OFAC vs FinCEN: Differences, Overlaps & Compliance Guide
In the landscape of U.S. financial regulation, two agencies frequently appear together in compliance discussions: the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN). Both sit within the U.S. Department of the Treasury, both affect financial institutions and businesses operating in U.S. markets, and both carry significant penalty exposure for non-compliance. Yet their missions, legal authority, regulatory mechanisms, and compliance obligations are fundamentally different. Understanding those differences — and how the two regimes interact — is essential for any legal or compliance professional advising clients in 2026. If you need guidance navigating either regime, our team of OFAC attorneys is ready to assist.
What Is OFAC? Mission, Authority, and Legal Framework
The Office of Foreign Assets Control was established in 1950 and today administers more than 30 active sanctions programs. OFAC’s mission is to implement and enforce U.S. economic and trade sanctions based on national security and foreign policy objectives. It targets foreign nations, international terrorists, narcotics traffickers, weapons proliferators, human rights abusers, cyber actors, and other threats to U.S. national security and economic interests.
OFAC derives its primary legal authority from:
- The International Emergency Economic Powers Act (IEEPA) — the statutory basis for most modern sanctions programs, exercised through presidential executive orders declaring national emergencies
- The Trading With the Enemy Act (TWEA) — which underpins the Cuba sanctions program
- Program-specific statutes such as the Comprehensive Iran Sanctions, Accountability, and Divestment Act (CISADA), CAATSA (Countering America’s Adversaries Through Sanctions Act), the North Korea Sanctions Policy and Enhancement Act, and others
OFAC’s central tools include the designation of individuals and entities to the SDN list, the blocking of assets held within U.S. jurisdiction, prohibitions on transactions with designated parties, and the imposition of sector-specific restrictions. When an entity is designated, U.S. persons must block its property and refrain from all dealings. For affected parties, our blocked assets practice handles the full range of issues arising from a blocking order.
OFAC’s jurisdiction extends not just to U.S. persons and entities but — through secondary sanctions and dollar-clearing — reaches non-U.S. parties as well. This extraterritorial reach makes OFAC the most globally impactful sanctions authority in the world. A dedicated OFAC attorney can map your specific exposure across all applicable programs.
What Is FinCEN? Mission, Authority, and Legal Framework
The Financial Crimes Enforcement Network was established in 1990 as a bureau of the U.S. Department of the Treasury. FinCEN’s mission is to safeguard the financial system from illicit use, combat money laundering and the financing of terrorism, and promote national security through the collection, analysis, and dissemination of financial intelligence.
FinCEN derives its primary legal authority from the Bank Secrecy Act (BSA), enacted in 1970. The BSA requires financial institutions to maintain records and file reports that help the government detect and prevent financial crime. Key BSA obligations include:
- Suspicious Activity Reports (SARs): Filed when a financial institution knows, suspects, or has reason to suspect that a transaction involves illicit funds, is designed to evade reporting requirements, or lacks a lawful purpose. SARs are confidential and filed directly with FinCEN.
- Currency Transaction Reports (CTRs): Filed for cash transactions exceeding $10,000.
- Customer Due Diligence (CDD) Rule: Requires financial institutions to collect and verify beneficial ownership information for legal entity customers, identify the nature and purpose of customer relationships, and conduct ongoing monitoring.
- Beneficial Ownership Reporting: Under the Corporate Transparency Act (effective 2024-2025), most U.S. companies must report beneficial ownership information to FinCEN’s national database.
FinCEN does not impose sanctions in the traditional OFAC sense, but it does designate institutions under Section 311 of the USA PATRIOT Act as “primary money laundering concerns,” resulting in the imposition of special measures including the prohibition of correspondent accounts (the CAPTA list). Understanding how AML and OFAC compliance interact is increasingly important for financial institutions navigating dual obligations.
IEEPA vs. Bank Secrecy Act: Different Legal Foundations
The fundamental difference between OFAC and FinCEN begins with their statutory foundations:
IEEPA (OFAC): Grants executive power to declare national emergencies and impose economic sanctions. It is a national security and foreign policy tool — the President identifies a threat, issues an executive order, and OFAC implements the resulting prohibitions. IEEPA is not primarily about detecting crime; it is about blocking economic relationships with identified threats.
Bank Secrecy Act (FinCEN): Creates an anti-money laundering (AML) compliance infrastructure. The BSA requires financial institutions to be partners in detecting and reporting financial crime. It is a regulatory compliance framework — institutions must implement programs, conduct due diligence, and file reports. The BSA does not prohibit specific transactions the way IEEPA does; it requires that suspicious activity be identified and reported.
This distinction matters for legal analysis: an OFAC violation typically involves a specific prohibited transaction (a violation of a bright-line rule), while a BSA violation typically involves inadequate systems or failure to file required reports (a compliance program failure). The legal defenses, remedies, and penalty structures differ accordingly. An experienced sanctions lawyer understands both frameworks and advises clients on managing exposure under each.
Key Differences: OFAC vs. FinCEN
The table below summarizes the principal distinctions between the two agencies:
| Aspect | OFAC | FinCEN |
|---|---|---|
| Primary Authority | IEEPA, TWEA, program statutes | Bank Secrecy Act |
| Core Mission | Sanctions enforcement / national security | AML / financial crime prevention |
| Primary Tool | SDN designations, blocking orders | SAR requirements, CDD rules |
| Jurisdiction | U.S. persons + extraterritorial via secondary sanctions | U.S. financial institutions |
| Reporting Obligation | Report blocked/rejected transactions within 10 days | File SARs within 30 days of detection |
| Penalty Structure | Up to $368,136/violation (civil); criminal penalties possible | Up to $1M+/day for systemic failures; criminal exposure |
| Enforcement Model | Transaction-specific prohibition | Program-based compliance obligations |
Suspicious Activity Reports vs. OFAC Blocking Reports
One of the most practically important distinctions for financial institutions is the different reporting obligations under each regime:
OFAC Blocking/Rejection Reports: When a financial institution blocks property (e.g., freezes an SDN’s funds) or rejects a prohibited transaction, it must report the action to OFAC within 10 business days. Annual reports on all blocked property are due by September 30. These reports go directly to OFAC and are part of the public enforcement record. Assistance with release blocked funds requests typically follows the filing of a blocking report.
FinCEN SARs: When a financial institution detects suspicious activity suggestive of money laundering, fraud, or other financial crime — including potential sanctions evasion — it must file a SAR with FinCEN within 30 days of detection (60 days if no suspect can be identified at initial detection). SARs are confidential — they cannot be disclosed to the subject of the report, and disclosure is itself a criminal offense. FinCEN shares SAR data with law enforcement agencies and, when relevant, with OFAC.
A critical compliance nuance: a transaction that triggers an OFAC blocking report may also require a SAR filing if there are indicators of financial crime beyond the mere sanctions violation. Conversely, a SAR filed for suspicious activity may be forwarded to OFAC if it reveals potential sanctions evasion. Financial institutions must have procedures addressing both reporting channels.
How OFAC and FinCEN Intersect: The AML-Sanctions Compliance Overlap
Despite their different mandates, OFAC and FinCEN are increasingly intertwined in both policy and enforcement. Several key areas of overlap require integrated compliance approaches:
Sanctions Evasion as a Financial Crime: Sanctions evasion — structuring transactions to avoid OFAC detection — also constitutes a financial crime that triggers SAR obligations under the BSA. OFAC and FinCEN regularly issue joint advisories on common evasion typologies (e.g., shell company networks, correspondent banking abuse, trade-based money laundering). The FATF grey list identifies jurisdictions with AML/CFT deficiencies that correlate with elevated sanctions evasion risk.
Beneficial Ownership: Both regimes require understanding who ultimately owns or controls a transaction counterparty. OFAC’s 50% ownership rule and FinCEN’s CDD beneficial ownership requirements both demand tracing ownership structures — the analytical work overlaps, and firms that invest in beneficial ownership infrastructure satisfy both agencies’ requirements more efficiently.
Joint Enforcement Actions: OFAC and FinCEN frequently coordinate enforcement actions against financial institutions for simultaneous sanctions and AML violations. In 2025, several OFAC enforcement actions were pursued jointly with FinCEN and DOJ. A financial institution facing simultaneous OFAC and FinCEN scrutiny needs a defense team experienced in both regulatory frameworks. Our OFAC enforcement defense practice has handled multi-agency matters involving coordination between OFAC, FinCEN, DOJ, and state financial regulators.
OFAC Compliance as Part of AML Programs: The BSA requires financial institutions to maintain comprehensive AML compliance programs. Banking regulators (OCC, Federal Reserve, FDIC, NCUA) consistently treat OFAC compliance as a component of adequate AML programs — and an institution with strong AML controls but weak OFAC screening faces examination findings on both fronts. An integrated OFAC compliance program that aligns with AML requirements is the baseline expectation.
Penalty Structures: Different but Both Severe
Both OFAC and FinCEN can impose substantial civil monetary penalties, but their penalty structures differ:
OFAC penalties are calculated per violation (i.e., per prohibited transaction), with a maximum of $368,136 per violation as of 2026 (adjusted annually for inflation) for most programs. Egregious violations can be penalized at twice the value of the underlying transaction, which in large-value cases can dwarf the per-violation cap. OFAC’s 2019 Enforcement Guidelines provide a detailed framework for analyzing aggravating and mitigating factors. Voluntary self-disclosure through OFAC VSD can reduce the base penalty by 50%.
FinCEN penalties under the BSA can be imposed for each day that a violation continues, creating the potential for massive aggregate penalties for systemic compliance failures. The maximum civil penalty for willful BSA violations is the greater of $100,000 or the amount of the underlying transaction, per violation. For large institutions, FinCEN settlements have reached hundreds of millions of dollars.
Criminal penalties apply in both regimes: willful OFAC violations can result in up to 20 years imprisonment; willful BSA violations can result in up to 10 years imprisonment. The risk of criminal referral to DOJ exists under both programs, particularly for conduct that appears intentional or involves senior management.
Dual Compliance Obligations for Financial Institutions
For financial institutions, the practical challenge is managing simultaneous, overlapping compliance obligations under two distinct regulatory regimes. Best practices for integrated OFAC/AML compliance include:
- Unified customer risk rating: Incorporate both sanctions exposure (country of origin, counterparty SDN status) and AML risk indicators (transaction patterns, PEP status) into a single customer risk score. Our PEP and sanctions screening review service provides a comprehensive risk assessment covering both dimensions.
- Integrated screening infrastructure: Screen all customers, transactions, and counterparties against both OFAC sanctions lists and AML watchlists (PEP lists, adverse media, criminal records) in a single workflow.
- Coordinated SAR and blocking report procedures: When a transaction triggers an OFAC block, assess simultaneously whether a SAR is also required. Build dual-reporting workflows into compliance procedures.
- Cross-training: Compliance staff should understand both OFAC and BSA obligations. An OFAC compliance checklist that integrates AML checkpoints reduces the risk of compliance gaps at the intersection of the two regimes.
- Regulatory examination preparation: Prepare for joint examination scenarios where banking regulators assess OFAC compliance as part of BSA/AML examinations. Document the integrated compliance framework clearly for examiners.
2025-2026 Regulatory Developments Affecting Both Regimes
Several developments in 2025-2026 affect the OFAC-FinCEN compliance landscape:
- Corporate Transparency Act (CTA): The CTA, effective 2024, requires most U.S. companies to file beneficial ownership information with FinCEN. This data supports both AML due diligence and OFAC 50% rule analysis, creating a new compliance infrastructure that both regimes benefit from.
- OFAC gatekeeper enforcement: OFAC’s 2025-2026 enforcement priority targets accountants, attorneys, and compliance professionals who obscure blocked-person interests — directly paralleling FinCEN’s longstanding emphasis on professional service providers’ AML obligations.
- Joint advisories on Russia and Iran evasion: OFAC and FinCEN issued multiple joint advisories on Russian and Iranian sanctions evasion typologies in 2024-2025, emphasizing the use of shell companies, cryptocurrency, and trade-based structures. Both regimes require institutions to monitor for these typologies.
- Crypto and digital assets: Both OFAC (through crypto sanctions designations) and FinCEN (through BSA virtual asset service provider rules) are expanding their reach into the cryptocurrency sector. Compliance infrastructure must cover both regulatory dimensions.
Understanding what it means to be sanctioned from a financial institution’s perspective — both the OFAC blocking obligation and the potential AML/SAR implications — requires dual-regime expertise. Our sanctions lawyers provide integrated advice covering both OFAC and FinCEN compliance.
Frequently Asked Questions
Does blocking a transaction under OFAC also require a SAR filing?
Not necessarily, but often yes. An OFAC blocking report and a SAR serve different regulatory purposes. The blocking report notifies OFAC that property has been frozen pursuant to a sanctions obligation. A SAR is required if there are indicators of financial crime — and a sanctions violation, particularly an attempted one, often qualifies. Financial institutions should assess both obligations simultaneously when a transaction is blocked. Many institutions’ policies require automatic SAR review when an OFAC block occurs.
Can FinCEN impose sanctions like OFAC does?
No. FinCEN does not maintain a sanctions list equivalent to the SDN list, and it does not block assets under IEEPA authority. However, under Section 311 of the USA PATRIOT Act, FinCEN can designate foreign financial institutions as “primary money laundering concerns” and impose “special measures” — including the prohibition of correspondent accounts. This is recorded on the CAPTA list and has the practical effect of cutting off a foreign bank from the U.S. financial system.
What is the difference between a SAR and an OFAC blocking report?
A SAR is a confidential report filed with FinCEN when suspicious activity is detected. It cannot be disclosed to the subject and is shared with law enforcement. An OFAC blocking report is filed with OFAC within 10 business days of blocking property, documenting the specific transaction and the basis for blocking. Both reports may arise from the same transaction but serve different regulatory purposes and are filed with different agencies.
How do OFAC and FinCEN coordinate enforcement?
OFAC and FinCEN coordinate through information sharing, joint advisories, and coordinated enforcement actions. FinCEN may refer suspicious activity to OFAC when SAR data reveals potential sanctions violations. OFAC may refer cases to DOJ or FinCEN when enforcement action under IEEPA is complemented by BSA or criminal violations. Joint enforcement actions — particularly against financial institutions — are increasingly common and can result in simultaneous settlements with both agencies plus DOJ.
What are the penalties for OFAC violations compared to BSA violations?
OFAC civil penalties are per-transaction: up to $368,136 per violation as of 2026, or twice the transaction value for egregious violations. BSA penalties can be per day of violation — up to $100,000 per day for systemic failures — creating massive aggregate exposure for institutional compliance breakdowns. Both regimes carry criminal exposure for willful violations. Our civil monetary penalties resource provides a detailed penalty calculation framework. OFAC enforcement defense counsel can help minimize penalty exposure through strategic response to pre-penalty notices.
When OFAC and FinCEN Overlap: Dual Compliance Obligations
Financial institutions and regulated businesses do not face OFAC and FinCEN obligations in isolation — in many high-risk scenarios, a single transaction or customer relationship triggers simultaneous compliance duties under both regulatory frameworks. Understanding how these obligations interact is critical to avoiding dual-agency enforcement actions, which increasingly result in coordinated penalties from both OFAC and FinCEN (and frequently the Department of Justice as well).
| Scenario | OFAC Obligation | FinCEN Obligation | Combined Risk |
|---|---|---|---|
| Customer Screening / Onboarding | Screen all new customers and beneficial owners against the SDN list and OFAC consolidated sanctions list before account opening; re-screen at each OFAC list update. Prohibited counterparties must be rejected and, if applicable, assets blocked. | CDD (Customer Due Diligence) Rule requires identification and verification of beneficial owners for legal entity customers; ongoing monitoring for suspicious activity patterns. FinCEN KYC obligations apply from initial onboarding. | High — An onboarded customer who later appears on the SDN list creates simultaneous OFAC blocking obligation and FinCEN SAR filing requirement. Failure to screen proactively risks both an OFAC civil penalty and a BSA violation for failing to detect suspicious activity. |
| International Wire Transfers | Screen originator, beneficiary, and all intermediaries in the payment chain against OFAC lists. Block or reject any wire involving a designated party. File a report with OFAC within 10 business days of blocking. Rejected transactions must be returned unless OFAC-prohibited. | Recordkeeping and travel rule requirements (31 CFR Part 1010.410) require transmission of originator/beneficiary information for wires of USD 3,000 or more. Monitor for structuring, layering, or high-risk corridor activity. File SARs for suspicious wire patterns. | High — Wire transfers are the primary vector for sanctions evasion. A wire that is blocked by OFAC may also require a SAR if the context suggests money laundering or sanctions evasion intent. Insufficient wire monitoring has been the basis for major joint OFAC/FinCEN enforcement actions, including multi-hundred-million-dollar settlements. |
| SAR Filing (Suspicious Activity) | OFAC does not receive SARs directly, but SAR data shared with law enforcement may be referred to OFAC. Institutions that file SARs on suspected sanctions evasion should also assess whether to voluntarily disclose the underlying conduct to OFAC — voluntary self-disclosure can significantly reduce OFAC civil penalty exposure. | Mandatory SAR filing within 30 days of detecting suspicious activity involving USD 5,000 or more (banks) or USD 2,000 or more (MSBs). Failure to file a SAR on known or suspected sanctions evasion is itself a BSA violation, separate from any OFAC violation. | High — Suspected sanctions evasion triggers both FinCEN SAR obligations and potential OFAC voluntary self-disclosure considerations. Institutions must coordinate their legal and compliance teams to ensure SAR filings do not inadvertently waive privilege or prejudice OFAC defense positions. |
| Customer Due Diligence (CDD) / Ongoing Monitoring | OFAC requires institutions to maintain risk-based programs that re-screen customers when OFAC lists are updated (which can occur without notice). Ownership and control analysis (50% rule) must be applied to identify indirect SDN exposure through beneficial ownership structures. | FinCEN CDD Rule (effective 2018) mandates that covered financial institutions identify beneficial owners of legal entity customers and conduct ongoing monitoring to maintain updated customer information. Risk-based enhanced due diligence (EDD) applies to high-risk customers. | High — Complex corporate structures used for sanctions evasion are also used for money laundering. A customer with an SDN beneficial owner who passes initial KYC but is identified in ongoing monitoring creates concurrent obligations: OFAC asset blocking plus retroactive SAR analysis for prior transactions. |
| Cryptocurrency / Virtual Asset Transactions | OFAC has designated virtual currency addresses on the SDN list (including OFAC-linked Bitcoin and Ethereum addresses). Virtual asset service providers (VASPs) and exchanges must screen wallet addresses and blockchain transactions against OFAC lists. In 2022, OFAC sanctioned Tornado Cash (a crypto mixer), establishing precedent for smart contract designation. | FinCEN treats convertible virtual currency exchanges and administrators as money services businesses (MSBs) subject to full BSA obligations: AML program, SAR filing, CTR filing for qualifying transactions, and Travel Rule compliance for transfers of USD 3,000 or more. The April 2026 GENIUS Act NPRM extends FinCEN/OFAC dual compliance to stablecoin issuers (PPSIs). | Very High — Crypto presents the most complex dual-compliance challenge. Blockchain pseudonymity creates OFAC screening difficulties; the decentralized nature of many protocols creates jurisdictional ambiguity for FinCEN reporting. Exchanges and DeFi platforms face coordinated OFAC/FinCEN enforcement for AML and sanctions deficiencies, as demonstrated by the Binance (2023, USD 4.3B combined penalties) and BitMEX enforcement actions. |
The practical takeaway for compliance professionals is that OFAC and FinCEN obligations are complementary but not coextensive. An institution can have a clean OFAC screening record while still violating BSA obligations (for example, by failing to file SARs on structuring that happens not to involve any sanctioned party). Conversely, strong BSA/AML monitoring that surfaces suspicious activity does not automatically satisfy OFAC strict liability blocking obligations. Effective compliance programs address both frameworks as an integrated system, with clear escalation procedures when a transaction simultaneously triggers OFAC screening alerts and FinCEN suspicious activity criteria.
Joint OFAC/FinCEN enforcement actions have become a defining feature of US financial crime enforcement. The 2023 Binance settlement — coordinated across OFAC, FinCEN, DOJ, and CFTC — resulted in a combined penalty of USD 4.3 billion, the largest crypto enforcement action in history. For institutions facing parallel investigations, coordinated legal representation before both agencies is essential. Our OFAC enforcement defense team works alongside BSA/AML counsel to develop unified response strategies.