
OFAC Screening Requirements: Compliance
A Miami-based export company processed a $120,000 wire transfer to a Dubai supplier in February 2026. Three days later, federal investigators contacted the firm—the recipient’s name matched an entry on the OFAC Specially Designated Nationals List. The company faced civil penalties exceeding $250,000 and a compliance audit that revealed systematic screening failures across 18 months of international transactions.
OFAC screening requirements dictate that businesses must cross-reference clients, transactions, and beneficial owners against US sanctions lists to prevent doing business with blocked entities. Compliance is strictly mandatory for all US persons, any global entity conducting transactions in US dollars, and foreign businesses looking to avoid severe secondary sanctions.
What Are OFAC Screening Requirements and Who Must Comply?
The Office of Foreign Assets Control operates under statutory authority granted by the International Emergency Economic Powers Act (50 U.S.C. §§ 1701–1706) and the Trading with the Enemy Act (50 U.S.C. § 4301 et seq.) to administer and enforce economic sanctions programs targeting specific foreign governments, individuals, groups, and entities.
Compliance obligations are broader than they appear. They apply to all U.S. persons—a term encompassing U.S. citizens and permanent residents regardless of physical location worldwide, all individuals and entities physically present in the United States, and all entities incorporated under U.S. law including their foreign branches. A U.S. citizen living abroad remains bound by OFAC rules. A foreign subsidiary of a Delaware corporation must comply. Even temporary presence in U.S. territory triggers obligations.
Financial institutions bear specific obligations under the Bank Secrecy Act (31 U.S.C. § 5318(h)) to integrate OFAC screening into their Anti-Money Laundering programs. Non-financial businesses conducting international transactions—manufacturers, exporters, importers, logistics providers, professional services firms—must also implement screening procedures when their operations involve U.S.-origin goods, services, or financial system access. Foreign entities that process U.S. dollar transactions, utilize correspondent banking relationships with U.S. institutions, or conduct business with U.S. persons fall within OFAC’s jurisdictional reach even when operating entirely outside the United States.
That said, the scope extends further. Organizations must screen beneficial owners, intermediaries in payment chains, vessel ownership structures in maritime commerce, and any party that could trigger a sanctions violation through indirect dealing. According to OFAC’s published guidance, the agency evaluates compliance programs based on whether organizations adopt a risk-based approach tailored to their specific sanctions exposure profile.
Which Lists Do You Need to Screen Against Under OFAC Requirements?
Start with the Specially Designated Nationals and Blocked Persons List. It contains over 9,000 individuals and entities whose assets must be blocked and with whom U.S. persons are generally prohibited from conducting any transactions. Each SDN entry includes names, aliases, addresses, citizenship information, passport details, and identification numbers where available. When your organization identifies a match, all transactions involving that party must be blocked immediately. You then have 10 business days to report the hit to OFAC using the Blocked Assets and Rejected Transaction Report (Form OFAC 308) if the value meets or exceeds $10,000. Miss that deadline, and you’ve compounded the violation with a failure-to-report offense.
The Consolidated Sanctions List aggregates multiple non-SDN sanctions programs into one searchable database. This includes sectoral sanctions targeting Russian energy, defense, and financial sector entities; the Non-SDN Chinese Military-Industrial Complex Companies List identifying investment-prohibited entities; and country-based sanctions programs covering Iran, North Korea, Syria, Cuba, and others subject to comprehensive or targeted restrictions. Here’s the critical distinction: non-SDN listings may permit certain transactions under specific licenses, unlike SDN designations which impose comprehensive blocking requirements with no exceptions.
OFAC updates its lists continuously, with new sanctions programs frequently announced outside regular update cycles. Financial institutions and businesses handling international transactions should download updated list data daily from OFAC’s Sanctions List Search tool or integrate automated feeds that refresh screening databases in real time. Regulators evaluating your compliance program will examine whether you maintained current list versions and can document which specific version you used for each screening event.
Maritime commerce adds complexity. Vessel registrations must be screened against OFAC’s List of Foreign Vessels. Aircraft transactions require checking the OFAC Specially Designated Nationals Aircraft List. And if your operations touch European Union sanctions, UN Security Council lists, or UK Office of Financial Sanctions Implementation lists, you must screen against those regimes as well.
When Must Screening Occur in the Customer Onboarding Process?
Initial screening must happen before any business relationship commences or any transaction processes. This requirement is established by enforcement precedent under Title 31 U.S.C. § 1705. Financial institutions must screen prospective customers at account opening, capturing sufficient identifying information to conduct meaningful name matching against sanctions lists. This extends to beneficial ownership screening mandated by 31 CFR 1010.230, which requires identifying and verifying individuals owning 25 percent or more of legal entity customers.
Your ongoing screening frequency should depend on customer risk classification. High-risk customers—those operating in sanctioned jurisdictions, dealing in industries subject to sectoral sanctions, or exhibiting transaction patterns associated with sanctions evasion—warrant continuous or monthly rescreening against updated lists. Medium-risk customers typically require quarterly reviews. Low-risk domestic customers with predictable patterns may be rescreened annually. Whatever schedule you choose, document it in written policies. Examiners will ask.
Know Your Customer data quality directly determines screening accuracy. Insufficient information means more false positives consuming investigation resources—and more dangerously, potential true matches might slip through. Capture full legal names, all known aliases and former names, complete addresses including jurisdiction, date of birth or incorporation date, citizenship or jurisdiction of organization, and government-issued identification numbers. The difference between properly matching a sanctioned Syrian national and incorrectly flagging a U.S. citizen of Syrian descent with a similar name lies entirely in KYC data completeness.
Transaction screening must occur before processing payments, wire transfers, trade finance instruments, or any fund movement. Payment processing systems should automatically compare sender, beneficiary, and intermediary bank information against current sanctions lists before releasing funds. When screening technology identifies a potential match above your configured threshold, suspend the transaction pending manual investigation. Determine whether a true sanctions hit exists or the alert represents a false positive that can be cleared and processed.
How Should You Implement OFAC Screening in Daily Operations?
Automated screening technology forms the practical foundation for organizations handling meaningful transaction volumes. Effective screening software compares customer and transaction data fields against current sanctions lists using fuzzy matching algorithms that account for naming variations, transliteration differences, and data entry errors. Configure your matching thresholds based on risk tolerance. Stricter thresholds (alerting at 85-90% similarity) generate more false positives requiring investigation but reduce missed matches. Looser thresholds (alerting only at 95%+ similarity) decrease operational burden but may allow close-match sanctions violations to slip through undetected. The choice depends on your compliance appetite.
| Screening Event Type | Required Timing | Data Fields to Screen | Typical Processing Time |
|---|---|---|---|
| New customer onboarding | Before account opening | Legal name, aliases, DOB, address, ID numbers | 1-3 business days |
| Wire transfer (international) | Before funds release | Sender, beneficiary, intermediary banks | Real-time to 24 hours |
| Batch customer rescreening | Per risk classification schedule | All current customer records | Monthly/quarterly/annual |
| Trade finance document review | Before letter of credit issuance | All parties on commercial documents | 24-72 hours |
Document everything. For each screening result, record the date and time, the specific list version used, all data fields compared, match scores or similarity percentages for potential hits, and the identity of staff conducting investigations. This documentation serves as evidence of due diligence during regulatory examinations and OFAC inquiries. Retain screening logs and investigation records for a minimum of five years per 31 CFR 1010.430. When OFAC arrives with questions—and they will—your documentation either protects you or convicts you.
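The threshold trade-off and the per-screening record described above, as an added example (not code from the original page or from any screening product). The list entries, party names, IDs, list-version string and record field names are constructed, and Python's `difflib` ratio stands in for a commercial fuzzy-matching engine.

```python
import json
import re
import unicodedata
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed sample list: fictional names and IDs, not real OFAC data.
LIST_VERSION = "sample-list-2026-02-01"
SAMPLE_LIST = [
    {"uid": "TEST-0001", "names": ["Yusuf Karimov"]},
    {"uid": "TEST-0002", "names": ["Orion Maritime Holdings Ltd"]},
]

def normalize(name):
    """Strip accents, case and punctuation; sort tokens so word order is ignored."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = re.sub(r"[^a-z0-9 ]", " ", text.casefold()).split()
    return " ".join(sorted(tokens))

def similarity(a, b):
    """Similarity of two Latin-script names as a percentage (0-100)."""
    return round(100 * SequenceMatcher(None, normalize(a), normalize(b)).ratio(), 1)

def screen_payment(parties, threshold):
    """Screen every party role against the list; return (decision, audit_record)."""
    hits = []
    for role, name in parties.items():
        for entry in SAMPLE_LIST:
            score = max(similarity(name, listed) for listed in entry["names"])
            if score >= threshold:
                hits.append({"role": role, "name": name,
                             "list_uid": entry["uid"], "score": score})
    decision = "HOLD_FOR_REVIEW" if hits else "RELEASE"
    record = {
        "screened_at": datetime.now(timezone.utc).isoformat(),
        "list_version": LIST_VERSION,          # which list snapshot was used
        "threshold": threshold,
        "fields_compared": sorted(parties),
        "hits": hits,                          # match scores for potential hits
        "decision": decision,
        "investigator": None,                  # set when an analyst clears or confirms
    }
    return decision, record

# Constructed wire: one transliteration variant, one punctuation variant.
WIRE = {
    "sender": "Acme Export Inc",
    "beneficiary": "Yousef KARIMOV",
    "intermediary": "Orion Maritime Holdings, Ltd.",
}

if __name__ == "__main__":
    for cutoff in (85, 95):
        _, record = screen_payment(WIRE, cutoff)
        print(json.dumps(record, indent=2))
```

At the 85 cutoff both the beneficiary and the intermediary are held for review; at 95 the transliterated beneficiary name falls below the cutoff and only the intermediary is flagged.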
Staff training on sanctions compliance directly shapes how well your screening program actually works. Everyone handling customer onboarding, processing transactions, or running sanctions checks needs initial training when hired, then annual refreshers covering OFAC list updates, new evasion tactics, and your internal escalation process. Good training includes real-world scenarios—the kind that help staff spot the difference between a genuine match and a false positive caused by a common name or incomplete data. Document everything: attendance, session dates, and test results that prove staff can actually apply the screening procedures correctly.
What Steps Should You Take if an OFAC Match or “Hit” is Discovered?
You’ve found a potential match. Stop. Suspend all transactions involving that party immediately and escalate to your compliance officers trained in sanctions investigation. Now comes the detailed work: pull every identifying detail you have—names, addresses, dates of birth, passport numbers, business registration info—and compare it against the SDN or consolidated list entry. The goal is simple but critical: determine whether this is a real match or a false positive. Document each step of your investigation: what data points you compared, where you looked, why you reached your conclusion.
If the investigation confirms a genuine match—a customer, transaction party, or business partner actually appears on OFAC sanctions lists—you must act immediately. Block all transactions. Freeze all assets. Those blocked assets go into interest-bearing accounts kept separate from your other funds. You cannot release a single dollar without OFAC’s written permission. Within 10 business days of blocking, if the blocked amount reaches $10,000 or more, file a Blocked Assets and Rejected Transaction Report (Form OFAC 308) through the OFAC portal. That report needs the blocking date, the blocked party’s name and address, which OFAC list entry triggered the block, a description of what you blocked, and the dollar amount.
False positives still require thorough documentation, even though no blocking or reporting happens. Your file should explain exactly why the match doesn’t represent a violation, for instance by showing that the “Mohammed Ali Hassan” opening an account is a U.S.-born software engineer, not the Syrian national with the same name on the SDN List. Keep all false positive records. Examiners want to see that you investigated alerts thoughtfully rather than clearing them automatically.
What Are the Legal Penalties for Non-Compliance with OFAC Screening Requirements?
Civil penalties adjust annually for inflation under federal law. As of 2026, OFAC can impose civil penalties up to $356,579 per violation or twice the transaction value—whichever is larger. But the actual penalty depends on factors in OFAC’s Economic Sanctions Enforcement Guidelines: Did you self-disclose? Did you maintain an effective compliance program? Were managers aware? Did deception occur? The difference between a $50,000 penalty and a $500,000 penalty often comes down to these details.
Criminal consequences are far more severe. Under 50 U.S.C. § 1705, willful IEEPA violations carry fines up to $1 million and up to 20 years in prison. Willfulness means you knew your conduct violated sanctions regulations or you recklessly ignored a substantial risk that it did. Here’s what many compliance officers miss: corporate officers and compliance personnel face personal criminal liability separate from company penalties. Your CFO or compliance director could face prison time.
Money isn’t the worst part. OFAC publishes every enforcement action on its website with the violator’s name, the violations, and the penalty. Financial institutions that appear in these enforcement actions lose correspondent banking relationships fast—other banks treat sanctions violations as a sign of weak compliance that could expose them to derivative liability. Exporters lose customers when procurement departments blacklist suppliers with compliance failures.
OFAC’s enforcement data through 2025 shows the agency resolved 238 enforcement actions with penalties exceeding $4.2 billion. Most went to financial institutions that processed sanctioned-jurisdiction transactions over years. Organizations that voluntarily self-disclosed violations, cooperated with investigations, and fixed their compliance systems received penalty reductions averaging 40-50% compared to cases where OFAC discovered violations independently.
How Should You Document and Audit Your OFAC Screening Program?
Start with written policies. These form your regulatory foundation. Define what activities and transaction types require OFAC review. List the specific sanctions lists you screen against. Set screening frequency based on customer risk tier. Document your matching thresholds and technology. Outline how you investigate potential matches. Specify who escalates confirmed hits and to whom. Assign a named officer responsibility for oversight with real authority. All of this must align with 31 CFR Chapter V, and you should review annually as your business operations or sanctions programs change.
Annual independent audits prove your program actually works—something regulators expect for financial institutions under the Bank Secrecy Act. Auditors should verify that screening happens at every required point (account opening, transaction processing, etc.), test alert quality by sampling investigations, measure false positive rates to check if your thresholds are realistic, confirm staff training completion, and check that you’re using current list versions and updating promptly. Written audit reports to senior management and the board matter as much as the audit itself.
Retention rules are strict. Keep screening logs showing every customer and transaction screening event with date, time, and result. Maintain investigation files for all matches—including false positives with documentation explaining why you cleared them. Preserve blocked transaction reports and all OFAC correspondence. File training records showing who attended, when, and what topics. Retain copies of every sanctions list version you used so you can prove you worked from current data. Federal regulations require five-year minimum retention under 31 CFR 1010.430, though many organizations keep records longer to protect against multi-year OFAC investigations.
Frequently Asked Questions
Who is required to do OFAC screening?
U.S. persons must comply with OFAC requirements. That includes all U.S. citizens and permanent residents (even abroad), anyone physically present in the United States, and all U.S.-incorporated entities including their foreign branches. Financial institutions, exporters, importers, and any business handling international transactions involving U.S. jurisdiction fall here too. Non-U.S. persons also face OFAC obligations when transactions touch the U.S. financial system or involve U.S.-origin goods and services.
What is OFAC compliance screening?
OFAC screening means checking customers, transactions, and business partners against Office of Foreign Assets Control sanctions lists before any dealing occurs. You compare names, addresses, and identifying information against the Specially Designated Nationals (SDN) List and other OFAC lists to block prohibited dealings with sanctioned individuals, entities, or countries. Screening happens before account opening, before transaction processing, and at regular intervals for existing customers based on their risk classification.
What are the five essential components of OFAC compliance?
A risk-based OFAC compliance program rests on five pillars. First: management commitment and program oversight, with designated officers who own sanctions compliance day-to-day. Second: dedicated internal controls—screening procedures, escalation protocols, the mechanics that actually catch problems. Third: ongoing sanctions list screening of customers and transactions at appropriate frequencies. Fourth: employee training on sanctions regulations and identification procedures for everyone involved in screening or transaction processing. Fifth: independent testing or auditing to verify the framework actually works in practice.
What is the OFAC screening system?
OFAC screening works through interdiction software and procedures that compare transaction and customer data against current sanctions lists before the money moves or the account opens. Manually screening high volumes is impractical, so most institutions rely on automated systems with fuzzy matching algorithms that catch variations in names, spellings, and transliterations. You set similarity thresholds yourself; a stricter threshold generates more false positives, a looser one lets riskier matches through.
What are the penalties for failing to comply with OFAC screening requirements?
Civil penalties can reach the greater of twice the transaction amount or statutory maximums adjusted yearly for inflation—$356,579 per violation in 2026 under IEEPA. Criminal penalties for willful violations are harsher: up to $1 million in fines and 20 years imprisonment for individuals under 50 U.S.C. § 1705. The severity matters because OFAC doesn’t fine every violation equally. They evaluate based on voluntary disclosure (did you self-report?), your compliance program’s actual effectiveness, management cooperation, and whether deceptive conduct was involved.
How often should OFAC screening be performed on customers and transactions?
Transaction screening must happen in real time, with no exceptions. Payments, wire transfers, trade finance documents: screen before the money leaves or the commitment is made. You cannot recall a wire once it’s in the system.
What documentation should be maintained for OFAC screening and compliance audits?
Keep records of every screening event: positive results, negative results, false-positive analysis with clearance decisions and supporting documentation. If a transaction was blocked or rejected, document the case reference and any OFAC correspondence. Capture the screening date, list version used, data fields compared, staff involved in investigations, and supervisory approvals.



