OFAC Screening: Gaps That Compound Into Millions in Fines
Any business processing USD transactions must screen against OFAC sanctions lists. Violations carry strict liability, with civil penalties currently up to $377,700 per violation (the inflation-adjusted IEEPA maximum, revised annually) and cumulative fines that reach into the millions.
This guide explains how OFAC screening works and how to automate it.
- What is OFAC screening
- Who must comply with OFAC
- Penalties for noncompliance
- How OFAC screening works
- Why manual screening fails
- How to automate OFAC screening
What is OFAC screening
OFAC screening is the process of checking customers, counterparties, and transactions against sanctions lists published by the US Office of Foreign Assets Control (OFAC). The purpose is to detect and prevent business with sanctioned individuals and entities.
In practice, screening usually runs at three points in the relationship:
- Customer onboarding — Every new customer, vendor, or counterparty is screened before a relationship begins.
- Transaction screening — Payments, wire transfers, and trades are screened in real time before settlement.
- Continuous monitoring — Existing customers are re-screened whenever OFAC updates its sanctions lists, which happens irregularly and often several times a week.
A complete OFAC check goes beyond names. It evaluates individuals, companies, vessels, aircraft, and cryptocurrency wallet addresses.
Matching is rarely exact, since sanctioned parties often use aliases, transliterations, shell entities, and intermediaries to obscure their identity.
Most teams run OFAC screening as part of a broader AML (Anti-Money Laundering) and KYC (Know Your Customer) compliance program.
Who must comply with OFAC regulations
OFAC compliance is effectively a global requirement. A company can fall within OFAC's jurisdiction if it:
- Processes USD transactions
- Routes payments through US correspondent banks
- Deals with US persons or counterparties
- Handles US-origin goods and technology
Because US dollar transactions must clear through the US financial system, this captures the vast majority of companies operating in international finance, trade, or payments.
This covers banks, fintechs, payment processors, crypto exchanges, insurers, money service businesses, importers, and exporters.
There is no minimum transaction threshold and no industry exemption. US-incorporated businesses and their foreign branches are subject to OFAC by default.
Special case: under OFAC's 50 Percent Rule, any entity owned 50 percent or more, directly or indirectly and in the aggregate, by one or more blocked persons is itself treated as blocked, even if it does not appear on any list. The threshold is an aggregate across all blocked holders, and a 49 percent stake counts for nothing, so name screening alone is not sufficient and must be combined with beneficial ownership screening.
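The aggregation the 50 Percent Rule requires is easy to get wrong (it is not pro-rata multiplication down an ownership chain). The following is an added example, not code from the page or from any vendor, that propagates blocked status over a constructed, fictional ownership graph; entity names, holdings and the 50 percent threshold handling are assumptions for illustration.

```python
"""Added example, not code from the page or from any vendor: propagating
OFAC's 50 Percent Rule over a constructed ownership graph."""

from typing import Dict, Set, Tuple

# Constructed, fictional holdings: {owned_entity: {holder: fraction}}.
# Only direct holdings are recorded; indirect control is derived below.
OWNERSHIP: Dict[str, Dict[str, float]] = {
    "HoldCo A":  {"Blocked Person X": 0.50, "Unrelated Fund": 0.50},
    "OpCo B":    {"HoldCo A": 0.25, "Blocked Person X": 0.25, "Public Float": 0.50},
    "OpCo C":    {"HoldCo A": 0.30, "Minority Investor": 0.70},
    "Trading D": {"Blocked Person Y": 0.49, "Local Partner": 0.51},
    "Shell E":   {"Trading D": 1.00},
}
# Holders that appear on the SDN List (constructed names).
SDN_NAMES: Set[str] = {"Blocked Person X", "Blocked Person Y"}

THRESHOLD = 0.50  # "50 percent or more, in the aggregate"


def blocked_by_ownership(ownership: Dict[str, Dict[str, float]],
                         sdn: Set[str]) -> Set[str]:
    """Return every entity treated as blocked under the 50 Percent Rule.

    Iterates to a fixed point: once the blocked holders of an entity reach
    50% in aggregate, that entity is blocked, and its entire stake in other
    entities then counts as blocked ownership. This is aggregation over
    blocked holders, not pro-rata multiplication down the chain: a 49%
    blocked holder contributes nothing, even to wholly owned subsidiaries.
    """
    blocked = set(sdn)
    changed = True
    while changed:
        changed = False
        for entity, holders in ownership.items():
            if entity in blocked:
                continue
            share = sum(f for h, f in holders.items() if h in blocked)
            if share >= THRESHOLD - 1e-9:  # tolerate float rounding
                blocked.add(entity)
                changed = True
    return blocked


def blocked_share(entity: str, ownership: Dict[str, Dict[str, float]],
                  blocked: Set[str]) -> Tuple[float, Dict[str, float]]:
    """Aggregate blocked ownership of one entity and who contributes it;
    this is the evidence an analyst records when clearing or blocking."""
    contributors = {h: f for h, f in ownership.get(entity, {}).items() if h in blocked}
    return round(sum(contributors.values()), 4), contributors


if __name__ == "__main__":
    result = blocked_by_ownership(OWNERSHIP, SDN_NAMES)
    for name in OWNERSHIP:
        share, who = blocked_share(name, OWNERSHIP, result)
        print(f"{name:10} blocked={name in result!s:5} share={share:.2f} via={sorted(who)}")
```

With this data HoldCo A is blocked (exactly 50% held by X), OpCo B is blocked because HoldCo A's 25% now counts in full alongside X's direct 25%, while OpCo C (30% via HoldCo A), Trading D (49% via Y) and Shell E (wholly owned by the unblocked Trading D) are not. Real beneficial-ownership data is rarely this clean; the point is that the check must run to a fixed point over the whole graph, not one level deep.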
Penalties for noncompliance
OFAC violations carry strict liability. Intent is irrelevant; a single transaction is enough to trigger a civil penalty under IEEPA of up to $377,700 or twice the value of the underlying transaction, whichever is greater, per violation.
Because penalties are assessed per violation, a pattern of violations compounds fast.
A broken screening process fails silently on every transaction until a blocked payment, an audit, or an OFAC investigation surfaces the problem. By then, the damage is done.
Notable OFAC penalties
| Company | Year | Violations | Penalty | Notes |
|---|---|---|---|---|
| BNP Paribas | 2014 | - | $963M | OFAC share of multi-agency settlement; criminal guilty plea; concealed Sudan, Iran, Cuba transactions |
| Standard Chartered | 2019 | - | $1.1B | Combined settlement; two enforcement actions |
| British American Tobacco | 2023 | - | $508M | Civil settlement; largest non-financial; NK sanctions 2007–2017 |
| Binance | 2023 | 1,667,153 | $968M | Civil settlement; not self-disclosed; theoretical max $592B |
| GVA Capital | 2025 | - | $216M | Civil penalty; largest non-bank FI; sanctioned oligarch investments |
| Bittrex | 2022 | 116,421 | $24M | Civil settlement; multiple sanctions programs |
| Payoneer | 2021 | 2,220 | $1.4M | Civil settlement; cut from $3.9M base for self-disclosure |
| BitPay | 2021 | 2,102 | $507K | Civil settlement; multiple sanctions programs |
Geography is irrelevant; enforcement is global. If dollars moved through the US financial system, OFAC has jurisdiction. Companies that knowingly facilitate sanctions evasion can themselves be designated, which cuts them off from the US-dollar financial system entirely.
Mitigating factor worth noting: a documented compliance program and voluntary self-disclosure materially reduce penalties. Payoneer's settlement dropped from a $3.9M base to $1.4M largely on those grounds. The absence of a compliance program, conversely, is treated as an aggravating factor.
How OFAC screening works
Every OFAC screening process follows the same six-step pipeline, whether done via a free OFAC search tool or through an automated API. The difference is speed, accuracy, and whether your business can realistically keep up.
Step 1 — Collect and normalize data
Screening starts with a name, but name alone is the weakest input you can provide.
- Hard identifiers such as passport numbers, tax IDs, and national ID numbers substantially improve matching accuracy.
- Secondary attributes such as date of birth, aliases, address, gender, and nationality help further by reducing false positives.
The more data included in the screening request, the better the outcome. Before matching, screening systems normalize the input data by standardizing formatting, stripping special characters, and applying transliterations so the matching engine works with clean, consistent data.
Step 2 — Match against OFAC lists
The normalized data is checked against OFAC sanctions lists, including the SDN List and Consolidated Sanctions List.
Screening uses two types of matching: exact matching for precise hits, and fuzzy matching to detect phonetic variations, typos, transliterations, aliases, and other attempts to obscure identity.
Every potential match receives a confidence score. Screening systems use configurable match thresholds to decide which results require review.
- Set the threshold too loose and the system generates excessive false positives.
- Set the threshold too tight and the system misses legitimate sanctions matches.
In practice, the vast majority of name matches are false positives, which is why threshold tuning and high-quality input data matter so much.
Step 3 — Review potential matches
Matches above the configured threshold are flagged for review. An analyst, or an automated rules engine, determines whether the result is a true sanctions hit or a false positive.
In practice, manual review at any real transaction volume is not viable. Most screening systems automate the initial disposition process.
- Clear: Score below 80. No action needed; the transaction proceeds automatically. In practice over 95% of matches land here, most of them common names with no sanctions connection.
- Review: Score from 80 to 89. The identity is ambiguous, so the result is routed to an analyst who compares date of birth, nationality, ID numbers, and aliases to confirm or dismiss. The more enrichment data sent at screening, the faster this resolves.
- Block: Score of 90 or above. Treated as a hit: the transaction is stopped, funds are frozen if applicable, and the block is reported to OFAC within 10 business days.
The threshold you configure upfront determines the ratio between these three buckets. Set it too low and analysts drown in false positives. Set it too high and real hits slip through.
Most production systems start conservative and tune over time based on their own false positive rate.
Step 4 — Block and report
Confirmed sanctions hits stop the transaction immediately. Depending on the situation, the transaction is either blocked or rejected.
In blocked transactions, the funds are frozen, typically in a blocked interest-bearing account, and cannot be returned, released, or moved without authorization from OFAC.
From that point, businesses generally have 10 business days to report the blocked transaction to OFAC.
Note: Missing the reporting deadline is itself considered a compliance violation.
If the assets remain blocked, companies must also submit annual reports describing the status and value of the blocked property.
Step 5 — Maintain audit logs
Every screening decision, match result, and disposition must be logged and retained for a minimum of 10 years. OFAC may request these records during investigations or audits.
In practice, API request and response logs alone are not sufficient. Businesses must be able to demonstrate what data was screened, which sanctions lists were used, what result was returned, what decision was made, and who made it.
During investigations, OFAC may also request analyst review notes, disposition records, and the basis for clearing, escalating, blocking, or rejecting a transaction.
Step 6 — Rescreen continuously
Screening does not end at onboarding. A counterparty who was clean yesterday can be designated today, any time, without warning. OFAC does not accept "we hadn't checked yet" as a defense.
How often should you rescreen?
Rescreening frequency depends on your risk profile, but the minimum is:
- Every risk event — ownership changes, adverse media, and PEP status changes should all trigger an immediate rescan of the affected entity
- Every list update — rescreen your full counterparty base whenever OFAC publishes new data, which can happen multiple times a week
- Every transaction — screen at the point of payment or activity, not just at onboarding
High volume businesses should screen in real time on every transaction. Lower volume businesses should at minimum run a full rescreen after every OFAC list update, not on a fixed monthly or weekly schedule.
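Steps 1 through 3 above (normalize, match, score, dispose) and the list-update rescreen in Step 6 fit in one small pipeline. The following is an added example, not code from the page or from SanctionsLookup: the list entries, the SDN-000x identifiers, the customers and the DOB-handling rule are constructed assumptions, and the 80/90 cutoffs are the page's illustrative values rather than a recommendation. It uses the standard library's SequenceMatcher as a stand-in for a production fuzzy matcher.

```python
"""Added example, not code from the page or from SanctionsLookup: the
normalize / match / score / dispose pipeline of Steps 1-3, and Step 6's
rescreen of the whole customer base against a list update. Thresholds,
list entries, identifiers (SDN-000x) and customers are constructed."""

import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple

CLEAR_BELOW = 80   # score below 80 clears automatically
BLOCK_FROM = 90    # score of 90 or above blocks


@dataclass(frozen=True)
class ListEntry:
    uid: str                         # list identifier (constructed format)
    name: str
    aliases: Tuple[str, ...] = ()
    dob: Optional[str] = None        # ISO date when the list carries one


# Constructed snapshot of an SDN-style list, then the same list after an
# update that adds one designation (all names fictional).
LIST_V1 = [
    ListEntry("SDN-0001", "Ivan Ivanovich Petrov",
              ("Petrov, Ivan", "I. I. Petrov"), "1970-03-15"),
    ListEntry("SDN-0002", "Alpha Shipping Ltd", ("ALPHA SHIPPING LIMITED",)),
]
LIST_V2 = LIST_V1 + [ListEntry("SDN-0003", "Marco Antonio Reyes", (), "1982-11-02")]


def normalize(name: str) -> str:
    """Step 1: fold case, strip diacritics and punctuation, collapse spaces."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(text.split())


def similarity(a: str, b: str) -> float:
    """0-100 score; the token-sorted pass makes 'Petrov Ivan' == 'Ivan Petrov'."""
    raw = SequenceMatcher(None, a, b).ratio()
    sa, sb = " ".join(sorted(a.split())), " ".join(sorted(b.split()))
    return round(100 * max(raw, SequenceMatcher(None, sa, sb).ratio()), 1)


def best_match(query: str, entries: List[ListEntry]) -> Tuple[float, Optional[ListEntry]]:
    """Step 2: score the query against every primary name and alias."""
    q = normalize(query)
    best: Tuple[float, Optional[ListEntry]] = (0.0, None)
    for entry in entries:
        for candidate in (entry.name, *entry.aliases):
            score = similarity(q, normalize(candidate))
            if score > best[0]:
                best = (score, entry)
    return best


def screen(name: str, entries: List[ListEntry], dob: Optional[str] = None,
           list_version: str = "v1") -> Dict:
    """Steps 1-3: returns the record an audit log needs (input, list
    version, best candidate, score, decision)."""
    score, entry = best_match(name, entries)
    if score < CLEAR_BELOW:
        decision = "CLEAR"
    elif score >= BLOCK_FROM:
        decision = "BLOCK"
    else:
        decision = "REVIEW"
    # Enrichment: a date of birth that contradicts the list entry is strong
    # false-positive evidence, but it demotes a block to analyst review
    # rather than auto-clearing it (assumed policy, not an OFAC rule).
    if decision == "BLOCK" and dob and entry.dob and dob != entry.dob:
        decision = "REVIEW"
    return {"input": {"name": name, "dob": dob}, "list_version": list_version,
            "candidate": entry.uid if entry else None, "score": score,
            "decision": decision}


def rescreen_on_update(customers: List[Dict], old_list: List[ListEntry],
                       new_list: List[ListEntry], version: str) -> List[Dict]:
    """Step 6: on every list update, screen the entire customer base against
    the entries that were added or changed. Unchanged entries were already
    screened against, so the delta keeps a full rescreen cheap enough to run
    on each publication rather than on a calendar."""
    old = {e.uid: e for e in old_list}
    delta = [e for e in new_list if old.get(e.uid) != e]
    return [screen(c["name"], delta, c.get("dob"), version) for c in customers]


if __name__ == "__main__":
    for q, dob in [("Ivan Ivanovich PETROV", None), ("Petrov Ivan", None),
                   ("Ivan Ivanovitch Petrov", "1985-07-01"), ("Maria Gonzalez", None)]:
        print(screen(q, LIST_V1, dob))
    customers = [{"name": "Marco A. Reyes", "dob": "1982-11-02"}, {"name": "Jane Doe"}]
    for rec in rescreen_on_update(customers, LIST_V1, LIST_V2, "v2"):
        print(rec)
```

Two things worth noticing when you run it: the transliteration variant "Ivanovitch" scores in the high 90s and would block on name alone, and only the contradicting date of birth pulls it back to review, which is exactly why the page keeps saying to send enrichment data; and the rescreen returns a record for every customer, including the clears, because Step 5 needs evidence that each one was screened against the new list version. The delta ignores removals, which is safe (a removed entry can only stop producing hits).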
Real case: In 2020, MidFirst Bank processed $604,000 in transactions for two customers within 6 hours of them being added to the SDN List. The problem was that the customer base was only being rescreened monthly. OFAC issued a Finding of Violation. MidFirst avoided a penalty only because it self-disclosed immediately. The fine for 34 violations under IEEPA alone could have reached $11 million.
Why manual screening fails
OFAC screening sounds simple on paper. In practice, screening thousands of customers and hundreds of thousands of transactions by hand, while tracking constantly updated sanctions lists, quickly becomes impossible to do reliably.
Manual screening doesn't scale
Spreadsheets and the manual OFAC search work fine up to maybe 50 checks a month. Beyond that, each check takes 10 to 15 minutes of analyst time: pulling the name, reviewing potential matches, documenting the result.
At 500 checks a month that's roughly 85 to 125 hours of compliance work. At a US compliance analyst average of $45/hour, that's about $3,750 to $5,625 a month in labor, most of it spent clearing false positives rather than catching real hits.
There's no continuous re-screening, so anyone sanctioned after onboarding stays active in your system. And a manual audit trail of spreadsheet notes, screenshots, and email threads won't hold up under an OFAC investigation.
Treasury's data isn't a real API
OFAC publishes its lists as downloadable XML, CSV, and flat files, plus a web search tool; neither is a screening service. Everything else becomes a line item in your budget: parsing logic, fuzzy matching, phonetic matching, transliteration, alias handling, multi-script support, list update monitoring, and uptime. That is a full-time infrastructure commitment, not a one-time build.
Expect 50+ developer hours a month to keep it running. At $75 to $150/hour, that's $3,750 to $7,500 in monthly engineering costs. And when you miss a list update or your parser breaks, you won't know until a sanctioned party slips through.
OFAC screening is not a CRUD app you can vibe-code and forget. It's an essential compliance function where a silent failure can trigger a seven figure penalty. A dedicated OFAC API handles all of it.
How to automate OFAC screening
The right way to automate OFAC screening is an OFAC API that runs the same six-step pipeline programmatically. You send in a name or entity, it checks against all OFAC lists in real time and returns scored match results, so your system can make compliance decisions without manual list pulls.
- Onboarding and transaction triggers — your system calls the API at every screening touchpoint instead of manually queuing checks.
- Normalize and match in one call — send a name plus enrichment data; the API standardizes input and runs fuzzy matching against all OFAC lists.
- Disposition logic in your code — below threshold auto-clears, mid-range routes to review, confirmed hits block automatically.
- Block and report workflows — stop prohibited transactions, freeze funds when required, and retain data for OFAC filings within 10 business days.
- Audit logs retained automatically — every request, match, and disposition is logged for the full 10-year retention period.
- Continuous rescreening on list updates — the full counterparty base is rescanned whenever OFAC publishes new sanctions data, with no calendar reminder required.
FAQ
Is OFAC screening legally required?
OFAC never explicitly mandates screening as a specific obligation. What it does mandate is that you never transact with sanctioned parties, under strict liability. At any real transaction volume, the only realistic way to meet that obligation is automated screening. In practice, the requirement to screen is implied by the consequence of not doing it.
Is OFAC screening the same as KYC?
No, OFAC screening is not the same as KYC. KYC is about verifying who your customer is. OFAC screening is about checking whether you are legally allowed to do business with them. The two are related because you cannot screen effectively without good identity data, but they are separate compliance obligations. KYC collects the data; OFAC screening is one of the things you do with it.
What's the difference between OFAC screening and sanctions screening?
OFAC screening checks US sanctions lists only. Sanctions screening is the broader term covering all jurisdictions. If you process USD or serve US persons, OFAC is mandatory. If you operate in the EU, the EU Consolidated Sanctions List applies. UK operations fall under OFSI. Businesses with global exposure typically screen against OFAC, EU, UK, and the UN Security Council Consolidated List as a baseline. A party clean on the SDN List may still be sanctioned elsewhere.
Can individuals get fined too, not just companies?
Yes, OFAC's strict liability applies to people, not just businesses. In November 2024, OFAC imposed a $1,104,408 penalty on a private US citizen for 75 violations of Iran sanctions after he used foreign money services businesses to buy and operate a hotel in Iran, knowing full well it was prohibited. Executives whose companies violate OFAC can also face personal criminal liability if willfulness is proven.
How often should counterparties be rescreened?
OFAC lists can update multiple times a week, sometimes daily during active geopolitical events. Any counterparty who was clean at onboarding can appear on a sanctions list the next day. The only defensible approach is continuous monitoring, where every list update automatically triggers a rescan of your full counterparty base. Batch rescreening once a month is common in practice but leaves weeks of exposure between checks.
What happens when there is an OFAC match?
First, determine if it's a true hit or a false positive. The majority of matches are false positives, so review before acting. If confirmed, block the transaction, freeze associated funds, and report to OFAC within 10 business days. Do not return the funds. Blocked assets must be held and reported to OFAC annually until OFAC instructs otherwise.
What is the difference between blocking and rejecting a transaction?
Blocking applies to transactions involving the property of a blocked party. The funds are frozen and held, reported to OFAC within 10 business days, and reported annually until released. Rejecting applies to transactions OFAC prohibits but that don't involve blocked property (for example, a payment to a party in a comprehensively sanctioned country that does not itself appear on the SDN List). The transaction is declined and the funds returned to sender; rejections must also be reported to OFAC within 10 business days, but they carry no annual blocked-property report. Both are distinct actions with different reporting obligations.
Does OFAC screening cover crypto wallet addresses?
Yes. OFAC lists digital currency addresses as identifiers on SDN entries and expects crypto businesses to screen against them. Processing a transaction to or from a listed wallet address is a violation. The pseudonymous nature of blockchain is not a defense. If the address is on the list, the transaction is prohibited.
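Address screening is exact matching, but a naive string compare still misses hits: EVM addresses circulate in both lowercase and EIP-55 mixed-case form, bech32 addresses are case-insensitive by spec, while base58 addresses are case-sensitive and must not be folded. The following is an added example, not code from the page or from any vendor; the addresses, the SDN-010x identifiers and the accepted bech32 prefixes are constructed assumptions (the identifier text follows the "Digital Currency Address - <ticker> <address>" form used on SDN records, but these entries are not real list data).

```python
"""Added example, not code from the page or from any vendor: exact-match
screening of digital currency addresses with format-aware normalization.
Addresses and SDN-010x identifiers are constructed, not real list data."""

import re
from typing import Dict, Optional, Tuple

# Constructed sample addresses (not real, checksums not valid).
SAMPLE_ETH = "0xAbCdEf0123456789aBcDeF0123456789AbCdEf01"      # EIP-55 mixed case
SAMPLE_BECH32 = "bc1qexamplexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"   # bech32, lowercase
SAMPLE_BASE58 = "1ConstructedBase58AddrNotRea1xyz"              # legacy base58

LISTED = [
    ("SDN-0101", f"Digital Currency Address - ETH {SAMPLE_ETH}"),
    ("SDN-0102", f"Digital Currency Address - XBT {SAMPLE_BECH32}"),
    ("SDN-0103", f"Digital Currency Address - XBT {SAMPLE_BASE58}"),
]


def normalize_address(addr: str) -> str:
    """Canonical form for comparison, decided by address shape.
    EVM hex addresses are case-insensitive (EIP-55 mixed case is only a
    checksum) and bech32 is case-insensitive by spec, so both are
    lowercased; base58 is case-sensitive and compared verbatim."""
    addr = re.sub(r"[\s\u200b\u200c\u200d\ufeff]", "", addr)  # spaces, zero-width chars
    if re.fullmatch(r"0[xX][0-9a-fA-F]{40}", addr):
        return addr.lower()
    if re.fullmatch(r"(?i)(bc1|tb1|ltc1)[a-z0-9]+", addr):  # assumed set of HRPs
        return addr.lower()
    return addr


def parse_listed(identifier: str) -> Optional[Tuple[str, str]]:
    """Split a list identifier into (ticker, address); None if not an address."""
    m = re.fullmatch(r"Digital Currency Address - (\S+) (\S+)", identifier)
    return (m.group(1), m.group(2)) if m else None


def build_index(listed) -> Dict[str, Tuple[str, str]]:
    """Map normalized address -> (uid, ticker). Keying on the address alone
    errs toward matching: a listed string is flagged whatever chain label
    the caller attaches to it."""
    index: Dict[str, Tuple[str, str]] = {}
    for uid, ident in listed:
        parsed = parse_listed(ident)
        if parsed:
            ticker, addr = parsed
            index[normalize_address(addr)] = (uid, ticker)
    return index


INDEX = build_index(LISTED)


def screen_address(addr: str) -> Optional[str]:
    """Return the list uid when the address is listed, else None."""
    hit = INDEX.get(normalize_address(addr))
    return hit[0] if hit else None


if __name__ == "__main__":
    for probe in (SAMPLE_ETH.lower(), SAMPLE_BECH32.upper(),
                  SAMPLE_BASE58, SAMPLE_BASE58.lower()):
        print(probe, "->", screen_address(probe))
```

The base58 probe with its case changed deliberately returns no match: it is a different address, and folding it would produce false hits rather than catch evasion. Rebuild the index on every list update, exactly as with name entries.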
Can Treasury's free tool be used instead of a paid API?
For occasional manual checks, yes. For production use, automated onboarding, transaction screening, continuous monitoring, no. Treasury provides raw data files with no fuzzy matching, no webhooks, no SLA, and no support. The maintenance cost of building on top of it yourself exceeds a dedicated API within months.
How long does OFAC API integration take?
With SanctionsLookup, you can make your first test query in minutes using your 100 free trial calls. Full integration time depends on the complexity of your system, but most teams are production-ready within a day. The API is REST-based with SDKs for major languages. What takes the most time is defining your screening touchpoints, setting match thresholds, and configuring automated disposition logic to fit your existing workflows.