NACHA OFAC Compliance: Requirements & Best Practices

Introduction

The ACH Network processed 35.2 billion payments worth $93 trillion in 2025, handling approximately 141 million transactions daily. Every participant in this massive ecosystem — from FinTechs and banks to corporate originators — carries a legal obligation not to facilitate payments that violate U.S. sanctions law administered by the Office of Foreign Assets Control (OFAC).

Many assume OFAC compliance is primarily a wire transfer concern. That assumption creates significant legal exposure. NACHA rules explicitly extend OFAC obligations to ACH transactions, and the regulatory framework was specifically amended at OFAC's request to make sanctions enforcement easier across the entire ACH network.

This guide covers the regulatory relationship between NACHA ACH rules and OFAC sanctions requirements, who bears screening responsibilities, and what a sound compliance program looks like in practice.

TLDR:

  • OFAC sanctions apply to all ACH transactions, domestic and international
  • The 2009 IAT rule merged NACHA and OFAC obligations, requiring enhanced party data for cross-border payments
  • ODFIs, RDFIs, and Originators each carry distinct OFAC screening duties
  • Civil penalties reach $377,700 per transaction; recordkeeping requirements now extend to 10 years
  • Audit-ready programs require automated screening, a designated compliance officer, and regular independent audits

What Is NACHA OFAC Compliance?

NACHA (the National Automated Clearing House Association) administers the ACH Network through the NACHA Operating Rules. All participating banks and their customers are contractually bound by these rules.

OFAC (Office of Foreign Assets Control) is a U.S. Treasury agency that administers and enforces economic and trade sanctions against targeted foreign countries, regimes, terrorist organizations, narcotics traffickers, and other national security threats. The centerpiece of OFAC enforcement is the Specially Designated Nationals (SDN) list — a continuously updated roster of individuals, groups, and entities whose assets are blocked and with whom U.S. persons are generally prohibited from transacting.

"NACHA OFAC compliance" refers to the obligation of all ACH network participants to ensure that no ACH entry — whether domestic or international — violates OFAC sanctions. NACHA rules were specifically amended at OFAC's request to make this obligation easier to enforce and monitor.

How OFAC Obligations Entered the ACH Framework

The regulatory foundation for ACH OFAC compliance was established in a March 20, 1997 letter from OFAC to NACHA. This letter established clear compliance expectations for domestic ACH:

  • ODFIs (Originating Depository Financial Institutions) must verify that Originators are not blocked parties and make good faith efforts to ensure blocked funds are not transmitted
  • RDFIs (Receiving Depository Financial Institutions) must verify that Receivers are not blocked parties and block accounts/transactions on their books
  • Originators must contractually acknowledge that ACH cannot be used in violation of U.S. law

That framework expanded in 2009. Effective September 18, 2009, NACHA amended its Operating Rules to create the International ACH Transaction (IAT) standard at OFAC's request — aligning NACHA rules with OFAC's need for enhanced cross-border payment data and implementing compliance with FATF Special Recommendation VII.

Domestic ACH vs. International ACH: Different but Both OFAC-Obligated

The Federal Reserve explicitly confirms that "OFAC rules apply to all payments, both domestic and international." However, the screening model differs based on transaction type.

Domestic ACH relies primarily on RDFIs to block or reject sanctioned accounts and transactions. That said, all parties (ODFIs, RDFIs, and Originators) still carry independent OFAC obligations and cannot initiate or process payments to blocked accounts or sanctioned parties.

International ACH carries heightened OFAC risk due to the involvement of non-U.S. financial institutions. This is why IAT rules require more detailed party information: to enable effective OFAC screening at every point in the payment chain, including participants outside U.S. regulatory jurisdiction.

The IAT Rule: Where NACHA and OFAC Requirements Converge

The IAT rule is where NACHA's operating requirements and OFAC's sanctions obligations directly intersect — and where many institutions underestimate their exposure.

An International ACH Transaction (IAT) is any ACH entry that is part of a payment involving a financial agency's office outside U.S. territorial jurisdiction: whether that agency holds a credited or debited account, receives or disburses funds directly, or acts as an intermediary in settlement.

Identifying IAT Transactions: Not Just About Geography

A common compliance mistake is assuming that only payments to foreign recipients qualify as IATs. The triggering criterion is whether funds will ultimately be forwarded to a non-U.S. financial institution.

Example: A U.S. employee receives their paycheck via direct deposit to their U.S. bank account but has set up an automatic forward to their family's bank account in Mexico. The original domestic ACH becomes an IAT because funds will ultimately reach a financial agency outside U.S. territorial jurisdiction.

The 7 Mandatory IAT Addenda Records

Every IAT entry must include seven mandatory addenda records (710–716) containing Travel Rule-equivalent information:

| Addenda | Required Information | Purpose |
|---|---|---|
| 710 | Receiver's name, foreign payment amount, transaction type code | Identifies the Receiver and payment reason (for example, SALA for salary) |
| 711 | Originator's name and street address | Provides Originator identification |
| 712 | Originator's city, state/province, country, postal code | Completes Originator location data |
| 713 | Originating DFI name, ID, and branch country code | Identifies the originating financial institution |
| 714 | Receiving DFI name, ID, and branch country code | Identifies the receiving financial institution |
| 715 | Receiver's identification number and street address | Provides Receiver account/ID and address |
| 716 | Receiver's city, state/province, country, postal code | Completes Receiver location data |

These fields exist to enable OFAC screening at each point in the payment chain. Missing or malformed data will result in ACH Operator rejection.
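
A pre-submission check for the seven mandatory addenda, as an added example that is not code from NACHA or from this guide's author. It assumes fixed-width records where the first character is the record type ("6" entry detail, "7" addenda) and the next two characters of an addenda record are its type code, giving the 710–716 prefixes in the table; the ascending-order check is also an assumption, and the sample records are constructed placeholders rather than real field layouts. The check never reads the amount, matching the rule that every IAT entry needs this data regardless of dollar value.

```python
# Added example: verify each IAT entry carries addenda 710-716 before the file
# is sent. Only the 3-character record prefix is inspected (assumed layout).

MANDATORY = ["710", "711", "712", "713", "714", "715", "716"]


def check_iat_addenda(lines):
    """Return one finding dict per entry detail ("6") record."""
    findings = []
    current = None
    for lineno, raw in enumerate(lines, start=1):
        rec = raw.rstrip("\r\n")
        if rec.startswith("6"):
            # A new entry detail record opens a new group of addenda.
            current = {"entry_line": lineno, "seen": []}
            findings.append(current)
        elif rec.startswith("7") and current is not None:
            current["seen"].append(rec[:3])
        elif rec[:1] in ("1", "5", "8", "9"):
            # File/batch header or control record closes the open entry.
            current = None

    for f in findings:
        seen = f.pop("seen")
        mandatory_seen = [p for p in seen if p in MANDATORY]
        f["missing"] = [p for p in MANDATORY if p not in seen]
        f["duplicated"] = sorted(
            {p for p in mandatory_seen if mandatory_seen.count(p) > 1}
        )
        # Assumption: mandatory addenda are expected in ascending order.
        f["in_order"] = mandatory_seen == sorted(mandatory_seen)
        f["ok"] = not f["missing"] and not f["duplicated"] and f["in_order"]
    return findings


def _rec(prefix, note="CONSTRUCTED SAMPLE"):
    """Build a constructed 94-character placeholder record."""
    return (prefix + " " + note).ljust(94)[:94]


# Constructed sample: entry 1 is complete; entry 2 lacks 712 and has
# 715/716 swapped.
SAMPLE = (
    [_rec("1"), _rec("5"), _rec("6", "ENTRY ONE")]
    + [_rec(p) for p in MANDATORY]
    + [_rec("6", "ENTRY TWO")]
    + [_rec(p) for p in ["710", "711", "713", "714", "716", "715"]]
    + [_rec("8"), _rec("9")]
)

if __name__ == "__main__":
    for finding in check_iat_addenda(SAMPLE):
        print(finding)
```
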

Critical Compliance Nuance: IAT Rules Are Stricter Than BSA

The BSA Travel Rule requires party information only for funds transfers exceeding $3,000. However, NACHA Operating Rules require Travel Rule-equivalent information for ALL IAT entries regardless of dollar amount.

NACHA's standard is significantly stricter than the BSA baseline. Institutions that apply the $3,000 threshold to IAT entries are out of compliance — a gap that examiners actively look for.

Inbound vs. Outbound IATs

OFAC screening obligations apply in both directions:

  • Inbound IATs (originating outside the U.S. and entering the ACH Network) require screening by all receiving institutions
  • Outbound IATs (originating in the U.S. and transmitted abroad) require screening by originators and ODFIs before transmission

The Federal Reserve, acting as Gateway Operator for international ACH, screens IAT entries and populates an OFAC Screening Indicator. RDFIs cannot rely on that indicator alone — independent due diligence is required.

Who Bears OFAC Compliance Responsibilities in the ACH Network?

OFAC compliance in the ACH Network is a shared responsibility, but liability cannot be contracted away.

Originating Companies (Corporate Customers)

Corporate originators are subject to U.S. law, including OFAC sanctions. Their ACH origination agreements obligate them to acknowledge that ACH may not be used for transactions violating U.S. law.

Originator obligations:

  • Screen transactions before submission to the ODFI
  • Identify which payments should be formatted as IATs
  • Maintain internal OFAC compliance procedures for payroll, vendor payments, and customer transactions

Originating Depository Financial Institutions (ODFIs)

ODFIs are the first institutional checkpoint in the ACH payment chain.

ODFI responsibilities:

  • Educate Originators on IAT requirements and OFAC obligations
  • Review customer files for foreign address indicators that may trigger IAT classification
  • Ensure origination agreements contain explicit OFAC acknowledgment clauses
  • Verify that the Originator is not a blocked party

The "Unbatching" Rule: If an ODFI unbatches a file received from an Originator to strip out on-us transactions (where the ODFI also serves as RDFI), it assumes full OFAC screening responsibility for those on-us transactions as though it had done the initial batching.

Receiving Depository Financial Institutions (RDFIs)

RDFIs are the primary compliance backstop in domestic ACH.

RDFI responsibilities:

  • Block accounts and transactions on their books
  • Prohibit posting of credits or debits to sanctioned accounts
  • Flag suspect incoming entries, including IATs screened at settlement
  • Verify that the Receiver is not a blocked party
  • Conduct independent screening even when Gateway Operators provide screening indicators

Gateway Operators and the Federal Reserve

When the Federal Reserve acts as a Gateway Operator for international ACH through FedGlobal services, it screens IAT entries for OFAC compliance and populates the OFAC Screening Indicator (Field 10) with a "1" (suspect) or "0" (clean).

The Fed's role is limited to screening and flagging — it will not block transactions or freeze funds. That means:

  • A "0" (clean) indicator from the Fed does not release the RDFI from its own screening obligation
  • A "1" (suspect) indicator requires the RDFI to independently investigate and act
  • Enforcement liability stays with the financial institution, not the Gateway Operator

Key OFAC Compliance Requirements for ACH Participants

All ACH participants must maintain SDN list screening processes — either automated interdiction software or documented manual procedures. These must compare transaction party names against the OFAC SDN list, blocked countries list, and any applicable sanctions programs before processing entries.

Blocking vs. Rejecting

When a sanctions match is identified, institutions must determine the appropriate action:

| Action | When It Applies | Required Response |
|---|---|---|
| Blocking | Payment involves a blockable property interest of a sanctioned target (for example, a payment destined for a blocked Iranian financial institution) | Hold funds in an interest-bearing account |
| Rejecting | Transaction is prohibited by sanctions but no blockable interest exists (for example, an unblocked entity attempting to export a service to Iran) | Stop the transaction and return it to the originator |

Reporting Requirements

Two reporting obligations apply once action is taken on a sanctioned transaction:

  • 10-day reports: Blocked and rejected transactions must be reported to OFAC within 10 business days of the action (31 C.F.R. § 501.603)
  • Annual reports: Institutions must file a report of all blocked property held as of June 30 by September 30 each year (31 C.F.R. § 501.604)

Note that IAT transactions do not need to be reported to NACHA — these obligations run directly to OFAC.

Recordkeeping Obligations: Now Extended to 10 Years

Effective March 2025, OFAC extended its recordkeeping requirement from five to 10 years (31 CFR 501.601). Institutions must maintain an audit trail of:

  • All blocked funds and their disposition
  • Documentation of ownership and beneficial interest
  • Interest accrued on blocked accounts
  • Licenses obtained for specific transactions
  • Resolution of flagged transactions
  • Internal screening records and decision documentation

These records must be available on request by OFAC or banking regulators.

Best Practices for Building a NACHA OFAC Compliance Program

Conduct a Risk-Based OFAC Assessment

The foundation of any effective compliance program is understanding your specific risk profile. Map your product lines against OFAC risk factors:

Product line mapping:

  • Domestic ACH volume and transaction types
  • IAT volume and destination countries
  • Cross-border clients and correspondent banking relationships
  • Customer segments (B2B, consumer, international)

Risk factors to evaluate:

  • Customer base exposure to high-risk jurisdictions
  • International transaction volume and velocity
  • History of OFAC actions or near-misses
  • Complexity of payment flows (direct vs. multi-party)

Calibrate your compliance program using a low/moderate/high risk matrix. Higher-risk profiles require more robust controls, more frequent auditing, and greater resource allocation.

Deploy Automated Interdiction Software

For high-volume or high-risk environments, automated interdiction software is essential. Manual screening cannot keep pace with the ACH Network's velocity — Same Day ACH alone reached 1.4 billion payments ($3.9 trillion) in 2025, averaging 5.8 million payments daily.

Automated screening should:

  • Flag close name derivations and fuzzy matches, not just exact hits
  • Cover new accounts before any transactions are posted
  • Run against OFAC updates on an ongoing basis, not just at onboarding
  • Integrate directly with OFAC's Sanctions List Service to ingest daily updates

Designate a Qualified OFAC Compliance Officer

Appoint a designated OFAC compliance officer with clear authority and accountability. This individual should have:

  • Technical expertise in sanctions regulations and payment systems
  • Authority to halt transactions and escalate issues
  • Direct reporting line to senior management or the board
  • Resources to maintain and improve the compliance program

Support the compliance officer with regular staff training tailored to each employee's role — and refresh that training whenever OFAC issues new guidance or adds sanctions programs.

Conduct Periodic Independent Audits

Schedule independent audits of your OFAC compliance program, at minimum annually for higher-risk institutions. Audits can be conducted by internal audit, outside consultants, or qualified third parties.

Audit scope should include:

  • Effectiveness of screening technology and processes
  • Accuracy of IAT classification procedures
  • Timeliness and completeness of OFAC reporting
  • Adequacy of recordkeeping and documentation
  • Staff training completion and competency
  • Quality of escalation and resolution procedures

Promptly report discovered violations to both OFAC and your banking regulator.

Consider Fractional Compliance Leadership

Many FinTechs, money transmitters, and embedded finance companies at the seed through Series B stage face a common challenge: they need deep OFAC expertise but lack the budget or transaction volume to justify a full-time compliance executive.

Fractional compliance services address this gap directly. Firms like Fraxtional provide fractional BSA Officer and Chief Compliance Officer services — delivering director-level expertise with flexible engagement structures. Fractional officers can serve as the designated compliance officer of record, maintain regulatory relationships, and respond to examiner inquiries while working directly with full-time teams.

Penalties for NACHA OFAC Non-Compliance

Civil and Criminal Penalties

OFAC treats sanctions violations as strict liability offenses — institutions can be penalized even without knowledge or intent. Maximum civil monetary penalties under IEEPA increased to $377,700 per violation in 2025, with figures adjusted annually for inflation. OFAC assesses penalties per violation, so a systemic failure in an ACH batch file containing thousands of transactions can quickly result in enterprise-threatening fines.

| Penalty Type | Maximum Amount | Authority |
|---|---|---|
| IEEPA Civil Penalty | $377,700 per violation (or twice transaction value) | International Emergency Economic Powers Act |
| TWEA Civil Penalty | $111,308 per violation | Trading With the Enemy Act |
| Recordkeeping Failure | $73,011 per violation | 31 CFR 501.601 |

Criminal penalties vary by sanctions program and can include imprisonment ranging from 10 to 30 years depending on the program, plus forfeiture of property involved in the violation.

Collateral Consequences

Beyond direct regulatory penalties, institutions face:

  • Reputational damage that erodes customer acquisition and retention
  • Severed banking relationships, including correspondent banking access
  • Heightened regulatory scrutiny and more frequent examinations
  • Revoked or suspended ACH origination privileges
  • Board-level fallout and increased investor due diligence pressure

When penalties compound across thousands of ACH transactions in a single batch, even a single screening gap can trigger costs that dwarf the entire annual compliance budget.

Frequently Asked Questions

Is OFAC addressed in the ACH rules?

OFAC is directly addressed in NACHA rules. NACHA created the IAT rule at OFAC's explicit request in 2009 to align ACH operating rules with sanctions obligations, and NACHA origination agreements require acknowledgment that ACH cannot be used for OFAC-prohibited transactions.

Does OFAC apply to all financial institutions?

OFAC sanctions apply to all U.S. persons and entities, including all depository financial institutions, FinTechs, money transmitters, and corporate originators participating in the ACH network — not just banks.

What is the difference between IAT and ACH?

ACH is the broader domestic electronic payments network governed by NACHA. IAT (International ACH Transaction) is a specific transaction type and SEC code within ACH used when a payment involves a bank or financial institution outside U.S. territorial jurisdiction, with additional data fields required to enable OFAC screening.

What types of financial transactions are subject to OFAC sanctions?

OFAC sanctions reach a broad range of commercial and financial transactions involving sanctioned parties or countries, including ACH transfers, wire transfers, trade finance, correspondent banking, loans, and merchant payment processing.

Who regulates the ACH Network?

NACHA administers the ACH Network through its Operating Rules, while federal regulators including the Federal Reserve, OCC, FDIC, and CFPB oversee ACH participants' compliance with applicable laws including OFAC sanctions.

What is the $3,000 rule in banking?

The $3,000 rule refers to the BSA Travel Rule, which requires financial institutions to pass along identifying information on funds transfers of $3,000 or more. However, for IAT entries under NACHA rules, Travel Rule-equivalent information is required for all transactions regardless of amount, making the NACHA standard stricter than the BSA baseline.