Governments increasingly encourage private companies to self-regulate and voluntarily avoid risky businesses to comply with economic sanctions. Does state-led private governance work, and if so, how? Drawing on elite interviews and industry analysis, I argue that state-directed private governance improves prudence among firms with high perceived business-specific and transaction-specific risks. Focusing on a 2019 framework by the Office of Foreign Assets Control (OFAC), which prompted global firms to develop internal sanction compliance systems, I examine private sanction compliance through due diligence in cross-border mergers and acquisitions (M&As)— an important form of international investment. Empirically, I first develop a novel, sector-based measure of business-specific sanction risk perception using past OFAC enforcement cases. I then conduct transaction-level analyses on 7,749 cross-border M&As from the Orbis dataset. After the OFAC framework, M&As involving risky-sector acquirers are, on average, 18% less likely to succeed if due diligence extends beyond five months, indicating significant transaction-specific risks. This reduction in success could reach 68% when due diligence lasts 33 months. However, the difference between deals in risky and non-risky sectors is insignificant pre-framework. These findings suggest that private self-regulation complements state regulatory oversight in economic statecraft, enabling firms to make more informed business decisions.