What Is OFAC Screening?

OFAC screening is the process of checking individuals, entities, transactions, and counterparties against U.S. Treasury sanctions lists to ensure that no prohibited dealings are being conducted with designated parties. It is one of the most fundamental obligations in U.S. sanctions compliance — and one of the most consequential when done poorly. Whether you are a bank processing wire transfers, a fintech company onboarding new users, a law firm conducting client due diligence, or a corporation evaluating a new supplier, OFAC screening is likely a legal and regulatory obligation. Experienced sanctions compliance counsel can help you design and implement a screening program that matches your risk profile.

What Is OFAC Screening?

At its core, OFAC screening means running names, addresses, account numbers, vessel identifiers, and other identifying data through one or more official sanctions lists to determine whether any match exists. A “hit” or “match” means the checked party may be a sanctioned person — triggering the obligation to block the transaction, freeze assets, and report to OFAC as required. A “false positive” means the check returned a potential match that, upon investigation, turns out to be a different person from the sanctioned party. The goal of a well-designed screening program is to catch every true hit while minimizing operationally disruptive false positives. OFAC screening services provided by specialized law firms can help calibrate this balance correctly.

Who Must Screen

OFAC does not explicitly mandate a specific screening procedure for every industry, but the practical obligation to screen arises from the underlying prohibitions: if a U.S. person — or anyone using U.S. financial infrastructure — cannot transact with SDN-listed parties, then the only way to comply is to know who you are dealing with. The following categories of organizations have the most acute screening obligations:

  • Banks and financial institutions: All U.S. banks and foreign banks with U.S. branches or correspondent relationships must screen customers, beneficial owners, and payment parties. Failure to screen is routinely cited in OFAC penalty notices.
  • Money services businesses: Money transmitters, check cashers, currency exchange businesses, and payment processors must screen all customers and transaction parties in real time.
  • Securities broker-dealers and investment advisers: Financial firms that manage accounts or execute trades on behalf of clients must screen all account holders and counterparties.
  • Insurance companies: Insurers and reinsurers must screen policyholders, beneficiaries, and insureds for SDN status before issuing or renewing coverage.
  • Import/export businesses: Companies engaged in international trade must screen all trading partners, freight forwarders, and end users of exported goods.
  • Law firms, accounting firms, and consultants: Professional services firms are expected to conduct sanctions screening of new clients as part of onboarding due diligence, with periodic re-screening thereafter.
  • Cryptocurrency and digital asset businesses: Exchanges, wallets, and DeFi protocols are subject to sanctions screening obligations under the same framework that applies to traditional financial services.

As a best practice, any company that operates internationally or maintains bank account compliance obligations should implement formal OFAC screening as a core component of its risk management framework.

Which Lists Are Screened

The OFAC blacklist — the Specially Designated Nationals and Blocked Persons list — is the most important, but it is far from the only list that compliance programs must cover. A complete OFAC screening program addresses all of the following:

  • SDN List (Specially Designated Nationals and Blocked Persons): Over 12,000 entries of individuals, companies, vessels, and aircraft subject to asset blocking and transactional prohibitions.
  • FSE List (Foreign Sanctions Evaders): Individuals and entities that have been determined by OFAC to have violated or attempted to evade U.S. sanctions relating to Syria or Iran. U.S. persons are prohibited from dealing with FSEs.
  • SSI List (Sectoral Sanctions Identifications): Entities subject to sectoral sanctions under Ukraine-related executive orders — covering Russia’s financial, energy, and defense sectors. SSI listings do not impose full blocking but prohibit specific categories of transactions (debt/equity issuance above specified maturities, etc.).
  • CAPTA List (Correspondent Account or Payable-Through Account Sanctions): Foreign financial institutions subject to sanctions that restrict their access to U.S. correspondent banking services.
  • Executive Order Lists: Various additional lists maintained under specific executive orders covering regions, individuals, or activities not addressed in the above consolidated lists.
  • Non-SDN PEP List / Other Non-SDN Lists: OFAC publishes several Non-SDN lists covering Palestinian Legislative Council members, menu-based sanctions parties, and others who face targeted — rather than comprehensive — restrictions.

Sophisticated compliance programs also screen against allied countries’ sanctions lists — EU, UK, UN — because transacting with a party designated only by the EU may still carry reputational and secondary sanctions risk even for U.S. entities. PEP and sanctions screening that combines OFAC lists with international sanctions databases provides the most comprehensive protection.

How Screening Works: Manual vs. Automated

Manual screening involves downloading the OFAC lists and running searches by hand — comparing customer names against the list entries. This approach is only viable for very small businesses with minimal transaction volume. Its limitations are significant: it becomes outdated quickly (the SDN list is updated multiple times per week), it is prone to human error, it cannot efficiently handle fuzzy name matching, and it leaves no adequate audit trail. Manual screening is generally considered insufficient for regulated industries.

Automated screening uses dedicated compliance software to screen in real time (for transactions) or in batch (for periodic customer re-screening). Automated tools offer several critical capabilities that manual screening cannot provide:

  • Fuzzy name matching: Algorithms that account for transliterations (Arabic, Cyrillic, Chinese names rendered in Latin script), common spelling variants, and partial matches — catching SDNs who use slight name variations to avoid detection.
  • Alias detection: SDN entries often include dozens of aliases. Automated tools check all aliases associated with an SDN entry, not just the primary name.
  • Real-time list updates: Automated systems refresh their underlying databases continuously, ensuring that a new SDN designation is captured within minutes or hours rather than days.
  • Ownership structure analysis: Advanced tools incorporate beneficial ownership data to apply OFAC’s 50% Rule, flagging entities that are indirectly controlled by SDN-listed parties.
  • Audit trails: Every screening check, every match result, and every resolution decision is documented — creating the compliance records that OFAC reviewers will want to examine in an enforcement proceeding.

The World-Check database, LexisNexis Bridger, Dow Jones Risk & Compliance, Refinitiv, and ComplyAdvantage are among the most widely used commercial screening platforms. Each has strengths and weaknesses; the right choice depends on your transaction volume, geographic footprint, and industry. Consulting with a sanctions database screening expert can help you select and configure the right solution.

Screening Frequency: When and How Often to Screen

OFAC does not specify mandatory screening frequencies, but enforcement guidance makes clear that one-time onboarding screening is insufficient. Best practices — and the implicit standard embedded in enforcement actions against companies with poor programs — include:

  • At onboarding: Every new customer, vendor, investor, or partner should be screened before the relationship begins. This applies to individual consumers and corporate entities alike.
  • At transaction processing: For financial institutions and payment processors, each payment or transfer should be screened in real time against all relevant lists, covering all parties: sender, receiver, correspondent banks, and beneficial owners.
  • Periodic re-screening: Existing customers and counterparties must be re-screened on a regular basis — monthly for high-risk relationships, quarterly or semi-annually for lower-risk ones — because the SDN list changes frequently. A customer who was clean at onboarding may be designated six months later.
  • Event-triggered screening: Any change in a counterparty’s ownership structure, management, or geographic operations should trigger an out-of-cycle screen.

Implementing these screening cadences requires documented policies, procedures, and a technology infrastructure that can handle the required volume. Your OFAC compliance checklist should include screening frequency standards tailored to your highest-risk customer segments.

Managing False Positives

False positives are one of the biggest operational challenges in OFAC screening. Common names — particularly those from regions with many sanctioned parties — generate high rates of false positive alerts. “Ali Hassan,” for example, matches dozens of SDN entries. An effective compliance program manages false positives through:

  • Calibrated matching thresholds: Screening software can be tuned to balance sensitivity (catching all true hits) against specificity (avoiding excessive false positives). The right calibration depends on the risk level of the counterparty population being screened.
  • Tiered review workflows: Automated systems can triage alerts by confidence score, routing high-confidence matches directly to senior compliance staff and low-confidence matches to a junior review queue.
  • Documented disposition: Every false positive resolution must be documented, including the reasons for clearance. Inadequate recordkeeping is itself a compliance failure that OFAC may view negatively.
  • Lookback lists: Once a counterparty has been cleared as a false positive against a specific SDN entry, that clearance can be documented and applied to future screening of the same counterparty — reducing repeated false positive alerts for the same known relationship.
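
The sketch below is an added example, not code from this page or from any screening vendor. It ties together the alias-aware fuzzy matching described under automated screening with the calibrated thresholds, tiered review routing, and lookback list described above. The list entries, customer IDs, and threshold values are constructed assumptions, and Python's standard-library `difflib` stands in for a commercial matching algorithm.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed entries: fictitious names and IDs, not taken from any real sanctions list.
WATCHLIST = [
    {"uid": "X-1001", "name": "Aleksandr Petrovich Voronin",
     "aliases": ["Alexander Voronin", "Oleksandr Voronyn"]},
    {"uid": "X-1002", "name": "Karim Al-Masri Trading LLC",
     "aliases": ["Kareem Almasri Trading"]},
]
# Lookback list: (customer id, list uid) pairs with a documented false-positive clearance.
CLEARED = {("CUST-77", "X-1001")}
HIGH, LOW = 0.90, 0.75  # assumed thresholds; calibrate to the population being screened

def normalize(name):
    """Fold accents and case, drop punctuation, sort tokens so word order is ignored."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    s = "".join(c if c.isalnum() else " " for c in s)
    return " ".join(sorted(s.split()))

def similarity(a, b):
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def route(score):
    """Triage by confidence: strong matches go to senior staff, weaker ones to a junior queue."""
    if score >= HIGH:
        return "senior_review"
    return "junior_review" if score >= LOW else None

def screen(customer_id, name):
    """Return one alert record per list entry whose best name or alias score reaches LOW."""
    alerts = []
    for entry in WATCHLIST:
        candidates = [entry["name"], *entry["aliases"]]   # primary name and every alias
        matched = max(candidates, key=lambda n: similarity(name, n))
        score = similarity(name, matched)
        tier = route(score)
        if tier is None:
            continue
        if (customer_id, entry["uid"]) in CLEARED:
            tier = "suppressed_prior_clearance"           # still recorded for the audit trail
        alerts.append({"customer": customer_id, "uid": entry["uid"],
                       "matched": matched, "score": round(score, 3), "tier": tier})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for cid, n in [("CUST-01", "VORONIN, Aleksander"), ("CUST-77", "Alexander Voronin"),
                   ("CUST-02", "Maria Gonzalez")]:
        print(cid, n, screen(cid, n))
```

Lowering `LOW` catches more spelling variants at the cost of a larger junior review queue, which is the sensitivity and specificity trade-off described above.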

The Cost of Not Screening

The consequences of inadequate OFAC screening can be catastrophic. OFAC civil penalties can reach hundreds of millions of dollars for financial institutions that systematically fail to screen transactions. But the costs go beyond civil fines:

  • Criminal liability: Willful OFAC violations can result in criminal prosecution, with penalties including imprisonment for responsible individuals.
  • Correspondent banking loss: Foreign banks that repeatedly fail to identify SDN-related transactions may lose their U.S. correspondent banking relationships — effectively cutting them off from USD clearing.
  • Reputational damage: Public OFAC enforcement actions name the violating entity, describe the violations in detail, and remain permanently accessible online.
  • Regulatory consequences: Financial regulators (OCC, FRB, FDIC, FINRA) treat OFAC compliance failures as safety and soundness concerns, which can result in formal enforcement orders, management bans, and license revocations.

When a compliance failure is discovered internally, the decision of whether to make a voluntary self-disclosure to OFAC — and how to do so in a way that maximizes penalty mitigation — is one of the most consequential decisions a company will face. The guidance of experienced OFAC enforcement defense counsel at this juncture is invaluable. A well-constructed self-disclosure, accompanied by evidence of a robust remediated OFAC compliance program, can reduce penalties by 50% or more. For businesses that want to understand their current exposure and build a defensible program, our top sanctions law firms offer compliance program reviews and gap analyses.

Frequently Asked Questions

Is OFAC screening the same as AML screening?

No, though they share many of the same processes. AML and OFAC compliance are distinct regulatory frameworks. AML screening focuses on detecting suspicious transactions that may indicate money laundering, while OFAC screening is specifically about identifying transactions involving sanctioned parties. However, both require customer identification, ongoing monitoring, and robust recordkeeping, and they are often administered by the same compliance teams using the same technology platforms.

Do small businesses need to screen for OFAC?

Yes. OFAC’s obligations apply to all U.S. persons regardless of business size. There is no small-business exemption. However, the scope and sophistication of the screening program should be proportionate to the business’s risk profile. A domestic-only small business with no international clients may have minimal exposure, while a small business that imports goods or serves international clients should have a formal, documented screening program.

What happens if my screening system generates a false positive?

If your system flags a potential match, you must pause the transaction or relationship until the match is investigated. A compliance officer reviews the flagged entry, compares all available identifying information (date of birth, nationality, address, etc.), and makes a documented determination of whether the match is a true hit or a false positive. If it is a false positive — meaning the counterparty is a different person from the SDN entry — the transaction may proceed and the clearance should be documented for audit purposes.

What is a “true hit” and what must I do when I get one?

A true hit means the counterparty is, in fact, a party on the SDN list (or another blocking list). Upon confirming a true hit, you must: immediately refuse or block the transaction; if the SDN has assets in your possession, block (freeze) those assets; file a blocking report with OFAC within 10 business days; and seek guidance from your OFAC legal counsel on next steps, including whether a license application or disclosure to OFAC is required.

How do I know if my current screening program is adequate?

OFAC’s own Framework for Compliance Commitments identifies five components of an effective compliance program: management commitment; risk assessment; internal controls; testing and auditing; and training. If your program lacks documented policies in any of these areas, or if it has not been tested and audited recently, it may not meet OFAC’s expectations. Our firm offers sanctions database screening program reviews and gap analyses that benchmark your controls against current OFAC enforcement expectations.
