Introduction
A fintech startup processes a routine payment. The recipient, unknown to the compliance team, appears on OFAC's Specially Designated Nationals (SDN) list. Days later, a federal notice arrives. Intent doesn't factor into OFAC's enforcement calculus. Civil penalties apply whether a violation was deliberate or accidental.
This scenario plays out more often than most founders and compliance officers expect. The consequences — frozen assets, federal scrutiny, severed banking relationships — have ended companies that were otherwise well-run.
This guide covers what OFAC is, who must comply, what a defensible Sanctions Compliance Program (SCP) looks like, and the pitfalls most commonly facing fintechs, crypto firms, and startups operating across borders.
TL;DR
- OFAC is the U.S. Treasury agency that administers economic and trade sanctions against foreign countries, individuals, and entities
- All U.S. persons and businesses — plus foreign entities transacting in USD or dealing with U.S. parties — must comply
- A compliant SCP covers five elements: management commitment, risk assessment, internal controls, testing/auditing, and training
- Civil penalties can reach $377,700 or twice the transaction value per violation under IEEPA
- Willful violations carry criminal penalties up to $1,000,000 and 20 years imprisonment
- Fintechs and crypto firms face elevated OFAC risk due to cross-border payment volumes and pseudonymous transactions
What Is OFAC and Who Must Comply?
OFAC — the Office of Foreign Assets Control — is a division of the U.S. Department of the Treasury that administers and enforces U.S. economic sanctions programs against foreign countries, terrorists, narcotics traffickers, and other designated actors. Its authority derives from two key statutes: the Trading with the Enemy Act (TWEA) and the International Emergency Economic Powers Act (IEEPA).
Who Is Covered
The obligation to comply is broader than most companies realize:
- U.S. persons — citizens, permanent residents, and U.S.-organized entities, wherever located
- U.S. banks and their foreign branches — subject to OFAC requirements on all transactions
- Non-U.S. entities — if they transact in U.S. dollars, use U.S.-origin goods or services, or deal with U.S. persons
That third category has real teeth. Swedbank Latvia settled with OFAC for $3,430,900 covering 386 apparent Crimea sanctions violations — because the underlying payments were processed through U.S. correspondent banks. The institution was Latvia-headquartered, Swedish-owned, and still fully within OFAC's reach.
The U.S. Nexus Concept
The Swedbank case illustrates the core principle: any U.S. touchpoint in a transaction chain can establish OFAC jurisdiction. Routing through a U.S. correspondent bank is the most common trigger, but using a U.S.-based platform or service creates the same exposure. If a U.S. touchpoint exists anywhere in the chain, OFAC's reach extends to all parties involved.
Reporting and Recordkeeping Requirements
OFAC's reporting obligations under 31 C.F.R. Part 501 are strict:
- Blocked property must be reported within 10 business days of blocking
- Rejected transactions must also be reported within 10 business days
- Annual blocked property reports are due by September 30 each year
- Records of transactions, including rejected transactions, must be retained for 10 years
Types of OFAC Sanctions and Key Watchlists
OFAC administers sanctions programs that are either comprehensive or selective in scope. For practical compliance purposes, they fall into four categories:
| Type | Description | Examples |
|---|---|---|
| Comprehensive | Broad prohibitions on entire countries | Iran, North Korea, Cuba, Syria |
| Selective/List-Based | Targeting specific individuals or entities | SDN List designations |
| Sectoral | Restricting specific economic sectors | Russian energy, finance sectors |
| Secondary | Applied to non-U.S. parties in prohibited dealings | Non-U.S. banks transacting with Iran |

The SDN List
The Specially Designated Nationals list is OFAC's primary enforcement tool. It includes terrorists, narcotics traffickers, sanctions evaders, and proliferators of weapons of mass destruction — along with companies they own or control.
SDN entries frequently include aliases, variant spellings, and incomplete identifiers — which makes manual searches unreliable. Automated screening is the only dependable way to catch entries where "Habana" appears instead of "Havana," or where a sanctioned entity operates under a slightly different name across jurisdictions.
Blocked vs. Rejected Transactions
These two outcomes are often confused but require different actions:
- Blocked transaction: A sanctioned party has an interest in the funds. Assets must be frozen in a separate, interest-bearing blocked account and reported to OFAC within 10 business days.
- Rejected transaction: The transaction is prohibited but no blockable interest exists. The payment is simply declined and returned to the originator — not frozen, but still a reportable event.
To illustrate: a payment routed through your platform to a Cuban state-owned entity gets blocked. A payment attempt from an SDN-listed individual with no underlying asset claim gets rejected.
The 5 Essential Components of an OFAC Compliance Program
OFAC's Framework for OFAC Compliance Commitments, published May 2, 2019, identifies five essential components of a Sanctions Compliance Program. OFAC does not legally mandate an SCP — but the absence of one is regularly cited as an aggravating factor in enforcement actions. The strength of an SCP and the adequacy of remedial response are also factors OFAC considers when determining penalty amounts under General Factors E and F.
Management Commitment
Senior leadership — the board, C-suite, and a designated OFAC Compliance Officer — must formally approve and resource the SCP. OFAC looks for genuine commitment: dedicated reporting lines, adequate budget, and a culture where employees can raise sanctions concerns without risk.
At smaller firms, the OFAC compliance officer role can overlap with the BSA Officer. The key requirement is that responsibility is formally assigned to a named, qualified individual.
Risk Assessment
A risk assessment must evaluate exposure across:
- Customers and counterparties
- Products, services, and delivery channels
- Geographic footprint
- Supply chains and intermediaries
Assessments must be updated regularly — after new sanctions programs, business expansion, or M&A activity. Acquisitions involving non-U.S. customer portfolios have triggered multiple OFAC enforcement actions against acquiring companies that skipped pre-close due diligence.
Internal Controls
Written controls must cover:
- Customer onboarding screening against SDN and other OFAC lists
- Ongoing transaction monitoring
- Payment escalation workflows for flagged transactions
- Sanctions clauses in vendor contracts
- Documented procedures for blocked and rejected transaction handling
New designations and executive orders can arrive with little notice — systems that take weeks to update create real exposure windows. Controls must be structured to absorb list changes within hours, not weeks.
Testing and Auditing
Testing verifies that the SCP works as designed. At minimum, this means confirming:
- Screening tools are properly calibrated and returning accurate match results
- Escalation procedures are followed when transactions are flagged
- Staff are adhering to documented policies in practice, not just on paper
Findings must be reported to senior management with a remediation plan that specifies owners, deadlines, and retesting timelines. Independent third-party audits carry more weight with regulators and sponsor banks than self-assessments alone.
Training
Training must be role-specific. A customer onboarding specialist needs different training than a procurement officer or payment operations analyst. Effective programs include:
- Annual training cycles with role-tailored content
- Scenario-based exercises tied to real sanctions typologies
- Remedial sessions triggered when audits or testing reveal gaps
Common OFAC Violations and Root Causes
OFAC's Framework identifies several recurring root causes across enforcement actions:
- No formal SCP — cited as both a root cause and an aggravating factor in penalty calculations
- Misunderstanding jurisdictional reach — particularly among non-U.S. companies that assume OFAC doesn't apply to them
- Inadequate customer due diligence — failure to verify ownership structures, geographic location, or counterparty identity during onboarding
- Screening software failures — using tools that aren't updated with new SDN designations, or that miss alternate spellings and SWIFT BICs for sanctioned institutions
- Decentralized compliance — inconsistent policy application across subsidiaries or business units
Each of these gaps carries direct financial consequences. Current OFAC civil and criminal penalty guidelines set the exposure as follows.
Penalty Exposure
- IEEPA civil maximum: $377,700 or twice the transaction value, per violation
- TWEA civil maximum: $111,308 per violation
- IEEPA criminal penalties (willful violations): up to $1,000,000 fine and 20 years imprisonment
These figures apply per violation, not per enforcement action. An organization processing hundreds of transactions involving a sanctioned party faces multiplied exposure. The Swedbank Latvia case (386 violations, $3.43 million settlement) shows how quickly transaction-level penalties accumulate.

Individual liability extends beyond the corporation. Supervisory and executive employees who facilitate violations can face personal enforcement action, separate from any corporate penalty.
OFAC Compliance for FinTechs, Crypto Firms, and Startups
Fintechs, embedded finance companies, money transmitters, and crypto firms face elevated OFAC risk for specific structural reasons: high transaction volumes, cross-border payments, pseudonymous transaction architectures, and rapid customer growth that can outpace compliance infrastructure.
OFAC has been explicit on this point. Its Sanctions Compliance Guidance for the Virtual Currency Industry (October 2021) states that sanctions obligations apply to virtual currency transactions the same way they apply to traditional financial transactions. Recent enforcement confirms the stakes: OFAC reached a $968,618,825 settlement with Binance in November 2023 and a $1,207,830 settlement with CoinList Markets in December 2023.
No Startup Exemption
OFAC's Framework applies to all organizations subject to U.S. jurisdiction and foreign entities doing business with U.S. persons or using U.S.-origin goods or services. Company size and funding stage are not mitigating factors. OFAC treats an underfunded compliance program as a failure of management commitment, not a concession to early-stage constraints.
Sponsor Bank Requirements
Sponsor banks conduct their own OFAC due diligence on fintech partners before and during the relationship. A weak or absent SCP is a common reason fintechs fail bank reviews. Banks look specifically for:
- Documented risk assessments
- Screening procedures with evidence of testing
- A named compliance officer with verifiable credentials
- Training records demonstrating employee awareness
For companies that can't justify a full-time CCO or BSA Officer, a fractional compliance leadership model fills this gap without a permanent executive hire. Fraxtional provides Directors who serve in named CCO, BSA Officer, and CAMLO roles, recognized by sponsor banks, audit firms, and regulators in that capacity.
Fraxtional's sponsor bank work includes reviewing and remediating compliance stacks before the review, with fractional officers available to serve as named BSA Officer or CCO during onboarding. A Crypto Lending Platform's Head of Compliance noted: "Fraxtional came in, cleaned up our AML framework, and helped us pass review faster than we expected."
OFAC Compliance Checklist for Fintechs and Startups
- Screen all customers and transactions against the SDN list and applicable OFAC lists at onboarding and on an ongoing basis
- Designate a qualified OFAC compliance officer who is named, accountable, and formally assigned
- Document a written risk assessment and update it at least annually
- Implement and test transaction screening software to verify it catches alias variations and updates promptly with new designations
- Train all relevant employees at hire and annually, with role-specific content
- Establish a reporting workflow for blocked and rejected transactions, including the 10-business-day filing requirement
- Conduct periodic independent audits of the full SCP, not just internal self-assessments
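The alias and variant-spelling problem described under "The SDN List" and the checklist item on testing screening software can both be exercised with a small name-screening routine. The example below is added here and is not code from the original page or from any screening vendor; the watchlist entries, the 0.85 threshold, and the stopword list are constructed assumptions for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, illustrative watchlist (not real SDN data). Each entry carries a
# primary name plus the aliases and variant spellings list entries often include.
WATCHLIST = [
    {"id": "X-001", "name": "Habana Trading Company",
     "aliases": ["Havana Trading Co", "HTC Havana"]},
    {"id": "X-002", "name": "Ivan Petrovich Sokolov",
     "aliases": ["Sokolov, Ivan", "I. P. Sokolov"]},
]

# Corporate suffixes that add noise without identifying the party (assumed list).
STOPWORDS = {"co", "company", "corp", "corporation", "ltd", "llc", "inc", "the"}


def normalize(name: str) -> str:
    """Fold accents and case, strip punctuation and corporate suffixes, and sort
    the remaining tokens so 'Sokolov, Ivan' and 'Ivan Sokolov' compare equal."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9 ]+", " ", s.lower())
    tokens = [t for t in s.split() if t not in STOPWORDS]
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Character-level similarity (0..1) of two normalized names; tolerates
    single-letter variants such as Habana/Havana."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(subject: str, watchlist=WATCHLIST, threshold: float = 0.85):
    """Compare a customer or counterparty name against every primary name and
    alias. Returns (score, entry_id, matched_name) for the best hit at or above
    the threshold, or None when nothing scores high enough. The threshold is an
    assumed tuning value; calibrate it with known alias variations during testing."""
    best = None
    for entry in watchlist:
        for candidate in [entry["name"], *entry["aliases"]]:
            score = similarity(subject, candidate)
            if score >= threshold and (best is None or score > best[0]):
                best = (round(score, 3), entry["id"], candidate)
    return best
```

A screening test suite for a real deployment would feed known alias variations (transliterations, reordered surnames, stripped suffixes) through `screen` and fail the build if any drop below the threshold.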

Frequently Asked Questions
What are the most common OFAC violations?
The most frequent violations involve lack of a formal SCP, processing payments involving sanctioned parties through U.S. financial institutions, inadequate customer due diligence at onboarding, outdated or misconfigured screening software, and misunderstanding OFAC's jurisdictional reach to non-U.S. entities transacting in USD.
Does OFAC compliance apply to non-U.S. companies?
Yes. Non-U.S. entities can be subject to OFAC regulations if they transact in U.S. dollars, use U.S.-origin goods or services, deal with U.S. persons, or route transactions through U.S. correspondent banks, regardless of where the underlying transaction occurs.
What is the difference between a blocked transaction and a rejected transaction?
A blocked transaction involves a sanctioned party with an interest in the funds. Assets must be frozen in a blocked account and reported to OFAC within 10 business days. A rejected transaction is prohibited but has no blockable interest — the payment is declined and returned to the originator without being frozen.
How often should an OFAC risk assessment be updated?
At minimum, risk assessments should be updated annually. Beyond that, updates are warranted after significant business changes, new sanctions designations, M&A activity, or when internal testing reveals a compliance gap.
What happens if a company unknowingly violates OFAC sanctions?
OFAC can impose civil penalties for unknowing violations; intent is not required for civil liability. A documented SCP and voluntary self-disclosure both weigh in your favor when OFAC determines the final penalty.
Do crypto and fintech companies need OFAC compliance programs?
Yes. OFAC applies the same sanctions compliance obligations to crypto and fintech companies as to traditional financial institutions — including transaction screening, customer due diligence, and a documented SCP. Company size and stage are not exempting factors.