Compliance Screening Across 30+ Federal Enforcement Lists: How the Risk Score Works
The standard compliance workflow for a new vendor, counterparty, or acquisition target looks like this: check OFAC, check SAM.gov exclusions, check OIG exclusions, maybe check SEC enforcement actions, maybe check CFPB. Each check is a separate API call to a separate government source with a different schema. The analyst does this manually or stitches together five separate vendor integrations.
The screening endpoint on the Federal Regulatory Data Hub collapses all of that into one call returning a 0–100 risk score with per-list hit details. This post documents what's in the score, how it's weighted, and what the entity resolution layer underneath does.
The lists
Thirty-plus enforcement and exclusion lists are queried in parallel. They fall into five categories:
Sanctions and financial exclusions
- OFAC SDN list — Specially Designated Nationals. The primary US sanctions list; any match here is an automatic regulatory prohibition.
- OFAC Non-SDN Consolidated Sanctions — SSI, sectoral sanctions, CAATSA designations, Palestinian Legislative Council, and other non-SDN programs.
- FinCEN 314(a) — money-laundering and terrorist-financing referrals from law enforcement to financial institutions.
- OFAC civil penalty settlements — entities that have previously settled an OFAC enforcement action (current and historical).
Government contracting and healthcare exclusions
- SAM.gov exclusions — debarred, suspended, and otherwise excluded from federal contracts and grants. The authoritative source for government contractor screening.
- HHS-OIG exclusions — individuals and entities excluded from Medicare, Medicaid, and all federal health programs. 76,000+ current exclusions.
- GSA debarment list — entities barred from GSA schedules specifically.
Securities and financial regulation
- SEC administrative proceedings — enforcement actions by the SEC's Division of Enforcement. 18,000+ proceedings since 1999.
- CFPB enforcement actions — consumer finance enforcement; often involves large financial institutions and fintechs.
- FDIC enforcement actions — formal enforcement against FDIC-supervised banks and their institution-affiliated parties.
- OCC enforcement actions — national bank and federal savings association enforcement (consent orders, CMPs, cease-and-desist).
- Federal Reserve enforcement actions — enforcement against bank holding companies and state member banks.
- NCUA enforcement actions — credit union enforcement.
- FINRA BrokerCheck — disciplinary events, regulatory actions, and customer complaints for broker-dealers and registered reps.
- CFTC enforcement actions — derivatives market enforcement; covers crypto intermediaries under new jurisdiction.
- PCAOB disciplinary orders — public accounting firm and auditor sanctions.
DOJ, courts, and law enforcement
- DOJ press releases — 240,000+ press releases from all 94 US Attorney districts; the fastest signal for new indictments, convictions, and civil settlements.
- DOJ antitrust cases — civil and criminal antitrust proceedings from the Antitrust Division.
- DOJ False Claims Act settlements — civil fraud recoveries; significant for government contractors and healthcare companies.
- IRS Criminal Investigation press releases — tax fraud and financial crime prosecutions.
- DEA enforcement actions — drug manufacturing and distribution enforcement; relevant for pharmaceutical and chemical companies.
Regulatory and safety enforcement
- EPA enforcement cases — 135,000+ civil and criminal cases under Clean Air Act, Clean Water Act, RCRA, and Superfund.
- MSHA violations — mine safety enforcement; Significant and Substantial (S&S) citations are the highest-risk tier.
- OSHA inspections and citations — worker safety enforcement; willful violations carry the highest penalties.
- NHTSA investigations and recalls — vehicle safety; active investigations are early-warning signals for unannounced recalls.
- FDA warning letters — formal regulatory compliance failures; typically precede injunctions or consent decrees if unresolved.
- CPSC recalls — consumer product safety enforcement.
- FTC enforcement actions — consumer protection and competition enforcement; includes data privacy and deceptive-practice cases.
Export control and trade
- Trade.gov Consolidated Screening List (CSL) — aggregates BIS Entity List, OFAC SDN, State AECA Debarred List, and several other export control lists in one feed.
- UFLPA entity list — entities with rebuttable-presumption forced-labor risk in supply chains from Xinjiang.
- BIS Entity List — export license requirements for dual-use technology.
- CISA KEV — Known Exploited Vulnerabilities catalog. Not an enforcement list in the legal sense: a hit means a vendor's product appears in a CVE that CISA has confirmed is being exploited, which matters for technology vendors in critical infrastructure.
The risk score
The 0–100 score is a weighted sum across three dimensions:
score = ( hit_weight * list_severity_multiplier + recency_weight * recency_score + volume_weight * hit_count_score )
List severity multiplier
Not all hits carry the same legal or regulatory weight. The multipliers reflect the actual compliance consequence of each list:
- 1.0× — OFAC SDN, FinCEN 314(a), SAM.gov active exclusion, HHS-OIG active exclusion. Active prohibition; zero-tolerance in regulated industries.
- 0.8× — OFAC Non-SDN, OFAC civil penalty (last 5 years), PCAOB disciplinary. High severity; direct regulatory obligation.
- 0.6× — SEC enforcement, CFPB enforcement, FDIC/OCC/Fed enforcement, DOJ FCA settlement, BIS Entity List. Enforcement history; signals active or recent regulatory conflict.
- 0.4× — EPA enforcement, MSHA S&S violations, OSHA willful citations, FDA warning letters. Regulatory compliance failure; significant in M&A and lending due diligence.
- 0.2× — NHTSA investigations, CPSC recalls, FTC enforcement, DOJ press release mentions. Elevated risk signal; may not directly affect regulated business activity.
Recency weighting
Hits decay exponentially with age. A settlement closed 10 years ago is far less actionable than an open case. The recency function:
```
recency_score = exp(-0.15 * years_since_event)

# Examples:
# Active (0 years): 1.00 × hit_weight
# 2 years:          0.74 × hit_weight
# 5 years:          0.47 × hit_weight
# 10 years:         0.22 × hit_weight
```
Volume component
Multiple hits on the same list, or hits across many lists, increase the score non-linearly. This captures pattern-of-conduct risk: an entity with 40 EPA enforcement cases is qualitatively different from one with a single resolved case.
hit_count_score = log(1 + total_hits) * 10
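As an added worked example (not code from the post or from the Data Hub), here is the scoring function assembled from the post's own severity multipliers, decay constant and volume term. The post names hit_weight, recency_weight and volume_weight but does not publish their values, the log base, or how severity and recency combine per hit, so this example assumes: natural log; severity × recency per hit, as the "0.74 × hit_weight" examples suggest, with the worst single hit driving the severity term; HIT_WEIGHT = 75 and VOLUME_WEIGHT = 0.5, picked so that one active zero-tolerance hit lands in the halt band on its own; and a clamp at 100. The list keys and the input hits are constructed for illustration.

```python
import math

# Severity multipliers as the post lists them (list key -> multiplier). Keys are this example's.
SEVERITY = {
    "ofac_sdn": 1.0, "fincen_314a": 1.0, "sam_exclusion": 1.0, "oig_exclusion": 1.0,
    "ofac_nonsdn": 0.8, "ofac_civil_penalties": 0.8, "pcaob_disciplinary": 0.8,
    "sec_enforcement": 0.6, "cfpb_enforcement": 0.6, "fdic_enforcement": 0.6,
    "occ_enforcement": 0.6, "fed_enforcement": 0.6, "doj_fca": 0.6, "bis_entity_list": 0.6,
    "epa_enforcement": 0.4, "msha_ss": 0.4, "osha_willful": 0.4, "fda_warning_letters": 0.4,
    "nhtsa_investigations": 0.2, "cpsc_recalls": 0.2, "ftc_enforcement": 0.2, "doj_press": 0.2,
}

DECAY = 0.15  # recency_score = exp(-0.15 * years_since_event), as in the post

# Assumed dimension weights: the post names them but does not publish their values.
# Chosen so that a single active zero-tolerance hit scores into the 76-100 band by itself.
HIT_WEIGHT = 75.0
VOLUME_WEIGHT = 0.5


def recency_score(years_since_event: float) -> float:
    """Exponential decay from the post; a future-dated event is clamped to age 0."""
    return math.exp(-DECAY * max(years_since_event, 0.0))


def hit_count_score(total_hits: int) -> float:
    """log(1 + total_hits) * 10 from the post; natural log assumed (the base is not stated)."""
    return math.log1p(total_hits) * 10.0


def risk_score(hits, as_of_year: int) -> dict:
    """hits: iterable of (list_key, event_year) pairs for one resolved entity.

    Assumption (not stated in the post): severity and recency multiply per hit and the
    worst single hit drives the severity term, while the volume term counts every hit.
    The raw value is clamped to the 0-100 range the API documents.
    """
    hits = list(hits)
    if not hits:
        return {"score": 0, "worst_hit": 0.0, "volume": 0.0}
    worst = max(SEVERITY[key] * recency_score(as_of_year - year) for key, year in hits)
    volume = hit_count_score(len(hits))
    raw = HIT_WEIGHT * worst + VOLUME_WEIGHT * volume
    return {"score": int(round(min(100.0, raw))), "worst_hit": round(worst, 3), "volume": round(volume, 2)}


def band(score: int) -> str:
    """Score bands from the post's 'what the score means in practice' section."""
    if score <= 20:
        return "monitor"
    if score <= 50:
        return "escalated_review"
    if score <= 75:
        return "diligence_memo"
    return "halt"


# Constructed inputs, not real screening data.
ACTIVE_SDN = [("ofac_sdn", 2024)]
OLD_EPA_CASE = [("epa_enforcement", 2014)]
PATTERN_EPA = [("epa_enforcement", 2024 - (i % 10)) for i in range(40)]  # 40 cases spread over 10 years

if __name__ == "__main__":
    for label, hits in (("active SDN", ACTIVE_SDN), ("one EPA case, 10y old", OLD_EPA_CASE),
                        ("40 EPA cases", PATTERN_EPA)):
        r = risk_score(hits, 2024)
        print(f"{label:24s} score={r['score']:3d} band={band(r['score']):16s} "
              f"worst={r['worst_hit']} volume={r['volume']}")
```

With these weights a single resolved EPA case from ten years ago lands at 10 (monitor), forty EPA cases over the same decade land at 49 (escalated review) even though every one of them carries only a 0.4× multiplier, and one active SDN hit lands at 78 (halt): the volume term is what separates the pattern-of-conduct case from the one-off.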
Entity resolution
Every list uses different identifiers and name formats. OFAC lists entities with aliases. SAM.gov uses UEI. SEC uses CIK. DOJ press releases use free-text firm names. The screening endpoint feeds into the same entity_master bridge described in the entity graph post, with one addition: the screening resolver also runs phonetic normalization and token-sorted cosine similarity against the query string before falling through to the entity bridge.
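An added example of the three fuzzy stages the resolver runs before falling through to the entity bridge (exact normalized alias, phonetic key, token-bag TF-IDF cosine), over a constructed entity_master slice. This is illustration code, not the hub's resolver: Metaphone is replaced by a compact stand-in phonetic key that is enough to make "Farago" and "Fargo" collide, the stop-word list and the cosine thresholds are this example's choices, and none of the aliases come from the hub.

```python
import math
import re
from collections import Counter

# Tokens dropped during normalization (corporate suffixes and connectives); an assumption of
# this example, not the post's list.
STOP = {"the", "and", "inc", "incorporated", "corp", "corporation", "co", "company",
        "llc", "lp", "ltd", "plc", "na"}


def normalize(name: str) -> str:
    """Stage 1 key: lowercase, strip punctuation and corporate suffixes, collapse whitespace."""
    s = name.lower().replace("&", " and ")
    s = re.sub("[.'\u2019]", "", s)            # "N.A." -> "na", "Well's" -> "wells"
    s = re.sub(r"[^a-z0-9]+", " ", s)
    return " ".join(t for t in s.split() if t not in STOP)


def phonetic_key(name: str) -> str:
    """Stage 2 key: a stand-in for Metaphone (keep the first letter, map a few consonant
    clusters, drop later vowels, collapse doubled letters). Order of tokens is kept."""
    keys = []
    for tok in name.split():
        for src, dst in (("ph", "f"), ("ck", "k"), ("gh", ""), ("wr", "r"), ("kn", "n"),
                         ("c", "k"), ("q", "k"), ("z", "s"), ("x", "ks"), ("v", "f")):
            tok = tok.replace(src, dst)
        if tok:
            tok = tok[0] + re.sub(r"[aeiouyhw]", "", tok[1:])
            keys.append(re.sub(r"(.)\1+", r"\1", tok))
    return " ".join(keys)


class Resolver:
    """Exact -> phonetic -> TF-IDF cosine cascade over an entity_master alias table."""

    def __init__(self, entity_master: dict):
        self.alias_index, self.phon_index = {}, {}
        for entity_id, aliases in entity_master.items():
            for alias in aliases:
                key = normalize(alias)
                self.alias_index.setdefault(key, entity_id)
                self.phon_index.setdefault(phonetic_key(key), entity_id)
        self.docs = list(self.alias_index)      # one "document" per distinct normalized alias
        n = len(self.docs)
        df = Counter(tok for doc in self.docs for tok in set(doc.split()))
        self.idf = {tok: math.log((1 + n) / (1 + c)) + 1 for tok, c in df.items()}
        self.unseen_idf = math.log(1 + n) + 1   # smoothed idf for a token absent from every alias

    def _vector(self, text: str) -> dict:
        # Bag of tokens: word order is irrelevant, which is the "token-sorted" property.
        return {t: c * self.idf.get(t, self.unseen_idf) for t, c in Counter(text.split()).items()}

    @staticmethod
    def _cosine(u: dict, v: dict) -> float:
        dot = sum(w * v[t] for t, w in u.items() if t in v)
        nu = math.sqrt(sum(w * w for w in u.values()))
        nv = math.sqrt(sum(w * w for w in v.values()))
        return dot / (nu * nv) if nu and nv else 0.0

    def resolve(self, query: str):
        q = normalize(query)
        if not q:
            return None
        if q in self.alias_index:
            return {"entity": self.alias_index[q], "stage": "exact", "confidence": "high", "similarity": 1.0}
        pk = phonetic_key(q)
        if pk in self.phon_index:
            return {"entity": self.phon_index[pk], "stage": "phonetic", "confidence": "medium", "similarity": 1.0}
        qv = self._vector(q)
        best_doc, best = max(((d, self._cosine(qv, self._vector(d))) for d in self.docs), key=lambda x: x[1])
        if best < 0.4:
            return None
        # Thresholds are this example's choice; the post maps resolution certainty to high/medium/low.
        confidence = "medium" if best >= 0.75 else "low"
        return {"entity": self.alias_index[best_doc], "stage": "cosine",
                "confidence": confidence, "similarity": round(best, 3)}


# Constructed entity_master slice, not data from the hub.
ENTITY_MASTER = {
    "wells_fargo": ["Wells Fargo & Company", "Wells Fargo Bank, N.A.", "Wells Fargo"],
    "boeing": ["The Boeing Company", "Boeing"],
    "purdue_pharma": ["Purdue Pharma L.P."],
    "wells_real_estate": ["Wells Real Estate Fund"],
    "fargo_electronics": ["Fargo Electronics Inc"],
}

RESOLVER = Resolver(ENTITY_MASTER)

if __name__ == "__main__":
    for q in ("Wells Fargo", "Well's Farago", "Fargo Wells Bank", "Wells Fargo Advisors", "Acme Widgets"):
        print(f"{q!r:24} -> {RESOLVER.resolve(q)}")
```

The last two queries show why name-only lookups need the confidence field: "Fargo Wells Bank" has the same token bag as an alias and resolves at medium confidence, while "Wells Fargo Advisors" shares only two tokens with the nearest alias and comes back low, which is the outcome that should go to an analyst rather than an automatic block.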
The resolution pipeline:
Input: "Wells Fargo" (name string, no structured ID)
1. Exact normalized match → entity_master.aliases array
2. Phonetic expansion (Metaphone) → catch "Well's Farago" typos
3. Token-sorted cosine similarity (TF-IDF) → partial name matches
4. Ticker / CIK / UEI / LEI lookup (if structured ID provided)
5. Fan-out to all 30+ lists using resolved entity identifiers + aliases
Return: {
score: 74,
matches: [
{ list: "ofac_civil_penalties", hit: "Wells Fargo Bank, N.A.", year: 2022, amount_usd: 30_000_000 },
{ list: "cfpb_enforcement", hit: "Wells Fargo, N.A.", year: 2022, amount_usd: 3_700_000_000 },
{ list: "occ_enforcement", hit: "Wells Fargo Bank, N.A.", year: 2023, amount_usd: 97_800_000 },
{ list: "fdic_enforcement", hit: "Wells Fargo Bank, N.A.", year: 2020 },
...
]
}
What the score means in practice
- 0–20. No material hits or very old resolved cases. Standard monitoring posture. No additional diligence required for most use cases.
- 21–50. One or more enforcement actions, older OFAC-adjacent hits, or repeat low-severity findings. Escalated review warranted. Document your diligence.
- 51–75. Multiple lists, recent enforcement, or pattern-of-conduct signals. Material regulatory tail. Due-diligence memo required before onboarding in regulated contexts.
- 76–100. Active OFAC / SAM / OIG exclusion, open SDN designation, or active criminal prosecution. Halt and escalate. Transaction-blocking risk in most regulated jurisdictions.
Calling the endpoint
```bash
# By name (fuzzy-matched)
curl "https://api.ai-analytics.org/api/v1/screening/all?name=Wells+Fargo"

# By ticker (precise entity resolution via entity_master)
curl "https://api.ai-analytics.org/api/v1/screening/all?ticker=AAPL"

# By CIK (EDGAR company)
curl "https://api.ai-analytics.org/api/v1/screening/all?cik=72971"

# All results for a named entity, full detail. Quote the URL: an unquoted & would
# background the curl and drop the detail parameter.
curl "https://api.ai-analytics.org/api/v1/screening/all?name=Purdue+Pharma&detail=true"
```
The response includes the aggregate score, the per-list breakdown (including hit count, most recent event, and total penalty amounts where available), a confidence field (high / medium / low, based on entity resolution certainty), and each matching record's original government URL in the _source envelope.
Limitations
- Name-only queries are probabilistic. Without a structured identifier, entity resolution can produce false positives for common company names. The confidence field carries this uncertainty: low-confidence matches are routed to human review rather than auto-blocked.
- Individual persons vs. entities. Some lists (OFAC, HHS-OIG, DEA) designate individuals as well as organizations. The screening endpoint handles both, but individual name disambiguation is harder — common names like “John Smith” produce noisy results without a date-of-birth or ID number to anchor resolution.
- Non-US persons and foreign subsidiaries. The entity bridge covers US-registered entities well. Foreign subsidiaries without a US CIK, UEI, or OFAC designation are harder to resolve across lists. GLEIF LEI helps for globally-registered entities; coverage is ~80% for large multinationals.
- Score is not legal advice. The score is a data-driven summary of federal enforcement history. It does not substitute for legal review of whether a particular transaction is prohibited or requires a license.
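As an added example of consuming the response on the client side (not the hub's code), here is a small policy that applies the score bands from the previous section, routes a low-confidence result to an analyst instead of auto-blocking as the first limitation above requires, and refuses to act on any match it cannot trace back to a source record. The responses are constructed; the score, confidence and matches fields follow the documented shape, while the url key inside the _source envelope, the example.gov URLs and the action vocabulary are this example's assumptions.

```python
# Score bands from the post (inclusive upper bound) and the action each implies.
BANDS = ((20, "monitor"), (50, "escalated_review"), (75, "diligence_memo"), (100, "halt"))


def band(score: int) -> str:
    return next(action for upper, action in BANDS if score <= upper)


def decide(response: dict) -> dict:
    """Map one screening response to an action plus an audit record.

    Two rules from the post's Limitations section: a low-confidence entity resolution
    is never auto-blocked, and a decision is only defensible when each match can be
    traced to its original government record. The `_source` envelope is documented;
    the `url` key inside it is this example's assumption.
    """
    score = int(response["score"])
    confidence = response.get("confidence", "low")
    matches = response.get("matches", [])
    urls = [m.get("_source", {}).get("url") for m in matches]
    action, reasons = band(score), []
    if action == "halt" and confidence == "low":
        action = "human_review"
        reasons.append("halt band but low-confidence resolution: route to analyst instead of blocking")
    if action != "monitor" and (not matches or not all(urls)):
        action = "human_review"
        reasons.append("non-monitor action without a source URL for every match: audit trail incomplete")
    return {"action": action, "score": score, "confidence": confidence,
            "sources": [u for u in urls if u], "reasons": reasons}


# Constructed responses in the documented shape (score, confidence, matches[]._source).
SRC = {"url": "https://example.gov/record/1"}  # placeholder, not a real record URL
RESP_BLOCK = {"score": 82, "confidence": "high",
              "matches": [{"list": "ofac_sdn", "hit": "Example Trading Co", "_source": SRC}]}
RESP_AMBIGUOUS = {"score": 82, "confidence": "low",
                  "matches": [{"list": "ofac_sdn", "hit": "Example Trading Co", "_source": SRC}]}
RESP_NO_SOURCE = {"score": 60, "confidence": "medium",
                  "matches": [{"list": "sec_enforcement", "hit": "Example Trading Co"}]}
RESP_CLEAN = {"score": 8, "confidence": "high", "matches": []}

if __name__ == "__main__":
    for name, resp in (("block", RESP_BLOCK), ("ambiguous", RESP_AMBIGUOUS),
                       ("no_source", RESP_NO_SOURCE), ("clean", RESP_CLEAN)):
        print(name, decide(resp))
```

The same score of 82 produces a halt when the resolver was confident and a human review when it was not; the score alone is never the trigger for a block.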
The MCP surface
The screening endpoint is also available as an MCP tool at https://api.ai-analytics.org/mcp, callable from Claude, GPT, or any agent framework that supports the Model Context Protocol. The screening_all tool accepts the same parameters as the REST endpoint and returns the same structured response, so compliance screening can be wired into agent workflows without writing custom API integration code.
# Claude / agent usage via MCP
tool: screening_all
args: { name: "Boeing", detail: true }
# Returns: score, per-list breakdown, entity resolution confidence,
# and each matching record's original government source URL
For the entity resolution layer the screening endpoint calls into: Building the cross-agency regulatory entity graph: 50M+ records, one join →
For how the REST and MCP API surfaces the screening endpoint lives on: The Federal Regulatory API: REST, MCP, and JSON-LD for 208 federal datasets →
For the Cloudflare D1 database that stores the 30+ enforcement lists: Building the Federal Regulatory Data Hub on Cloudflare D1: 50M+ records at the edge →
For the OFAC SDN ingest deep-dive — conditional GET delta detection, alias explosion, name normalization, and the three-pass FTS5 + Jaro-Winkler screening pipeline: OFAC SDN integration: conditional GET, entity normalization, and sub-second screening →
For how entity identity is resolved across the 30+ lists to reduce false positives — three-stage pipeline, confidence-to-action mapping, and weekly analyst-feedback calibration: Entity resolution for multi-list compliance screening: reducing false positives without sacrificing recall →