Sanctions & Watchlist Screening Log: Prove You Screened Every Vendor
Load your vendors and key principals, record each screening run against the lists you use, have a compliance reviewer adjudicate every potential match with a logged rationale, schedule re-screening, and export an immutable audit-ready screening log.
An internal web tool where you load names to screen, record each screening run and its results against named lists, have a compliance reviewer adjudicate every potential match (true hit vs false positive) with a logged rationale, clear or escalate/block, schedule re-screening, get emailed on hits, and export the full immutable screening and adjudication log for audit.
Before you start
- A Supabase account (free)
- A Vercel account (free)
- Your vendor / principal list (name, country, ID) as a CSV or Google Sheet
- Screening results from your screening source or list, pasted or imported as CSV
- Your re-screening cadence and your hit-handling rules
- Claude Code or any AI coding agent
The problem this kills
When an auditor or regulator asks "did you screen this vendor against the sanctions and denied-party lists, and what did you do about the potential match?" — the honest answer for most teams is a shrug, a folder of screenshots, and an email thread. You probably do screen. You run names through a screening source, you eyeball the results, you move on. But the proof falls apart: nobody recorded which lists were checked, on what date, who looked at the hit, why they decided it was a false positive, or whether you ever re-screened when the vendor's name changed.
That gap is the whole risk. Sanctions, export-control, and AML obligations don't just require that you screen — they require that you can prove you screened, prove a person adjudicated every potential match, and prove nothing was quietly cleared without a reason. A potential hit that gets auto-dismissed because "it was probably the wrong John Smith" is exactly the kind of thing that turns into a finding, a fine, or a headline.
You don't need an enterprise compliance platform to fix the proof problem. You can build the screening log and governance layer yourself, this afternoon. (This tool records and governs your screening — it is not itself a sanctions database; you bring the screening results.)
What you'll build
An internal web tool your compliance and procurement team logs into. You load the vendors and key principals you need to screen — name, country, and any ID you have — and you record a screening run: which lists you checked them against, the date, and the results you got back from your screening source (pasted or imported as CSV). The tool stores each run as an immutable record so the history can never be quietly rewritten.
Any name that comes back with a potential match lands in an adjudication queue. A compliance reviewer opens each one and decides: true hit or false positive — and must type a logged rationale before the status moves. Clear ones become "screened — clear." Real concerns get escalated or blocked. Nothing auto-clears. The tool then schedules the next re-screening on your cadence (and flags vendors whose name or country changed so they get re-screened), emails the right people the moment a potential hit is recorded, and exports the full screening and adjudication log as a clean CSV you can hand straight to an auditor.
What's inside the Implementation Plan
The downloadable plan is a single markdown file you paste into an AI coding agent. It opens by interviewing you about your own screening process — which lists you check (OFAC SDN, EU, UN, UK, denied-party, PEP, your own internal blocklist), what your vendor and principal records actually look like and how you name and ID them, your typical and peak screening volumes, your re-screening cadence, and your exact rules for handling a potential hit — and then it reads a short spec back for your thumbs-up before it builds anything. That's the difference between a log shaped to your obligations and a generic template you have to fight.
From there it walks the agent through the data model (vendors/principals, screening runs, list catalog, potential matches, adjudications), the importers, the duplicate guard, the adjudication-and-disposition screen with its hard reviewer gate, the re-screening scheduler, the Resend hit alerts, and the audit-log export. Every step ends with a ready-to-copy prompt. There's a full "No API yet?" path: import names and results from CSV or a Google Sheet, export a clean audit-log CSV, and you never have to wire up an API to ship.
The governance it includes (this is the point)
For sanctions screening, the controls are the product. The plan builds them in: a login so only your team can use it; row-level security so each organization only ever sees its own vendors and screenings; a complete audit trail of who screened, who adjudicated, what they decided and why, and when; a hard human-in-the-loop adjudication gate so no potential match is ever auto-cleared — a compliance reviewer must record a rationale before a status changes; and duplicate guards (keyed on vendor + screening date) so the same screening can't be logged twice. Every screening run is written as an immutable record of the lists used and the date, so your "we screened, here's the proof" story holds up under audit.
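To make those controls concrete, here is an added example (not code from the plan or its author) of how the immutable screening run, the duplicate guard, the reviewer gate from the adjudication section above, and row-level security could be expressed as a Supabase/Postgres schema. Every table, column and JWT-claim name (in particular an `org_id` claim on the user's token) is an assumption.

```sql
-- Added example, not the plan's own code: Supabase/Postgres schema for the
-- controls above. Table, column and JWT-claim names are assumptions.
create table vendors (id bigint generated always as identity primary key,
  org_id uuid not null, name text not null, country text);

create table screening_runs (
  id            bigint generated always as identity primary key,
  org_id        uuid not null,
  vendor_id     bigint not null references vendors(id),
  screened_on   date not null,
  lists_checked text[] not null,            -- e.g. '{OFAC SDN,EU,UN}'
  screened_by   uuid not null default auth.uid(),
  created_at    timestamptz not null default now(),
  unique (vendor_id, screened_on)           -- duplicate guard: vendor + date
);

-- Immutable record: inserts only; any update or delete is refused.
create function forbid_change() returns trigger language plpgsql as $$
begin raise exception 'screening records are immutable'; end $$;
create trigger screening_runs_immutable
  before update or delete on screening_runs
  for each row execute function forbid_change();

create table potential_matches (
  id             bigint generated always as identity primary key,
  org_id         uuid not null,
  run_id         bigint not null references screening_runs(id),
  list_name      text not null,
  matched_name   text not null,
  status         text not null default 'pending' check (status in
                   ('pending','false_positive','true_hit','escalated','blocked')),
  rationale      text,
  adjudicated_by uuid,
  adjudicated_at timestamptz,
  -- Hard reviewer gate: leaving 'pending' needs a named reviewer and a non-empty
  -- rationale (coalesce matters: a NULL rationale would make the CHECK pass as NULL).
  check (status = 'pending' or (adjudicated_by is not null and
         length(btrim(coalesce(rationale, ''))) > 0))
);

-- Row-level security: each organisation sees and writes only its own rows.
alter table screening_runs enable row level security;
alter table potential_matches enable row level security;
create policy org_rows on screening_runs for all
  using (org_id = (auth.jwt() ->> 'org_id')::uuid)
  with check (org_id = (auth.jwt() ->> 'org_id')::uuid);
create policy org_rows on potential_matches for all
  using (org_id = (auth.jwt() ->> 'org_id')::uuid)
  with check (org_id = (auth.jwt() ->> 'org_id')::uuid);
```

With this in place an attempt to clear a match without a rationale, to log the same vendor twice on one date, or to edit a past screening run fails at the database rather than in application code, which is the layer an auditor can actually verify.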
Who it's for
Compliance officers, sanctions/export-control and AML teams, and procurement people who own third-party risk and need to prove screening happened — not just that it probably did. If you can explain to a new hire what lists you check and how you decide whether a potential match is real, you can build this — no developer required.
You've got this — open the plan, paste the first prompt, answer a few questions about how your screening actually runs, and you'll have an audit-ready screening log before the afternoon's out.