OFAC Compliance Guide [2026]: Regulations, Requirements & Penalties

OFAC compliance refers to an organization’s adherence to U.S. Treasury sanctions regulations administered by the Office of Foreign Assets Control. Every U.S. person and many non-U.S. entities must comply. Penalties for violations reach $1.3 million per transaction. A robust OFAC compliance program built on five core pillars is the most effective protection against enforcement action.

OFAC compliance is not optional — it is a legal obligation backed by some of the most severe financial penalties in U.S. regulatory law. This guide covers who must comply, what compliance programs must include, how penalties are calculated, recent enforcement trends, and how to respond when violations are discovered. For tailored compliance advice, consult our OFAC compliance lawyers.

What Are OFAC Regulations?

OFAC regulations are a body of U.S. federal rules prohibiting or restricting economic and financial transactions with specific countries, entities, and individuals. They are codified in Title 31 of the Code of Federal Regulations (C.F.R.), with separate parts for each sanctions program (e.g., Part 560 for Iran, Part 515 for Cuba, Part 589 for Russia). These regulations implement executive orders and statutory authorities including the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA).

OFAC administers more than 30 active sanctions programs targeting comprehensively sanctioned countries (Iran, Cuba, North Korea, Syria) and dozens of targeted programs for Russia, Venezuela, Belarus, Myanmar, and others. For a full breakdown of which countries are sanctioned and how, see our OFAC sanctioned countries list.

Who Must Comply with OFAC?

OFAC compliance obligations apply to a broader population than most businesses realize. The following parties are all subject to OFAC requirements:

  • U.S. citizens and permanent residents — wherever located in the world. A U.S. citizen working in London is still subject to OFAC.
  • U.S.-incorporated companies — including their foreign branches. Most also extend to controlled foreign subsidiaries under specific program rules.
  • Any person physically present in the United States — regardless of nationality.
  • Non-U.S. entities processing U.S. dollar payments — virtually all international USD transactions clear through U.S. correspondent banks, bringing non-U.S. parties within OFAC jurisdiction for those transactions.
  • Non-U.S. entities using U.S.-origin goods or technology — OFAC jurisdiction attaches to transactions involving U.S.-origin items.
  • Secondary sanctions targets — Non-U.S. parties that engage in significant transactions with sanctioned countries (primarily Iran, Russia, North Korea) risk being designated or losing access to the U.S. financial system.

If you are uncertain about your organization’s OFAC compliance obligations, a consultation with our sanctions lawyer team is the fastest way to assess your exposure and compliance gaps.

OFAC’s Five-Pillar Compliance Framework

In May 2019, OFAC published its Framework for Compliance Commitments — the most authoritative guidance on what a robust OFAC compliance program should include. This framework identifies five essential components, each of which is evaluated in enforcement actions when OFAC determines penalty amounts.

Pillar | Core Requirements | Enforcement Relevance
1. Management Commitment | Senior leadership support; dedicated compliance officer; adequate resources | Absence cited as aggravating factor in penalties
2. Risk Assessment | Identify sanctions exposure by customer type, geography, products, services | Risk-based approach required; generic programs penalized
3. Internal Controls | SDN screening, transaction approval workflows, blocking procedures, recordkeeping | Control failures = higher penalty multipliers
4. Testing and Auditing | Periodic effectiveness testing; third-party audits; corrective action processes | Evidence of testing = mitigating factor in enforcement
5. Training | Annual training for all relevant staff; role-specific training for front-line personnel | Untrained employees = increased organizational liability

Pillar 1: Management Commitment

OFAC’s framework places management commitment first for a reason: compliance programs without senior leadership buy-in consistently fail. Effective management commitment means: a board-level or C-suite officer is responsible for sanctions compliance; compliance receives adequate staffing and budget; a Chief Compliance Officer or equivalent role exists with direct access to senior management; and the organization treats sanctions compliance as a legal and reputational imperative, not a box-checking exercise.

In enforcement actions, OFAC expressly considers whether senior management was aware of and approved of compliance failures, or whether violations reflected systemic management indifference to sanctions obligations.

Pillar 2: Risk Assessment

A risk-based approach means tailoring compliance controls to your organization’s actual sanctions exposure. OFAC does not expect a domestic retailer to maintain the same compliance infrastructure as a global financial institution. Risk assessment should map: customer base (geography, nationalities, beneficial ownership), products and services offered, transaction channels (correspondent banking, trade finance, digital payments), and counterparty due diligence gaps.

The risk assessment drives resource allocation — higher-risk business lines require more intensive controls, screening, and monitoring. Organizations that maintain generic, one-size-fits-all compliance programs without documented risk assessments are viewed unfavorably in enforcement proceedings. Our OFAC compliance program development service includes comprehensive risk assessment methodology tailored to your industry and business model.

Pillar 3: Internal Controls

Internal controls are the operational heart of OFAC compliance. They include:

  • SDN screening: All customers, counterparties, beneficial owners, and third parties must be screened against the SDN list and other OFAC lists before onboarding and on an ongoing basis. Screening systems must use fuzzy matching for name variations and aliases. Our OFAC screening review service audits existing screening implementations.
  • Transaction monitoring: Payment systems must flag transactions involving sanctioned jurisdictions or SDN-listed parties for review before processing.
  • Blocking and rejecting procedures: Transactions with SDN-listed parties must be blocked (frozen) and reported to OFAC. Transactions that don’t meet blocking criteria but are otherwise impermissible should be rejected. Both must be documented.
  • Recordkeeping: OFAC requires 5-year retention of all records related to sanctioned transactions, including blocked asset reports, license applications, and correspondence with OFAC.
  • Escalation protocols: Clear procedures for escalating potential violations to compliance management and legal counsel.

For financial institutions, the bank account compliance review is a critical component of internal controls. Banks must screen account holders, transaction counterparties, and payment messages including correspondent banking intermediaries.

Pillar 4: Testing and Auditing

Regular testing ensures that compliance controls actually work as designed. Testing activities include: periodic back-testing of screening systems against known SDN aliases; annual independent compliance audits; review of blocked and rejected transaction logs; testing of escalation procedures; and evaluation of training effectiveness. Third-party compliance audits conducted by qualified external counsel are particularly valuable because they reflect the perspective OFAC would apply in an examination.

Organizations that can demonstrate proactive testing and continuous improvement of their compliance programs receive significantly better treatment in enforcement proceedings. OFAC’s penalty guidelines specifically list “a demonstrated, effective compliance program at the time of the apparent violation” as a mitigating factor. Use our OFAC compliance checklist to conduct systematic self-assessments between formal audits.

Pillar 5: Training

OFAC compliance training must be role-specific and regularly updated. Front-line compliance staff, customer-facing personnel, trade finance teams, and senior management all require different training content. Key requirements: annual training for all personnel with sanctions compliance responsibilities; specialized training for high-risk business units; training documentation demonstrating completion and content coverage; and update training when significant program changes occur (new executive orders, new designations, updated general licenses).

OFAC Penalties: How They’re Calculated

OFAC’s civil penalty authority is formidable. Under IEEPA, the maximum civil penalty is the greater of $368,136 per violation (adjusted annually for inflation — currently approximately $1,330,783) or twice the value of the underlying transaction. For a single large wire transfer, the penalty could far exceed the transaction value.

OFAC calculates civil penalties using its Economic Sanctions Enforcement Guidelines (31 C.F.R. Part 501, Appendix A). The process involves:

  • Base penalty determination: Each violation is assessed a base penalty, starting from the transaction value and the statutory maximum.
  • Egregiousness assessment: OFAC classifies violations as egregious or non-egregious. Egregious violations (willful conduct, harm to sanctions objectives, significant management awareness) attract the highest penalty multipliers — up to the statutory maximum. Non-egregious violations attract base penalties of 10-50% of the transaction value.
  • Aggravating factors: Willful or reckless conduct, management involvement, harm to sanctions objectives, pattern of misconduct, concealment, and prior OFAC violations all increase penalty levels.
  • Mitigating factors: Voluntary self-disclosure, existence of an effective compliance program, cooperation with OFAC, remediation, and no prior violations all reduce penalties.

Use our OFAC penalties calculator tool to estimate potential penalty exposure for your specific situation. For enforcement defense, our OFAC enforcement defense lawyers negotiate directly with OFAC’s Compliance and Enforcement Division to achieve the most favorable settlement outcome.

Recent OFAC Enforcement Trends: 2024-2026

OFAC enforcement in 2024-2025 reflected several notable trends that compliance professionals must understand:

  • Maximum penalties for non-disclosers: The GVA Capital case in 2025 resulted in OFAC imposing the statutory maximum penalty of approximately $215.99 million, explicitly because the company made no voluntary self-disclosure and the conduct was deemed egregious. This case sends a clear signal: the cost of not disclosing a known violation can be catastrophic.
  • Cryptocurrency enforcement expansion: OFAC designated crypto mixers (Tornado Cash, Sinbad) and pursued enforcement against exchanges processing transactions for SDN-listed parties. The agency has made clear that digital assets offer no “sanctions-free zone.”
  • Russia sanctions evasion focus: Enforcement targeted “gatekeepers” facilitating oligarch sanctions evasion through real estate, shell companies, and luxury assets. Lawyers, accountants, art dealers, and real estate brokers have all been subjects of OFAC action.
  • Syria continued enforcement: A February 2026 OFAC settlement for $3.777 million related to Syrian sanctions violations — even as the new administration reviewed Syria policy — demonstrated that past violations remain subject to enforcement.
  • Virtual currency address designations: OFAC increasingly designates specific blockchain wallet addresses, requiring crypto businesses to screen wallets in real time.

These trends underscore the critical importance of maintaining robust compliance programs and engaging sanctions lawyers proactively — not reactively. The cost of prevention is a fraction of the cost of enforcement.

Voluntary Self-Disclosure: How to Reduce OFAC Penalties

If your organization discovers a potential OFAC violation — whether through an internal audit, a bank notification, or a compliance review — voluntary self-disclosure (VSD) to OFAC is almost always in your interest. Key VSD benefits and considerations:

  • 50% penalty reduction: OFAC’s guidelines provide that VSD is a significant mitigating factor that can reduce base penalties by up to 50%. Combined with other mitigating factors (compliance program, cooperation, remediation), total penalty reductions can be substantial.
  • Avoidance of egregious classification: A properly filed VSD can prevent OFAC from classifying the violation as egregious — which would otherwise trigger maximum penalty calculations.
  • Timing is critical: VSD must be filed before OFAC initiates its own investigation. Once OFAC has opened an investigation, the VSD “window” is closed for penalty reduction purposes.
  • Preliminary notification: Organizations that discover violations but need time to scope the full extent can file a preliminary VSD notification, preserving the penalty reduction while completing the internal investigation.
  • Comprehensive disclosure: A VSD must cover all violations discovered — a partial disclosure that later proves incomplete can result in OFAC treating the entire matter as a non-disclosure.

Our lawyers manage the complete voluntary self-disclosure process: internal investigation scoping, remediation implementation, VSD drafting, and OFAC negotiation. We also advise on whether a situation warrants VSD or whether alternative approaches (such as a compliance commitment without VSD) better serve the client’s interests.

Recordkeeping Requirements

OFAC regulations require retention of records related to blocked transactions and other OFAC-related activities for five years from the date of the transaction. Specifically:

  • All blocked property and accounts must be reported to OFAC within 10 business days of blocking
  • Annual reports on blocked property must be filed with OFAC by September 30 each year
  • Records of rejected (rather than blocked) transactions must also be maintained
  • Specific license applications and supporting documents must be retained for the license period plus five years
  • Documentation of general license compliance (transaction purpose, counterparty information) must be retained for five years

Failure to maintain adequate records is itself an OFAC violation and can dramatically increase penalty assessments. PEP screening and World-Check screening records should be preserved as evidence of ongoing due diligence, particularly for financial institutions and compliance-intensive businesses.

Frequently Asked Questions: OFAC Compliance

Does our company need a formal OFAC compliance program?

OFAC does not legally require every organization to have a written compliance program. However, the absence of a compliance program is treated as an aggravating factor in enforcement proceedings, while the existence of an effective program is a significant mitigating factor. In practical terms, any business with international operations, U.S. dollar transactions, or exposure to sanctioned jurisdictions should maintain a formal, documented OFAC compliance program.

How does OFAC find out about violations?

OFAC learns about violations through multiple channels: voluntary self-disclosures from the violating party; reports from financial institutions (banks are required to report blocked transactions within 10 business days); tips from other parties; referrals from DOJ, FBI, HSI, and other agencies; OFAC’s own transaction monitoring programs; and media reports. OFAC also conducts outreach and examinations of financial institutions through coordination with the Federal Reserve, OCC, and FDIC.

Are small businesses subject to OFAC?

Yes. OFAC applies to all U.S. persons and entities regardless of size. Small businesses that conduct international transactions, have foreign customers, or use payment processors that screen against OFAC lists are all subject to compliance obligations. OFAC does apply a proportionality principle in enforcement — smaller violations by organizations with no compliance history may receive lower penalties — but the underlying obligation to comply applies universally.

What is the 50% rule in OFAC compliance?

The 50% rule provides that entities owned 50% or more — individually or in aggregate — by one or more SDN-listed parties are treated as if they were themselves listed, even if they don’t appear on the SDN list. This means that screening against the SDN list alone is not sufficient — businesses must also investigate beneficial ownership structures of counterparties to identify indirect SDN exposure. Our OFAC legal counsel team advises on beneficial ownership analysis and 50%-rule assessments.

How do I know if a transaction violates OFAC?

Determining whether a specific transaction is prohibited requires analyzing: (1) whether any party to the transaction is on the SDN list or owned by an SDN (50% rule); (2) whether the transaction involves a comprehensively sanctioned country; (3) whether the transaction involves goods, services, or technology subject to specific prohibitions; and (4) whether any general or specific license applies. Our sanctions lawyers provide transaction-specific legal opinions on OFAC compliance, typically within 24-48 hours for standard transactions.

OFAC Compliance Guide — FAQ

Who must comply with OFAC regulations?

All U.S. persons including citizens abroad, U.S. companies and foreign branches, anyone transacting in USD through U.S. banks.

SDN list screening, country-of-origin verification, beneficial ownership checks, 5-year record retention, documented compliance policy.

Yes, if they use USD, access U.S. financial institutions, are subsidiaries of U.S. companies, or fall under secondary sanctions.

Civil: up to $1.3M per violation or twice the transaction value. Criminal: up to $1M + 20 years under IEEPA.

A formal process to report discovered violations to OFAC, reducing civil penalties by up to 50%.

Any transaction involving a non-U.S. party, country under sanctions program, or payment in USD through U.S. correspondent banks requires screening.
