SanctionsLookupOFAC Sanctions List Service API Overview (2026)
The OFAC Sanctions List Service (SLS) is the official Treasury API for retrieving SDN and Consolidated Sanctions list data. SLS is not a sanctions screening API, it is a file delivery service. It delivers raw XML and CSV files and stops there. Parsing, normalizing, indexing, fuzzy matching, and staying current with list updates are all on your engineering team to build and maintain indefinitely.
- Does the U.S. Treasury have an official OFAC API?
- Sanctions List Service API endpoints
- Sanctions List Service data formats
- Sanctions List Service vs real-time screening APIs
- The infrastructure debt of the SLS
- When to use a real-time screening API
Does the U.S. Treasury have an official OFAC API?
Yes. The U.S. Department of the Treasury provides official OFAC sanctions data through the Sanctions List Service (SLS). It is free, requires no authentication, and has no published rate limits.
The Sanctions List Service API is the official OFAC data distribution service. It delivers structured sanctions list files for the SDN List and Consolidated Sanctions List.
The SLS is not a sanctions screening API. It does not provide identity matching, fuzzy logic, scoring, or transaction-level screening results. Everything it does not do, your team has to build and maintain.
Sanctions List Service API endpoints
The SLS API supports only GET requests and is free to use with no authentication or API key required. However, all requests must include a User-Agent header identifying the client. Requests missing this header will receive a 403 error.
GET /entities
What it does Query entities by ID, list, or program. Returns structured JSON.
When to use it Looking up a specific entity or filtering by program (e.g. IRAN, CUBA) without downloading the full list.
GET /api/download/{filename}
What it does Download full list files: SDN_ADVANCED.XML, SDN.CSV, CONS_ADVANCED.XML, CONS_PRIM.CSV.
When to use it Initial data ingestion or full list refresh.
GET /changes/latest
What it does Returns a delta file of the most recent list changes.
When to use it Incremental list updates.
GET /changes/history/{year}/{month}/{day}
What it does Returns all publication IDs for a given date.
When to use it Auditing list changes or backfilling missed updates.
GET /sanctions-lists
What it does Returns all list names as JSON array.
When to use it Validating which lists are available before filtering entity queries.
GET /sanctions-programs
What it does Returns all program names as JSON array.
When to use it Building program-based filtering logic.
GET /api/Customize/GetCustomizeList
What it does Returns a custom XML dataset filtered by list type and publication date.
When to use it Targeted ingestion when you only need SDN or consolidated data, not both.
GET /alive
What it does Returns HTTP 200 if the API is up.
When to use it General uptime monitoring.
All file download endpoints follow the pattern https://sanctionslistservice.ofac.treas.gov/api/download/{filename}. OFAC can change file names without notice, so use the /sanctions-lists endpoint to retrieve available list names programmatically rather than hardcoding them.
The SLS has no push notifications, no webhooks, and no SLA. Polling, missed updates, and data sync are your responsibility. The service is also notably slow, which compounds the overhead of any ingestion pipeline built on top of it.
OFAC Sanctions List Service data formats
The SLS delivers sanctions list data in four formats. Regardless of which you choose, the data must be parsed, normalized, and indexed into your own database before it can be used for screening.
| Format | Description | Best for |
|---|---|---|
| Advanced XML | Modern standard based on XSD schema. Richest entity data including aliases, multiple identifiers, vessel data, and original script names | Production systems requiring full entity detail |
| Legacy XML (sdn.xml) | Simplified XML structure with fewer fields | Systems not yet adapted to the advanced schema |
| CSV | Flat file, easier to ingest but does not fully represent complex entity relationships | Quick ingestion, prototyping, or spreadsheet analysis |
| Fixed-width (.FF) | Legacy column-delimited format | Older compliance systems with fixed-width parsers |
Matching logic, scoring, and screening infrastructure are entirely on you to build on top of whichever format you choose.
OFAC Sanctions List Service vs real-time screening APIs
The Sanctions List Service is the official source for OFAC data, but it is fundamentally different from a screening API.
The Treasury provides raw data files, whereas a screening API provides the logic to search that data.
| Feature | Treasury SLS API | Modern screening API |
|---|---|---|
| Primary goal | Bulk file download | Real-time identity search |
| Search logic | None (manual build) | Built-in fuzzy matching |
| Response | Raw XML/CSV files | JSON match results & scores |
| Maintenance | High (server + database) | Low (plug-and-play) |
| Data scope | U.S. lists only | Global lists (UN, EU, UK, etc.) |
The infrastructure debt of the SLS
The SLS delivers files. Everything else is yours to build and maintain indefinitely.
- Fetching, parsing, and indexing: raw XML and CSV files need to be ingested, cleaned, normalized, and loaded into a database before they are usable for anything. This is not a one-time build. Every format change OFAC makes without notice breaks your parser.
- Fuzzy matching and scoring: the SLS has none. You build it, you maintain it, you fix it when it produces false negatives.
- Ongoing maintenance: expect 10 to 20 developer hours per month to keep the pipeline reliable. At $75 to $150/hour that is $750 to $3,000 in monthly engineering cost, indefinitely.
- Silent failure risk: when your parser breaks or a list update gets missed, nothing alerts you. A sanctioned party slips through undetected until an audit or OFAC investigation surfaces it.
- No SLA, no support: OFAC technical support covers their systems, not yours. When something breaks, you are on your own.
OFAC screening is a critical compliance function. A DIY build that fails silently is not a technical problem, it is a regulatory violation.
Most teams find a dedicated screening API significantly cheaper than the engineering hours, maintenance, and compliance risk of building the same thing from scratch.
When to use a real-time screening API
If building and maintaining a screening pipeline on top of raw data files is not your core business, a dedicated screening API handles everything the SLS does not.
Fuzzy matching, scoring, alias detection, continuous list updates, and audit-ready logs come built in. No parser to maintain, no ingestion pipeline to babysit, no silent failures.
For a full breakdown of how automated OFAC screening works, see our OFAC screening guide.
To screen against the SDN list and Consolidated Sanctions List in one API call, get started with SanctionsLookup: 100 free calls, no credit card required.