Sanctions Evasion Red Flags: 12 Patterns Compliance Teams Miss

Every major sanctions enforcement case in the past decade has involved evasion rather than direct violation. The pattern is consistent: a designated party, an Iranian or Russian or DPRK entity under sanctions, conducts business through intermediary structures specifically designed to be unrecognisable as the sanctioned party. The financial institutions in the chain screen the immediate counterparty, the screening passes, and the transaction processes — because the screening was looking for the designated party itself, not for the structural fingerprints of evasion.

OFAC, OFSI and FinCEN have published extensive evasion typology guidance because the regulators understand that name screening alone is structurally insufficient. The expectation is that mature sanctions programmes layer behavioural and structural detection on top of name matching — looking for the patterns that recur across cases regardless of which specific names appear.

The patterns below appear repeatedly in published OFAC, OFSI and FinCEN advisories on sanctions evasion typologies. None is conclusive on its own; the presence of multiple patterns in a single relationship or transaction is the signal that warrants escalation.

Counterparty company formed within the past 12–24 months in a jurisdiction known for company-formation services (BVI, Cayman, Hong Kong, Dubai, Belize) but with declared operational presence in a higher-risk jurisdiction. The pattern is the registration of a clean-looking entity specifically to act as an intermediary for the underlying sanctioned activity.

A shipment of goods routed through a port that has no commercial logic — significantly out of the natural geographic route, or through a port with known historic role in transhipment of sanctioned cargo. UAE ports, Turkish ports and select Black Sea ports recur in case data. The transhipment break is where the cargo origin documentation is changed.

Multiple ostensibly unrelated customers sharing a registered address — particularly a corporate-service-provider address in a small jurisdiction. The pattern is the use of nominee company structures from a single service provider to layer the sanctioned party's transactions across multiple legal entities.

Vessels involved in the underlying trade going AIS-dark (transponder switched off) during specific portions of their voyage — often in the vicinity of sanctioned ports. AIS data is publicly available and increasingly machine-readable; programmes screening trade finance counterparties should monitor vessel transponder behaviour as part of routine due diligence.

Payments routed through more banks than commercially necessary — particularly with intermediaries in jurisdictions with weaker sanctions enforcement, or with intermediary banks known to have correspondent relationships with sanctioned-jurisdiction institutions. The pattern is engineered complexity to obscure the originator and beneficiary path.

Bills of lading inconsistent with invoices, port-of-loading not matching the declared origin, weights and volumes not matching the underlying cargo type, unit prices significantly above or below market for the declared product. These inconsistencies are the operational fingerprints of falsified trade documentation.

Shipments of technical goods with both civilian and military applications (semiconductors, certain industrial equipment, specific materials) routed to or through risk jurisdictions. Export controls overlap with sanctions in this space, and a customer shipping dual-use goods through ambiguous trade chains warrants enhanced scrutiny regardless of whether any specific party is sanctioned.

A corporate customer's beneficial ownership structure changes materially in the months immediately preceding their account application — typically with previously named owners being replaced by jurisdictions or structures that produce cleaner screening results. The pattern is restructuring specifically to enable banking relationships that would otherwise fail due diligence.

Apparently unrelated corporate customers sharing directors, beneficial owners or signatories — particularly when those individuals appear on a high number of corporate registers across multiple jurisdictions. This is the nominee-director pattern that recurs in front-company structures.

Customer instructions to omit, alter or shorten payment message fields — typically the originator's name or the underlying purpose of the payment. The pattern is the deliberate stripping of identifying information from the payment chain to avoid downstream screening.

Large round-number payments (USD 5 million, USD 10 million) that do not align cleanly with any specific invoice or shipment — particularly between counterparties with thin trade history or in industries that do not produce round-number commercial settlements naturally.

Adverse media covering the customer that references — even indirectly — connections to sanctioned jurisdictions, designated individuals, or known evasion networks. The negative coverage is itself a signal the underlying due diligence missed. Open-web and licensed adverse media should both surface this category of content.

A defensible programme covering sanctions evasion has four operational layers:

• Name-match screening as the baseline. Every customer and counterparty screened against current sanctions lists; this catches direct violations but not structured evasion.
• Ownership and control analysis. UBO discovery on every corporate customer, with attention to nominee-director patterns, recent restructuring, jurisdictional risk in the ownership chain. Connects to the firm's UBO discovery methodology.
• Behavioural transaction monitoring. Patterns of transaction routing, counterparty geography, payment instructions and trade-documentation consistency monitored against typology rules and behavioural baselines. The transaction-monitoring component of evasion detection is as material as the customer-due-diligence component.
• Trade-finance specific monitoring where applicable. For firms with trade-finance exposure, vessel AIS monitoring, cargo manifest reconciliation, and dual-use goods controls layered on top of the standard programme.

Each layer is independently necessary; none alone is sufficient. Programmes that rely on a single layer (typically name screening) consistently produce the enforcement findings that drive the multi-hundred-million-dollar settlements.