Canada has a variety of active sanctions programs that aim to cut off the flow of money to foreign officials and companies. Most of these are executed as regulations under the Special Economic Measures Act. Less commonly, they're regulationed under the United Nations Act (implementing general UN sanctions) or, even less commonly, the Justice for Victims of Corrupt Foreign Officials Act. There can also be sanctions in other legal instruments. An overview of these programs is published by Global Affairs Canada.
The bulk of sanctioned entities, which is individuals or companies, can be found in regulations under the Special Economic Measures Act. Unfortunately, the government doesn't consolidate the list of sanctioned entities and they don't publish the regulations in a standard manner. But that doesn't mean that they can't be automatically assembled.
Standard Practice Is An AML Service
This blog post explains how sanctions enforcement can be automated but the best practice for companies is to simply use a paid service that does this ("sanctions screening"). For most companies, it is easier and better to outsource the collation of sanctioned entities to an AML service. There are many competing vendors. But it's not much of a solution to recommend that someone use a paid service to comply with the law. And it's not the only way to handle this problem.
Download The Regulations And Parse Them
The regulations that contain sanctioned entities can be found in the Canada Gazette, Part 2. For example, this regulation related to Ukraine.
The method for finding all of the sanctions is to start from the index of Part 2 volumes by year and then iterate through to find all of the lists of new regulations. The next step is to filter the regulations for just those that are under the Special Economic Measures Act, download them, and then parse them for the sanctioned entities. There's a fairly regular set of formats used for the sanctioned entities, and the optional data that may be included (birthday, birth year, and sometimes commentary on the individual).
I've written an example program that runs through all of the 2022 (or any other year) Gazette Part 2 index pages, downloads the regulations, and then extracts the sanctioned entities: https://www.cameronhuff.com/blog/_assets/sanctions/index_sanctioned_entities.php.txt.
An example of the output of the program, a JSON file containing all of the sanctioned entities for 2022, can be found here: https://www.cameronhuff.com/blog/_assets/sanctions/sanctioned_entities.json.
Operationalizing This Approach
The sanctioned entities list can be loaded into a database and then checked against for new signups and periodic checks on the customer base. Although it's not likely that international criminals would be signing up with their own identities, it's an obligation under the relevant statutes to detect them. Besides this being the law and a good practice, there are tremendous penalties for breaches of sanctions, so that alone is a good motiviation to enumerate all of the sanctioned entities.
For other countries, this problem is solved by standardized data files containing all of the sanctioned entities. For example, the United States Department of the Treasury publishes a
Consolidated List. Companies those do business in any country need to check to see what sanctions are implemented becuase every country has their own set (and they can even conflict, as countries take different sides in global conflicts).
Manual Review First
A smarter approach would be to feed the automated results into a manual confirmation step to avoid accidentally including incorrect entities. This would be helpful because the government doesn't always publish laws in a standard format (and they're not required to - the government can and does pass laws in any way they want). Manual review can help spot problems with new formats or other odd errors that could interfere with serving non-sanctioned customers. Another approach would be to not bother with filtering out the bad data and just rely on hits against the list which are manually reviewed if flagged.
There are easy-to-use APIs for "entity extraction" that can be used to extract the names of individuals and companies from HTML. That approach could be better for a multi-country automated sanctions system but might also introduce additional false positives. The code in the example program above is designed to match certain formats, which produces a more predictable output that's easier to understand than a machine learning system.
What's This For?
Even if you have a paid service for doing sanctions screening, it's important to test that service against the actual laws that create the sanctions. A program like the one above, while not being used for the sanctions screening itself, could be useful for testing a sanctions screening system. The no-code version would be to simply look up the laws at random and use them to test the sanctions system.
It's particularly worth paying attention to recent sanctions because the sanctions screening service may be slow to update. Sanctions apply as soon as they are law and they can be fast-moving. For example, there's been 11 regulations passed since June that have to do with the war in Ukraine, with the most recent one being only four days ago.