When sitting firmly in the post-trade environment, it is not immediately clear why firms such as clearinghouses and custodians should be concerned with managing sanctions risk (see sidebar “What are sanctions?”). Surely that would be handled by banks, brokers, and other parties earlier in the trade life cycle. In fact, that’s not the case. Recent regulatory enforcement actions make it clear that securities services firms with exposure to sanctioned countries carry a high level of responsibility. And the cost of noncompliance is high: In the European Union, regulators have levied fines of €480 million since 2017 (compared with approximately €57 million in the United States), including about €90 million in 2024 alone.1
As of March 2025, there were 82,000 persons (individuals and entities) designated for sanctions globally, a nearly fivefold increase from 2017. In the United Kingdom and European Union, the number of designations doubled between 2020 and 2023. Given those numbers, how well equipped are the world’s leading securities services firms to meet their obligations?
The 2025 edition of the International Securities Services Association (ISSA) Sanctions Benchmark Survey, conducted in collaboration with McKinsey, paints a mixed picture (see sidebar “Our survey methodology”). Providers’ awareness of sanctions risk is reported to be high. But still, they face multiple challenges, such as excessive sanctions complexity, significant manual processes, and weak data capabilities.
With these dynamics in mind, and amid focused regulatory scrutiny, leading securities services’ CEOs and chief risk officers are transitioning away from passive, counterparty-reliant sanctions risk management to more proactive and tech-driven ways of working. In this article, we highlight some of their key focus areas, including a growing role for AI, and discuss potential strategies for moving forward.
Firms struggle with evolving demands, and investment varies
Growing geopolitical volatility, market interconnectedness, and an increased focus on regulation compliance mean securities services companies are under rising pressure to ensure their oversight capabilities are fit for purpose. Table stakes are that they must closely screen customers, partners, suppliers, and transactions against sanctions lists, as well as maintain processes and internal controls to prevent and detect circumvention efforts. But the reality, our survey shows, is that firms struggle to manage these basic obligations effectively.
In aggregate, our survey reveals a mixed picture on sanctions risk management. On one hand, firms say they face a number of challenges, including navigating conflicting regimes and standards, getting hold of high-quality data, and putting in place automated solutions (Exhibit 1). In parallel, many executives acknowledge underlying internal weaknesses. For example, expertise is often too concentrated, and resource allocation is not always optimal, with the survey revealing a highly uneven allocation picture across the industry. On the other hand, all surveyed institutions say they regularly evaluate their sanctions compliance budgets, resources, and capabilities, aiming to stay aligned with shifting regulatory demands, technological advancements, and geopolitical dynamics.
Balancing efficiency and compliance in screening
Most surveyed firms conduct daily screening of their direct counterparties and clients against sanctions lists. Leading institutions favor delta-based screening. This means they only monitor changes in data, such as new customers, updated information, and new transactions. Through a more selective approach, they hope to both screen more effectively and boost operational efficiency.
In addition, firms take a range of approaches to screening against list entries that are new or updated within a specified date range. While most consistently screen static data points—such as the names of direct clients, contractual counterparties, ISINs, and control persons—only a few screen prospectuses and entities further down the securities chain. Approaches are influenced by several factors, including data availability, regulatory interpretations, and overall maturity and level of investment over recent years.
Scarce availability of specific metrics to propel decisions
KPIs and key risk indicators help managers across the first and second lines of defense proactively allocate resources, mitigate compliance and operational risks, and enhance the customer experience, the survey shows. However, collecting detailed data remains a significant challenge, with many firms falling short of tracking and internally reporting operational metrics at a granular level. For example, it is relatively uncommon to track and report investigation-handling times segmented by product or alerts segmented by location.
Nascent sophisticated analytics and gen AI adoption
To get a firmer grip on sanctions risk, some institutions are making more concerted use of analytics and AI, applying new tools to both investigations and controls. However, there are considerable differences among firms about the nature, timing, and frequency of activities. While most leverage technology to implement basic anticircumvention controls, only a few adopt more advanced measures, such as circumvention-specific monitoring via network analytics.2
Similarly, more advanced analytical techniques—such as dynamic case assignment, focused on real-time case routing and solving for alert deduplication—remain relatively uncommon (Exhibit 2). That said, the survey reveals a growing interest in the use of gen AI, including agentic AI, though many institutions are still at an early stage of adoption.
The way forward: Six steps toward sanctions-risk-management excellence
The 2025 ISSA Sanctions Benchmark Survey underscores the criticality of sanctions risk management in an increasingly demanding regulatory landscape. It shows that institutions are often turning to analytical tools and techniques to enhance their compliance frameworks. But despite recent progress, industry approaches still lag behind other compliance activities. To address the challenge, leading firms are taking six key steps:
- deploying sophisticated anticircumvention controls to identify circumvention patterns effectively
- implementing AI to improve the efficiency and effectiveness of screening activities
- leveraging gen AI, including agentic AI, to automate manual tasks and improve employee and customer experiences while ensuring adequate safeguards (Exhibit 3)
- enhancing data collection and data availability while adhering to data privacy regulations for better sanctions screening and investigations
- streamlining operations, including working to reduce false positives and improve tracking of KPIs
- ensuring adequate resourcing and optimizing the operating model for sanctions compliance
Through concerted action across these areas, and a strategic focus on new opportunities, security services institutions can elevate their capabilities and significantly reduce the chances of sanctions violations. Moreover, with the support of AI and automation, they can boost process efficiency and the quality and consistency of outputs, creating an extra moat of protection across the organization.
This article is based on findings from the 2025 International Securities Services Association Sanctions Benchmark Survey conducted in collaboration with McKinsey as a knowledge partner.
International Securities Services Association (ISSA) is a global trade association founded in Zurich in 1979 that represents firms active in the securities services industry—including custodians, central securities depositories, broker–dealers, infrastructure providers, and technology firms. ISSA’s mission is to connect industry leaders and stakeholders, collaborate on themes that affect the entire securities services value chain (from issuer to investor), and drive change by developing practical solutions aimed at reducing risk, improving efficiency, and standardizing processes.
