SanctionsLookup

Data last synced:

OFAC Requirements Explained

The Office of Foreign Assets Control (OFAC), part of the U.S. Department of the Treasury, administers and enforces U.S. economic and trade sanctions. These sanctions impose legal obligations on U.S. persons, financial institutions, and, in some cases, foreign entities operating within U.S. jurisdiction. OFAC requirements vary by sanctions program and risk exposure, but generally include screening against the SDN List and other OFAC sanctions lists, blocking, reporting, and recordkeeping obligationsdesigned to protect U.S. national security and foreign policy interests.

Who must comply with OFAC requirements?

OFAC requirements apply broadly to "U.S. persons." A U.S. person generally includes U.S. citizens and permanent residents, wherever located, all individuals and entities within the United States, and entities organized under U.S. law, including their foreign branches.

Financial institutions, including banks, broker-dealers, payment processors, and other regulated entities, must comply with OFAC sanctions in their customer relationships and financial transactions. U.S. companies are responsible not only for their domestic operations but also for their foreign branches.

In certain sanctions programs, foreign subsidiaries owned or controlled by U.S. companies may also be required to comply. In addition, non-U.S. persons can face exposure if they cause, facilitate, or evade violations involving U.S. jurisdiction, reflecting the broad reach of OFAC's enforcement authority.

Core OFAC requirements

Blocking requirements

One of the primary OFAC requirements is the obligation to block (freeze) property and interests in property of individuals and entities subject to blocking sanctions, including those listed on the Specially Designated Nationals and Blocked Persons List (SDN List) When a blocked person has an interest in property that comes within U.S. jurisdiction or the possession or control of a U.S. person, that property must be frozen immediately.

Blocking applies not only to named parties but also to entities owned 50 percent or more, directly or indirectly, by one or more blocked persons. This includes indirect and aggregate ownership under the 50 Percent Rule. Once blocked, the property cannot be transferred, withdrawn, or otherwise dealt in without authorization from OFAC.

Prohibited and rejected transactions

In addition to blocking obligations, OFAC regulations prohibit certain transactions under specific sanctions programs. These prohibitions may apply to dealings with sanctioned countries, sectors, or individuals, even when no blocking requirement is triggered.

When a transaction is prohibited but does not involve a blockable interest, it must be rejected rather than processed. The key distinction is that blocked transactions involve freezing property in which a blocked person has an interest, while rejected transactions are simply not executed because they are prohibited under the applicable sanctions program.

OFAC screening requirements

OFAC regulations require organizations to take reasonable steps to ensure they do not engage in transactions with sanctioned individuals, entities, or jurisdictions. Screening is a core control used to identify potential matches against sanctions lists and prevent prohibited activity.

When is OFAC screening required?

OFAC screening is typically performed during the onboarding of customers, vendors, and other counterparties. Organizations should screen before establishing a business relationship and prior to executing financial transactions that may involve U.S. jurisdiction.

Screening is not a one-time event. Ongoing monitoring is expected, particularly when sanctions lists are updated or when customer ownership structures or transaction patterns change.

Who must be screened?

Screening should extend beyond the primary customer name. Organizations should consider screening:

  • Customers and account holders
  • Beneficial owners and controlling persons
  • Payment beneficiaries and transaction counterparties
  • Vendors, suppliers, and other third parties

The scope of screening should align with the organization's sanctions risk profile.

Is interdiction software required?

OFAC does not mandate the use of specific interdiction or screening software. There is no prescribed technology requirement. Organizations may use OFAC's Sanctions List Search tool or third-party screening systems as part of their compliance controls.

However, organizations are expected to implement controls that are appropriate for their size, transaction volume, and risk exposure. Smaller entities may rely on manual processes, while financial institutions and high-volume businesses typically use automated screening systems to manage risk effectively.

OFAC reporting requirements

OFAC regulations require timely reporting when property is blocked or transactions are rejected under U.S. sanctions programs. These reporting obligations are separate from internal compliance controls and must be followed precisely.

Reporting blocked property

When property or funds are blocked due to a sanctions match, the blocking must be reported to OFAC within 10 business days of the action. This includes identifying details about the blocked property, the parties involved, and the applicable sanctions program.

In addition to the initial report, organizations must submit an annual report of blocked property, typically covering assets held as of a specified reporting date. Blocked funds must remain frozen until authorized for release by OFAC.

Reporting rejected transactions

If a transaction is prohibited but does not involve blockable property, it must be rejected and reported to OFAC within 10 business days. Rejected transaction reports must include sufficient information to explain why the transaction was not processed and which sanctions provisions applied.

OFAC record retention requirements

OFAC regulations require organizations to maintain full and accurate records related to sanctions compliance for at least five years. Recordkeeping applies to blocked property, rejected transactions, licenses, and supporting documentation related to screening and reporting.

For blocked property, records must be retained for the entire period the property remains blocked and for five years after the property is unblocked or released. For rejected transactions, records must be kept for five years from the date the transaction was rejected.

Maintaining proper documentation is essential, as failure to retain required records may itself result in compliance violations.

OFAC licensing requirements

OFAC sanctions programs may prohibit certain transactions unless authorized by license. Licenses allow specific activities that would otherwise be restricted under U.S. sanctions regulations.

General licenses

General licenses are self-executing authorizations published in OFAC sanctions regulations or on OFAC's website. They permit categories of transactions without the need to apply for individual approval, provided all stated conditions are strictly met.

Organizations must carefully review the scope, limitations, and effective dates of a general license before relying on it. If a transaction falls outside the license terms, it remains prohibited.

Specific licenses

Specific licenses are issued by OFAC on a case-by-case basis. They authorize a particular transaction or set of transactions that would otherwise be prohibited.

When no applicable general license exists, parties must apply directly to OFAC and obtain written approval before proceeding. The transaction must conform exactly to the terms and conditions stated in the specific license.

OFAC compliance program requirements

While OFAC does not prescribe a single mandatory compliance model, organizations are expected to implement a risk-based sanctions compliance operating model and OFAC compliance program appropriate to their size, products, services, customers, and geographic exposure.

A sound compliance program should include clearly documented internal controls and written policies that address blocking, screening, reporting, and recordkeeping obligations. Screening procedures must be tailored to the organization's sanctions risk and applied consistently across relevant business lines.

Organizations should also establish a defined reporting framework for identifying and escalating potential sanctions issues. Employee training is essential to ensure staff understand OFAC obligations and recognize red flags.

Independent testing or audit functions should periodically evaluate the effectiveness of the program. Finally, a designated individual or team should have clear responsibility and authority for overseeing OFAC compliance, consistent with the principles outlined in OFAC's Framework for Compliance Commitments.

Additional OFAC requirements for banks and financial institutions

Financial institutions are subject to heightened OFAC expectations due to the volume, speed, and cross-border nature of their transactions.

  • Screen customer accounts and financial transactions
  • Monitor international wires and trade finance activity
  • Block accounts and segregate blocked funds when required
  • Apply enhanced controls to higher-risk products and services
  • Manage correspondent banking sanctions exposure
  • Maintain controls sufficient to meet regulatory examination standards

Consequences of failing to meet OFAC requirements

Failure to comply with OFAC requirements can result in significant legal and business consequences.

  • Civil monetary penalties, which may apply even to unintentional violations under Appendix A to 31 CFR Part 501 (Economic Sanctions Enforcement Guidelines)
  • Criminal penalties for willful misconduct, including fines and potential imprisonment
  • Regulatory enforcement actions, particularly for financial institutions
  • Reputational damage and loss of business relationships