Vendor Sanctions Screening Questionnaire Template

Your vendor just triggered a sanctions alert. Now what?

Without a structured sanctions screening questionnaire, you're scrambling through emails, chasing down ownership charts, and hoping your vendor's compliance team understands what "beneficial ownership" actually means. The result: 3-week assessment cycles, inconsistent responses, and regulatory exposure that keeps you up at night.

A properly designed vendor sanctions screening questionnaire transforms this chaos into a repeatable process. It captures the exact evidence regulators expect: screening frequency, list coverage, match resolution procedures, and ownership structures down to the 25% threshold. More importantly, it translates vague vendor assertions ("we screen regularly") into verifiable control points ("daily automated screening against OFAC SDN, UN Consolidated, and EU Asset Freeze lists with 85% fuzzy match threshold").

Financial services firms processing 500+ vendor assessments annually report most reduction in follow-up questions when using standardized sanctions questionnaires. Healthcare organizations cite faster onboarding for international suppliers. Technology companies eliminate redundant requests across business units.

Core Questionnaire Architecture

Your sanctions screening questionnaire needs five non-negotiable sections:

1. Entity Identification & Ownership Structure

Start with precision. Generic company information wastes cycles.

Required data points:

• Legal entity name (including all DBAs)
• Registration jurisdiction and number
• Primary business address (not mailing address)
• Beneficial ownership chart showing all 25%+ stakeholders
• Ultimate parent company identification
• Politically Exposed Persons (PEP) disclosure for all directors/officers

Evidence requirements:

• Certificate of incorporation
• Ownership structure diagram
• Board resolution or equivalent for ownership changes in past 24 months

2. Screening Program Components

Move beyond "yes/no" checkboxes. Capture implementation details.

Technical screening capabilities:

Question	Evidence Required	Risk Indicator
Sanctions lists screened	Screenshot of configured lists	Missing critical jurisdictions
Screening frequency	System configuration proof	Less than daily = high risk
Fuzzy matching threshold	Algorithm settings documentation	Below 80% = gaps likely
False positive rate	12-month metrics	Above 40% = poor tuning
Manual review process	SOP with escalation matrix	No documented process = critical

Geographic exposure assessment:

• Countries of operation (with revenue percentages)
• Customer geographic distribution
• Supply chain touchpoints in high-risk jurisdictions

3. Control Testing & Remediation

Procedures mean nothing without proof of execution.

Operational evidence collection:

• Sample screening results from past 90 days
• False positive resolution documentation
• True match escalation examples
• Management reporting samples
• Training records for screening personnel

Remediation protocols:

• Maximum hours to resolve potential matches
• C-suite notification thresholds
• Customer/transaction blocking procedures
• Regulatory reporting timelines

4. Third-Party Dependencies

Your vendor's vendors matter. Capture the full chain.

Subcontractor screening requirements:

• Critical supplier sanctions screening confirmation
• Fourth-party risk assessment scope
• Contractual flow-down provisions
• Right-to-audit clauses

5. Regulatory Compliance History

Past behavior predicts future risk.

Compliance track record:

• Sanctions violations in past 5 years
• Regulatory examinations/findings
• Remediation actions completed
• Current monitoring agreements

Industry-Specific Applications

Financial Services

Banks and asset managers face enhanced requirements under Section 311 of the USA PATRIOT Act. Your questionnaire must capture:

• Correspondent banking relationships
• Shell bank prohibitions
• Enhanced due diligence for foreign financial institutions
• SWIFT RMA (Relationship Management Application) controls

Add sections for:

• Transaction monitoring integration with sanctions screening
• Trade finance screening procedures
• Securities lending counterparty verification

Healthcare

Medical device manufacturers and pharmaceutical companies navigate both sanctions and export control regimes. Augment standard questions with:

• FDA debarment list screening
• Clinical trial site verification in sanctioned countries
• Humanitarian exemption procedures
• Medical device re-export controls

Technology

Software and cloud providers face unique challenges with global accessibility. Include:

• IP address blocking for sanctioned countries
• Source code access restrictions
• Encryption export compliance
• Data residency controls

Framework Alignment

Your sanctions questionnaire directly supports multiple compliance frameworks:

SOC 2 Type II

• CC3.2: Board oversight of risk (sanctions exposure)
• CC4.1: COSO principle alignment (control environment)
• CC7.1: System boundary definition (third-party touchpoints)

ISO 27001:2022

• A.15.1.2: Addressing security within supplier agreements
• A.15.2.1: Monitoring and review of supplier services
• A.15.2.2: Managing changes to supplier services

GDPR Article 28

• Processor due diligence requirements
• Cross-border transfer restrictions to sanctioned countries
• Right to audit processor compliance

Implementation Best Practices

1. Risk-Based Questionnaire Depth

Don't torture low-risk vendors with 200 questions.

Critical vendors (payment processors, core infrastructure):

• Full 150-question assessment
• Quarterly attestation updates
• Annual on-site validation

High-risk vendors (offshore development, emerging market suppliers):

• 75-question focused assessment
• Semi-annual updates
• Remote validation acceptable

Medium/Low risk vendors:

• 25-question baseline
• Annual updates
• Self-attestation with spot checks

2. Evidence Validation Protocol

Trust but verify. Build validation into your workflow:

1. Automated checks: Run vendor-provided registration numbers through government databases
2. Document authentication: Require apostille for foreign certificates
3. Cross-reference testing: Compare screening lists against published sources
4. Timestamp verification: Ensure screenshots show current dates

3. Continuous Monitoring Integration

Static questionnaires become stale within months. Build refresh triggers:

• Ownership change notifications (10% threshold)
• New geographic expansion alerts
• Regulatory action monitoring
• M&A activity tracking

Common Implementation Failures

1. Accepting Generic Policies

"We comply with all applicable sanctions" tells you nothing. Demand specific procedures, thresholds, and evidence. If they can't show you their screening interface, they probably don't have one.

2. Ignoring Beneficial Ownership Layers

The a significant number of rule means you need visibility through shell companies. One vendor's "clean" screening meant nothing when their 51% owner was a sanctioned oligarch through three holding companies. Require full ownership trees.

3. Overlooking Sectoral Sanctions

Comprehensive SDN screening isn't enough. Sectoral Sanctions Identifications (SSI) create debt and equity restrictions that standard screening misses. Include specific questions about Russian energy sector exposure, Venezuelan debt, and Chinese military company investments.

4. Static Point-in-Time Assessment

Sanctions change daily. That clean vendor from January could be radioactive by March. Build mandatory update triggers for material changes and geopolitical events.

5. Weak Geographic Risk Scoring

"Global company" responses hide critical exposure. Require revenue breakdowns by country and specific identification of any business touching Iran, North Korea, Syria, Cuba, or the Crimea region.

Frequently Asked Questions

How often should vendors complete sanctions screening questionnaires?

Critical vendors require quarterly updates, high-risk vendors semi-annually, and standard vendors annually. Any material change (ownership, geographic expansion, regulatory action) triggers immediate reassessment regardless of schedule.

What's the minimum acceptable fuzzy matching threshold for sanctions screening?

85% for individual names, 80% for entity names. Lower thresholds generate excessive false positives while higher thresholds miss transliteration variations and intentional obfuscation.

Can we accept vendor self-attestations without evidence?

Only for low-risk vendors in low-risk industries. Critical and high-risk vendors must provide system screenshots, sample outputs, and third-party audit reports. Self-attestation without evidence fails regulatory scrutiny.

How do we handle vendors who claim "proprietary" screening methods?

Require disclosure of lists screened, frequency, and match resolution processes at minimum. If they won't share methodology, mandate SOC 2 Type II or equivalent third-party validation of their sanctions controls.

Should our questionnaire cover both primary sanctions and secondary sanctions?

Yes. Primary sanctions affect US persons directly, but secondary sanctions can impact your non-US operations. Include questions about Iran petroleum, Russian defense sector, and Chinese military-industrial complex exposure.

What evidence proves beneficial ownership for privately held companies?

Accept cap tables, operating agreements, shareholder registers, or statutory declarations from company secretary. For complex structures, require legal opinion letters confirming ownership percentages.

How do we score vendors who outsource their sanctions screening?

Treat them as higher risk initially. Require evidence of contractual SLAs, right-to-audit provisions, and subprocessor breach notification terms. The vendor remains liable for their service provider's failures.