OFAC sanctions are among the most far-reaching legal obligations in U.S. law. Unlike most regulatory regimes that apply only within a country’s borders, OFAC’s rules follow U.S. persons wherever they go and reach foreign companies that maintain any connection to the U.S. financial system. Businesses worldwide — not just American ones — have been surprised to discover they are subject to OFAC compliance requirements. If you are wondering whether your company must comply, the honest answer is: probably yes. Consulting a qualified OFAC sanctions lawyer is the most reliable way to assess your specific exposure.
U.S. Persons: The Core Obligation
At the heart of OFAC’s jurisdiction is the concept of the “U.S. person.” Every U.S. person is required to comply with all applicable OFAC sanctions programs — full stop. A U.S. person includes:
- U.S. citizens, regardless of where in the world they reside
- U.S. permanent residents (Green Card holders), regardless of location
- All individuals physically present within the United States at the time of a transaction, including foreign nationals on short-term visas
- Corporations, partnerships, limited liability companies, trusts, and other legal entities organized under U.S. law
- Foreign branches of U.S. entities (not just the parent company — the branch itself)
The obligation is absolute and geography-independent. A U.S. citizen living in Dubai, working for a European company, is still prohibited from entering into a business arrangement with an SDN-listed party. A U.S. passport holder who accepts a position on the board of a sanctioned company abroad violates OFAC regardless of where the board meetings are held. Experienced OFAC lawyers regularly advise U.S. expats who did not realize their personal business dealings remained subject to U.S. sanctions law.
Foreign Subsidiaries of U.S. Companies
Most OFAC sanctions programs do not automatically apply to foreign subsidiaries of U.S. parent companies — this is an important but frequently misunderstood distinction. The general rule is that a foreign subsidiary incorporated outside the United States is not a “U.S. person” and therefore does not have an automatic obligation to comply with all OFAC programs. However, there are significant exceptions:
- Cuba and North Korea: These comprehensive embargo programs explicitly extend to foreign subsidiaries of U.S. companies. A German subsidiary of a U.S. firm cannot trade with Cuba any more than the U.S. parent can.
- Facilitation prohibition: Even where a foreign subsidiary is not directly covered, U.S. parent companies are prohibited from directing, approving, facilitating, or “causing” their foreign subsidiaries to engage in transactions that the U.S. parent could not conduct. This anti-facilitation rule effectively requires U.S. companies to impose group-wide compliance standards.
- Practical banking realities: Foreign subsidiaries that process payments through U.S. correspondent banks bring their transactions within U.S. jurisdiction by virtue of that clearing relationship.
For multinationals, building a comprehensive OFAC compliance program that covers all subsidiaries — even those technically outside direct OFAC jurisdiction — is considered best practice and is often required by institutional banking relationships.
Foreign Companies with a U.S. Nexus
One of the most important and often overlooked categories of OFAC-covered parties is foreign companies with a U.S. nexus. A non-U.S. company comes within OFAC’s reach in several ways:
- USD transactions: Any payment denominated in U.S. dollars will typically clear through a U.S. correspondent bank. The moment a foreign bank or foreign company routes a USD payment through New York, it is transacting within U.S. jurisdiction. If any party to that payment is sanctioned, a violation may have occurred — by the U.S. correspondent bank and potentially by the originating foreign institution as well.
- U.S. financial infrastructure: Using U.S.-based payment systems, software, cloud services, or other infrastructure creates a nexus even if the underlying transaction is entirely between foreign parties.
- U.S. investors or owners: A foreign company with U.S. shareholders or investors may have contractual obligations to comply with OFAC under investment agreements, and those U.S. investors are themselves bound by OFAC’s rules in relation to their investment activities.
The practical implication is that virtually any foreign company conducting international business in U.S. dollars must maintain an OFAC compliance checklist and screen its counterparties. This is not a theoretical concern — OFAC has assessed significant penalties against foreign financial institutions for processing USD payments that benefited sanctioned parties without adequate screening.
Secondary Sanctions: Reaching Non-U.S. Companies Without Any U.S. Nexus
Beyond primary sanctions (which bind U.S. persons), the United States has developed an expansive system of secondary sanctions that can reach foreign companies with no U.S. nexus at all. Secondary sanctions do not impose criminal liability under U.S. law on foreign firms; instead, they threaten those firms with exclusion from the U.S. financial system, denial of U.S. visas to their executives, and blocking of their own assets if they engage in “significant transactions” with designated parties under programs like:
- Iran: Under the Iran Freedom and Counter-Proliferation Act and related executive orders, foreign companies that purchase Iranian oil, trade with the Iranian energy sector, or deal with certain Iranian financial institutions risk being cut off from U.S. markets entirely. Iran sanctions secondary provisions have been enforced against companies in China, India, Turkey, and the UAE.
- Russia: Executive Order 14024 and its supplements authorize secondary sanctions against foreign persons who materially support designated Russian entities in the defense, energy, and financial sectors. Russia sanctions have made secondary liability a major compliance concern for European and Asian companies.
- North Korea: CAATSA (Countering America’s Adversaries Through Sanctions Act) contains robust secondary sanctions provisions targeting those who conduct significant trade with North Korean entities.
For foreign companies, secondary sanctions create a stark choice: do business with the sanctioned party or maintain access to the U.S. financial system. Understanding your exposure under international sanctions regimes requires specialized legal advice tailored to your industry and geographic operations.
Who Is Caught in Practice: Real-World Examples
OFAC enforcement history is filled with examples of parties who did not realize they were subject to sanctions obligations:
- European banks: Multiple major European banks have paid billions in OFAC penalties for processing USD transactions on behalf of Cuban, Iranian, Sudanese, and other sanctioned parties — even though the transactions took place entirely between non-U.S. entities.
- Foreign shipping companies: Shipping lines that transported cargo to or from sanctioned countries, or that called at ports in sanctioned jurisdictions, have faced massive OFAC fines under secondary sanctions programs.
- Technology companies: U.S. tech companies have been penalized for allowing users in sanctioned countries to access their platforms — including companies that sold virtual goods or software subscriptions to users located in Iran.
- Individual U.S. persons: U.S. citizens have been prosecuted for traveling to Cuba, doing business in sanctioned countries, or acting as agents for SDN-listed companies while residing abroad.
These examples illustrate why OFAC enforcement defense has become a specialized practice area. When enforcement proceedings begin, having experienced OFAC legal counsel from the outset dramatically improves outcomes.
2025–2026 Developments in OFAC Jurisdiction
OFAC enforcement has intensified significantly in 2025 and into 2026. Key developments include:
- Expanded Russia-related designations: OFAC has continued to add entities under Russia-related programs at an unprecedented pace, including third-country companies that have provided material support to Russia’s defense-industrial base. This has extended compliance obligations to companies in Central Asia, the Caucasus, and the Middle East that serve as transit points for sanctioned goods.
- Cryptocurrency enforcement: OFAC has pursued enforcement against DeFi protocols, crypto mixers, and digital asset businesses that facilitated transactions involving SDN-listed parties — establishing that the technology sector cannot claim ignorance of sanctions obligations.
- Stricter compliance program expectations: Recent OFAC enforcement advisories signal that companies with inadequate screening programs — even where individual violations were unintentional — will not receive the same mitigation credit as companies with robust compliance infrastructure. The bar for what constitutes an “effective” OFAC compliance program has risen substantially.
Staying current on OFAC’s evolving jurisdiction requires monitoring regulatory updates and engaging with sanctions compliance counsel who tracks enforcement trends. A proactive approach — including regular internal audits and refreshed compliance training — is no longer optional for businesses with international operations.
The Role of AML and OFAC Compliance
For financial institutions, OFAC compliance is deeply intertwined with anti-money laundering obligations. Understanding the relationship between AML and OFAC compliance is essential because both regimes require customer identification, transaction monitoring, and suspicious activity reporting — but they operate under different legal frameworks with different obligations and enforcement bodies. A bank that has robust AML controls but a weak OFAC screening program remains exposed, and vice versa. Integrated compliance programs that address both simultaneously are far more effective than siloed approaches.
Frequently Asked Questions
Does a foreign company with no U.S. offices or U.S. owners need to comply with OFAC?
Possibly. If the foreign company processes any USD-denominated payments, uses U.S. financial infrastructure, or engages in significant transactions with parties covered by secondary sanctions programs (such as Iran or Russia), it has OFAC-related obligations or risk exposure. A compliance assessment by experienced qualified OFAC sanctions lawyer is advisable for any company with international operations.
Are U.S. citizens abroad exempt from OFAC requirements?
No. U.S. citizenship carries OFAC obligations worldwide. A U.S. citizen living and working abroad must comply with all OFAC programs just as if they were located in the United States. This includes restrictions on business dealings, investments, and even personal financial arrangements with SDN-listed parties.
What are the penalties for OFAC non-compliance?
Civil penalties can reach $1 million or more per violation (with the cap adjusted annually for inflation), and criminal penalties for willful violations can include imprisonment. OFAC also has the authority to block assets, deny export privileges, and publicly name violators — all of which create severe reputational consequences in addition to financial ones. The OFAC penalties framework distinguishes between egregious and non-egregious violations, with significant mitigation available for companies with strong compliance programs and prompt voluntary disclosure.
Do non-profit organizations have to comply with OFAC?
Yes. Non-profit organizations, NGOs, and charities that are U.S. persons — or that receive U.S. funding — must comply with OFAC. Humanitarian operations in or near sanctioned countries require careful review of applicable general licenses and, in many cases, specific license applications. OFAC has issued guidance specifically for NGOs operating in challenging environments such as Syria, Yemen, and Afghanistan.
Can a company that has violated OFAC rules self-report to reduce penalties?
Yes, and it is almost always advisable to do so. OFAC’s enforcement guidelines provide for significant penalty reductions — up to 50% — when a company makes a timely and complete voluntary self-disclosure. Companies that self-disclose, remediate the compliance failure, and cooperate fully with OFAC’s investigation typically receive substantially lower penalties than those discovered through third-party reporting or OFAC’s own investigations. Review the OFAC sanctioned countries to understand the geographic scope of your obligations.