The Dark Side of Sanctions Screening
Authoritarian governments have found a way to weaponise our compliance infrastructure. The screening tools and de-risking practices we rely on daily are being used to extend political repression across borders — and the system is working exactly as designed.
Authoritarian governments have found a way to weaponise our compliance infrastructure. The screening tools and de-risking practices we rely on daily are being used to extend political repression across borders — and the system is working exactly as designed.
If you work in AML or sanctions compliance, you've spent years building and refining screening processes designed to catch the right people. Sanctioned individuals, terrorists, money launderers. The system is supposed to protect the financial system from bad actors.
But what happens when an authoritarian government turns that same system into a weapon against its own citizens?
That's exactly what's happening right now, and it raises uncomfortable questions for every compliance officer who relies on automated screening.
How the mechanism works
The process is disturbingly simple. A government — Russia is the clearest example, but Belarus, Turkey, and China use similar tactics — designates political opponents as "terrorists" or "extremists" under its domestic law. These designations then flow automatically into the global compliance databases that we all use: Dow Jones Risk & Compliance, LexisNexis, Refinitiv World-Check.
From there, our screening systems pick them up. An alert fires. The compliance team sees a terrorism flag. And in most banks, the response is predictable: request additional documentation, escalate, and — more often than not — exit the client. Because that's what our policies tell us to do.
Consider what this looks like from the other side. Mikhail Khodorkovsky — the former political prisoner turned opposition figure — is officially classified as a terrorist by Russian courts. So are his colleagues at the Russian Anti-War Committee, and the Committee itself. No European government takes these designations seriously as security matters. Everyone understands what they are: punishment for opposing the war. Yet as Khodorkovsky told the European Parliament's Special Committee on the European Democracy Shield earlier this month, on every trip through Europe and in every interaction with a bank, the terrorism marker is in his file. Compliance officers see it. The Russian designation carries real weight inside European institutions — not because anyone believes it, but because the systems were never designed to distinguish between an actual terrorist and a Putin critic the Kremlin decided to call one.
The result is that a Russian journalist who criticised the Kremlin, a Belarusian human rights worker, or a teenager who posted something online gets treated by our systems exactly the same way as someone with genuine links to terrorist financing. Their accounts are frozen or closed. Their financial life in Europe becomes impossible. And the authoritarian regime that targeted them has achieved its goal — using our infrastructure.
The scale is significant
This isn't a handful of edge cases. Russia's list of designated "terrorists and extremists" has grown to over 20,000 names, with hundreds being added every month. Many are ordinary people whose only offence was political dissent. Reports indicate that around one in ten of those designated is a minor.
And the consequences extend beyond banking. Russia is refusing to renew passports for many exiles, turning them into de facto stateless persons — unable to travel legally unless they return to Russia, where prison awaits. Without recognised identity documents, they live a half-life in Europe, caught between a regime that wants to silence them and a compliance system that treats them as a threat.
These aren't names that most compliance teams will ever look at individually. They flow through automated screening, generate alerts, and trigger standard de-risking procedures. The system works exactly as designed — and that's the problem.
Why we struggle with this
The compliance industry has a well-known asymmetry: there are severe penalties for missing a genuine risk, but essentially no consequences for being overly cautious. When a screening alert fires on a politically designated individual, the rational decision for any bank is to exit the relationship. It's cheaper than investigating, and no regulator will ever fine you for being too careful.
Khodorkovsky put the point bluntly in Brussels: retail banking carries a public responsibility — including the responsibility to absorb the additional compliance work needed to keep the accounts of activists and NGOs open. Otherwise, the European financial system becomes an unwitting instrument of the very repression the EU is trying to counter.
This incentive structure, combined with the fact that screening processes are heavily automated, means that the system is structurally incapable of distinguishing between a genuine terrorist and a political dissident. We screen against lists. We don't — and largely can't — assess whether the underlying designation was legitimate.
The data providers themselves are in a similar position. They aggregate information from official sources. When a government designates someone, that's a fact. Whether the designation was politically motivated isn't something a data aggregator is set up to evaluate.
What FATF doesn't check
At the root of this is a gap in how international AML standards work. FATF sets the global framework. Its recommendations require countries to designate terrorists and freeze their assets. FATF then evaluates whether countries are implementing these procedures correctly — whether accounts are frozen on time, whether screening is in place.
What FATF does not assess is whether the terrorism charges themselves are justified. It checks the process, not the substance. This is the systemic blind spot that authoritarian regimes exploit.
What should practitioners think about?
I don't have a neat solution. This is a genuinely hard problem that sits at the intersection of compliance, geopolitics, and human rights. But I think there are a few things worth considering:
First, awareness matters. Most compliance officers process screening alerts without ever questioning where the underlying data comes from or whether a designation might be politically motivated. That's understandable — we're busy, and the volume of alerts is relentless. But developing a basic awareness of which countries are known to weaponise their terrorism designations would help teams make better-informed decisions.
Second, the industry needs to talk about de-risking more honestly. We know that blanket de-risking of entire nationalities or categories of clients is a blunt instrument. Regulators have said as much. But the incentive structure still pushes banks in that direction. Until there's some form of regulatory safe harbour for servicing individuals with asylum or protected status, banks will keep making the rational but harmful choice.
Third, data providers could do more. Adding context to designations — flagging countries with patterns of political abuse, or noting when a designation comes from a jurisdiction with a known track record of weaponising its terrorism lists — would help compliance teams make better judgments. Some of this is starting to happen, but it's not yet standard practice.
Finally, it's worth noting that the political conversation is moving. The European Parliament's new Special Committee on the European Democracy Shield is actively examining blacklists as a hybrid warfare tool. Proposals on the table include requiring banks to distinguish between genuine security threats and politically motivated designations, creating harmonised EU travel documents for victims of transnational repression, and reforming how member states handle Russian extradition requests involving opposition figures. None of this has been adopted yet, but the fact that it's being discussed at the parliamentary level suggests the gap between compliance practice and political reality may eventually narrow.
The uncomfortable truth
As AML practitioners, we've built a system that's very good at what it does. But "what it does" includes enabling authoritarian governments to extend their repression across borders, using our screening tools, our databases, and our risk-averse compliance culture as the delivery mechanism.
Khodorkovsky calls it the part of Russia's hybrid war on Europe that doesn't get the attention it deserves. Drone incursions and cyberattacks make news, while the slow, systemic transfer of Kremlin enforcement power into European banking bureaucracies does not. He's right — and we are part of the system that makes it possible.
That's not a comfortable thought. But it's one we need to sit with, because this problem is only going to grow.
Further reading:
- Mikhail Khodorkovsky, "I'm on Putin's Terrorist List. I Wouldn't Care If the EU Weren't Helping Him," How to Slay a Dragon (Substack), May 2026
- Alexandra Prokopenko, "The Kremlin Has Weaponized Western Financial Checks to Punish Russian Dissidents," Carnegie Politika, November 2025
- Alexandra Prokopenko, "How Russia weaponised global banking to silence dissidents," Financial Times, February 2026
This article was first published on April 24, 2026. It was rewritten on May 8 to include the information from Mikhail Khordovskys testimonial to the European Parliament.
