What is the DFAT Consolidated List and who is on it?

The DFAT Consolidated List is the Australian Government's authoritative list of all individuals and entities designated under Australia's autonomous sanctions regime and all individuals and entities subject to binding UN Security Council sanctions. As of early 2026, the list contains over 2,500 entries. It includes individuals and entities targeted under country-specific sanctions (Russia, North Korea, Iran, Myanmar, etc.) and thematic Magnitsky-style sanctions targeting human rights abusers and corrupt officials. The list is maintained by the Department of Foreign Affairs and Trade (DFAT) and is available for download in CSV, XML, and JSON formats from the DFAT website.

What are the penalties for breaching Australian financial sanctions?

Breaching regulation 14 of the Autonomous Sanctions Regulations 2011 (making assets available to a designated person or entity) carries up to 10 years imprisonment for individuals and fines of up to $2.22 million (10,000 penalty units) per contravention for bodies corporate. Sanctions breaches are strict liability offences — there is no intent requirement and no good faith defence. Each individual dealing with a sanctioned counterparty is a separate contravention. UN sanctions breaches under the Charter of the United Nations Act 1945 carry equivalent or greater penalties.

Do Australian financial institutions need to screen against OFAC as well as DFAT?

Australian institutions are legally required to screen against the DFAT Consolidated List. However, institutions with US dollar correspondent relationships, USD-denominated transactions, or transactions clearing through US financial institutions face US OFAC secondary sanctions exposure for transactions involving Iran, North Korea, and certain Russia-related persons under specific programmes. US correspondent banks typically require Australian counterparties to screen against OFAC. Many Australian institutions with significant international operations now screen against a multi-jurisdictional consolidated list (DFAT + OFAC + OFSI + EU + UN) as industry best practice.

What should a financial institution do when a sanctions match is identified?

When a potential sanctions match is identified, the institution must: (1) immediately freeze the transaction or asset movement — do not complete the transaction while the match is under investigation; (2) investigate whether the match is a true positive by comparing customer data against Consolidated List entry details including name variants, date of birth, nationality, and document numbers; (3) if confirmed as a true match, freeze all relevant assets, report to DFAT immediately, seek legal advice, do not tip off the customer, and consider whether a suspicious matter report is also required under the AML/CTF Act; (4) document the investigation and retain records for at least seven years.

How does sanctions screening integrate with the AML/CTF program?

AUSTRAC's guidance document 'Sanctions and your AML/CTF program' (updated 2023) is explicit that sanctions controls should be documented in and integrated with the AML/CTF program. Part A of the AML/CTF program should describe the sanctions risk assessment, controls framework, list update process, escalation procedure, and governance arrangements. Part B should describe how sanctions screening is integrated into customer identification at onboarding, ongoing due diligence including periodic rescreening when the Consolidated List is updated, and enhanced due diligence for customers from sanctioned jurisdictions.

Sanctions Screening for Australian Financial Institutions: DFAT Consolidated List Compliance

Updated March 2026 | 16 min read | By GoComply

Financial sanctions are strict liability offences in Australia. There is no intent requirement, no materiality threshold, and no good-faith defence for dealing with a designated person or entity. A bank that processes a single payment to a person on the DFAT Consolidated List without a permit commits a criminal offence punishable by up to 10 years' imprisonment for individuals and fines of up to $2.22 million per contravention for bodies corporate. The compliance obligation is binary: you either screen, or you don't.

The Australian sanctions regime has expanded substantially since Russia's 2022 invasion of Ukraine. The DFAT Consolidated List has grown from a few hundred entries to over 2,500 designated individuals and entities. Thematic Magnitsky-style sanctions targeting human rights abusers have added new designations in Myanmar, Iran, Russia, and Belarus. The regime is no longer the peripheral compliance obligation it was treated as by many institutions before 2022 — it is a front-line financial crime risk that requires the same systematic controls as AML/CTF screening.

Have a question about the Autonomous Sanctions Act 2011, UN sanctions implementation in Australia, the DFAT Consolidated List, or what constitutes "making assets available" to a designated person? Ask our AI compliance chatbot — it covers the Act, regulations, DFAT guidance, and AUSTRAC sanctions typologies with specific section references.

The Australian Sanctions Regime: Legal Architecture

Australia's sanctions framework is built from multiple layers of statute and subordinate legislation. Understanding the architecture is essential for mapping your compliance obligations correctly.

Autonomous Sanctions Act 2011 (Cth) and Regulations

The Autonomous Sanctions Act 2011 (Cth) is the foundation of Australia's independently-imposed sanctions regime — "autonomous" because these sanctions are imposed by Australia acting alone (or with allies), rather than pursuant to a UN Security Council resolution. The Act provides the legal authority to make regulations designating individuals and entities and prohibiting dealings with them.

The operative prohibitions are set out in the Autonomous Sanctions Regulations 2011. Regulation 14 is the core financial prohibition: a person must not make an asset available (directly or indirectly) to, or for the benefit of, a designated person or entity, unless authorised by a permit under regulation 16.

Key definitions:

Asset — defined broadly in s4 of the Act as any property or property interest, including funds, financial instruments (securities, bonds, derivatives), economic resources, and any rights in relation to assets. The definition is intentionally expansive.
Designated person or entity — a person or entity listed in the Autonomous Sanctions Regulations or designated by the Minister under the Act. Designations are published in the Federal Register of Legislation and reflected in the DFAT Consolidated List.
Making available — includes any transaction, transfer, or dealing that provides, releases, transfers, or gives access to an asset. Processing a payment, crediting an account, executing a securities trade, or issuing a letter of credit are all "making available" activities for a sanctioned counterparty.

Charter of the United Nations Act 1945 and UN Sanctions

Australia implements binding UN Security Council sanctions through the Charter of the United Nations Act 1945 (Cth) (UNSC Act) and associated regulations. UN sanctions currently target North Korea (DPRK), ISIL/Da'esh, Al-Qaida, the Taliban, South Sudan, Yemen, Somalia, Libya, the Democratic Republic of Congo, the Central African Republic, and Sudan, among other regimes. The UNSC Act makes it an offence to deal with designated individuals and entities, contravene asset-freezing orders, or provide financial services to designated terrorist organisations.

UN designations are also reflected in the DFAT Consolidated List, which means a single list-screening exercise covers both autonomous and UN sanctions obligations. Financial institutions should verify that their sanctions screening data feed includes the full Consolidated List, not just a subset.

Autonomous Sanctions (Thematic) Regulations — Magnitsky-Style Sanctions

The Autonomous Sanctions (Thematic) Regulations 2011, as amended, create the legal basis for Australia's Magnitsky-style thematic sanctions targeting:

Serious violations or serious abuses of human rights (the Magnitsky-equivalent powers)
Significant acts of corruption
Threats to international peace and security (malicious cyber activity)

Thematic sanctions have been used to designate individuals from Russia, Belarus, Myanmar, Iran, and China since 2021. Each thematic designation must still be reflected in the Consolidated List and screened through the same process as country-specific sanctions.

The DFAT Consolidated List

The DFAT Consolidated List is the Australian Government's single, authoritative list of all individuals and entities designated under Australia's autonomous sanctions regime and all individuals and entities subject to binding UN Security Council sanctions. The Department of Foreign Affairs and Trade (DFAT) maintains and publishes the list on its website, with updates whenever a new designation is made or an existing designation is amended or removed.

List Composition and Update Frequency

As of early 2026, the Consolidated List contains over 2,500 entries. The list can be updated at any time following a DFAT designation decision or a UN Security Council resolution. Updates are not predictable or scheduled — a new designation can be added overnight. After Russia's full-scale invasion of Ukraine in February 2022, DFAT added hundreds of entries within a matter of weeks. Financial institutions must subscribe to DFAT update notifications and have a process to refresh their screening databases promptly when the list changes.

DFAT provides the list in multiple formats for direct database integration: CSV, XML, and structured JSON. DFAT's own sanctions list search tool at dfat.gov.au also provides a manual lookup capability, but manual lookup is not a substitute for systematic screening of customer databases and transaction flows.

What Information Is Included

Each Consolidated List entry includes:

Name (with spelling variants and aliases)
Date of birth (where known)
Passport or identity document numbers (where known)
Nationality and citizenship
Address (where known)
Reason for listing (brief description)
Relevant regulation or UN resolution authority
Date added and (if applicable) removed

The quality and completeness of information varies significantly. Some entries contain multiple aliases, multiple passport numbers, and detailed identifying information. Others contain only a name and a broad description. Screening systems must be calibrated to handle sparse-data entries without generating unmanageable false positive rates.

Real-Time Screening: What Is Required

DFAT's guidance and industry practice have converged on the expectation that sanctions screening for financial institutions must be conducted:

At onboarding — before establishing any new customer relationship, all parties must be screened
On a continuing basis — existing customer databases must be rescreened when the Consolidated List is updated, catching existing customers who are newly designated
At the point of transaction — for payment processing, trade finance, securities settlement, and other transactions, parties and beneficiaries must be screened before execution
For beneficial owners — sanctions prohibitions extend to designated persons acting through nominee or shell structures. Screening must look through to beneficial owners, consistent with AML/CTF know-your-customer requirements

Transaction Filtering vs Customer Screening

Financial institutions should understand the distinction between two separate screening functions:

Customer (static) screening — screening customer records, counterparty databases, and beneficial owner registers against the Consolidated List. This is periodic (triggered by list updates) and retrospective over the existing book.
Transaction (dynamic) filtering — real-time screening of individual payment instructions, SWIFT messages, securities settlement instructions, and trade finance documents at the point of execution. This catches transactions where the sanctioned party appears as a beneficiary, originator, or intermediary in the transaction data, even if not already in the institution's customer database.

Both functions are required. A bank that screens its customers at onboarding but does not filter transactions in real time can still process payments to sanctioned persons who are beneficiaries of third-party payments. Transaction filtering is particularly important for correspondent banking, cross-border payments, and trade finance operations.

SWIFT Messages and Structured Payment Data

For international payments, screening must cover all structured fields in SWIFT messages: the ordering customer (field 50), the ordering institution (52), the receiver's correspondent (54), the account with institution (57), the beneficiary customer (59), and the remittance information (70). SWIFT's ISO 20022 migration, which Australian financial institutions are implementing across 2024–2026, provides richer structured data fields that improve screening accuracy but also increase the volume of data that must be processed.

AUSTRAC's guidance on sanctions obligations for reporting entities (Sanctions and your AML/CTF program, updated 2023) sets out the expectation that sanctions controls be integrated into AML/CTF programs. Ask the chatbot how your AML/CTF program documentation should address sanctions screening obligations.

Penalties: Strict Liability and No Good Faith Defence

The penalties for sanctions breaches in Australia are severe and apply on a strict liability basis. There are no exceptions for inadvertent breaches, de minimis amounts, or good faith reliance on incomplete information.

Criminal Penalties

Under the Autonomous Sanctions Regulations 2011, breaching the prohibition in regulation 14 (making assets available to a designated person or entity) carries:

For individuals: up to 10 years imprisonment, a fine of up to $555,000 (2,500 penalty units), or both
For bodies corporate: a fine of up to $2.22 million (10,000 penalty units) per contravention

UN sanctions breaches under the UNSC Act carry equivalent or greater penalties. Note that each individual dealing with a sanctioned person or entity is a separate contravention — a batch of 100 payments to a sanctioned entity could generate 100 separate contraventions, each attracting the maximum penalty.

No Intent Required

The strict liability nature of sanctions offences means the prosecution does not need to prove that the institution knew the counterparty was designated. If a payment was made to a designated person, the offence is complete. The absence of intent may be relevant to sentencing and prosecutorial discretion, but it is not a defence to liability.

This distinguishes sanctions from most AML/CTF obligations, where knowledge or recklessness is a component of serious offences. For sanctions, process failure alone — failure to screen, failure to update the list database, failure to escalate a potential match — can result in criminal liability without any bad faith on the institution's part.

Permit System

Regulation 16 of the Autonomous Sanctions Regulations provides a permit mechanism allowing dealings that would otherwise be prohibited. Permits can be sought from DFAT for specific purposes including:

Humanitarian assistance
Implementation of existing contracts (with restrictions)
Dealing with frozen assets for the maintenance of the designated person (e.g., utility payments for a designated person's property held in Australia)
Diplomatic and consular activities

Permit applications are assessed by DFAT's Sanctions Branch. Financial institutions dealing with a potential match should freeze the relevant funds immediately, report to DFAT, and seek legal advice on whether a permit application is appropriate before taking any further action.

Ownership and Control: Looking Through Corporate Structures

One of the most operationally complex aspects of sanctions compliance is the obligation to look through corporate structures to identify designated beneficial owners. The principle under both Australian autonomous sanctions and UN sanctions is that a designated person cannot circumvent sanctions by acting through a company, trust, or other entity they own or control.

The 50% Ownership Rule

DFAT's guidance adopts the approach that an entity is sanctions-controlled (and must be treated as designated) if one or more designated persons collectively own or control 50% or more of that entity, directly or indirectly. This is consistent with the approach taken by the UK Office of Financial Sanctions Implementation (OFSI) and the US OFAC, though the precise threshold and methodology differ across jurisdictions.

For a bank with a substantial corporate lending book or trade finance operations, this means:

Identifying the ultimate beneficial owners of all legal entity customers to at least the 25% ownership threshold used for AML/CTF purposes (the standard KYC requirement) — but then extending the analysis to assess whether any UBO or group of UBOs who are designated persons together reach 50% control
Re-assessing ownership structures when the Consolidated List is updated — a previously undesignated shareholder who is subsequently listed can flip an otherwise-permitted customer relationship into a prohibited one
Documenting the ownership analysis, particularly for complex structures involving holding companies in multiple jurisdictions

Practical Example: Russian Sanctions

Following the Russia sanctions packages introduced from 2022, numerous Russian oligarchs and state officials were designated under both autonomous and UN sanctions. Entities where these individuals held majority interests — even where the entity itself was not separately designated — became subject to asset-freezing obligations. Australian financial institutions with trade finance facilities, correspondent banking arrangements, or investment securities exposure to such entities were required to screen not just the legal entity counterparty, but its entire ownership chain.

Integrating Sanctions into Your AML/CTF Program

AUSTRAC's guidance on sanctions compliance (Sanctions and your AML/CTF program) is explicit that sanctions controls should be documented in and integrated with the AML/CTF program, even though sanctions obligations technically arise under separate legislation (the Autonomous Sanctions Act and UNSC Act rather than the AML/CTF Act 2006). The practical rationale is clear: both programs rely on the same customer identification, beneficial ownership, and transaction monitoring infrastructure.

Part A and Part B of the AML/CTF Program

AUSTRAC's template for AML/CTF programs divides them into Part A (governing the reporting entity's risk management) and Part B (customer identification and due diligence procedures). Sanctions screening should appear in both:

Part A — describe the sanctions risk assessment (which customer segments, geographies, products, and channels present the highest sanctions exposure), the sanctions controls framework, the escalation and freeze procedure, the list update process, and governance arrangements (who owns sanctions compliance, how is it reported to the board and AUSTRAC?)
Part B — describe the customer identification steps that include sanctions screening at onboarding; describe ongoing due diligence that includes periodic rescreening; describe enhanced due diligence procedures for customers from or with nexus to sanctioned jurisdictions

Sanctions Escalation Procedures

A critical procedural requirement is documenting what happens when a potential match is identified. The procedure must cover:

Immediate freeze — any transaction or asset movement implicated in the potential match must be suspended pending investigation. Do not complete the transaction while a potential match is under review.
Match investigation — compare the match data (name, date of birth, nationality, passport number) against the Consolidated List entry. Apply fuzzy matching rules — "Mohammed Al-Hassan" and "Muhammad Al-Hasan" are potentially the same person. Document the investigation.
True match vs false positive determination — if the investigation concludes this is a false positive (the customer is not the designated person), document the basis for that conclusion clearly and release the transaction. If the investigation cannot exclude a true match, escalate to compliance.
True match procedure — freeze all relevant assets, report to DFAT immediately, seek legal advice, do not tip off the customer, do not process any further transactions, and consider whether a suspicious matter report (SMR) is also required under the AML/CTF Act.
Record retention — retain all investigation records for at least seven years.

Scan your sanctions compliance program

GoComply checks your AML/CTF program, sanctions policy, and transaction filtering procedures against the Autonomous Sanctions Act 2011, UN sanctions obligations, and AUSTRAC guidance — and flags gaps before your next AUSTRAC review.

See pricing — free tier available

Cross-Border Considerations: OFAC, UK OFSI, and EU Sanctions

Australian financial institutions do not operate in a sanctions vacuum. Several cross-border obligations can create exposure beyond DFAT's Consolidated List:

US OFAC Sanctions — Secondary Sanctions Risk

The US Office of Foreign Assets Control (OFAC) administers US sanctions, which include "secondary sanctions" provisions that can apply to non-US entities in certain circumstances. Australian banks with US dollar correspondent relationships, US dollar-denominated transactions, or USD clearing through US financial institutions face OFAC secondary sanctions exposure when dealing with entities or transactions connected to Iran, North Korea, or Russia (under certain programmes).

Secondary sanctions do not apply to all Australian transactions — they require a sufficient US nexus (USD clearing, US person involvement, US-origin goods). However, Australian institutions should assess their OFAC secondary sanctions exposure as part of their sanctions risk assessment and calibrate their US sanctions screening accordingly. US correspondent banks routinely expect their Australian counterparties to screen against OFAC lists.

UK and EU Sanctions

Following Russia's 2022 invasion, the UK (OFSI), EU, US, Australia, Canada, Japan, and other allied jurisdictions coordinated unprecedented sanctions packages. While Australian institutions are only directly bound by Australian law, institutions with UK branches or subsidiaries, EU operations, or transactions routed through UK or EU clearing systems must comply with the sanctions laws of those jurisdictions too.

The practical implication is that many Australian institutions now screen against a consolidated multi-jurisdictional list (DFAT + OFAC + OFSI + EU + UN) rather than DFAT alone. This is the industry best practice for institutions with significant international operations.

Frequently Missed Compliance Requirements

GoComply's compliance scanner identifies the following gaps most frequently in sanctions policy documents and AML/CTF program sections dealing with sanctions:

List update frequency not defined — policies that require "regular" rescreening without defining a specific frequency and SLA for updating the sanctions database after DFAT publishes a new version of the Consolidated List. Best practice is a 24-hour maximum SLA for critical updates (major designation events) and weekly automated refresh for routine updates.
Beneficial ownership screening gap — procedures that screen the legal entity customer name but do not extend to screening ultimate beneficial owners against the Consolidated List. This was the principal gap that led to several enforcement actions in the UK and US against financial institutions that processed transactions involving Russia-sanctioned entities acting through nominees.
Transaction filtering not covering SWIFT structured fields comprehensively — filtering systems that screen originator and beneficiary name but miss correspondent bank fields, account numbers used as name substitutes, or reference fields used to route payments to sanctioned parties.
Jurisdictional risk assessment outdated — sanctions risk assessments based on the pre-2022 list that have not been updated to reflect the dramatically expanded Russia, Belarus, and Ukraine-related designations, the Myanmar Magnitsky programme, or the Iran nuclear deal-related designations.
Freeze procedure not documented — AML/CTF programs that reference sanctions screening but do not contain a step-by-step freeze and escalation procedure, leaving staff without guidance on what to do when a potential match is identified.
No linkage to AUSTRAC SMR obligation — procedures that treat sanctions matches as a DFAT reporting matter only, without cross-referencing the obligation to also file a suspicious matter report with AUSTRAC where the transaction involves funds that may be proceeds of crime or is connected to terrorism financing.

Governance and Board Oversight

APRA's CPS 230 (Operational Risk Management) and CPG 230 expect APRA-regulated entities to manage financial crime risks — including sanctions — as a category of operational risk. The board is expected to approve risk appetite for sanctions exposure, receive regular reporting on sanctions incidents and near-misses, and oversee the adequacy of the sanctions compliance program.

ASIC's regulatory guidance on financial crime governance (including RG 104 on licensing: meeting the general obligations) expects licensees to have adequate compliance arrangements for all applicable laws, which explicitly includes sanctions laws. The board should receive at minimum annual reporting on:

The number of sanctions matches investigated (true matches and false positives)
Incidents where transactions were frozen or permits were sought
Any DFAT or AUSTRAC engagement on sanctions matters
Changes to the Consolidated List with material implications for the institution's customer book or business lines
The adequacy of the sanctions screening system and whether it has been tested against current list complexity

Related Regulations and Obligations

AML/CTF Act 2006 — transaction monitoring, suspicious matter reporting, and customer due diligence obligations that overlap significantly with sanctions compliance infrastructure
APRA CPS 230 (Operational Risk) — sanctions compliance as a legal and regulatory obligation managed within the operational risk framework; service provider risk management for sanctions screening vendors
APRA CPS 234 (Information Security) — security of sanctions screening systems and protection of match investigation records
Privacy Act 1988 — personal information collected and retained during sanctions investigations must comply with the Australian Privacy Principles, including retention limits and access controls
Corporations Act 2001 — director duties of care and diligence require oversight of sanctions compliance risk; officers may face personal liability where sanctions breaches result from governance failures
Foreign Acquisitions and Takeovers Act 1975 — FIRB-regulated investments may involve counterparties subject to sanctions, requiring coordination between sanctions compliance and foreign investment review processes

This guide is for informational purposes and does not constitute legal advice. Consult qualified compliance professionals for specific obligations. GoComply covers 37 Australian financial regulations — ask the chatbot for instant clause-level answers on the Autonomous Sanctions Act, DFAT Consolidated List, AUSTRAC sanctions guidance, and all related frameworks.