OFAC SDN List: Compliance Guide & Screening
A Luxembourg-based fintech company processed a wire transfer in February 2026. Three days later, they discovered the beneficiary had been added to the OFAC SDN List that same morning. The company faced a potential civil penalty of $250,000 per violation and spent nine months documenting its compliance procedures to OFAC investigators.
The OFAC SDN List is the US government’s primary financial blacklist of individuals, companies, and vessels tied to terrorism, crime, or targeted regimes, whose assets are instantly frozen under US jurisdiction. It is globally critical because any business with them triggers severe fines for US entities and can completely cut off foreign banks from the US financial system.
What Exactly Is the OFAC SDN List and Why Does It Matter?
The SDN List is where U.S. sanctions policy becomes operational reality. As of June 11, 2026, OFAC maintains over 12,000 entries—individuals, corporate entities, aircraft, maritime vessels, and since 2022, digital asset addresses tied to sanctioned actors. The list is published continuously through the Treasury Department’s Sanctions List Service portal.
SDN designations rest on multiple legal foundations. The International Emergency Economic Powers Act grants the President broad authority to regulate economic transactions during national emergencies. From there, specific Executive Orders authorize the Treasury Secretary to designate parties who meet program-specific criteria: material support to terrorism under Executive Order 13224, involvement in narcotics trafficking under the Foreign Narcotics Kingpin Designation Act, or activities undermining democratic processes under country-specific programs.
Here’s what catches most organizations off guard: the SDN List’s reach extends far beyond U.S. borders. Financial institutions worldwide must screen against it because correspondent banking with U.S. institutions requires OFAC compliance. A European bank processing a euro transaction between two non-U.S. parties can still face OFAC enforcement if that transaction touches a U.S. correspondent account and involves an SDN. Between 2015 and 2024, OFAC imposed more than $8.5 billion in civil penalties on financial institutions for sanctions violations—about 40% stemmed from SDN-related infractions. That’s not theoretical cost; that’s enforcement reality.
⚠️ Time is critical — every day matters
Get a free case assessment
Our team specialises in cases with an international element. We review applicable treaties, assess risks, and prepare an action plan.
How Does the OFAC SDN List Connect to Other Sanctions Programs?
The SDN List functions as part of a broader sanctions architecture. Several complementary lists serve distinct regulatory functions, and understanding how they interact matters for compliance.
The Foreign Sanctions Evaders List (FSE) identifies individuals and entities that have violated U.S. sanctions or facilitated evasion. FSE designees face the same blocking requirements as SDNs but signal something different: these parties actively circumvented existing sanctions. The FSE List contained 327 entries as of January 2026. Compare that to other lists—the signal matters.
The Non-SDN Iran Sanctions Act List (NS-ISA List) targets parties subject to secondary sanctions under the Iran Sanctions Act but without full blocking status. U.S. persons can still conduct transactions with NS-ISA designees, though such transactions carry reputational risks and reporting obligations. This demonstrates OFAC’s graduated approach: not every designation requires complete asset blocking.
The Sectoral Sanctions Identifications List (SSI List) imposes prohibitions on specific transaction categories rather than comprehensive blocking. Created in 2014 for Russia-related sanctions, it restricts debt financing, equity participation, or dealings in certain debt instruments for designated Russian financial institutions and energy companies. An entity on the SSI List may conduct some business with U.S. persons; only narrow transaction types face prohibition based on sectoral directives published separately.
Screening all applicable lists is non-negotiable. A technology company exporting software to a Middle Eastern distributor must check the SDN List, the Entity List maintained by the Bureau of Industry and Security (export controls), the Sectoral Sanctions List if Russian entities are involved, and potentially the Non-SDN Palestinian Legislative Council List depending on end-user location. This layered compliance structure creates real complexity—missing one list creates exposure.
Screening all applicable lists is non-negotiable. A technology company exporting software to a Middle Eastern distributor must check the SDN List, the OFAC watchlist and related sanctions lists, the Entity List maintained by the Bureau of Industry and Security (export controls), the Sectoral Sanctions List if Russian entities are involved, and potentially the Non-SDN Palestinian Legislative Council List depending on end-user location. This layered compliance structure creates real complexity—missing one list creates exposure.
For operational implementation, organizations should establish clear procedures aligned with how to screen against the SDN list, ensuring all relevant sanctions lists are covered in automated and manual checks.
A full understanding of how these lists fit into a compliance framework is outlined in the complete OFAC compliance guide, which provides the broader structural approach to sanctions risk management.
When and How Does OFAC Update the SDN List?
OFAC updates the SDN List continuously, on no fixed schedule. Designations and delistings publish as they occur through the Recent Actions page, typically announced via press releases explaining policy rationale and evidentiary basis.
Daily updates create immediate compliance obligation. A designation announced at 10:00 AM Eastern Time becomes effective immediately. Transactions processed after that timestamp involving the newly designated party constitute violations even if your compliance database hasn’t yet refreshed. The cumulative SDN List file dated June 11, 2026 reflects all modifications through that date, but organizations processing high-volume transactions cannot rely on weekly manual downloads.
OFAC provides SDN data in multiple technical formats:
| Format | File Name | Size (June 2026) | Use Case |
|---|---|---|---|
| Enhanced XML | SDN_ENHANCED.XML | 12.4 MB | Structured data integration with modern compliance platforms |
| Compressed XML | SDN_ENHANCED.ZIP | 6.32 MB | Bandwidth-efficient download for automated daily refresh |
| Delimited Text | SDN.FF | 2.1 MB | Legacy system integration using fixed-field format |
| PDF (Human-Readable) | SDN_Current.pdf | 18.7 MB | Manual review and audit documentation |
SDN_ENHANCED.XML includes additional fields introduced in 2019: digital currency addresses, national identification numbers, and enhanced geographic location data. Financial institutions using enhanced formats achieve higher match accuracy—they cross-reference multiple identifiers rather than relying solely on name-matching algorithms. That precision difference translates to fewer false positives and fewer legitimate transactions blocked by mistake.
What Tools Does OFAC Provide to Search and Screen the SDN List?
OFAC maintains a web-based search tool at sanctionssearch.ofac.treas.gov. It applies approximate string matching to identify potential name matches. The confidence rating slider adjusts matching sensitivity—higher thresholds reduce false positives but increase false negatives when names include transliteration variations, nicknames, or typographical errors.
Search results include program codes that specify which sanctions authority applies to each designation. A result showing program code SDGT indicates designation under the Specially Designated Global Terrorist program (Executive Order 13224), triggering different prohibitions than UKRAINE-EO13662 (sectoral sanctions). Program codes matter because different legal authorities impose different transaction restrictions.
Search results show:
- Primary Name — exactly as it appears on designation documents
- AKA (Also Known As) — alternative names, transliterations, aliases
- Address Information — known locations and registered addresses
- Identification Numbers — passport numbers, national IDs, tax IDs, vessel IMO numbers
- Birth details for individuals: date and place
- Program Codes — the legal authorities underlying the designation
- Remarks — identifying information and cross-references to related designees
Organizations requiring programmatic access face a gap: OFAC does not maintain an official real-time API. Third-party compliance vendors fill this gap with services that refresh from OFAC data sources, offering fuzzy name-matching algorithms calibrated for international character sets, automated screening workflows, and customer onboarding integration.
Manual searches suffice for occasional due diligence. A law firm vetting a new client or a university screening a visiting researcher can use the web tool effectively. Financial institutions processing thousands of daily transactions require automated screening integrated directly into payment workflows—detecting violations before transactions execute, not discovering them during post-processing audits.
What Are the Real Compliance Obligations for Businesses Screening Against SDN?
U.S. persons—defined as U.S. citizens, permanent residents, entities organized under U.S. law, and any person physically located in the United States—bear mandatory obligations to comply with OFAC sanctions regulations. A French national working temporarily in New York becomes a “U.S. person” for the duration of their U.S. presence and must comply with SDN prohibitions even for transactions involving non-U.S. parties. The definition extends U.S. jurisdiction broadly.
Here’s the core obligation: block property and interests in property of SDNs, and prohibit all transactions with SDNs unless authorized by OFAC through a specific license. “Property” includes not only bank accounts and real estate but also contractual rights, intellectual property, and accounts receivable. When an entity is designated, all pending contracts with that entity become unenforceable by U.S. persons immediately—no grace period, no wind-down window. All assets held by U.S. persons on behalf of the SDN must be frozen and reported to OFAC within 10 business days. Miss that deadline and you’ve compounded the violation.
Screening requirements apply at multiple stages:
Customer Onboarding: Before establishing a business relationship, screen the prospective customer’s name, beneficial owners, and associated entities against the SDN List. For corporate customers, screening must extend to individuals owning 25% or more of the entity (consistent with FinCEN beneficial ownership requirements) and any individuals exercising control through voting rights or management authority. Many organizations stop here—they screen the company name but miss the human networks behind it.
Transaction Initiation: Each payment, wire transfer, trade finance transaction, or contractual commitment requires screening before execution. No de minimis exception exists—a $500 transaction involving an SDN carries the same penalty exposure as a $5 million one.
Periodic Rescreening: Customer relationships require periodic rescreening at intervals calibrated to risk. High-risk industries (money services businesses, cryptocurrency exchanges, international trade finance) demand monthly rescreening. Moderate-risk sectors like commercial banking and insurance typically operate on quarterly cycles. Low-risk relationships in domestic retail banking with limited international exposure may suffice with annual rescreening. The frequency matters because people get designated all the time—waiting a full year to check again is precisely when you’ll discover you’ve been transacting with someone newly on the list.
Interdiction During Transaction Processing: Real-time screening systems must flag transactions matching SDN entries before settlement occurs. Compliance officers review, block, or reject the transaction before funds move. If your system flags a match at 2 PM but your team doesn’t clear it until 5 PM and settlement happens at 6 PM, you’ve violated OFAC.
The penalty structure incentivizes over-compliance. Civil penalties for strict liability violations (technical violations without willful misconduct) can reach $250,000 per transaction or twice the transaction value, whichever is greater. Willful violations involving intentional evasion or reckless disregard trigger criminal penalties: up to $1 million in fines and 20 years imprisonment for individuals, with corporate criminal penalties reaching $20 million per violation under the Alternative Fines Act. One missed match can bankrupt a compliance budget.
How Should Organizations Structure Ongoing Compliance Monitoring?
Effective sanctions compliance requires governance frameworks that integrate technical screening tools, trained personnel, documented procedures, and regular audits. OFAC’s Framework for OFAC Compliance Commitments published in 2019 outlines five essential components: management commitment, risk assessment, internal controls, testing and auditing, and training.
Automated Refresh Cycles: Configure compliance systems to download updated SDN List files daily, with automated parsing and integration into screening databases. The refresh should occur during low-transaction-volume periods (typically overnight for U.S.-based institutions) to minimize processing disruption. But here’s the catch: transactions initiated after OFAC’s publication time and before your overnight refresh cycle require retroactive screening against the updated list. If someone initiates a wire at 11 AM and you don’t refresh until midnight, you need to manually check that transaction against the afternoon updates.
Audit Trail Documentation: Maintain records proving that each transaction was screened, which version of the SDN List was used, what screening algorithms and threshold settings applied, and whether the transaction returned matches requiring human review. During OFAC audits, examiners request sampling of transactions with timestamped proof of screening. Organizations that cannot produce contemporaneous screening logs face inference that screening was inadequate—and OFAC will presume violations occurred.
False Positive Management: Name-matching algorithms generate false positives constantly. A transaction involving “Mohammed Ahmed” might flag because an SDN entry exists for “Muhammad Ahmad.” Compliance officers must document their analysis: comparing addresses, dates of birth, national identification numbers, and contextual information to conclude the match is coincidental. Do this poorly, and you either block legitimate customers or let false negatives slip through.
Staff Training and Role-Based Access: Personnel with sanctions compliance responsibilities require regular training on OFAC regulations, screening procedures, and escalation protocols. Quarterly updates for front-line compliance staff. Annual comprehensive training for all employees with transaction authority. Executive-level briefings when major sanctions programs launch (such as the Russia-related sanctions imposed in February 2022 and expanded through 2025). Training documentation matters—OFAC will ask for it.
List Layering: Screen not only against the SDN List but also against other relevant lists based on organizational risk profile. Export-oriented companies must screen the Bureau of Industry and Security Entity List and Denied Persons List. Defense contractors must check the System for Award Management exclusions database. Organizations with Middle East exposure must screen the Non-SDN Palestinian Legislative Council List and country-specific designations.
The European Union maintains parallel sanctions lists that overlap with but do not perfectly mirror the OFAC SDN List. EU Regulation 2022/345 (Russia sanctions) and various country-specific regimes designate individuals and entities under EU authority. Organizations operating in both U.S. and EU jurisdictions must screen against both frameworks because certain entities appear on the EU list but not the SDN List, and vice versa. The technical challenge is that EU lists use different data formats and update on different schedules than OFAC lists, requiring dual-stream compliance architectures.
