A Framework for Sanctions Compliance Programs

Sanctions enforcement is not a theoretical risk. In 2023, OFAC settled with Binance Holdings for nearly $969 million across 1.6 million apparent violations — the largest crypto-related sanctions settlement on record. That same year, OFSI issued a public disclosure against Wise Payments Limited after the UK fintech permitted a GBP 250 cash withdrawal by a designated person under Russia sanctions. The dollar amount was trivial. The reputational and regulatory signal was not.

These cases span different continents, different regulators, and wildly different transaction sizes — but they share a common thread: inadequate program controls.

This post is written for any organization subject to U.S. jurisdiction, for UK and EU operators, and for foreign entities that process USD payments or use U.S. financial infrastructure. That includes fintechs, crypto firms, and money transmitters at every stage of growth. We'll cover the five core components of a sanctions compliance program (SCP) as defined by OFAC's framework, common failure patterns, multi-jurisdictional obligations, record-keeping requirements, and how resource-constrained organizations can build a credible program without a full-time compliance executive.


TL;DR

  • A formal SCP is not legally required by OFAC — but its absence is treated as an aggravating factor in enforcement actions
  • OFAC's framework defines five essential SCP components: management commitment, risk assessment, internal controls, testing and auditing, and training
  • Common violations trace back to predictable gaps: outdated screening tools, poor due diligence, and misreading which regulations apply
  • Multi-jurisdictional operators must navigate OFAC, OFSI, EU, and FINTRAC obligations in parallel — similar in structure, but not interchangeable
  • Seed-stage and Series A firms can build credible programs by right-sizing each component and engaging fractional compliance leadership

The 5 Essential Components of a Sanctions Compliance Program

OFAC's Framework for Compliance Commitments, published in May 2019, remains the authoritative reference point for SCP design. It applies to all U.S. persons and entities, as well as foreign entities conducting business in or through the United States. UK (OFSI) and EU guidance follows parallel logic, requiring sufficient measures and controls to meet financial sanctions obligations — including screening, due diligence, and asset-freeze compliance.

While no regulator formally mandates a written SCP, the absence of one has been cited repeatedly as an aggravating factor when calculating civil monetary penalties. Having a documented, functioning program creates the mitigation argument. Not having one removes it.

Each of the five components below maps directly to OFAC's framework — and to the enforcement record of firms that got one wrong.

[Figure: overview of the five essential OFAC sanctions compliance program components]

Management Commitment

Senior management — executives and the board — must formally approve the SCP, allocate adequate resources, and establish direct reporting lines between compliance and leadership. OFAC specifically cites the appointment of a dedicated sanctions compliance officer as an indicator of organizational commitment.

For early-stage fintechs and crypto firms, the cost of a full-time executive with this profile is often prohibitive. A fractional compliance leader — serving as named CCO, BSA Officer, MLRO, or CAMLO — meets this benchmark without the overhead of a permanent hire. Fraxtional's fractional leaders, for example, are named on regulatory filings, report directly to the board or CEO, and carry full accountability for the compliance function.

Senior leadership must do more than sign a policy. Staff need a clear path to escalate concerns without fear of reprisal, and leadership must visibly reinforce that prohibited activity won't be tolerated.

Risk Assessment

A risk assessment is a structured, top-to-bottom review of where sanctions exposure exists across the organization. OFAC's framework specifies that it should cover:

  • Customers and counterparties
  • Products and services
  • Geographic footprints
  • Supply chain and intermediaries
  • Transaction types and payment flows

The assessment shouldn't be a one-time exercise. Update it routinely — and trigger a fresh review after apparent violations, M&A activity, new market entry, or significant product changes.

Risk ratings inform the depth of due diligence at each touchpoint: onboarding, transaction monitoring, and periodic relationship reviews. Bittrex's 2022 OFAC settlement ($24.3 million) illustrates the cost of gaps here — the exchange failed to screen customer IP addresses and physical locations for sanctioned-jurisdiction indicators despite having reason to know users were in restricted regions.

Internal Controls

Effective internal controls include written policies and procedures, clear escalation chains, and sanctions screening tools calibrated to the organization's actual risk profile. Controls must also extend to third parties performing compliance functions on the organization's behalf.

Two critical attributes:

  • SDN List currency — Controls must absorb SDN List updates, new executive orders, and amended sanctions programs quickly. OFAC publishes updates on no fixed timetable.
  • Immediate gap response — When weaknesses surface, implement compensating controls first. Root cause investigation follows; it does not precede the fix.

Payoneer's 2021 OFAC settlement ($1.39 million for 2,220 apparent violations) illustrates what misconfigured controls look like in practice: weak screening algorithms that missed close SDN matches, failure to screen Business Identifier Codes, and automatic payment release during alert backlog periods.

Testing and Auditing

Testing and auditing functions must be independent of the activities being reviewed, adequately resourced, and accountable to senior management. There are two distinct activities:

  • Ongoing testing: Verifies that controls operate as designed on a continuous basis
  • Periodic audits: Comprehensive program-level assessments, typically annual

Both can be conducted internally or with external support. Interactive Brokers' 2025 OFAC settlement ($11.8 million) cited failure to adequately audit or test IP geo-blocking systems and delays in alert review due to resource constraints.

Any negative finding from testing or audit must trigger documented, immediate remediation — not a remediation roadmap that gets filed and forgotten. Audit results should feed directly back into the risk assessment cycle.

Training

OFAC sets a clear floor: all relevant employees trained at minimum annually, with content tailored to their role and risk exposure. Payments staff, onboarding teams, and sales personnel in high-risk markets need more targeted training than general employees who have limited sanctions-relevant touchpoints.

Training content must be updated when the sanctions environment changes, when audit findings surface gaps, or when apparent violations occur. Materials should remain accessible between formal training cycles — not locked in an annual compliance deck that nobody can find after January.


Common Root Causes of Sanctions Compliance Program Failures

OFAC's 2019 Framework documents recurring root causes from enforcement actions. These are patterns — not isolated incidents — and reviewing them as a checklist against your own program is one of the most direct self-assessments a compliance function can run.

Structural and Programmatic Failures

  • No formal SCP — The absence of any documented program removes the primary mitigating argument in enforcement proceedings
  • Misreading jurisdictional scope — U.S.-owned foreign subsidiaries, cross-border USD payments, and foreign entities using U.S. correspondent banks all trigger OFAC jurisdiction regardless of where the organization is incorporated
  • Screening tool failures — Outdated software that doesn't account for SDN list updates, alternative name spellings, or SWIFT identifiers for sanctioned institutions

The Swedbank Latvia case (2023, $3.43 million settlement) shows exactly how this plays out: a customer used the bank's e-banking platform from Crimea to send USD payments through U.S. correspondent banks. The Latvia-based entity faced OFAC enforcement because those payments touched the U.S. financial system.
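The screening failure modes listed above and under Internal Controls (stale list data, alternative name spellings, unscreened BICs, and payments auto-released during an alert backlog) can be expressed as concrete, testable checks. The following is an added Python example, not code from the post or from Fraxtional; the list entries, BICs, staleness window and backlog limit are constructed placeholders, and the token-overlap score is one simple matching method used to illustrate the point, not a recommended production algorithm.

```python
"""Illustrative screening check (added example). Names and BICs below are
constructed placeholders, not real designations."""
from dataclasses import dataclass
from datetime import date
import re
import unicodedata

# Constructed sample list: hypothetical names and a hypothetical BIC.
SAMPLE_LIST = {
    "names": ["Ivan Petrov Ivanov", "Aurora Trading FZE"],
    "bics": ["HYPOBANKXXX"],
}
LIST_PUBLISHED = date(2025, 3, 1)   # assumed date the local list copy was refreshed
MAX_LIST_AGE_DAYS = 2               # assumed policy threshold for list staleness


def normalize(name: str) -> list:
    """Strip accents, case and punctuation; return sorted tokens so word order
    and 'SURNAME, Given' formatting do not defeat the match."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return sorted(re.findall(r"[a-z0-9]+", ascii_name.lower()))


def similarity(a: str, b: str) -> float:
    """Token-overlap score (Jaccard): 1.0 identical token sets, 0.0 no overlap."""
    ta, tb = set(normalize(a)), set(normalize(b))
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


@dataclass
class Decision:
    action: str   # "release" or "hold"
    reason: str


def screen_payment(counterparty: str, bic: str, today: str,
                   alert_backlog: int, backlog_limit: int = 100,
                   threshold: float = 0.6) -> Decision:
    """Fail closed: a stale list or an overflowing alert queue holds the payment
    instead of releasing it by default. `today` is an ISO date string."""
    if (date.fromisoformat(today) - LIST_PUBLISHED).days > MAX_LIST_AGE_DAYS:
        return Decision("hold", "screening list older than policy allows")
    if alert_backlog > backlog_limit:
        return Decision("hold", "alert backlog exceeds limit; manual review required")
    # Screen the institution identifier, not only the counterparty name.
    if bic.upper() in SAMPLE_LIST["bics"]:
        return Decision("hold", f"BIC {bic.upper()} matches a listed institution")
    best = max(SAMPLE_LIST["names"], key=lambda n: similarity(counterparty, n))
    score = similarity(counterparty, best)
    if score >= threshold:
        return Decision("hold", f"name resembles listed party '{best}' (score {score:.2f})")
    return Decision("release", "no match above threshold")
```

Every hold carries a written reason so the disposition record exists at decision time rather than being reconstructed later.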

[Figure: comparison of the three categories of sanctions compliance program failure root causes]

Organizational and Process Failures

  • Decentralized compliance functions — When sanctions responsibility is fragmented across business units, escalation paths break down and oversight gaps emerge
  • Inadequate due diligence — Particularly around beneficial ownership, geographic exposure, and transaction context at onboarding and ongoing review
  • No documented escalation or disposition records — When reviewers clear or escalate potential matches without written rationale, there is no audit trail to demonstrate a good-faith compliance decision in an enforcement proceeding

Individual Liability

OFAC pursues action against individuals — not just organizations — in cases involving willful conduct, concealment, or supervisory failure. A 2026 OFAC settlement saw an individual pay $3.78 million for apparent Syrian Sanctions Regulations violations. For compliance leaders and senior management at fintechs and crypto firms, that figure is the clearest argument for documented oversight, written sign-offs, and defined accountability at every level of the program.


Multi-Jurisdictional Sanctions Obligations

Organizations operating across the US, UK, EU, and Canada face parallel but distinct sanctions regimes:

Regime                   | Authority                                   | Key Mechanism
-------------------------|---------------------------------------------|----------------------------------------------------------------
OFAC                     | U.S. Treasury                               | SDN List, sectoral programs, general licenses
OFSI                     | UK HM Treasury                              | UK Sanctions List, asset-freeze obligations
EU Restrictive Measures  | EU Council, administered nationally         | Consolidated EU list, regulation-specific rules
Canada                   | Global Affairs Canada / OSFI / FINTRAC      | Canadian Autonomous Sanctions List, suspicious transaction reporting


These regimes share common logic: designations, asset freezes, and prohibitions on dealings. The divergence lies in their lists, licensing mechanisms, and enforcement postures. A single transaction can trigger obligations under multiple regimes at once.

The practical implication: your SCP framework must map each business activity and jurisdiction to the applicable sanctions authority. In practice, that means:

  • Tracking list updates across every relevant regime on an ongoing basis
  • Building escalation paths that specify which regulator holds jurisdiction over which activity
  • Ensuring your screening tools apply the right lists to the right transaction types

For fintechs and crypto firms with cross-border payment flows or customers in multiple jurisdictions, this is routine operational pressure — not a one-time setup task.

Binance's 2023 OFAC settlement — $968.6 million across multiple sanctions programs — involved apparent violations spanning Iran, Syria, Cuba, North Korea, and other programs simultaneously, reflecting the compounding complexity of multi-program exposure.

That kind of multi-program exposure is exactly what a siloed, jurisdiction-by-jurisdiction approach fails to catch. Fraxtional's compliance professionals cover U.S., Canadian, UK, and EU regulatory frameworks. For clients with cross-border payment flows, engagements address OFAC, OFSI, FINTRAC, and EU obligations within a single program structure — keeping all jurisdictions in view at the same time.


Record-Keeping: The Often-Overlooked Pillar

When a regulator or enforcement action arrives, documented evidence of what actually happened on a specific transaction matters more than what your written program claims to do. Record-keeping is both a legal obligation and your most concrete line of defense.

Key standards:

  • OFAC: A 2025 final rule extended recordkeeping requirements under 31 CFR 501.601 from 5 years to 10 years, effective March 21, 2025
  • EU: Certain regime-specific regulations (such as DPRK restrictive measures) require credit and financial institutions to maintain transaction records for 5 years, available to national authorities on request
  • OFSI/UK: General licence conditions may include specific record-keeping and reporting obligations; compliance with those conditions is mandatory

Record-keeping gaps are cited in enforcement proceedings not as minor administrative failures but as evidence of inadequate program design. If you can't reconstruct the due diligence trail on a flagged transaction, you can't demonstrate the right steps were taken — and regulators will draw their own conclusions.

Recordkeeping policies should be integrated with internal controls and tested as part of the audit cycle. Treat retention schedules, access controls, and retrieval procedures as auditable components — not administrative housekeeping.


Building a Sanctions Compliance Program When Resources Are Constrained

The compliance obligations facing a seed-stage fintech are materially the same as those facing a large bank. The budget, headcount, and infrastructure are not. OFAC's framework explicitly accommodates a risk-based, right-sized approach — the program should reflect the organization's actual risk profile.

A Practical Sequencing Approach

  1. Start with a documented risk assessment — Establish your baseline before building anything else. Understand where your actual exposure sits: which customers, geographies, products, and payment flows carry elevated risk.
  2. Prioritize internal controls in the highest-risk areas first — Don't try to build a comprehensive program simultaneously. Address the highest-consequence gaps first, then expand.
  3. Build training around those controls — Train the people who touch the highest-risk touchpoints first. Payments, onboarding, and customer-facing teams before everyone else.
  4. Establish a lightweight testing cadence — Even a simple quarterly review of whether screening tools are functioning and list updates are being applied is better than no testing at all.

[Figure: four-step sanctions compliance program sequencing approach for resource-constrained fintechs]

Avoid the common mistake of producing policy documentation without operational controls to back it up. A well-written policy manual that describes processes your organization doesn't actually follow is not a program — it's a liability.

The Leadership Constraint

The most common bottleneck isn't budget for technology. It's compliance leadership capacity. Fintechs and crypto firms frequently lack in-house expertise to own sanctions compliance at a director level — and that gap shows during sponsor bank due diligence, investor reviews, and regulatory examinations.

Engaging a fractional compliance leader — a fractional CCO, MLRO, BSA Officer, or CAMLO through a firm like Fraxtional — addresses this directly. The engagement provides director-level expertise and named executive accountability, with the leader:

  • Appearing on regulatory filings and named in official submissions
  • Reporting to the board and owning sanctions compliance at an executive level
  • Representing the organization directly to sponsor banks and regulators

One client noted that after Fraxtional revamped their policies, their sponsor bank approved them without a single revision.


Frequently Asked Questions

What is sanctions compliance?

Sanctions compliance refers to an organization's adherence to laws and regulations issued by authorities such as OFAC, OFSI, and the EU to prevent dealings with designated individuals, entities, or countries. In practice, it covers screening, customer due diligence, transaction monitoring, and ongoing risk management.

What are the main types of sanctions?

The four primary categories are diplomatic, trade, financial, and military sanctions. Sectoral sanctions targeting specific industries and UN-mandated international sanctions also apply frequently. Multiple sanction types are frequently applied to the same target simultaneously.

What does a sanctions compliance officer do?

A sanctions compliance officer (titled CCO, MLRO, BSA Officer, or CAMLO depending on jurisdiction) owns the SCP end to end. Core responsibilities include developing policies, overseeing risk assessments, managing screening programs, and delivering training. They also serve as the primary point of contact for regulators and auditors.

What are the consequences of failing to comply with sanctions?

Violations can result in significant civil monetary penalties, criminal liability for individuals, loss of banking relationships, and reputational damage. In severe cases involving willful conduct, criminal prosecution is possible. The presence or absence of a formal SCP directly affects how regulators calculate penalty severity.

Do startups and small fintechs need a formal sanctions compliance program?

OFAC does not mandate a formal SCP by regulation, but its absence is explicitly treated as an aggravating factor in enforcement actions. Any organization subject to U.S. jurisdiction, processing USD payments, or serving customers in sanctioned-risk geographies has a practical obligation to maintain a documented, risk-based program regardless of size.

How often should a sanctions compliance program be reviewed?

At minimum annually — but also in response to material changes: new sanctions designations, market expansion, M&A activity, audit findings, or apparent violations. The sanctions landscape changes frequently, and an outdated program carries many of the same enforcement risks as no program at all.