The recent easing of sanctions on Syria by the United States, European Union and United Kingdom has prompted a necessary rethink in compliance teams worldwide.
While headlines focus on the political shift - the fall of Assad and emergence of a transitional government-those responsible for financial crime risk know the more immediate impact lies in how these changes ripple through client due diligence, transaction monitoring and enterprise risk models.
The lifting of sanctions isn't a green light. It's a call to reassess.
What's changed-and what hasn't
In May 2025, following Assad's departure in late 2024, multilateral sanctions relief measures were announced across major jurisdictions. The US Treasury's OFAC issued General License No. 25, authorising a broad set of transactions involving Syrian state-linked entities, including construction, energy and banking, provided they support "reconstruction and stabilisation".
The EU has lifted major economic sanctions whilst retaining restrictive measures against individuals and entities responsible for serious human rights violations. The UK government similarly amended the Syria (Sanctions) (EU Exit) Regulations 2019, signalling support for stabilisation and humanitarian access, but maintaining asset freezes and travel bans on key figures.
But here's the crucial point: the underlying risk profile hasn't reset. Even with sanctions “relief”, Syria remains heavily restricted and high‑risk. Crucially, the US, EU and UK all emphasise that bans on terrorism‑related activity, arms and security controls and human‑rights violations still stand. Syria remains geopolitically volatile, economically fractured and partially controlled by non-state actors. Much of the financial infrastructure is underdeveloped, under-regulated, or untested in a post-sanctions context. The Central Bank of Syria, for instance, is no longer sanctioned in the US, but many compliance teams are rightly treating it with extreme caution.
Risk recalibration in practice
This shift requires a layered response, not just policy updates but operational rethinking. Here are five areas already under review in many programmes:
1. Re-weighting Syria in geographic risk models
Review any country‑risk ratings or scoring. Syria may no longer be fully sanctioned, but it is far from low-risk. Organisations that previously excluded Syrian exposure outright now face decisions about whether and how to re-engage. Geographic risk matrices should reflect this new complexity: permissibility doesn't mean safety.
Any exposure should be tested against new thresholds with regional overlays e.g. Syria-Lebanon corridors or Turkey-based intermediaries, factored in. Where full exclusion was once the norm, firms must now consider tiered permissions, with high thresholds for approval and narrowly defined exceptions. Blanket exclusions may be replaced with tightly governed exceptions, but only with a clear audit trail.
Compliance teams should document the rationale for any change in rating and ensure monitoring and controls stay robust.
2. Go beyond the watchlist
Do not assume de-listing means clearance. Many sanctioned Syrian entities remain SDNs; GL 25 explicitly authorises dealing with them, but does not remove their blocked status. One of the trickier consequences of sanctions relief is that the tools many teams rely on, static lists and automated screening engines, become less decisive. A former SDN or UK asset freeze target may no longer be designated but still holds influence in sectors like construction, oil or phosphate mining.
Screening tools that prioritise list-matching need to be augmented with behavioural insights and geopolitical context. Behavioural red flags will become just as important as list matches.
Where once a hit was a block, now the absence of a hit might require deeper analysis. Each Syria‑related counterparty should trigger alerts and be reviewed manually. Counterparty vetting needs to lean harder on relationship mapping, regional intelligence and third-party due diligence. Screening tools that prioritise list-matching need to be augmented with behavioural insights and geopolitical context. Behavioural red flags will become just as important as list matches.
3. Enhanced due diligence (EDD) as a baseline
Given the persistent risks, treat all Syrian exposures as high‑risk and apply EDD on onboarding and transactions. Permitted dealings don't reduce the need for enhanced scrutiny. If anything, they increase it. EDD should be applied by default for any dealings with a Syrian link. Identifying beneficial ownership, mapping transaction purpose and verifying source of funds are now table stakes.
This is particularly true in sectors likely to see rapid re-engagement such as humanitarian aid, infrastructure and logistics. With new players entering the market and legacy entities repackaging under new names, surface checks won't cut it. Structure tracing and network analysis become operationally critical.
4. Monitoring thresholds and controls need adjustment
Sanctions relief may increase transaction volumes and change the profile of activity. Compliance teams should reassess alert thresholds. The baseline for what constitutes "unusual" behaviour is shifting. Previously, most Syria-linked transactions triggered automatic red flags. But in a post-sanctions context, some of these flows are permissible, though still high-risk.
Risk indicators need to become more nuanced. Round-dollar trades, commodity mis-invoicing, new counterparties with weak digital footprints and inconsistent documentation may now be stronger signals than basic geography flags.
Rules designed for total prohibitions will generate noise. Risk indicators need to become more nuanced. Round-dollar trades, commodity mis-invoicing, new counterparties with weak digital footprints and inconsistent documentation may now be stronger signals than basic geography flags.
Expect more manual reviews and more scrutiny on the rationale behind escalations and approvals. Ensure your monitoring scenarios treat unlisted intermediaries or opaque transactions in new geographies with scepticism, and regularly update scenarios as both business and regulatory guidance evolve.
5. Internal alignment and communication are essential
Sanctions relief often leads to commercial pressure to move quickly. The role of the compliance function is to inject proportional caution, not blanket vetoes. The commercial imperative to re-engage with Syria, particularly in logistics, development, and humanitarian supply chains, is real. But compliance needs to guide the pace and boundaries of that re-entry.
All parts of the organisation, front-line staff, compliance, legal, risk and business units, must have a shared understanding of the changed sanctions landscape.
Misalignment can cause both risk and missed opportunities. For example, credit teams setting limits may not realise that an entity has been delisted or vice versa. Update all policies, procedures and training to reflect the eased and remaining sanctions. Cross‑functional governance bodies, e.g. risk committees, should review the changes together.
Key questions to resolve
- Which types of exposure are in-scope or out-of-scope?
- Who approves what and under what conditions?
- What documentation is required and when?
Cross-team training, policy updates and escalation frameworks should all reflect the post-sanctions ambiguity. Compliance teams should treat this as a time-limited licence with evolving conditions, not a blanket authorisation.
Navigating the grey. Risk judgement over checklist compliance
What's unfolding in Syria is not a return to business as usual; it's a shift into new territory. These sanctions changes create a complex grey zone. No automated system or rigid checklist can cover every scenario. Risk appetite may increase, but so must control strength. The challenge lies in managing that trade-off with precision, especially as regulatory guidance will likely lag behind real-world developments.
The situation in Syria is dynamic, and programmes that succeed will be those that rely less on static controls and more on professional judgement, good data and disciplined governance frameworks.
Above all, compliance professionals should remember; permissibility is not equivalent to low risk. Just because something can be done doesn't mean it should or that it can be done without careful documentation, rationale and review.
As always, permissibility is just the starting point. The work lies in interpreting the risk and documenting how you did it.
About First AML
First AML comes from the perspective of both a technology provider, but also as compliance professionals. Prior to releasing, First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that faces firms these days as they try to scale their own AML, is in our DNA.
That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
Keen to find out more? Book a demo today!