Blog Login
Compliance

How to Conduct OFAC Sanctions Screening: A Practical Guide for Fintechs

A

Anzar Dewani

6 days ago

OFAC sanctions screening is required for every U.S. fintech. Here is how to actually run a compliant screening program — what to screen, when, how to handle hits, and what technology you need.

How to Conduct OFAC Sanctions Screening: A Practical Guide for Fintechs

Understanding that OFAC sanctions screening is required is one thing. Actually running a compliant screening program is another. Many fintechs have sanctions screening technology in place but are not using it correctly — screening at onboarding but not for ongoing transactions, using exact-name matching when fuzzy matching is required, or having no documented process for reviewing hits.

This guide covers the practical side of OFAC sanctions screening — exactly what you need to screen, when you need to screen it, how to handle a potential match, and what your program documentation should look like.

What OFAC Sanctions Screening Is

OFAC sanctions screening is the process of checking individuals, entities, and transactions against government-maintained sanctions lists — primarily OFAC's SDN List — to ensure you are not doing business with prohibited parties.

OFAC's jurisdiction is broad. All U.S. persons and all U.S. businesses are required to comply with OFAC sanctions — there are no size thresholds, no industry exemptions, and no grace periods for early-stage companies.

What You Must Screen

A compliant OFAC sanctions screening program must screen several categories of information.

Customer Identity at Onboarding

Every new customer must be screened against the SDN List and other applicable sanctions lists before their account is opened or any transaction is permitted. For individual customers, screen name, date of birth, and country. For business customers, screen the entity name, jurisdiction, and each beneficial owner individually.

Transaction Counterparties

For transactions where counterparty information is available — wire transfers, ACH payments, and certain other payment types — screen the counterparty against sanctions lists in real time or near-real time as transactions are processed. A customer who is not sanctioned can still conduct a transaction with a sanctioned counterparty, which is why transaction-level screening is necessary beyond onboarding screening.

Existing Customers When Lists Update

The SDN List is updated frequently — sometimes multiple times per week. Your screening program must re-screen your existing customer base whenever the SDN List is updated. A customer who was not sanctioned when they opened their account may be added to the SDN List at any point during the relationship.

Relying solely on point-in-time onboarding screening is a significant gap. OFAC has cited this as a basis for enforcement actions.

When to Screen

At Onboarding — Before Any Transaction

Screen every new customer before the account is opened and before any transaction is permitted. This is a non-negotiable baseline. No customer should be able to transact on your platform before an initial onboarding screening check has been completed and cleared.

At Transaction Processing — In Real Time

For covered transaction types, screen counterparty information as transactions are processed. For most fintechs, this means screening the beneficiary of outgoing transfers and the originator of incoming transfers where that information is available.

When Lists Update — Automated Re-screening

Configure your screening technology to automatically re-screen your customer base when the SDN List is updated. This process should be automated — manual re-screening at any meaningful customer volume is not operationally viable and creates gaps.

How to Handle a Potential Match — Hit Review

When your screening system identifies a potential match between a customer or transaction counterparty and a sanctions list entry, it generates a hit that requires review. Not all hits are true matches — common names, similar spellings, and transliteration variations produce false positives that must be cleared through a documented review process.

Step 1 — Initial Hit Review

Assign the hit to a trained compliance analyst for review. The analyst compares the information in your system against the information in the SDN list entry — name, date of birth, address, identification numbers, and any other identifying information available. The goal is to determine whether the screened party and the listed party are the same individual or entity.

Step 2 — True Match Determination

If the available information confirms the screened party is the same as the SDN-listed party — consistent name, matching date of birth, same country, corroborating identification numbers — it is a confirmed match.

If the information is inconsistent — similar name but different date of birth, different country, different identification numbers — and no further information suggests the parties are the same, it is likely a false positive.

Document your analysis for every hit — both true matches and false positives — with specific reasoning for the determination.

Step 3 — Actions for Confirmed Matches

If a hit is confirmed as a true match, you must take immediate action. Block the transaction — the transaction cannot proceed. Do not complete any pending transactions involving the sanctioned party. Freeze the account if applicable — OFAC regulations require blocking the property and accounts of SDN-listed parties subject to certain sanctions programs. Report to OFAC within 10 business days — blocked transactions and rejected transactions involving sanctioned parties must be reported to OFAC within 10 business days of the blocking or rejection. Retain documentation of the entire process including the hit, the review, the determination, and the blocking action.

Step 4 — Actions for False Positives

If a hit is determined to be a false positive, document your analysis specifically — do not use generic language. Your documentation should explain exactly why you concluded the screened party and the listed party are different individuals or entities.

Retain this documentation. In an OFAC examination, you may be asked to explain why you cleared a screening hit.

Fuzzy Matching — Why Exact Matching Is Not Sufficient

The SDN List contains names from many languages and scripts — Arabic, Russian, Chinese, Persian, Korean, and others — that must be transliterated into Latin script. The same individual may appear under multiple name variations. Sanctioned parties and those assisting them sometimes use slight variations of their names to evade detection.

Screening only for exact name matches is not compliant with OFAC's expectation that screening programs catch plausible variations. Your screening technology must use fuzzy matching algorithms that identify name variations, alternate spellings, different transliterations, and partial matches that warrant review.

Test your screening technology's fuzzy matching capability during implementation and periodically thereafter.

Screening Program Documentation

Your written OFAC sanctions screening policy must document when screening occurs, which lists are screened, what technology is used, how the fuzzy matching threshold is set, who conducts hit review and within what timeframe, how true matches are handled, how false positive determinations are documented, and how OFAC reporting is triggered and completed.

This documentation is what regulators and sponsor banks review when they assess your sanctions compliance program.

Frequently Asked Questions

Does OFAC screening apply to domestic-only transactions?

Yes. OFAC sanctions apply to all U.S. persons and businesses regardless of whether they conduct international transactions. Sanctioned individuals and entities can be customers of domestic-only platforms. OFAC's jurisdiction is not limited to cross-border activity.

How quickly must a potential sanctions match be reviewed?

OFAC does not specify a precise timeline for hit review, but the practical requirement is that transactions cannot be processed while a potential match is unresolved — and transactions cannot be delayed indefinitely. Most compliance programs target same-day or next-business-day review for routine hits, with escalation procedures for high-priority or high-risk hits.

What is the difference between a blocked transaction and a rejected transaction?

A blocked transaction involves property or funds that must be frozen because they belong to a sanctioned party — the funds are held and cannot be returned to the sender or paid to the intended recipient. A rejected transaction involves a transaction that cannot be processed because it would involve a sanctioned party — the transaction is declined and the funds are not held. Both types require reporting to OFAC within 10 business days.

How ComplyOne Helps

ComplyOne helps fintechs implement OFAC sanctions screening programs that meet regulatory requirements — from technology selection and configuration to hit review workflow design and OFAC reporting procedures — through advisory services, compliance technology, or both.

 

 

 

Talk to the ComplyOne team to get started.

The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.

Share this article:

Related Articles