
OFAC Lawyer for Banks: Compliance & Defense
A regional bank in Texas processed a $47,000 wire transfer in February 2025. Thirty days later, OFAC sent a penalty notice—the beneficiary had been added to the SDN List three weeks before the transaction. The bank’s screening software hadn’t updated in real time. Legal counsel had 30 days to respond with a compliance history, transaction records, and a remedial action plan.

What Triggers OFAC Exposure for Banks & When You Need Legal Counsel Immediately
Financial institutions incur OFAC liability when they process transactions involving Specially Designated Nationals, blocked jurisdictions, or sanctioned sectors without proper screening or licensing. The Bank Secrecy Act imposes affirmative obligations to implement risk-based sanctions compliance programs under 31 U.S.C. § 5318(h). That means your institution cannot comply passively—you must actively build and maintain systems to catch violations before they happen. OFAC’s enforcement record shows that it routinely pursues banks that lacked documented, tested controls, even when violations were technically isolated incidents.
Violations emerge at multiple transaction stages. Customer onboarding without SDN screening. Wire transfers that fail real-time interdiction. Trade finance documentation that omits beneficial ownership verification. Correspondent banking relationships with foreign institutions lacking adequate sanctions controls. Crypto and digital asset transfers carry the same screening requirements as traditional banking channels—OFAC’s 2019 Framework for Sanctions Compliance Commitments applies to virtual currency transactions without exception.
Civil penalties under IEEPA § 206 now reach $356,579 per violation (adjusted annually for inflation per the Federal Civil Penalties Inflation Adjustment Act). Each transaction counts as one violation. A bank that unknowingly processed 50 wire transfers through an SDN account faces potential exposure exceeding $17 million before any mitigation. Criminal prosecution under IEEPA § 206(b) requires willfulness but imposes penalties up to $1,000,000 per violation and imprisonment up to 20 years. In 2025 alone, Treasury issued 12 enforcement actions against U.S. financial institutions, with settlement amounts ranging from $180,000 to $28.5 million.
You need specialized OFAC counsel immediately when:
- Your transaction monitoring system flags a potential SDN match
- A customer certification discloses prior sanctions involvement
- Regulatory examiners question your screening protocols
- OFAC issues an administrative subpoena or pre-penalty notice
- Internal lookback review uncovers historical violations
OFAC Compliance Requirements vs. Enforcement Defense: How Banks Choose the Right Legal Strategy
| Legal Service | When Used | Timeline | Typical Cost Range |
|---|---|---|---|
| Compliance Program Design | New sanctions program or regulatory update | 60–90 days development + ongoing monitoring | $25,000–$150,000 initial; $5,000–$25,000/month retainer |
| Voluntary Self-Disclosure (VSD) | Bank discovers violations internally | 30–90 days to file; 9–18 months OFAC review | $50,000–$300,000 preparation + defense |
| Administrative Enforcement Defense | OFAC issues Finding of Violation or pre-penalty notice | 30-day response; 6–24 months negotiation | $75,000–$500,000+ depending on violation count |
| OFAC Licensing Application | Client needs authorization for otherwise-prohibited transaction | 45–120 days OFAC review (specific licenses) | $15,000–$75,000 application + supporting docs |
| Compliance Audit & Lookback | Due diligence for M&A or proactive risk assessment | 30–90 days depending on transaction volume | $40,000–$200,000 |
Key strategic differences: Voluntary self-disclosure under OFAC’s 2019 Framework can reduce base penalties by 50% if the bank reports an apparent violation before OFAC discovers it, demonstrates effective compliance program design and implementation, and proposes meaningful remedial measures. Enforcement defense without prior VSD requires documenting that violations were non-egregious (low dollar value, limited duration, no management involvement) to qualify for reduced penalties.
OFAC distinguishes egregious from non-egregious cases based on five factors: willfulness or recklessness; awareness of sanctioned status; involvement of management-level individuals; facilitation of weapons proliferation or terrorism; and concealment or a pattern of conduct. Non-egregious cases with voluntary disclosure and remediation may receive administrative warning letters with zero monetary penalty. Egregious violations with no cooperation history face penalties at or near the statutory maximum.
The Legal Route: How OFAC Defense Counsel Protects Financial Institutions
OFAC enforcement defense begins with a privileged internal investigation to establish the scope, causes, and timeline of apparent violations. Legal counsel reviews transaction records, interviews compliance staff and business-line personnel, examines customer due diligence files, and evaluates the design and implementation of the bank’s sanctions compliance program. Protect this investigation carefully—production of internal audit findings to OFAC waives privilege and exposes the bank to expanded discovery in parallel civil litigation.
Step 1: Determine whether to file voluntary self-disclosure. The decision requires weighing penalty mitigation benefits (typically 40–50% reduction for VSDs demonstrating good faith cooperation) against the risk of alerting OFAC to violations it may not have otherwise discovered. OFAC’s Enforcement Guidelines published in November 2019 favor disclosure when violations are systemic, high-dollar, or involve sanctioned jurisdictions subject to comprehensive embargoes (Iran, North Korea, Syria, Cuba, Crimea region of Ukraine). A bank that waits too long risks losing this protection entirely.
Step 2: Prepare and submit the VSD or respond to OFAC inquiry. Voluntary disclosures must include complete transactional data showing all apparent violations, root-cause analysis identifying compliance program deficiencies, description of remedial measures already implemented, and certification by senior management. OFAC requires VSDs within a “reasonable time” after discovery—our practice standard is 60 days for straightforward cases, 90 days for complex multi-year lookbacks. OFAC acknowledges receipt within 10 business days and assigns an enforcement officer. If you miss the reasonable-time window, you lose the ability to characterize your submission as voluntary.
Step 3: Negotiate settlement terms and compliance commitments. Most OFAC enforcement actions resolve through Settlement Agreements requiring payment of civil monetary penalty plus agreement to implement specific compliance enhancements (upgraded screening technology, enhanced training, independent compliance audits). Settlement negotiations typically span 9–18 months. OFAC applies its Economic Sanctions Enforcement Guidelines framework, considering the nature of violation, your compliance program quality, whether management was involved, transaction dollar value and duration, your remedial response, and cooperation with investigation. A documented track record of strong compliance work dramatically improves negotiating position.
Step 4: Document ongoing compliance obligations. Settlement Agreements typically impose 12–24 month reporting periods requiring quarterly certifications of compliance program enhancements. Failure to meet these obligations can trigger penalty re-imposition and new enforcement actions.
Banks in correspondent relationships with foreign financial institutions face heightened scrutiny under USA PATRIOT Act § 311, which authorizes Treasury to designate foreign banks as primary money laundering concerns and prohibit U.S. correspondent accounts. Section 311 designations require U.S. banks to terminate all correspondent relationships within 10 days of publication in the Federal Register. Legal counsel must monitor Federal Register notices and maintain jurisdiction-specific risk profiles for all correspondent partners—a missed deadline here creates instantaneous violations.
OFAC Penalties for Financial Institutions: Actual Settlement Data & Civil vs. Criminal Exposure
Civil penalties under IEEPA now reach $356,579 per violation as of 2026 (adjusted from $311,562 in 2024 per the Federal Civil Penalties Inflation Adjustment Act Improvements Act). Each individual transaction with a sanctioned party constitutes a separate violation. A bank that processed 200 wire transfers involving an SDN over six months faces potential exposure exceeding $71 million before mitigation factors. That number alone changes how most boards approach compliance budgets.
Recent OFAC enforcement actions—2024–2025 data:
- A major U.S. bank settled Cuba sanctions violations for $4.3 million in 2024 after processing over 1,700 transactions involving Cuban nationals without proper screening. That’s not a typo—1,700 separate lapses that slipped through.
- A regional trust company paid $650,000 in 2024 after compliance staff manually overrode 47 SDN matches without supervisory review. The pattern matters here: deliberate override, not system error.
- One payment processor faced a $28.5 million settlement (2025) for systematic failures in beneficial ownership verification across its correspondent banking network—a company-wide problem, not an isolated incident.
- A mid-sized commercial bank received an administrative warning letter with no monetary penalty in 2025 after voluntarily disclosing Syria-related transactions totaling $180,000. Why no fine? The bank proactively fixed its controls and cooperated fully.
Criminal prosecution under IEEPA § 206(b) requires proof of willfulness—the defendant knew the conduct violated sanctions law and engaged in it anyway. That’s a high bar. Criminal penalties reach $1,000,000 per violation plus up to 20 years imprisonment. The Department of Justice typically pursues criminal cases against individual bank officers who deliberately circumvent controls rather than prosecuting institutions directly, though corporate criminal liability remains available under respondeat superior.
Mitigating factors that reduce penalties:
- Voluntary self-disclosure before OFAC detects the violation—typically yields 40–50% penalty reduction
- Non-egregious violations—transactions under $100,000, no involvement from management, violations contained within a short timeframe
- Effective compliance program when the violation occurred—screening technology in place, regular training, active audit function
- Remedial measures already implemented—technology upgrades, staff changes, tightened due diligence procedures
- Full cooperation during OFAC investigation—documents produced on schedule, employees made available for interviews without delay
OFAC calculates penalties by multiplying transaction value by a “multiplier” that ranges from 0.1 (minor violation, strong mitigation) to 1.0 (severe violation, no mitigating factors). In practice, settlements vary dramatically: a bank with a comprehensive compliance program and early disclosure might settle for 10–15% of its potential maximum penalty, while an institution with systemic failures and delayed cooperation faces 60–80% of maximum exposure.
What Services & Transaction Types Are Subject to OFAC Screening Requirements
OFAC regulations apply to all U.S. persons (individuals, entities, and their foreign branches) and all transactions that touch the U.S. financial system—regardless of where the transaction originates or concludes. Most regulated activities fall into these categories:
Core banking transactions requiring real-time screening:
- Wire transfers (domestic and international SWIFT messages)—screen the originator, beneficiary, intermediary banks, and any parties named in payment details
- ACH payments—screening required before settlement, even though ACH operates on batch processing cycles
- Customer deposit accounts—screen at opening and monitor continuously (minimum quarterly re-screening against the updated SDN List)
- Trade finance (letters of credit, documentary collections, trade loans)—requires verification of beneficial ownership and certification of end-use
- Loan origination—commercial and consumer lending both require borrower screening and review of collateral for any interests held by blocked parties
Correspondent banking relationships present a distinct compliance challenge. USA PATRIOT Act § 311 allows OFAC to designate foreign banks as money laundering concerns, requiring U.S. banks to terminate correspondent accounts within 10 days. Due diligence on correspondent partners must assess sanctions compliance capability, evaluate country risk, and identify beneficial owners.
Investment advisory and custody services—OFAC prohibits U.S. financial institutions from managing or holding assets in which a sanctioned person has any interest. That includes investment accounts where an SDN is a beneficial owner, trustee, or authorized signatory. Fiduciary accounts require ongoing SDN screening of everyone with signing authority.
Digital assets and cryptocurrency transactions follow the same rules as traditional currency. OFAC’s 2019 guidance makes this explicit: virtual currency transfers face identical sanctions requirements. Blockchain analytics must identify wallet ownership and flag transactions with SDN-associated addresses. Most major crypto exchanges now maintain internal OFAC screening; traditional banks offering crypto custody must implement equivalent controls.
Employee training obligations are non-negotiable. The Bank Secrecy Act requires financial institutions to provide ongoing OFAC training to all employees with transaction authority, compliance oversight, or customer-facing roles. Training must cover current sanctions programs, SDN screening procedures, blocking obligations, license requirements, and reporting protocols. OFAC enforcement actions frequently cite inadequate or absent training as evidence of program weakness.
Services not exempt from OFAC regulation include pro bono legal services, humanitarian assistance transactions, and informational materials—all remain subject to sanctions law unless a specific license authorizes otherwise. Exemptions are narrow. The Berman Amendment protects information and informational materials themselves, but payment processing for those materials still requires licensing.
Internal Investigations & Self-Disclosure: When Banks Should Report Violations to OFAC
The decision to file voluntary self-disclosure hinges on whether the penalty reduction outweighs the risk of alerting OFAC to violations it might never find. OFAC’s 2019 Economic Sanctions Enforcement Guidelines promise that institutions filing complete, timely disclosures with demonstrated commitment to compliance receive average penalty reductions of 40–50%. But that benefit only applies if the disclosure is genuine and the cooperation is real.
Circumstances favoring voluntary self-disclosure:
- Systematic or pattern violations—multiple transactions over months or years, not one-off mistakes. OFAC treats patterns far more severely.
- High-dollar transactions (typically above $100,000 each)—large transaction values create proportionally large penalties; early disclosure limits exposure
- Violations involving comprehensive embargo programs (Iran, North Korea, Syria, Cuba)—these receive heightened enforcement attention
- Discovery during a regulatory examination—examiners will report findings anyway; bank-initiated disclosure preserves cooperation credit
- Multiple business lines affected—indicates fundamental compliance program failure that demands root-cause remediation
When voluntary self-disclosure may be unnecessary:
- Isolated, low-dollar violations (single transaction under $10,000) with documented strong compliance program—administrative warning letter possible without disclosure
- Violations discovered in lookback going back more than 5 years—OFAC’s statute of limitations is 5 years from violation date (31 C.F.R. § 501.604)
- Unclear sanctions interpretation—where transaction arguably falls outside OFAC’s prohibition, requesting an advisory opinion may work better than disclosure
VSD preparation timeline and what OFAC expects:
File within 60–90 days of discovering the violation for routine matters. Multi-year lookbacks can extend to 120 days if you notify OFAC in the interim. Your submission must include:
- Detailed transaction data—every apparent violation with dates, amounts, parties, payment messages, and relevant correspondence
- Root-cause analysis—explain exactly which compliance program failures or control gaps allowed violations to occur
- Compliance program description—written policies, procedures, training materials, and audit reports showing program design and implementation
- Remedial measures—specific steps you’ve already taken to prevent recurrence (technology upgrades, personnel changes, enhanced due diligence)
- Management certification—signed statement from a senior officer certifying disclosure completeness and accuracy
OFAC assigns an enforcement officer within 10 business days of receiving your VSD. Expect supplemental information requests, personnel interviews, and possibly administrative subpoenas. Timeline from VSD filing to settlement typically runs 9–18 months.
Post-disclosure, cooperation is mandatory. You must respond to OFAC document requests within stated deadlines (usually 30 days), make staff available for interviews, and disclose any additional violations discovered during OFAC’s review. Failure to cooperate after filing a VSD eliminates mitigation credit entirely and can push penalties toward the statutory maximum.
OFAC Licensing: When Financial Institutions Need Specific Authorization
OFAC issues specific licenses to authorize transactions that would otherwise violate sanctions regulations. Financial institutions need licenses when clients have legitimate business in sanctioned jurisdictions or with sanctioned parties—humanitarian aid payments to Syria, family remittances to Cuba, or authorized trade under General License provisions requiring written documentation.
How to apply:
Submit applications through OFAC’s online portal or by mail to the Sanctions Compliance & Evaluation Division. Include: description of the proposed transaction, identification of all parties (including SDN status), transaction amount, transaction purpose and business justification, and explanation of how the transaction advances U.S. foreign policy interests. OFAC reviews specific license applications within 45–120 days depending on program complexity and dollar value.
License types financial institutions typically encounter:
- Specific licenses for individual transactions—required when general license provisions don't apply
- Statement of Licensing Policy (SoLP)—OFAC publishes favorable licensing policies for certain transaction categories but requires case-by-case approval
- General licenses—regulatory provisions authorizing categories of transactions without individual application. You must still maintain records demonstrating compliance with general license terms
Legal counsel should prepare license applications with complete supporting documentation. Incomplete applications trigger rejection letters requiring resubmission—which adds 60+ days to your approval timeline. OFAC may deny licenses without explanation when transactions do not serve U.S. policy interests or involve national security concerns. Plan accordingly if timing is critical to your business.
FAQ
What is an OFAC attorney near me?
An OFAC attorney near you is a lawyer with expertise in Treasury Department sanctions regulations who can represent your bank or financial institution in enforcement matters, compliance program development, or licensing applications. Geographic proximity matters less than sanctions specialization. Most OFAC enforcement defense and compliance work happens remotely, with occasional in-person meetings when needed. Look for counsel with former OFAC or Treasury experience, demonstrated track record in financial institution defense, and capability to handle both civil enforcement and criminal referral risk.
What is an OFAC Iran lawyer?
An OFAC lawyer handling Iran sanctions matters specializes in the Iranian Transactions and Sanctions Regulations (ITSR), 31 C.F.R. Part 560, which imposes comprehensive economic sanctions on Iran with limited exceptions for humanitarian trade and informational materials. Iran sanctions cases require expertise in secondary sanctions—where non-U.S. persons conducting Iran-related business face liability—complex licensing procedures for authorized transactions, and defense strategies when banks inadvertently process Iran-related payments through correspondent accounts. Legal counsel must understand both primary sanctions (binding on U.S. persons) and secondary sanctions (targeting non-U.S. persons who facilitate Iran transactions). This distinction can mean the difference between a manageable civil penalty and a multi-year criminal investigation.
What is the possible penalty for violating OFAC sanctions?
Civil penalties under the International Emergency Economic Powers Act reach $356,579 per violation as of 2026. Each prohibited transaction counts as a separate violation, so a single wire payment routed through multiple correspondent banks could trigger penalties for each leg of the transaction. Criminal penalties for willful violations reach $1,000,000 per violation and imprisonment up to 20 years under IEEPA § 206(b). Actual settlement amounts vary dramatically. Non-egregious violations with voluntary disclosure and strong compliance programs may settle for $50,000–$500,000 total. Egregious cases with systemic failures and delayed cooperation have resulted in settlements exceeding $100 million. OFAC applies mitigating factors including voluntary self-disclosure (40–50% reduction), compliance program quality, remedial measures, and cooperation.
What services are subject to OFAC regulations?
All services provided by U.S. financial institutions are subject to OFAC regulations when they involve sanctioned parties, blocked jurisdictions, or prohibited transactions. Wire transfers, ACH payments, deposit accounts, loans, trade finance, investment advisory, custody services, correspondent banking, payment processing, and digital asset transactions all fall within scope. OFAC regulations apply extraterritorially to foreign branches of U.S. banks and to transactions that touch the U.S. financial system regardless of where the parties are located. Employee training, transaction monitoring, customer due diligence, and record retention are mandatory compliance activities. Regulators expect these controls built into your compliance program during examinations.


