OFAC sanctions screening is a legal requirement for every U.S. fintech that moves money — no exceptions. Here is what OFAC is, what the SDN list requires, and how to build a compliant screening program.
What Is OFAC Sanctions Screening? A Compliance Guide for Fintechs
Unlike many compliance requirements that apply only above certain transaction thresholds or to businesses in specific regulated industries, OFAC sanctions rules apply to every U.S. person and every U.S. business — including every fintech, at every stage of growth, regardless of transaction volume.
There is no de minimis exception. There is no startup grace period. There is no industry carve-out for technology companies. If your fintech processes a payment to or from a sanctioned individual, entity, or country, you have potentially violated U.S. federal law — whether you knew the party was sanctioned or not.
This is not a hypothetical risk. OFAC has assessed penalties against companies of all sizes — including well-funded technology companies — for processing transactions involving sanctioned parties that their compliance programs failed to detect.
This article explains what OFAC is, what sanctions lists require, how to build an effective screening program, and what the consequences look like when violations occur.
What Is OFAC?
OFAC stands for the Office of Foreign Assets Control, a division of the U.S. Department of the Treasury. OFAC administers and enforces U.S. economic and trade sanctions programs — legal prohibitions on conducting business with specific individuals, entities, governments, and geographic regions that have been identified as threats to U.S. national security, foreign policy objectives, or the integrity of the U.S. financial system.
OFAC maintains a comprehensive body of sanctions regulations and administers more than 30 distinct sanctions programs — targeting everything from state-sponsored terrorism and narcotics trafficking to nuclear proliferation and human rights abuses.
The legal authority for OFAC's programs comes primarily from the International Emergency Economic Powers Act (IEEPA), the Trading with the Enemy Act (TWEA), and numerous specific statutes authorizing particular sanctions programs.
The Sanctions Lists — What You Must Screen Against
The Specially Designated Nationals and Blocked Persons List (SDN List) — The primary and most comprehensive OFAC sanctions list. The SDN List contains thousands of individuals, entities, vessels, and aircraft that have been specifically designated by OFAC. U.S. persons are prohibited from engaging in virtually any transaction with SDN-listed parties, and the assets of SDN-listed parties held within U.S. jurisdiction must be blocked. The SDN List is updated frequently — sometimes multiple times in a single week.
OFAC Consolidated Sanctions List — A combined list incorporating the SDN List and all other restricted party lists maintained across OFAC's various active sanctions programs. Screening against the consolidated list is broader than SDN-only screening.
Country-Based and Geographic Sanctions Programs — In addition to individual SDN designations, OFAC administers comprehensive sanctions programs that prohibit virtually all transactions with entire countries or geographic regions. Currently active comprehensive or near-comprehensive programs include Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine. Transactions with parties in these jurisdictions are generally prohibited regardless of whether the specific party appears on the SDN List.
Sector-Based Sanctions Programs — Some OFAC programs impose targeted restrictions on specific economic sectors of foreign countries rather than on named individuals. The Russian sanctions program, for example, includes significant sector-based restrictions affecting financial services, energy, defense, and technology sectors. Your screening program must account for sector-based restrictions where relevant to your business and customer base.
Who Must Comply — The Universal Obligation
All U.S. persons are legally required to comply with OFAC sanctions. This includes all U.S. citizens and permanent residents wherever located, all individuals and entities physically located in the United States, and all U.S. incorporated entities and their foreign branches — regardless of where they operate.
There is no size threshold. There is no industry exemption for technology companies, startups, or payment processors. There is no grace period for early-stage businesses.
For fintechs specifically, OFAC compliance is particularly consequential because financial transactions are the precise activity that sanctions are designed to restrict, you process potentially high volumes of transactions across diverse customer bases, you may facilitate transactions involving international parties or cross-border payments, and your sponsor bank's OFAC obligations extend to your operations — meaning your failures create their regulatory exposure too.
What a Compliant OFAC Sanctions Screening Program Requires
Screen Every Customer at Onboarding
Before any account is opened or any transaction is permitted, every new customer must be screened against the SDN List and all applicable sanctions lists. This applies to:
- Individual customers — name, date of birth, country, and nationality
- Business customers — legal entity name, jurisdiction of formation, and beneficial owners
- All countries of residence, citizenship, and operation associated with the customer and their beneficial owners
No customer should be permitted to transact before an onboarding screening check has been completed and cleared.
Screen Every Relevant Transaction
Onboarding screening is necessary but not sufficient. Your program must also screen transactions in real time or near-real time as they are processed. This is especially critical for:
- Wire transfers and ACH transactions — the originator and beneficiary information must be screened
- International transactions — all cross-border payments require counterparty screening
- Transactions where the beneficiary, recipient, or counterparty differs from your direct customer
- Any transaction where geographic routing suggests potential sanctions program involvement
The transaction-level screening requirement exists because sanctioned activity frequently involves parties other than your direct account holder — intermediaries, recipients, and counterparties who may be sanctioned even when your customer is not.
Re-Screen Your Customer Base When Lists Update
The SDN List and related sanctions lists are updated regularly, sometimes multiple times per week. An individual who was not designated when they opened their account may be added to the SDN List at any point during the relationship. Your screening program must re-screen your existing customer base and update screening results whenever material list updates occur.
Relying solely on point-in-time onboarding screening is a significant compliance gap that OFAC has cited in enforcement actions.
Manage Screening Hits Appropriately
When your screening system returns a potential match — called a "hit" — your program must have a defined, documented process for handling it:
Review the hit — determine whether it is a true match (the screened party is the same as the designated party) or a false positive (a different individual or entity with a similar name or identifying information).
Block confirmed matches — if a hit is confirmed as a true match, the transaction must not proceed and, depending on the nature of the match, the assets associated with the account may need to be blocked.
Report blocked transactions to OFAC — U.S. persons who block property or reject transactions because of a sanctions violation must report the action to OFAC. Blocked property must be reported within 10 business days of the blocking. Rejected transactions must be reported within 10 business days of the rejection.
Document false positive determinations clearly — every potential match that is reviewed and cleared as a false positive must have documented rationale explaining why the screened party is not the same as the designated party. This documentation must be retained.
The Fuzzy Matching Requirement — Why Exact Name Matching Is Not Enough
One of the most technically important and commonly inadequate aspects of sanctions screening is fuzzy matching — the ability of your screening technology to catch names that are similar to but not identical to SDN List entries.
The SDN List contains names transliterated from Arabic, Russian, Persian, Chinese, Korean, and other non-Latin scripts. The same designated individual may appear under multiple transliterations and spelling variations. Sanctioned parties and those assisting them frequently use slight name variations, misspellings, or alternate forms of their name to evade detection.
Effective sanctions screening technology must use fuzzy matching algorithms that identify name variations, alternate spellings, different transliterations, name component transpositions, and partial matches that warrant review.
Screening only against exact name matches is not compliant. OFAC expects screening systems to catch plausible variations, not just perfect matches. This is one of the most common technical gaps in fintech sanctions screening programs.
OFAC Penalties — Why Getting This Wrong Is Catastrophic
OFAC penalties for sanctions violations are among the most severe in U.S. compliance enforcement. Key characteristics:
Civil penalties — calculated as the greater of $385,000 per violation (indexed annually for inflation) or twice the value of the transaction underlying the violation. For companies that process high volumes of transactions, a pattern of violations can result in penalties reaching into the hundreds of millions of dollars.
Criminal penalties — available for willful violations and include significant monetary fines plus imprisonment for responsible individuals.
Strict liability — this is the most important concept in OFAC compliance. OFAC can and does impose civil penalties for sanctions violations even when the violation was entirely unintentional and the company had no knowledge that the party was sanctioned. Ignorance of a party's sanctions status is not a complete defense. It may be a mitigating factor in penalty calculation, but it does not eliminate liability.
Public enforcement actions — all OFAC enforcement actions are published on OFAC's website in detail. Being named in an OFAC enforcement action has severe and lasting consequences for a company's banking relationships, investor confidence, operating licenses, and ability to attract enterprise customers.
Secondary sanctions risk — for companies with international operations or international counterparties, OFAC secondary sanctions can restrict your ability to conduct business with parties that deal with sanctioned countries — even if those parties are not themselves U.S. persons.
Building a Sanctions Screening Program That Works
A compliant and examination-ready OFAC sanctions screening program requires four components working together:
Screening Technology — Purpose-built sanctions screening software that covers the SDN List and applicable consolidated lists, employs fuzzy matching across all required name variations, updates automatically when lists are revised, and maintains a complete timestamped audit trail of every screening event and its outcome.
Written Screening Policies and Procedures — Documented procedures specifying when screening occurs, which lists are screened against for which customer types, how hits are reviewed and by whom, how false positive determinations are made and documented, the process for blocking transactions and accounts, and OFAC reporting procedures and timelines.
Trained Review Personnel — Designated individuals responsible for reviewing screening hits and making blocking or false-positive clearing decisions. This function requires specific training — it cannot be improvised or assigned ad hoc. Review decisions must be documented with clear rationale.
OFAC Reporting and Recordkeeping Procedures — Defined, documented procedures for reporting blocked transactions and rejected transactions to OFAC within applicable deadlines, and retaining all screening records and blocking/reporting documentation for the required period.
Frequently Asked Questions
Does OFAC sanctions screening apply to domestic-only fintech businesses?
Yes. All U.S. persons and businesses are required to comply with OFAC sanctions, regardless of whether they conduct international transactions. A fintech that processes only domestic U.S. transactions can still have customers, counterparties, or transaction recipients who appear on the SDN List. OFAC's jurisdiction is not limited to international or cross-border transactions.
What is the difference between sanctions screening and AML transaction monitoring?
Sanctions screening checks specific individuals, entities, and transactions against government-maintained watchlists to prevent doing business with designated parties. AML transaction monitoring analyzes customer behavior and transaction patterns over time to identify suspicious activity that may indicate money laundering or other financial crime. Both are required components of a BSA/AML compliance program but serve distinct purposes and are typically implemented through separate technology systems.
How does OFAC's strict liability standard affect fintechs?
Under OFAC's strict liability standard, a company can be penalized for a sanctions violation even if it had no knowledge that the party was sanctioned and had no intent to violate sanctions. This makes robust screening technology and consistent screening procedures essential — not optional. OFAC considers the quality of a company's compliance program as a mitigating factor in penalty calculation, meaning a strong program can reduce penalties even when a violation occurs.
What should a fintech do immediately if it discovers it has processed a transaction with a sanctioned party?
If you discover a potential sanctions violation — a completed transaction with a sanctioned party — you should immediately consult with qualified legal counsel with OFAC compliance expertise. Depending on the circumstances, voluntary self-disclosure to OFAC may be appropriate, and OFAC considers voluntary disclosure as a significant mitigating factor in enforcement. Do not attempt to remediate a potential OFAC violation without legal guidance.
How ComplyOne Helps
ComplyOne helps fintechs implement OFAC sanctions screening programs that satisfy regulatory requirements, integrate with their broader AML compliance infrastructure, and hold up under regulatory examination — through our compliance technology platform, advisory services, or both. From technology selection and configuration to policy development and hit review training, we help you build a screening program that genuinely works.
Talk to the ComplyOne team to get started
The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.