OFAC Compliance: What it is and Who Must Comply
OFAC compliance is mandatory for any business processing USD transactions. Violations carry strict liability penalties up to $377,700 per violation, with cumulative fines reaching millions.
This guide covers what OFAC compliance requires and how to automate it.
- What is OFAC compliance
- Who must comply with OFAC regulations
- OFAC requirements
- Industry-specific requirements
- OFAC penalties for non-compliance
- Building an OFAC compliance program
- How to automate OFAC compliance
What is OFAC compliance?
OFAC compliance is the process of ensuring that a business does not engage in prohibited transactions with sanctioned individuals, entities, or jurisdictions. It requires screening customers, counterparties, and transactions against official sanctions lists before any transaction is processed.
It is administered and enforced by the Office of Foreign Assets Control under a strict liability standard, meaning a violation can occur regardless of intent, knowledge, or transaction size.
OFAC compliance is not a one-time check at onboarding. It is an ongoing obligation that applies to every transaction, every counterparty, and every update OFAC makes to its sanctions lists.
Who must comply with OFAC regulations?
OFAC compliance applies to all US persons, businesses, and many international companies operating outside the United States. OFAC regulations apply to:
US persons and businesses
- US citizens and permanent residents, regardless of where they live
- All individuals and entities physically located within the United States
- US-incorporated businesses and their foreign branches
- Foreign subsidiaries owned or controlled by US companies under certain sanctions programs
International companies
- Any business processing USD transactions
- Companies routing payments through US correspondent banks
- Businesses serving US customers or handling US-origin goods
Processing a single USD payment is enough to trigger OFAC obligations. There is no industry exemption and no minimum transaction threshold. Physical presence in the United States is not required.
OFAC requirements
OFAC compliance is an ongoing process made up of five core requirements: screening, blocking, rejecting, reporting, and recordkeeping.
1. Screening
Businesses must screen customers, counterparties, and transactions against the SDN List and Consolidated Sanctions List before any transaction is processed.
Screening is required at three points: customer onboarding, at the point of payment, and continuously as OFAC updates its lists.
OFAC does not prescribe a specific screening method, but strict liability means every missed hit is your responsibility regardless of how it happened. Our OFAC screening guide covers the full process and how to automate it.
2. Blocking
Blocking applies when a transaction involves property in which an SDN-listed party has an interest, including entities caught by the 50 Percent Rule.
When a confirmed blocking obligation arises, all property must be frozen immediately and placed into an interest-bearing blocked account.
Funds cannot be returned to the sender, transferred, or released without explicit OFAC authorization. Releasing blocked property without authorization is itself a separate violation.
Blocked transactions must be reported to OFAC within 10 business days, and all blocked assets held as of June 30 must be reported annually by September 30.
3. Rejecting
Rejecting applies when a transaction is prohibited by OFAC sanctions but does not involve blocked property. This covers transactions with Consolidated Sanctions List parties, country-based program prohibitions, and sectoral sanctions restrictions that do not trigger full blocking.
Unlike blocking, rejected funds are returned to the originator rather than frozen. A rejected transaction must still be reported to OFAC within 10 business days. The distinction matters: blocking creates an ongoing custody obligation, rejecting does not.
4. Reporting
Two types of reports are required. Blocking reports must be filed within 10 business days of freezing assets. Rejected transaction reports are also due within 10 business days.
Additionally, all blocked assets held as of June 30 must be reported annually to OFAC by September 30.
Reports are filed through the OFAC Reporting System or by email to [email protected].
5. Recordkeeping
All records related to transactions subject to OFAC sanctions must be retained for a minimum of 10 years under 31 CFR 501.601, updated in March 2025.
This covers screening decisions, match results, disposition records, and analyst review notes. API request and response logs alone are not sufficient. OFAC expects a full audit trail demonstrating what data was screened, what result was returned, and what decision was made.
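As an added illustration of the five requirements above (not code from the original page or its vendor), the Python below screens a transaction's parties, applies the block/reject distinction and the 50 Percent Rule, computes the 10-business-day reporting deadline, and emits the audit record that recordkeeping calls for. The sanctions lists, ownership percentages and list version are constructed placeholders; exact-name matching and a weekday-only deadline calculation are simplifying assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (placeholders, not real OFAC designations or ownership records).
SDN_LIST = {"ACME SHIPPING CO", "BETA TRADING LLC"}
CONSOLIDATED_LIST = {"EXAMPLE SECTORAL BANK"}
OWNERSHIP = {  # entity -> {owner: percentage held}
    "HOLDCO LTD": {"ACME SHIPPING CO": 30, "BETA TRADING LLC": 20, "UNRELATED INVESTOR": 50},
    "SUBCO LLC": {"HOLDCO LTD": 60, "UNRELATED INVESTOR": 40},  # no SDN name appears here
}
LIST_VERSION = "constructed-list-2025-01-01"  # placeholder for the synced list version

def normalize(name: str) -> str:
    return " ".join(name.upper().split())

def blocked_share(entity: str, depth: int = 0) -> int:
    """Aggregate percentage held by blocked persons (SDNs, or entities blocked via the 50 Percent Rule)."""
    if depth > 10:  # guard against cyclic ownership data
        return 0
    return sum(pct for owner, pct in OWNERSHIP.get(entity, {}).items() if is_blocked(owner, depth + 1))

def is_blocked(party: str, depth: int = 0) -> bool:
    """SDN-listed, or 50 percent or more owned in aggregate by blocked persons."""
    party = normalize(party)
    return party in SDN_LIST or blocked_share(party, depth) >= 50

def add_business_days(start: date, n: int) -> date:
    """Weekdays only; US federal holidays are ignored (simplifying assumption)."""
    while n > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n -= 1
    return start

def screen_transaction(tx: dict, screened_on: str) -> dict:
    """Screen both parties, decide block/reject/clear, and build the audit record to retain."""
    day = date.fromisoformat(screened_on)
    parties = {role: normalize(tx[role]) for role in ("originator", "beneficiary")}
    results = {role: ("SDN_OR_50PCT" if is_blocked(p)
                      else "CONSOLIDATED" if p in CONSOLIDATED_LIST else "NO_MATCH")
               for role, p in parties.items()}
    if "SDN_OR_50PCT" in results.values():
        decision, funds = "BLOCK", "freeze in interest-bearing blocked account; release only with OFAC authorization"
    elif "CONSOLIDATED" in results.values():
        decision, funds = "REJECT", "return to originator"
    else:
        decision, funds = "CLEAR", "process"
    return {  # full trail: what was screened, against which list, what came back, what was decided
        "tx_id": tx["id"], "amount_usd": tx["amount_usd"], "parties_screened": parties,
        "screened_on": day.isoformat(), "list_version": LIST_VERSION,
        "match_results": results, "decision": decision, "funds_handling": funds,
        "report_due": None if decision == "CLEAR" else add_business_days(day, 10).isoformat(),
        "retain_until_year": day.year + 10,  # 10-year retention under 31 CFR 501.601
    }
```

Note that SubCo LLC is blocked purely through its ownership chain, the situation the 50 Percent Rule exists for, even though no SDN name appears on the transaction itself.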
Industry-specific requirements
OFAC compliance applies across all industries with no exemptions. Because banks, fintechs, and crypto exchanges carry the highest OFAC compliance risk, they also have specific obligations and face the most active enforcement.
| Obligation | Banks | Fintechs | Crypto |
|---|---|---|---|
| Customer onboarding screening | Yes | Yes | Yes |
| Transaction screening | Yes | Yes | Yes |
| Wallet address screening | No | No | Yes |
| Correspondent bank screening | Yes | No | No |
| Wire transfer screening | Yes | Yes | No |
| ACH payment screening | Yes | Yes | No |
| FFIEC examination | Yes | No | No |
| BSA integration required | Yes | Partial | No |
| Real-time screening required | Yes | Yes | Yes |
| Continuous monitoring required | Yes | Yes | Yes |
Banks and credit unions
Banks face the highest regulatory scrutiny of any sector, with FFIEC examiners treating OFAC failures as safety and soundness issues.
- Every wire transfer, ACH payment, and account opening is a screening touchpoint
- Correspondent banking obligations require screening the foreign financial institutions they service
- BSA and AML controls do not satisfy OFAC obligations; they are separate legal frameworks
Fintechs and payment processors
Fintechs face the same OFAC obligations as banks despite operating under lighter regulatory oversight.
- Payment rails settle in seconds, making real-time screening non-negotiable
- Onboarding screening alone is not sufficient; continuous monitoring is required
- If USD transactions flow through your platform, OFAC applies regardless of banking license status
Crypto exchanges
OFAC explicitly extended sanctions obligations to crypto in 2018, covering both customer identities and blockchain wallet addresses.
- Designated wallet addresses are published directly on the SDN list and must be screened
- Pseudonymity is not a defense — transacting with a designated wallet is a violation
- Bittrex paid $24M across 116,421 violations and BitPay paid $507K across 2,102 violations
OFAC penalties for non-compliance
OFAC violations carry strict liability. Intent is irrelevant, there is no minimum transaction size, and a single prohibited transaction is enough to trigger a civil penalty of up to $377,700 or twice the transaction value, whichever is greater.
The real danger is compounding. A broken screening process does not fail once; it fails silently on every transaction that passes through it until OFAC investigates. By that point the violation count is rarely in single digits.
One factor that materially reduces penalties: voluntary self-disclosure and a documented compliance program. Payoneer's base penalty dropped from $3.85M to $1.39M because they self-disclosed and cooperated. Running no compliance program at all is treated as an aggravating factor.
For a full breakdown of enforcement cases and penalty ranges, see our OFAC penalties guide.
Building an OFAC compliance program
Every business subject to OFAC regulations needs a documented compliance program, regardless of size. Absence of a program is an aggravating factor in enforcement: Binance's $968M penalty was classified as egregious in part because its compliance program was deliberately kept ineffective.
OFAC's 2019 Framework for Compliance Commitments identifies five core components: management commitment, risk assessment, internal controls, testing and auditing, and training.
A compliance program does not need to be complex. It needs to be documented, tested, and proportionate to your risk profile.
How to automate OFAC compliance
Manual screening works for occasional checks. At any real transaction volume, it breaks down. Continuous monitoring, real-time transaction screening, and 10-year audit trail requirements make automation a necessity rather than an option.
The sanctions screening software handles screening against both the SDN list and Consolidated Sanctions List in a single call, returns scored match results, and logs every decision automatically.
List data is synced every 15 minutes so every call runs against current OFAC designations. Start with 100 free API calls, no credit card required.
FAQ
Who is responsible for OFAC compliance inside an organization?
Responsibility sits with senior management and ultimately the board. Most organizations designate a Chief Compliance Officer or BSA Officer as the primary owner, but OFAC's framework makes clear that management commitment from the top is a core component of any compliant program. In enforcement actions, OFAC has pursued personal liability against executives who were aware of violations and failed to act.
Which entities must comply with OFAC?
All US persons must comply, including citizens, permanent residents, US-incorporated businesses, and their foreign branches. Non-US companies are also in scope if they process USD transactions, use US correspondent banks, serve US customers, or handle US-origin goods. There is no industry exemption and no minimum transaction size.
Can a company be fined for a violation it did not know about?
Yes. OFAC operates under strict liability, meaning intent and knowledge are irrelevant. A company that unknowingly processes a transaction with a sanctioned party is still liable. The only question is whether mitigating factors like voluntary self-disclosure or a documented compliance program reduce the penalty amount.
What is the difference between OFAC compliance and AML compliance?
AML compliance focuses on detecting and reporting suspicious activity related to money laundering under the Bank Secrecy Act. OFAC compliance focuses on ensuring transactions do not involve sanctioned parties or jurisdictions. They are separate legal frameworks with separate obligations. AML controls do not satisfy OFAC requirements and OFAC compliance does not satisfy AML requirements. Both must be maintained independently.
What is voluntary self-disclosure and how does it affect penalties?
Voluntary self-disclosure is the act of proactively reporting an apparent OFAC violation before OFAC discovers it through its own investigation. OFAC treats self-disclosure as a significant mitigating factor and typically halves the base penalty calculation. Payoneer's settlement dropped from $3.85M to $1.39M in part because they self-disclosed promptly and cooperated fully. Companies that do not self-disclose and are found egregious face the statutory maximum, as GVA Capital learned when it received a $216M penalty in 2025.
Do small businesses need an OFAC compliance program?
Yes. OFAC does not scale requirements by company size. A small business that processes a single USD payment to a sanctioned party faces the same strict liability as a large bank. The complexity of the program should be proportionate to the risk profile, but the obligation to have documented policies, screen counterparties, and maintain records applies regardless of size. Absence of any compliance program is an aggravating factor in enforcement.
What is the difference between blocking and rejecting a transaction?
Blocking applies to transactions involving SDN-listed parties. The funds are frozen, held in an interest-bearing blocked account, and reported to OFAC within 10 business days. The funds cannot be returned without OFAC authorization. Rejecting applies to prohibited transactions that do not involve blocked property, such as Consolidated Sanctions List matches or country-based prohibitions. The funds are returned to the originator. Both require reporting to OFAC within 10 business days but create different ongoing obligations.
Does OFAC compliance apply to real estate transactions?
Yes. Buying, selling, leasing, or financing property involving a sanctioned party is prohibited. Real estate professionals, title companies, settlement agents, and mortgage lenders are all expected to screen parties before closing. The 50 Percent Rule also applies, meaning a property owned by a company majority-owned by an SDN is blocked property even if no SDN name appears on the transaction documents.