Sanctions Penetration Testing and Exposing Hidden Risks in Partner Networks


In our latest Fireside Chat, Castellum.AI’s Peter Piatetsky spoke with Crystal Noe, Senior Director and Global Head of Sanctions at Kraken Digital Asset Exchange; Danny Schneider, Director of Financial Crimes and BSA Officer at Lead Bank; and Michael Mosier, Partner and Co-Founder at Arktouros PLLC.

The panel discussed a growing compliance risk: the hidden gaps in sanctions controls. They broke down why independent Sanctions Penetration Testing (SPT) is essential for identifying whether sanctioned actors can access your services — either directly or through partners. The conversation focused on how to uncover these vulnerabilities, integrate SPT findings into internal and partner compliance programs, and the importance of real-time reporting and continuous monitoring for fast, effective remediation.

Key Takeaways

From policies to practice: Ensuring real compliance

As consent orders continue to pile up, the message is clear: weak compliance isn’t just a regulatory risk — it’s a business and reputational threat. For banks and fintechs, closing these gaps starts with a risk-based approach, and OFAC’s 2019 Framework for Compliance Commitments lays out how: thorough risk assessments, strong internal controls, and regular testing and training. Beyond that, automation is the need of the hour, especially for fast-growing BaaS partnerships. As one panelist highlighted,

“Even the best policies mean nothing without real-world validation. Manual testing might work for smaller-scale operations, but as partnerships grow, automation becomes essential. Relying solely on human oversight is inefficient and unsustainable.”

Information sharing and oversight in bank-fintech partnerships

When it comes to information sharing between sponsor banks and fintech partners, entirely relying on a partner’s controls is risky. 

  1. To avoid such risks, banks must establish a robust internal audit program and communicate findings clearly to their fintech partners. Both parties should collaborate on a fast, effective remediation plan, whether the issue is an isolated mistake or a systemic failure.

  2. Clear contractual agreements are also important. Every responsibility must be explicitly outlined so both parties understand their respective obligations. Moreover, banks need a defined remediation pathway, ensuring there’s both accountability and corrective action.

  3. Consistent communication is key. Regular dialogue — monthly, quarterly or risk-based meetings — fosters transparency, ensuring fintechs proactively disclose mistakes and work together on solutions.

“While collaboration is vital, banks must retain oversight — and that starts with testing. If you outsource it, you must test it. Regular testing ensures issues are identified early — ideally, well before regulators or enforcement agencies raise concerns.”


Sanctions Penetration Testing in action


The need for stronger due diligence and partner validation

On the flip side, fintechs must be just as diligent — selecting the right banking partner is critical for the long-term stability and success of any BaaS relationship. When evaluating banking partners, payment service providers, or M&A opportunities, fintechs must go beyond policy reviews and assess the strength and completeness of control frameworks. Regulators, especially in the EU, emphasize documented and well-defined control inventories.

Identifying risks, evaluating the controls in place and assessing residual risk is just the starting point. What’s equally essential is determining whether that residual risk aligns with the organization’s documented risk appetite.

“Moving toward a data-driven, tech-forward compliance program requires deep visibility into risk pockets, and potential liabilities. When partners can clearly demonstrate knowledge of their systems, data and processes, it builds confidence in their ability to manage risk.”

Sanctions Penetration Testing (SPT): A new approach to AML/KYC compliance

As automation evolves, the line between compliance and cybersecurity is becoming increasingly blurred. This is especially true in the crypto space, where everything is on-chain and inherently digital — making the need for robust automated controls even more urgent. High-profile breaches, like the $1.4 billion Bybit hack attributed to Lazarus, highlight why real-time penetration testing is no longer optional.

We’re seeing rising demand for automated compliance testing, much like the DDoS penetration tests used in cybersecurity: tests that validate whether an organization’s sanctions controls, identity verification systems and risk mitigation tools stand up to real-world threats.

“Financial institutions want to ensure their compliance programs aren’t just well-written policies but real, resilient mechanisms that perform under pressure. The objective is clear: identify and close compliance gaps before money launderers or terrorist financiers exploit them.” 

How does Sanctions Penetration Testing (SPT) work?

SPT assesses the compliance infrastructure of regulators, banks and fintechs, focusing on the strength of name screening controls, list integrity and screening data fidelity. The key questions are whether a full, accurate sanctions list is being applied, and whether client data reaches the screening engine without distortion.

The process begins with IP and location testing. It identifies whether fintechs and financial institutions allow account creation from sanctioned regions, often revealing VPN use and other obfuscation tactics.

The next layer of testing involves high-risk name testing to check whether accounts can be opened using sanctioned identities, FBI most-wanted names, or entities flagged in adverse media reports.

This proactive approach eliminates hundreds of hours of manual work and spares internal teams from managing complex testing protocols. Moreover, automated reporting from Castellum.AI’s Sanctions Penetration Testing delivers timely, actionable alerts on compliance gaps, helping organizations strengthen their defenses before regulators step in. For fast-growing companies with evolving risk profiles, this kind of real-time validation is a must.


KYC / AML Penetration Testing screening for fast-moving banks and fintechs

