Restricted Party Screening: A 2026 Compliance Guide

If your company ships goods, shares technical data, or onboards international customers, restricted party screening is not optional — it's the legal line between routine business and a federal enforcement action. The U.S. government maintains dozens of lists naming individuals, companies, and government entities that American persons cannot freely transact with. Missing a single match can trigger fines, debarment, and in some cases prison time.

This guide explains what restricted party screening is, which lists you must check, what changed in 2025–2026, and how to build a screening process that holds up under audit.

What Is Restricted Party Screening?

Restricted party screening is the process of checking every counterparty in a transaction — customers, vendors, freight forwarders, intermediate consignees, end-users — against government watchlists before goods, services, software, or technical data change hands. Denied party screenings and restricted party screenings are the same exact process, and the terms can be used interchangeably for most purposes, though regulators draw a fine distinction: denied parties, called denied persons by BIS, are individuals and entities that have been denied export privileges, and any dealings with a party on this list that would violate the terms of its denial order are prohibited under Section 764.3(a)(2) of the Export Administration Regulations (EAR). Restricted parties is the broader category — it includes denied persons plus everyone on sanctions, military end-user, and entity lists.

Under federal export control regulations, U.S. persons and entities may not engage with certain international entities, including persons, academic institutions, governments, companies, or other entities. These entities are referred to as restricted parties.

Which Lists Must You Screen Against?

The core U.S. restricted party universe sits across three agencies:

• OFAC (Treasury) — Specially Designated Nationals (SDN) List, sectoral sanctions, and country-based programs
• BIS (Commerce) — Entity List, Denied Persons List, Unverified List, Military End-User (MEU) List
• DDTC (State) — Debarred Parties List under ITAR

Most exporters also screen the Department of Defense's 1260H list and the GSA's System for Award Management (SAM) exclusions. Free sanctions screening tools cover 85+ official lists including OFAC SDN, EU, UN, and UK — but for U.S. compliance, the OFAC, BIS, and DDTC lists are the legal minimum.

The scale matters. There's an easier way to stay compliant without manually checking 140+ lists for every single export transaction, and even university research offices use automated tools because manual screening at that scale is impossible.

What Changed in 2025–2026: The BIS Affiliates Rule

The single biggest change to restricted party screening in years took effect on September 29, 2025. The Affiliates Rule extends Entity List and Military End-User List restrictions to any foreign entity 50% or more owned by a listed party. The 50% threshold cascades through ownership chains, meaning exporters now need to verify ownership structures, not just screen the transacting entity's name.

In practice, this means a clean name-match screen is no longer enough. Company A owns 50% of Company B, which owns 50% of Company C — Company C carries Company A's restrictions even though it has never appeared on any list. We've seen companies pass every name-match screen and still get flagged in an audit because they never checked ownership. Six clean screens on the transacting entity. Zero on the parent company.

The Affiliates Rule added an entire population of unlisted entities to the restricted universe without adding a single name to any list. If your screening process stops at the named customer, you're now systematically undercovered.

When to Screen: The Four-Checkpoint Model

BIS doesn't dictate a screening cadence in regulation, but its enforcement guidance is consistent. Restricted party screening best practices call for four checkpoints per counterparty: account setup, order acceptance, pre-shipment, and pre-payment. The most cost-effective screen is the first one. Catch a restricted party before your sales team invests resources negotiating a deal that compliance will kill at the dock.

This four-checkpoint model comes directly from BIS's guidance on the Elements of an Effective Export Compliance Program. Skipping any checkpoint creates a gap, and enforcement agencies examine those gaps when assessing due diligence.

Between transactions, continuous rescreening matters. Lists update weekly — sometimes daily. A customer who screened clean in January may be designated in April, and your ongoing relationship now violates sanctions even though the original onboarding was clean.

Recordkeeping: Your Get-Out-of-Jail-Free Card

Documenting every screen is the difference between a fine and a defensible position. Retention periods vary by agency: BIS requires 5-year retention of export records under 15 CFR § 762.6. OFAC requires 10 years under 31 CFR § 501.601.

What to keep for each screen:

• Name and identifiers submitted
• Lists checked and their version dates
• Match results (hits, near-misses, clears)
• Reviewer name and decision rationale
• Timestamp of the screen

The payoff is real. A Shipping Solutions client who used the Restricted Party Screening Software was able to show BIS that their international customer was not on one of the denied party lists at the time of their export, even though they were added later, because they documented their screening. As the Office of Export Enforcement officer told them, "That is your get-out-of-jail-free card!"

Penalties for Getting It Wrong

Restricted party violations are among the most aggressively enforced areas in federal regulation. Firms that are found to be doing business illegally with restricted or denied parties face severe legal consequences. These range from financial penalties and the loss of export licenses all the way to potential prison sentences of up to 20 years.

For ITAR-controlled defense work, the numbers climb higher. Failure to comply with ITAR can result in significant fines and penalties including fines up to $1,000,000 per violation, up to 20 years imprisonment, and permanent debarment from participating in ITAR activities. Non-compliance carries severe consequences. Civil fines can reach $500,000 per violation, with criminal penalties on top.

The enforcement environment in 2026 has tightened beyond traditional shipments. The 2026 enforcement environment emphasizes cybersecurity compliance under DFARS 252.204-7012 alongside traditional ITAR requirements. Defense suppliers face increased scrutiny for technical data protection and foreign person access controls throughout their supply chains.

Who Needs to Screen

If you only think of "exporters" as companies shipping containers overseas, you're missing most of the regulated universe. ITAR isn't just for traditional defense contractors. Any company that handles, manufactures, designs, sells, or distributes items on the U.S. Munitions List must comply, including organizations in aerospace, software development, and oil and gas.

Specific situations that trigger screening obligations:

• Defense fabricators and machine shops sharing CAD files with sub-tier suppliers
• SaaS companies onboarding foreign customers (cloud access counts as an export)
• Universities hosting international researchers or sponsoring international travel
• Freight forwarders booking shipments on behalf of named consignees
• E-commerce sellers fulfilling international orders

Compliance extends well beyond physical shipments. Shared files, cloud storage access, collaboration tools, and AI prompts can all trigger unauthorized exports of controlled technical data.

What to Do With a Match

A hit on a screening run isn't automatically a stop order. False positives are common — names repeat across cultures, and fuzzy-matching algorithms intentionally cast a wide net.

The defensible workflow:

1. Pause the transaction. Don't ship, transfer data, or accept payment until cleared.
2. Verify identifiers. Compare addresses, dates of birth, government IDs, and known aliases against the list entry.
3. Document the determination. If it's a false positive, record why. If it's a true match, the transaction stops or requires a license.
4. If a license might apply, contact BIS or OFAC directly. Some Entity List restrictions allow licensed exports for specific end-uses.

If you do get a potential match and decide to move forward with exporting to that party, document how you came to the decision to ship. For example, you reached out to BIS and were notified that it was OK to proceed. By thoroughly documenting every step of the process, you show your willingness to comply with export regulations — attempting to comply is a strong mitigating factor against penalties should you face any compliance issues.

Building a Program That Scales

Manual screening works for a handful of transactions a week. Past that, you need automation that handles fuzzy name matching, alias detection, ownership cascade analysis under the Affiliates Rule, continuous rescreening as lists update, and audit-ready logging.

The key capabilities to look for in any screening tool:

• Coverage of all U.S. lists (OFAC SDN, BIS Entity/Denied/MEU/Unverified, DDTC Debarred) plus relevant foreign lists
• Fuzzy matching to catch transliteration variants and aliases
• Batch screening for vendor lists and customer databases
• Ownership lookups to comply with the 50% Affiliates Rule
• Immutable audit trail with timestamps, list versions, and reviewer notes
• Automated rescreening triggered by list updates

---

ScreenShield runs every screen against the U.S. Consolidated Screening List with fuzzy matching and full audit logging, so you have a defensible record the first time an enforcement officer asks.

Screen your first name free — takes 10 seconds

---

Related: OFAC Screening: A 2026 Guide · How to Screen the Consolidated Screening List · ITAR Subcontractor Screening Guide