
Introduction
A single transaction with a sanctioned entity — even an accidental one — can result in frozen assets, multimillion-dollar penalties, and a regulatory investigation that derails your business. OFAC doesn't require intent to impose civil liability. OFAC FAQ 65 confirms that penalties can apply even when a business had no knowledge of the violation, if adequate screening controls were absent.
For fintechs, crypto firms, BaaS banks, and cross-border payment companies, this isn't a theoretical risk. Binance settled for $968 million with OFAC in 2023. Bittrex paid $24.3 million. BitPay was fined for 2,102 apparent violations — many involving transactions as small as a few hundred dollars.
That exposure starts with understanding how screening actually works. This guide covers what OFAC screening is, which sanctions lists matter across the US, UK, EU, and Canada, how a compliant process is built — and where most programs break down.
TL;DR
- OFAC enforces US sanctions by maintaining lists of blocked individuals, entities, and countries that no US person or company may transact with.
- Sanctions screening means checking customers, counterparties, and transactions against OFAC and other relevant lists — both at onboarding and on an ongoing basis.
- Civil penalties reach the greater of $377,700 per violation or twice the transaction value, and willful violations carry criminal liability.
- Businesses operating across the US, UK, EU, and Canada must monitor multiple sanctions regimes simultaneously.
- Effective compliance requires defined scope, quality data, continuous monitoring, and documented decision-making at every stage.
What Is OFAC Screening — and Why Does It Matter?
The Office of Foreign Assets Control (OFAC) is a division of the US Treasury Department that administers and enforces economic and trade sanctions based on US foreign policy and national security objectives. Its jurisdiction is broad: it covers all US persons and entities, US-incorporated companies and their foreign branches, and any non-US entity that causes a US person to violate sanctions.
OFAC screening is the practice of comparing customer names, entity identifiers, and transaction details against OFAC's published sanctions lists before and during a business relationship. This is a recurring compliance obligation, not a box checked once at onboarding.
The SDN List and the 50% Rule
OFAC's primary tool is the Specially Designated Nationals (SDN) List — a registry of individuals, entities, and organizations whose assets are blocked and with whom US persons are entirely prohibited from transacting. OFAC also maintains a Consolidated Sanctions List covering non-SDN programs such as sectoral sanctions.
One of the most misunderstood aspects of OFAC compliance is the 50% Rule. Per OFAC FAQ 401, an entity is treated as blocked if one or more SDNs own 50% or more of it — directly or indirectly, in aggregate. Two points catch compliance teams off guard:
- The entity doesn't need to appear on any published list to be blocked
- Screening only direct entity names leaves the indirect ownership exposure completely unaddressed
The Legal Stakes
That gap in coverage translates directly into enforcement risk. The settlement figures below show what OFAC penalties look like in practice:
| Company | Year | OFAC Settlement | Key Facts |
|---|---|---|---|
| BNP Paribas | 2014 | $963M (OFAC) / $8.9B total | Processed $8.8B+ through US financial system for sanctioned countries |
| Binance | 2023 | $968.6M | 1,667,153 apparent violations; required independent compliance monitor |
| Bittrex | 2022 | $24.3M | Violations across Cuba, Iran, Sudan, Syria, and Ukraine sanctions programs |
| BitPay | 2021 | $507,375 | 2,102 apparent violations involving persons in sanctioned jurisdictions |
Current IEEPA civil penalties are set at the greater of $377,700 per violation or twice the transaction value. At scale, the math gets painful fast.
Critically, OFAC operates on strict liability — meaning a business can be penalized even without knowing a violation occurred. Running no screening program at all doesn't reduce liability — OFAC treats it as an aggravating factor that increases penalty severity.

Key Sanctions Lists Every Fintech and Financial Business Needs to Monitor
OFAC is not the only sanctions regime that matters. A fintech processing cross-border payments or serving UK and EU customers faces compounded obligations across multiple jurisdictions.
The Core Lists
| Jurisdiction | List | Administering Body |
|---|---|---|
| United States | SDN List + Consolidated Sanctions List | OFAC, US Treasury |
| United Kingdom | The UK Sanctions List | FCDO / OFSI (HM Treasury) |
| European Union | Consolidated Financial Sanctions List | European Commission / EEAS |
| Canada | Consolidated Canadian Autonomous Sanctions List | Global Affairs Canada |
| United Nations | UN Security Council Consolidated List | UN Security Council |
A company can be fully compliant with OFAC and still violate UK or EU sanctions by failing to screen against those regimes. Jurisdictional scope differs in ways that matter:
- UK: Financial sanctions apply to UK persons wherever located and to anyone operating within the UK
- EU: Obligations bind EU nationals, persons located in the EU, and businesses transacting there
The Implicit Sanctions Problem
Not every sanctioned party appears on a list by name. Under OFAC's 50% Rule, entities can be blocked through indirect ownership chains without ever being explicitly listed. The same ownership-and-control principles apply under UK, EU, and Canadian sanctions frameworks.
Automated name-matching alone is insufficient. Businesses must apply judgment and enhanced due diligence when screening complex corporate structures, not treat a database query as a complete compliance step.
The Speed Problem
When geopolitical events accelerate sanctions activity, lists change faster than manual processes can track. In the first year after Russia's February 2022 invasion of Ukraine, OFAC added over 2,500 Russia-related targets to the SDN List — approximately 2,400 individuals and entities, 115 vessels, and 19 aircraft. Manual monitoring of that volume is not viable.

How OFAC Screening Works — A Step-by-Step Breakdown
Sanctions screening is a structured, recurring process, not a one-time checkbox at onboarding. OFAC's 2019 Framework for Compliance Commitments identifies five components of a risk-based sanctions program: management commitment, risk assessment, internal controls, testing and auditing, and training.
Here's what that looks like operationally:
Step 1: Define Your Screening Scope
Identify everything that must be screened:
- Individual customers and business entities
- Beneficial owners and ultimate beneficial owners (UBOs)
- Counterparties, vendors, and correspondent banks
- Transaction parties (sender and receiver)
- Geographic destinations where sanctions programs restrict activity
Scope that's too narrow is a common compliance failure. B2B fintechs and embedded finance companies also need to consider whether their clients' underlying end users fall within scope.
Step 2: Collect and Normalize Entity Data
Screening quality is only as good as the input data. Poor or incomplete KYC data leads to missed matches. Before running any screen, data should be standardized:
- Full legal names and all known aliases
- Dates of birth and nationalities (for individuals)
- Company registration numbers and jurisdictions (for entities)
- Addresses and government-issued identifiers
Normalization reduces both false negatives and false positives — cleaner input data means fewer missed matches and fewer erroneous flags.
Step 3: Run the Screen Against Applicable Lists
Screening software compares entity data against applicable sanctions lists using fuzzy matching algorithms that account for name variations, transliterations, and aliases. OFAC's own Sanctions List Search tool uses fuzzy logic.
Two configuration risks to manage:
- Thresholds set too strict — genuine matches get missed
- Thresholds set too loose — excessive false positives overwhelm compliance teams
Manual screening is impractical at any meaningful transaction volume. Automated tools handle the scale — but they require proper configuration and ongoing calibration to stay accurate.
Step 4: Review, Investigate, and Adjudicate Matches
When a potential match (a "hit") is returned, a compliance analyst must determine whether it's a true match or a false positive. Factors considered include:
- Name similarity score and variant analysis
- Date of birth and nationality alignment
- Context of the business relationship
- Whether the 50% Rule applies to any associated entities
A true match requires immediate action: block the transaction, freeze associated assets, and potentially file a report with OFAC.
Document every step. Regulators expect a clear, defensible audit trail.
Step 5: Conduct Ongoing Monitoring and Document Everything
Sanctions lists are updated with no predetermined timetable. Per OFAC FAQ 20, names are added or removed as necessary and appropriate. A customer who was clean at onboarding may be designated six months later.
Ongoing obligations include:
- Periodic rescreening of the entire customer base
- Real-time or near-real-time monitoring for list changes
- Documented screening decisions, escalations, and exceptions
- Evidence of testing and auditing to demonstrate due diligence
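As an added illustration of Steps 2 to 4 (not code from this guide or from any screening vendor), the Python sketch below normalizes names, scores them against list entries and their aliases with the standard library's `difflib`, and shows how the threshold setting changes which customers are alerted. All names, dates of birth, identifiers, and threshold values are constructed for the example.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed list entries (not real designations): uid, primary name plus aliases, DOB.
SANCTIONS = [
    {"uid": "X-001", "names": ["VOSTRIKOV, Alexander", "Sasha Vostrikov"], "dob": "1971-03-02"},
    {"uid": "X-002", "names": ["GARCIA, Jose Nunez"], "dob": "1965-11-20"},
]
# Constructed customer records.
CUSTOMERS = [
    {"id": "C1", "name": "Aleksandr Vostrikov", "dob": "1971-03-02"},  # transliteration variant
    {"id": "C2", "name": "Alexandra Vostrova", "dob": "1994-07-15"},   # similar name, other person
    {"id": "C3", "name": "José  Núñez-García", "dob": "1965-11-20"},   # diacritics, word order
]

def normalize(name):
    """Step 2: strip diacritics and punctuation, casefold, sort the tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return " ".join(sorted(cleaned.split()))

def score(customer_name, entry):
    """Step 3: best similarity across the entry's primary name and aliases."""
    target = normalize(customer_name)
    return max(SequenceMatcher(None, target, normalize(n)).ratio() for n in entry["names"])

def screen(customers, threshold):
    """Step 4 input: alerts for analyst review. DOB agreement is recorded, not auto-decided."""
    alerts = []
    for cust in customers:
        for entry in SANCTIONS:
            s = score(cust["name"], entry)
            if s >= threshold:
                alerts.append({"customer": cust["id"], "uid": entry["uid"],
                               "score": round(s, 3),
                               "dob_match": cust["dob"] == entry["dob"]})
    return alerts

def alerted_ids(threshold):
    """Customer ids alerted at a given threshold, for comparing settings."""
    return sorted(a["customer"] for a in screen(CUSTOMERS, threshold))

if __name__ == "__main__":
    for t in (0.95, 0.88, 0.80):  # too strict, calibrated for this data, too loose
        print(t, alerted_ids(t))
```

At 0.95 the transliterated true match (C1) is missed, at 0.88 it is caught, and at 0.80 the unrelated customer C2 is also alerted, which is where the recorded date-of-birth mismatch helps the analyst clear it.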

Common OFAC Screening Challenges and How to Address Them
False Positives and Alert Fatigue
Poorly configured screening tools generate excessive false-positive alerts, typically triggered by common names, variant spellings, and transliterations of foreign names. Compliance teams drown in noise, which increases the risk of missing a real hit buried in the queue.
The solution isn't more manual review capacity. It's risk-based threshold configuration, smart deduplication, and a tiered review process that routes low-risk alerts differently from high-risk ones.
List Proliferation and Update Frequency
No compliance team can sustain manual list management across five or more sanctions regimes — each updated independently, sometimes within hours of a geopolitical event. The Russia/Ukraine sanctions response made this clear: programs relying on manual list updates couldn't keep pace.
Automated list ingestion from a consolidated data provider isn't optional at that volume. It's the only way to stay current.
Incomplete Beneficial Ownership Data
Weak KYB (Know Your Business) processes create a major gap in many screening programs. If you can't see through a corporate structure to the ultimate beneficial owner (UBO), the 50% Rule is functionally unenforceable.
Sponsor banks and regulators now expect UBO-level screening for business accounts — not just the registered entity name. That requires:
- Collecting and verifying beneficial ownership documentation at onboarding
- Mapping corporate structures beyond the first layer of ownership
- Re-screening UBOs when ownership changes or sanctions lists update
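The 50% Rule described earlier, and the need to map structures beyond the first ownership layer, can be checked mechanically once ownership data exists. The Python sketch below is an added example, not code from this guide: it aggregates the stakes held by blocked owners and repeats until no further entity crosses 50%. It assumes the reading that an entity blocked through ownership counts as a blocked owner of whatever it holds, at its full stake; every entity name and percentage is hypothetical.

```python
from collections import defaultdict

# Constructed ownership edges: (owner, owned entity, percent held). All names hypothetical.
OWNERSHIP = [
    ("SDN_A", "HoldCo", 30.0),
    ("SDN_B", "HoldCo", 25.0),       # 55% in aggregate: HoldCo is blocked
    ("HoldCo", "OpCo", 50.0),        # blocked HoldCo holds 50%: OpCo is blocked
    ("SDN_A", "TradeCo", 40.0),
    ("CleanFund", "TradeCo", 60.0),  # only 40% from blocked owners: not blocked
    ("OpCo", "PayCo", 20.0),
    ("SDN_B", "PayCo", 30.0),        # 20% via OpCo + 30% direct = 50%: blocked
    ("TradeCo", "ShipCo", 100.0),    # sole owner is not blocked: not blocked
]
LISTED = {"SDN_A", "SDN_B"}          # parties that appear on the list by name

def blocked_by_ownership(edges, listed, threshold=50.0):
    """Return {entity: {blocked owner: percent}} for entities blocked only via ownership."""
    stakes = defaultdict(dict)
    for owner, entity, pct in edges:
        stakes[entity][owner] = stakes[entity].get(owner, 0.0) + pct

    blocked = set(listed)
    reasons = {}
    changed = True
    while changed:                   # repeat until a full pass adds nothing new
        changed = False
        for entity, owners in stakes.items():
            if entity in blocked:
                continue
            held = {o: p for o, p in owners.items() if o in blocked}
            if sum(held.values()) >= threshold:
                blocked.add(entity)
                reasons[entity] = held   # keep the evidence for the audit trail
                changed = True
    return reasons

if __name__ == "__main__":
    for entity, held in blocked_by_ownership(OWNERSHIP, LISTED).items():
        print(entity, held)
```

None of HoldCo, OpCo, or PayCo would be found by name screening alone, and PayCo is only caught when the direct and indirect stakes are added together.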
How Fraxtional Helps You Build a Robust OFAC Compliance Program
An OFAC screening program is only as strong as the compliance leadership behind it. Deploying a tool is the easy part — knowing how regulators evaluate it, what your sponsor bank expects, and how it fits within overlapping jurisdictional obligations is where most fintechs fall short.
Fraxtional provides fractional compliance leadership to fintechs, crypto firms, BaaS banks, and embedded finance businesses, giving companies access to director-level BSA Officer, CCO, and MLRO expertise without the cost or commitment of a full-time hire.
What Fraxtional Delivers for Sanctions Compliance
- Designs risk-based OFAC screening programs aligned with FFIEC, FinCEN, and FATF expectations
- Selects and validates screening vendors matched to your product type and transaction volume
- Develops written screening policies, escalation procedures, and documentation frameworks for regulators, sponsor banks, and auditors
- Provides named BSA Officers and CCOs who own sanctions screening decisions, regulatory correspondence, and audit-trail documentation
- Benchmarks existing controls against regulatory standards and delivers prioritized remediation findings for fintechs with tools already in place

That cross-functional scope is backed by a global team. Fraxtional's directors span the US, UK, EU, and Canada, hold ACAMS credentials, and carry hands-on experience across OFAC, OFSI, EU, and FINTRAC frameworks. For UK and EU clients, named MLRO services include direct regulatory liaison with the FCA and other relevant authorities.
Ryan Cimo, Fraxtional's founder, was named a Top 100 Leader in Finance for 2024 — and the firm has served 50+ fintech and crypto clients including BayFirst, Trans Pecos Bank, Artoh, Winden, and TradeAlgo.
If you're building an OFAC screening program from scratch or stress-testing one already in place, a compliance review with Fraxtional costs a fraction of what a single sanctions violation would. Contact Fraxtional to get started.
Frequently Asked Questions
What is sanctions list screening?
Sanctions list screening is the process of checking individuals, entities, and transactions against published sanctions lists to ensure no business is conducted with prohibited parties. It's a legal requirement for financial institutions and a core risk management requirement for any business touching the US financial system.
What is screened against a sanctions list?
Screening covers a broad range of parties and data points, including:
- Customer names (individuals and legal entities)
- Beneficial owners and controlling parties
- Counterparties and transaction parties (sender and receiver)
- Correspondent banks
- Products or geographic destinations, depending on the sanctions program
What does it mean to be listed on a sanctions list?
Being listed means a regulatory authority has designated that individual, entity, or country as subject to economic or legal restrictions: asset freezes, transaction prohibitions, and restrictions on receiving goods, services, or financing from parties within that jurisdiction.
What is the OFAC SDN List?
The Specially Designated Nationals (SDN) List is OFAC's primary sanctions list. It contains individuals, entities, and organizations whose assets are blocked and with whom US persons are entirely prohibited from transacting. It's updated frequently with no predetermined schedule.
What are the penalties for OFAC violations?
Current IEEPA civil penalties are the greater of $377,700 per violation or twice the transaction value. Willful violations can carry criminal penalties including imprisonment. Penalties apply even for unknowing violations if a business lacked adequate screening controls — OFAC operates on strict liability.
How often should OFAC screening be conducted?
Screening should occur at customer onboarding and on a continuous basis thereafter, since sanctions lists update without notice. Businesses must also rescreen existing customers when material changes occur or when a new sanctions program is introduced that's relevant to their customer base.


