The growing complexity and frequency of sanctions updates involving Iran are creating significant operational challenges for financial institutions. Driven by escalating conflict in Iran and other geopolitical hotspots around the globe, Know Your Customer (KYC) programs are under continued pressure to quickly incorporate sanctions changes, maintain accurate customer profiles and risk assessments, and identify potential exposure before it becomes a regulatory issue.
For compliance teams, speed and accuracy in responding to sanctions developments matter as much as the controls themselves. It’s not just about keeping sanctions lists up to date; the challenge sits in how quickly firms can absorb those changes into their KYC processes and understand the impact across customers, ownership structures, and relationships.
The regulatory expectation is clear: institutions must demonstrate that their KYC programs can identify Iranian exposure even when activity is deliberately obscured through complex corporate structures, intermediaries, and jurisdictional arbitrage.
Financial institutions now face heightened exposure across all customer touchpoints—from retail banking customers with complex ownership structures to corporate clients with global supply chains. Traditional KYC approaches that rely on annual reviews and point-in-time screening are no longer sufficient to manage this risk.
In 2025, OFAC sanctioned more than 875 persons, vessels, and aircraft as part of its Iran sanctions campaign. This enforcement surge follows President Trump's February 4, 2025, National Security Presidential Memorandum (NSPM-2), which imposes a policy of maximum pressure on Iran. The U.S. Treasury's sanctions campaign has extended to Iran's missile and UAV procurement networks, reflecting the targeting of both financial institutions and weapons proliferation networks.
In the UK, the Office of Financial Sanctions Implementation (OFSI) updated its statutory guidance for the Iran sanctions regime in May of 2026, emphasizing obligations related to asset freezes, ownership and control assessments, transaction screening, reporting, and circumvention risks under the Iran (Sanctions) Regulations 2023.
At the EU level, sanctions activity has expanded beyond traditional financial restrictions to include measures tied to Iran’s missile, drone, and human rights-related activities, including additional restrictive measures announced by the Council of the European Union in 2025.
FinCEN has emphasized that OFAC screening alone is not sufficient, since Iranian actors can use front companies and facilitators precisely because those entities are not necessarily on the SDN List. This reflects a clear regulatory expectation that KYC programs operate continuously, not episodically. To keep pace, compliance teams must implement KYC frameworks that are dynamic, risk-based, and fully auditable. This requires high-quality data, continuous monitoring capabilities, and the responsible use of advanced analytics and AI to detect patterns that evade traditional screening.
The velocity and scope of sanctions designations relating to the conflict in Iran have accelerated dramatically.
In December 2024, February 2025, March 2025, and April 2025, OFAC sanctioned a total of 86 individuals and entities in more than 25 countries and identified 85 tankers as blocked property. This reflects a coordinated campaign targeting not just Iranian entities, but the global networks that facilitate sanctions evasion.
On the EU side, a snapback of UN sanctions occurred on September 27, 2025, following the E3's notification that Iran was in significant non-performance of its commitments under the JCPoA. The EU reimposed both UN-mandated and autonomous sanctions through Council Regulation (EU) 2025/1975 and related implementing regulations, effective September 29-30, 2025.
These parallel but not identical sanctions regimes create compliance complexity for firms conducting business across global jurisdictions. The EU reintroduced targeted export restrictions on dual-use items, energy equipment, naval equipment, and industrial software, with limited wind-down exemptions until January 1, 2026. Meanwhile, U.S. sanctions continue to expand with minimal advance notice. This limited notice materially increases operational risk, reducing the time available to assess exposure and implement controls—and making access to continually updated sanctions data even more critical.
For KYC programs, this means that regulatory change management must become a core operational capability, not a periodic compliance exercise. Institutions need systems that can rapidly ingest new designations, assess customer and transaction exposure, and trigger appropriate remediation actions—often within hours, not days or weeks.
Iran sanctions risk is increasingly indirect in nature.
Iranian exposure rarely appears as a direct customer relationship with an Iranian entity; instead, it's embedded in complex ownership structures, control arrangements, and commercial relationships designed to obscure the ultimate beneficial owner or source of funds.
FinCEN has specifically warned institutions to scrutinize beneficial ownership information for customers with ties—even indirect—to Iranian exchange houses or entities, particularly where documentation appears inconsistent, incomplete, or suggestive of layered ownership designed to obscure ultimate beneficiaries. The advisory stated that these networks thrived in environments where company registers either lack public access or permit nominee shareholders.
Customers connected through intermediaries, joint ventures, or minority shareholdings now require enhanced due diligence, including where exposure is indirect or non-controlling. The complexity increases when Politically Exposed Persons (PEPs) or state-linked individuals are involved, as these relationships present elevated risks of both capital flight and sanctions evasion.
Traditional periodic review schedules—annual or biennial assessments—are insufficient in this environment. Institutions must consider event-driven triggers, where geopolitical developments, updated sanctions, or regulatory announcements can necessitate immediate re-evaluation of customer risk profiles, regardless of when the last scheduled review occurred.
Customer due diligence represents only one dimension of Iran sanctions risk. Vendors, suppliers, payment processors, and service providers can create indirect sanctions exposure even where direct customer relationships appear low-risk.
OFAC's 2025 sanctions actions have targeted private and public sector entities around the world that engage in sanctionable conduct, including those involved in transporting and selling petroleum and petroleum products from Iran. These enforcement actions have extended to entities receiving shipments of Iranian-origin crude oil and providing services to sanctioned vessels.
The complexity of modern supply chains, combined with sophisticated use of front companies and shell entities, increases the likelihood of hidden links in seemingly legitimate commercial relationships. FinCEN has flagged the involvement of front companies, general "trading companies" with unclear business purposes, or other entities whose beneficial owners either are linked to Iran, have opaque ownership structures, or are located at residential addresses or co-located with other companies that have possible links to Iran.
Third-party risk management cannot remain a separate compliance silo from sanctions and KYC programs. Third-party risk must be assessed continuously, not just at onboarding or contract renewal. Institutions that manage customer risk and third-party risk within a single, holistic platform improve their ability to detect relationships and patterns that might be invisible when these risks are assessed in isolation.
This integrated approach becomes critical when customers and third parties share common beneficial owners, addresses, or transaction patterns—connections that may only become apparent when data is analyzed across both populations simultaneously.
Effective sanctions compliance depends on reliable, structured data. Without comprehensive information on customer relationships, beneficial ownership structures, and transaction patterns, even sophisticated screening technology cannot detect complex relationships and indirect sanctions exposure.
OFAC's sanctions advisory emphasizes that sanctioned entities frequently employ deceptive practices, including turning off vessel tracking systems to help obfuscate illegal transfers. This level of evasion means that one-time screening at account opening is insufficient.
Financial institutions must implement continuous screening of both customers and third parties. When OFAC adds a new entity to the SDN List, or when the EU issues implementing regulations designating additional persons, institutions need to immediately identify any matches against their entire customer and third-party populations and take appropriate action.
FinCEN has emphasized that compliance measures must remain dynamic and intelligence-led, with enhanced due diligence mandatory for clients operating from free zones, offshore jurisdictions, or non-resident accounts.
Regulators also expect clear, documented audit trails showing how risks were identified, how they were assessed, what risk rating was assigned, what enhanced due diligence was performed, and what ongoing monitoring or restrictions were implemented. These records must demonstrate not just compliance with technical screening requirements, but sound risk-based judgment applied consistently across the customer and third-party populations.
The audit trail must also capture decision-making around ambiguous situations—instances where screening produced potential matches that required human judgment, where escalation was necessary, or where risk assessments changed based on new information or geopolitical developments.
Artificial intelligence offers powerful capabilities for sanctions compliance, but only when deployed thoughtfully and with appropriate governance. AI can help reduce false positives by adding context and relevance to screening alerts—distinguishing between meaningful matches that require investigation and administrative noise that consumes compliance resources without adding real insight.
Advanced analytics enable deeper risk insights across interconnected customer and third-party data. Machine learning models can identify patterns of behavior, relationships, and transaction characteristics that suggest sanctions evasion even when traditional name-matching fails to flag a direct hit. Network analysis can reveal hidden connections between seemingly unrelated entities.
However, AI must support human expertise, not replace it. AI-driven insights are valuable when they enhance compliance productivity and highlight risks that would otherwise remain hidden—but they create additional risk when they operate as black boxes that produce unexplainable results.
All AI-driven insights must be explainable, reviewable, and fully auditable to meet regulatory expectations. When an AI model flags a customer relationship as high-risk, compliance teams must be able to articulate why the model reached that conclusion, what data informed the assessment, and what investigative steps were taken in response.
MyComplianceOffice supports sanctions compliance by embedding third-party screening, risk assessment, and ongoing monitoring into a single, integrated KYC and third-party risk management framework. Rather than treating sanctions as a point-in-time check at onboarding, MCO enables firms to assess and monitor sanctions risk continuously across customers, beneficial owners, and third parties.
The platform supports continuous screening against global sanctions lists, automatic risk reassessment when new designations are issued, and comprehensive audit trails that document risk decisions from initial assessment through ongoing monitoring. By unifying customer and third-party risk data, MCO helps compliance teams detect hidden relationships and patterns that would remain invisible in siloed systems.
As Iran sanctions continue to evolve with speed and complexity, financial institutions need compliance infrastructure that can keep pace. MCO's integrated approach helps firms manage this dynamic risk environment while maintaining the auditability and transparency that regulators expect.
Ready to learn more? Request a demo today to see how MCO can help your firm effectively manage sanctions and KYC obligations.
This post was written by Daragh Tracey, Director of Product Management for KYC and Third-Party Risk at MCO.