OSINT, open-source intelligence, means using publicly available information to work out what a sanctions alert actually is: a real match, a false positive, or a case for escalation. In sanctions work, that information sits in company registries, ownership records, news archives, court files, shipping data, and the company's own website. The screening tool finds the possible match. Open-source research supports the resolution phase by looking for contradicting risk signals.

The sanctions alert starts in the screening tool. The investigation starts in the browser. A screening engine can tell you that a name on an order looks like a name on a list. It cannot tell you whether the company in front of you is that party, controlled by it, or simply sharing a common name with it.

An obvious false positive clears in two minutes. A genuinely ambiguous hit can take a full day, sometimes longer. The work that decides which one you are holding is the investigation, and the investigation is the part most screening programs have never standardised.

What does OSINT mean in sanctions compliance?

OSINT means building a picture of a business partner from information anyone can reach. No private databases, no inside contacts. Registries, court records, news, corporate filings, and the open web.

In sanctions compliance, OSINT has one job: turn a possible match into a decision you can defend. A screening system compares the names and details on your transaction against the names and details on the sanctions lists. When something looks close enough, it raises an alert.

For teams still running checks manually, the starting point is not a paid platform. It is knowing how to use official lists properly. That baseline is covered in how to screen business partners for free.

But an alert is a question, not an answer.

It tells you a name resembles a listed name. It does not tell you whether the two are the same entity, whether one owns the other, or whether the resemblance is a coincidence. Answering that is open-source work, and it is done by a person.

How does an analyst actually resolve a hit by hand?

Resolving a hit by hand follows a rough sequence, and most analysts run some version of it.

You start with the identifiers. A name on its own is weak evidence, because many real companies share names and many sanctioned entities trade under several. So you compare what you have against what the list holds: the registration number, the address, the country, the date of incorporation or birth, any known aliases. A clean match on a registration number is strong. A match on name and nothing else is not.

Then you go to the sources. You open the corporate registry in the company's home country to confirm it exists and to read its filings. You check ownership records to see who controls it.

You search news archives in more than one language for anything that ties the company to a sanctioned party or a sanctioned activity. Where the trade matters, you look at shipping records, court filings, procurement notices, and the company's own website and press releases. You save what you find as you go.

The same logic applies after onboarding. A clean check only proves the position at that moment, which is why re-screening cadence matters. We cover that separately in how often companies should re-screen business partners.

None of this is exotic. It is patient, repetitive reading, and it is where the hours go.
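The identifier comparison at the start of that sequence, written out as an added example (not code from any screening product). The field names, the grade labels and the list entry are assumptions made for illustration, and the grade describes the strength of the evidence, not the decision.

```python
import re
import unicodedata

# Legal-form tokens ignored when comparing names (illustrative, not exhaustive).
LEGAL_FORMS = {"ltd", "limited", "llc", "inc", "gmbh", "ag", "sa", "bv", "co"}
FIELDS = ("reg_no", "country", "incorporated")   # compared in this fixed order

def norm_name(name):
    """Casefold, strip diacritics and punctuation, drop legal forms (Latin script only)."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    return " ".join(t for t in re.findall(r"[a-z0-9]+", text) if t not in LEGAL_FORMS)

def norm_id(value):
    """Keep only letters and digits so 'HRB 12345' equals 'hrb-12345'."""
    return re.sub(r"[^a-z0-9]", "", value.casefold())

def compare(partner, listed):
    """Return (per-identifier results, evidence grade) for one alert."""
    listed_names = {norm_name(n) for n in [listed["name"], *listed.get("aliases", [])]}
    res = {"name": "match" if norm_name(partner["name"]) in listed_names else "differ"}
    for field in FIELDS:
        a, b = partner.get(field), listed.get(field)
        if not a or not b:
            res[field] = "missing"          # can neither confirm nor contradict
        else:
            res[field] = "match" if norm_id(a) == norm_id(b) else "differ"
    others = [res[f] for f in FIELDS]
    if res["reg_no"] == "match":
        grade = "strong"                    # clean registration-number match
    elif res["name"] == "differ":
        grade = "none"
    elif "differ" in others:
        grade = "conflicting"               # name matches, a hard identifier does not
    elif "match" in others:
        grade = "partial"
    else:
        grade = "weak"                      # name and nothing else
    return res, grade

# Constructed list entry for illustration; not a real listed party.
LISTED = {"name": "Bluefern Trading LLC", "aliases": ["Bluefern Handel"],
          "reg_no": "HRB 12345", "country": "DE", "incorporated": "2011-03-04"}
```
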

Checking the address

A sanctions list does not tell you what is at the address. The open web does, and analysts use it.

Pull the registered address into a map and look. Street view shows whether the site is a working commercial building, a flat, a PO box, or a patch of land that does not match a company generating millions in revenue. None of that is proof on its own. All of it is signal, and signal tells you where to dig.

Geography is part of the read. A business sitting against the border of a sanctioned country, or in a known transhipment hub, is not disqualifying, but it raises the question of where the goods actually end up.

The address can also catch what the lists miss. In one case, an entity came back with no sanctions match on its current name. On the map, the business listing still carried a previous name, and that name was a sanctioned party. The company had rebranded but never cleaned up its own footprint. The screening tool saw a clean name. The open web still held the old one.

That is the whole case for open-source work in one example. A list check confirms a name against a register. It cannot see a company that changed its name faster than the web caught up.

Beneficial ownership: tracing the chain

Ownership is where open-source work pays off most, because a business partner owned or controlled by a sanctioned party is caught even when its own name is clean. The line that triggers that is the OFAC 50% rule, and for EU teams control can count below the threshold.

The trace has an order, and most of it is public.

Start at the national company register: Companies House in the UK, the Handelsregister in Germany, the equivalent in the home country. The filing gives you the direct shareholders, the directors, and usually the parent. For a simple structure, that one step answers the question.

Follow the parent up the chain. It sits in another country, so you open that register, then the one above it. Beneficial-ownership registers, annual accounts, and group-structure filings fill the gaps, and corporate-data aggregators stitch the layers into one view so you are not opening ten registers by hand.

AI now does the slow part. A model translates a foreign register entry, pulls the shareholders out of a forty-page scanned filing, and computes the ownership percentages up the chain in seconds. It can also surface ownership the registers miss, reading it out of news articles, court filings, and company documents that state who owns or controls the entity. The analyst confirms what the register can confirm, judges the rest on the source, and records both.

A great way to prompt AI is to ask the model for the verdict so that it searches exhaustively. Something like:

[Company] has sanctioned ownership. Find the sources that show it. Cite only reputable, named sources with a working link and a date (company registers, court filings, regulators, or established news outlets). If you cannot find one, reply "no source found".

Two things to hold onto when you read what it returns. A reputable, dated, linkable source still has to be opened and checked, because the model can point at a real page about a different company with the same name. And "no source found" is not a clearance. It means nothing public surfaced, which is where the analyst keeps digging rather than closing the file.
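The ownership trace above, as an added example (not code from the page or from any vendor). It assumes the 50% rule is applied as a cascade, where an entity caught by the rule is itself treated as blocked when assessing what it owns, and it uses a constructed structure with hypothetical entity names.

```python
def ownership_exposure(holdings, listed, threshold=50.0):
    """holdings maps entity -> {owner: percent held}, as read from register filings.
    Returns (blocked, review): entities whose listed or already-blocked owners hold
    threshold percent or more in aggregate, and entities with a smaller non-zero share."""
    tainted = set(listed)
    blocked = {}
    changed = True
    while changed:                  # fixed point: a caught parent taints its subsidiaries
        changed = False
        for entity, owners in holdings.items():
            if entity in tainted:
                continue
            share = sum(pct for owner, pct in owners.items() if owner in tainted)
            if share >= threshold:
                # A caught owner's stake counts in full; it is not multiplied down the chain.
                tainted.add(entity)
                blocked[entity] = share
                changed = True
    review = {}
    for entity, owners in holdings.items():
        if entity not in tainted:
            share = sum(pct for owner, pct in owners.items() if owner in tainted)
            if share > 0:
                review[entity] = share   # below threshold: control still has to be judged
    return blocked, review

# Constructed structure, not real companies. LISTED_X stands for a listed party.
HOLDINGS = {
    "B": {"A": 40, "LISTED_X": 10, "Q": 50},   # 40 via A plus 10 direct
    "A": {"LISTED_X": 50, "P": 50},
    "C": {"LISTED_X": 25, "Q": 75},
    "D": {"C": 100},                           # parent C is not caught, so D is not either
}
```

B is listed before A on purpose: it is only caught on the second pass, once A has been caught, which is why the loop repeats until nothing changes.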

Adverse media: where the signal gets buried in noise

Adverse media means searching open sources for negative information about a business partner: links to sanctioned parties, criminal conduct, fraud, evasion.

The problem is not finding results. It is the noise. A common company name returns thousands of articles that have nothing to do with the entity in front of you. A sanctioned network operating under a bland, generic name returns almost nothing. The cases that look easy waste time, and the cases that matter hide.

How far an analyst searches is a choice, and analysts make it differently. One stops at the first page of English-language results. Another searches the local-language spelling, the transliteration, the former name, the parent company, and the names of the directors.

And the open web does not rank sources by reliability. Anyone can publish anything, so an unverified claim from an unknown site is worse than no result at all. It pulls the investigation toward a conclusion that will not survive review.

Two analysts, the same hit, different searches, different findings. The difference is not skill. It is method, and method is the thing nobody wrote down.

What an analyst has to capture to defend the decision

Clearing a hit is only half the task. The other half is being able to show, later, why it was cleared.

An auditor examining a closed alert looks for the same record every time: the search terms used, the sources checked, and the dates they were accessed. Then the identifiers compared, the evidence saved, the reasoning, the decision, and who signed off. A decision without that record is, for audit purposes, a decision that did not happen.

Most teams capture this by hand. The analyst writes a note, saves screenshots into a folder, and pastes a summary into the case. It works, until the customs audit arrives and someone has to reconstruct, from a folder of images, what a colleague was thinking eight months ago.

That is why the case note matters. It is not administrative cleanup after the decision. It is the evidence that the decision was made properly, which is exactly what auditors look for in a sanctions compliance program.

The documentation is not paperwork around the investigation. It is the investigation, made visible.

Why does the same hit get investigated differently across a team?

Give the same alert to three analysts and you will often get three investigations.

They will not search to the same depth, as the adverse-media problem already showed. They will not weigh the lists the same way: one works through the EU list first and treats the rest as secondary, another starts with a different regime entirely. And they will not read geography the same way. An analyst whose domestic news frames a particular country as ordinary will not flag a link to it the way a colleague trained on a different frame would.

On top of that, the screening engine almost never hands over a clean answer. A perfect, hundred-percent name match is rare, and most hits are partial matches on name or address. So interpretation is required every time, and interpretation varies with the person doing it.

The result is not three different opinions about a clear case. It is three different cases, built from the same alert, ending in notes an auditor would struggle to tell came from the same team.

What does it take to standardise sanctions OSINT?

Standardising OSINT does not mean telling everyone to search harder. It means fixing the parts of the method that currently change from one analyst to the next.

The same minimum set of sources for every hit. The same identifiers, compared in the same order. The same evidence, captured the same way. The same reasoning structure, and the same short list of decisions an analyst is allowed to reach.

Done properly, that turns five investigations into one repeatable one. It is also, more or less, what an auditor is testing for: not whether your analysts are clever, but whether your program does the same defensible thing every time.

Here is the catch. A document that describes all of this is not a control that enforces it. An SOP sits in a folder.

The investigation happens under time pressure, on a Tuesday, by whoever is on shift. When the queue is short, everyone follows the standard. When the queue is long and one hit is eating two days, the standard bends to whatever time the analyst has left. The more alerts a program handles, the wider that gap opens.

Standardisation that depends on each analyst choosing to follow it is not standardisation. It is a hope with a filename.
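One way to turn the audit record described earlier and the standard described here into a control rather than a document: a gate that refuses to close a case until the record is complete. This is an added example, not the page's or any product's code; the minimum source set, the decision labels, the field names and the evidence digest are assumptions.

```python
import hashlib
from datetime import date

# Assumed policy values for illustration; a real program sets its own.
MIN_SOURCES = {"company_register", "ownership_records", "news_archive"}
DECISIONS = {"true_match", "false_positive", "escalate"}

def seal(content: bytes) -> str:
    """Digest stored at capture time so saved evidence can be re-verified later."""
    return hashlib.sha256(content).hexdigest()

def closure_gaps(case):
    """Return the reasons a case may not be closed; an empty list means closable."""
    gaps = []
    if not case.get("search_terms"):
        gaps.append("search terms missing")
    sources = case.get("sources", [])
    missing = MIN_SOURCES - {s.get("type") for s in sources}
    if missing:
        gaps.append("sources not checked: " + ", ".join(sorted(missing)))
    gaps += [f"access date missing: {s.get('type')}"
             for s in sources if not isinstance(s.get("accessed"), date)]
    if not case.get("identifiers_compared"):
        gaps.append("identifiers compared missing")
    evidence = case.get("evidence", [])
    if not evidence:
        gaps.append("evidence missing")
    gaps += [f"evidence altered or unsealed: {e.get('name')}"
             for e in evidence if seal(e.get("content", b"")) != e.get("sha256")]
    if not case.get("reasoning", "").strip():
        gaps.append("reasoning missing")
    if case.get("decision") not in DECISIONS:
        gaps.append("decision not in allowed list")
    if not case.get("signed_off_by"):
        gaps.append("sign-off missing")
    return gaps

# Constructed sample case, not real data.
SHOT = b"constructed screenshot bytes"
SAMPLE = {
    "search_terms": ["Bluefern Trading", "Bluefern Handel"],
    "sources": [{"type": t, "accessed": date(2024, 5, 14)} for t in sorted(MIN_SOURCES)],
    "identifiers_compared": {"reg_no": "differ", "country": "differ"},
    "evidence": [{"name": "register.png", "content": SHOT, "sha256": seal(SHOT)}],
    "reasoning": "Registration number and country differ from the listed entity.",
    "decision": "false_positive",
    "signed_off_by": "reviewer-1",
}
```
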

The investigation does not go away

Two things are true at once. The open-source investigation behind an alert has to happen, because the screening tool cannot do it. And in most programs that investigation is manual, captured inconsistently, and different every time it runs.

The number that holds both is the time from a seen match to a documented decision. Take a week with a hundred alerts. Ninety are obvious noise, cleared in two minutes each: three hours. The other ten need a real check at, say, thirty minutes each: five more hours. A long day, but a predictable one.

Then one of those ten turns out to be a company trading under a name that was struck from the register two years ago. That single hit takes two days. The five-hour estimate was right until it was not. What should worry a compliance lead is not the average. It is that you cannot tell, in advance, which alert is the two-minute one and which is the two-day one.

This is the broader post-alert workflow: a match appears, an analyst investigates it, and the organisation has to prove later why the decision was reasonable. That is what happens after a sanctions alert.

Every program already runs on this. The screening tool raises the alert. A person opens the browser and works out what it is. That open-source work is not the weak point. The weak point is that it runs a different way every time with no record of the method.

OSINT is not the weakness in sanctions resolution. Un-standardised OSINT is.