-party master data set, clear triggers, an appropriate matching engine and a complete audit trail.
A centralised third-party master data set
Before you can screen, you need to know who to screen. Third-party data — legal name, trade name, aliases, registration number, country, address, legal representative, ultimate beneficial owner — must be centralised and kept up to date. Without a single source of truth, screening is partial: only third parties known to headquarters are checked, not those recorded by field missions in a local Excel file. This fragmentation is the Achilles heel of many NGOs and the first issue raised by donor auditors.
Screening triggers
Screening must run at key, automatable moments:
- when a third party is created (supplier, partner, sub-grantee);
- before signing a significant contract or purchase order;
- before any disbursement above a threshold set by your internal policy;
- at the annual renewal of contractual relationships;
- on every major update of the sanctions lists (deferred rescreening across the entire existing master data set).
Matching engine and hit management
Every exact or approximate match triggers a "hit" to be analysed. The vast majority of hits are false positives (namesakes, common names, different transcriptions). A formal disposition process must be documented: who reviews the hit, based on which elements (date of birth, address, identifiers), with which decision (false positive, true positive, request for additional information), and with which evidence preserved. The maturity of a framework is often measured by the quality of this disposition process, more than by the number of hits generated.
Audit trail and retention
Every screening run, every hit and every decision must be dated, time-stamped and tracked in an immutable manner. The audit trail directly feeds donor audits and annual internal controls. Without this traceability, your framework has no evidentiary value. To dig deeper, see our dedicated article on the digital audit trail.
5. Manual screening, Excel or integrated tool: a comparison
Many NGOs start their screening framework with an Excel file and searches on the official authority websites. This is an acceptable starting point for small structures, but it quickly becomes unmanageable beyond a few dozen third parties or several countries of operation.
| Criterion | Manual search | Excel + downloaded lists | Integrated tool (e.g. Abvius) |
|---|---|---|---|
| Multi-list coverage | Limited to one or two lists | Possible but maintenance-heavy | All relevant lists, continuously |
| Data freshness | At the time of the search | Depends on manual downloads | Automatic updates |
| Approximate matching | No, exact search only | Difficult (VLOOKUP is limited) | Fuzzy matching, transliteration, aliases |
| Audit trail | Screenshots, fragile | Manual tabs, unreliable | Automatic, immutable time-stamping |
| Hit management | Unstructured | Comment cells | Formal disposition workflow |
| Payment integration | None | None | Automatic blocking of at-risk payments |
| Scalability | ~10 third parties | Up to ~200 third parties | Several thousand third parties |
| Hidden cost | High HR time, operational risk | HR time plus corrupted-file risk | Predictable licence cost, controlled risk |
Our article Excel and NGO financial management: the 5 major risks details the structural limits of Excel for this kind of critical, audit-subject process.
6. How Abvius industrialises third-party screening
Screening only works sustainably when it is built into the heart of financial management, procurement and programme processes. That is the approach we have chosen at Abvius. Our Finance, Operations and MEAL ERP platform embeds screening as a cross-cutting service, not as an isolated module disconnected from teams' day-to-day work.
A single headquarters-to-field third-party master
Each supplier, partner or sub-grantee is recorded only once in Abvius, with its legal and operational information. The headquarters-to-field centralisation ensures that a supplier registered in Goma is immediately visible in Paris, and that screening is performed before any expenditure commitment, without depending on manual information reporting.
Real-time screening at every trigger
As soon as a third party is created, Abvius queries the sanctions lists activated in your configuration (EU, UN, French Treasury, OFAC, OFSI, World Bank, etc.). The engine applies approximate-matching algorithms to limit false negatives while reducing noise. A hit triggers a disposition workflow that engages the compliance officer, the finance director or headquarters, with a defined target turnaround time.
Payment blocking and validation workflows
A third party with an "unresolved hit" status is automatically blocked in the platform: no purchase order, no payment and no electronic signature can be triggered until the status is confirmed. This integration with real-time budget monitoring prevents workarounds and ensures that screening is not a formality disconnected from financial management.
Audit trail and automatic donor reporting
Every screening run, every decision and every humanitarian exemption is time-stamped and preserved in an immutable manner. The audit trail can be exported in one click in the format requested by donors. Automatic donor reporting includes, where relevant, the screening certificate for the third parties concerned by the funds committed to the grant in question.
To discover the full set of features, visit abvius.org.
7. Best practices: 5 steps to deploy a robust framework
Step 1 — Formalise the screening policy
Write an internal policy (2 to 5 pages) specifying the scope of third parties to screen, the lists used, the thresholds, the responsibilities, the hit-handling deadlines, the evidence retention method and the management of humanitarian exemptions. This policy is usually the first document requested in a donor audit, and its absence is often a deal-breaker.
Step 2 — Clean and consolidate the third-party master
Before deploying any tool, clean up: duplicates, inactive suppliers, missing data (country, registration number, identity of the legal representative). A clean master data set is the condition for useful screening. Many NGOs underestimate the required effort; plan several weeks of work for a medium-sized organisation.
Step 3 — Choose a tool suited to your maturity
Beyond 50 active third parties or a contractual threshold imposed by a donor, a dedicated tool becomes essential. Choose a solution able to manage several lists simultaneously, approximate matching, decision history and payment integration. Assess its ability to absorb your future volumes, not only your current ones.
Step 4 — Train field and headquarters teams
Screening is everyone's business: procurement, finance, programmes, HR. Raise field teams' awareness of completing third-party records rigorously (exact legal name, aliases, date of birth for sensitive individuals), and train approvers on hit handling. Annual continuous training, embedded in the internal capacity-building plan, anchors best practices for the long term.
Step 5 — Test, measure, improve
Once the framework is in place, measure the hit rate, the average disposition time and the false-positive rate. Carry out an annual blind test: a fictitious supplier with a name close to a sanctioned entity should trigger an alert. Document the test for your internal and donor audits. This continuous-improvement approach distinguishes a merely compliant organisation from a mature one.
8. Mini FAQ
Is beneficiary screening mandatory in France?
No, since the Conseil d'Etat overturned in February 2023 the guidelines that imposed this generalised screening. However, some donors (USAID in particular, or certain UN agencies for specific programmes) may require it contractually. In that case, you must document the exact scope, the agreed terms and how beneficiaries are informed.
What should we do if a hit is confirmed on a partner during a project?
Immediately freeze any disbursement, alert your compliance focal point and the donor concerned, document the timeline, and request the benefit of the humanitarian exemption provided for by UN Security Council Resolution 2664 where applicable. A declaration to the Directorate General of the Treasury may be required depending on the nature of the third party and the funds involved.
How often should existing third parties be rescreened?
Good practice is to rescreen the entire master data set automatically on every list update (ideally daily) and to perform an annual manual review of contractual relationships. Integrated tools such as Abvius provide this continuous monitoring with no manual intervention.
How can we manage false positives without overloading teams day-to-day?
Three complementary levers: enrich third-party data at the point of entry (date of birth, tax identifier, precise address), calibrate the approximate-matching threshold according to the country context, and document false-positive decisions to avoid reprocessing the same case on each list update. A mature tool memorises decisions and offers an audited "whitelisted" status, distinct from an "unchecked" status.
Summary
Screening partners, suppliers and beneficiaries (depending on the context) has become a pillar of donor compliance for NGOs. Beyond complying with international sanctions, it protects your reputation, secures your funding and demonstrates the maturity of your internal control framework. Implemented with a reliable third-party master data set, an appropriate matching engine and a complete audit trail, screening becomes an operational asset rather than an administrative burden. To go further, explore our articles on AML-CTF compliance, partner due diligence and segregation of duties. To discuss your screening framework and its place within a unified ERP, contact our teams via abvius.org.