OFAC Compliance Checklist
A comprehensive OFAC compliance checklist helps your business avoid violations, penalties up to $377,700 per transaction, and reputational damage. Our sanctions lawyers guide you through every step.
Quick Answer: An OFAC compliance checklist is a structured set of procedures businesses must follow to comply with U.S. sanctions administered by the Office of Foreign Assets Control (OFAC). It covers SDN list screening, transaction monitoring, risk assessment, record-keeping, employee training, and voluntary self-disclosure procedures. Failure to maintain a compliant program exposes your business to civil penalties exceeding $1 million per violation.
Why You Need an OFAC Compliance Checklist
OFAC administers more than 30 active sanctions programs targeting countries, individuals, and entities that pose threats to U.S. national security, foreign policy, or the economy. Every U.S. person — and many foreign entities with U.S. nexus — must comply with these sanctions.
The consequences of non-compliance are severe. In recent years, OFAC enforcement actions have resulted in penalties exceeding $1 billion annually across industries. But enforcement isn’t random — OFAC consistently rewards companies that have robust OFAC compliance programs in place, even when violations occur.
OFAC’s guidance document, A Framework for OFAC Compliance Commitments, identifies five essential pillars of a compliant sanctions compliance program (SCP):
- Management commitment — senior leadership actively supports compliance
- Risk assessment — identifying your specific exposure to sanctioned parties and jurisdictions
- Internal controls — written policies, screening procedures, and escalation protocols
- Testing and auditing — regular review of your program’s effectiveness
- Training — ongoing education for all relevant staff
Without a documented compliance checklist, your business cannot demonstrate good faith to OFAC — which is the primary factor in whether violations result in no-action letters, reduced penalties, or maximum civil monetary penalties (CMPs).
OFAC Compliance Checklist: 10 Core Steps
The following checklist applies to all U.S. businesses and foreign companies with U.S. nexus. Complete each step and document your efforts.
Step 1: Appoint a Sanctions Compliance Officer
Designate a qualified individual with authority and resources to implement and oversee your OFAC compliance program. This officer should report to senior management and have direct access to legal counsel. Document the appointment in writing and define the role’s responsibilities clearly.
Step 2: Conduct a Sanctions Risk Assessment
Map your business operations against all active OFAC sanctions programs. Your risk assessment should identify:
- Customers and counterparties by country of origin and beneficial ownership
- Products and services that could be diverted to sanctioned jurisdictions
- Payment flows that touch high-risk correspondent banks or intermediaries
- Exposure to comprehensive sanctions (Cuba, Iran, North Korea, Syria, Russia-related programs)
- Sector-specific risks under targeted programs (e.g., Russia energy sector, China military-industrial complex)
Perform this assessment at least annually, and update it whenever you enter new markets, launch new products, or OFAC updates a major program.
Step 3: Screen Against OFAC Sanctions Lists
Screen all customers, vendors, counterparties, and beneficial owners against:
- SDN List (Specially Designated Nationals and Blocked Persons)
- Consolidated Sanctions List (all OFAC-administered lists combined)
- Sectoral Sanctions Identifications (SSI) List
- Foreign Sanctions Evaders (FSE) List
- Non-SDN Menu-Based Sanctions (NS-MBS) List
Screen at onboarding, periodically during the relationship (minimum annually, ideally in real-time or weekly), and immediately following any OFAC list update. Use fuzzy matching to catch name variations and transliterations. Apply the 50% rule: any entity 50% or more owned by an SDN-listed party is itself blocked, even if not explicitly on the list.
Step 4: Implement Transaction Monitoring
Deploy automated systems to flag transactions involving:
- IP addresses, shipping addresses, or billing addresses in sanctioned countries
- Payment routing through sanctioned financial institutions
- Unusual payment patterns suggesting third-party payments on behalf of sanctioned persons
- Transactions referencing sanctioned ports, vessels, or aircraft
- Payments with obfuscated beneficiary information
Configure alerts for high-risk indicators specific to your industry and document every alert, investigation, and disposition decision.
Step 5: Apply Beneficial Ownership Due Diligence
Verify the ultimate beneficial owners of all business counterparties. OFAC’s 50% rule means that entities owned 50% or more by an SDN-listed person are blocked — regardless of whether they appear on the SDN list themselves. For high-risk customers, obtain corporate structure documentation and verify through independent sources.
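As an added example (not code from this page or from the firm), the following Python demonstrates the two checks described in Steps 3 and 5: fuzzy name screening against a list, and the 50% rule aggregated through ownership chains. The list entries, company names and ownership fractions are constructed sample data, and the chain handling assumes the reading of OFAC's guidance that a stake held by an entity which is itself blocked counts in full, without multiplying fractions down the chain.

```python
import re
from difflib import SequenceMatcher

# Constructed sample list of blocked persons (hypothetical names, not real SDN entries).
BLOCKED_LIST = ["EXAMPLE TRADING CO LTD", "IVAN EXAMPLEOV"]

SUFFIXES = r"\b(LTD|LIMITED|LLC|INC|CO|COMPANY|CORP|CORPORATION|GMBH|SA)\b"


def normalize(name: str) -> str:
    """Upper-case, drop punctuation and corporate suffixes, collapse whitespace."""
    name = re.sub(r"[^\w\s]", " ", name.upper())
    name = re.sub(SUFFIXES, " ", name)
    return " ".join(name.split())


def screen_name(name: str, blocked=BLOCKED_LIST, threshold: float = 0.85):
    """Fuzzy-match a counterparty name against the list (Step 3).
    Returns (list_entry, score) for the best hit at or above threshold, else None.
    Hits must still be reviewed by a person; the threshold is an assumed tuning value."""
    q = normalize(name)
    best = max(blocked, key=lambda b: SequenceMatcher(None, q, normalize(b)).ratio())
    score = SequenceMatcher(None, q, normalize(best)).ratio()
    return (best, round(score, 2)) if score >= threshold else None


# Constructed ownership graph: entity -> {owner: fraction of equity held}.
OWNERS = {
    "ALPHA HOLDINGS": {"IVAN EXAMPLEOV": 0.50, "UNRELATED FUND": 0.50},
    "BETA SHIPPING":  {"ALPHA HOLDINGS": 0.50, "PUBLIC FLOAT": 0.50},
    "GAMMA TRADING":  {"IVAN EXAMPLEOV": 0.25, "UNRELATED FUND": 0.75},
}


def blocked_entities(owners, blocked=BLOCKED_LIST, threshold: float = 0.50):
    """Apply the 50% rule through ownership chains (Step 5). An entity is blocked
    when stakes held by blocked persons sum to >= threshold; a stake held by an
    entity that is itself blocked counts in full. Iterate to a fixed point so
    that newly blocked intermediaries propagate to the entities they own."""
    blocked = {normalize(b) for b in blocked}
    changed = True
    while changed:
        changed = False
        for entity, stakes in owners.items():
            e = normalize(entity)
            if e in blocked:
                continue
            share = sum(f for owner, f in stakes.items() if normalize(owner) in blocked)
            if share >= threshold:
                blocked.add(e)
                changed = True
    return blocked
```

In the sample graph ALPHA HOLDINGS is blocked outright (50% held by a listed person) and BETA SHIPPING is blocked through ALPHA, while GAMMA TRADING at 25% stays clear.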
Step 6: Establish Written Policies and Escalation Procedures
Document your compliance program in a written policies and procedures manual covering:
- Screening frequency and methodology
- How potential matches are investigated and resolved
- Escalation chain for suspected violations
- Procedures for blocking transactions and reporting to OFAC
- Licensing procedures (when to apply for specific or general licenses)
- Record-keeping requirements
Step 7: Maintain Required Records
OFAC requires records to be maintained for at least 5 years. Your records must include:
- Screening results with dates and list versions used
- Blocked transaction reports (filed with OFAC within 10 business days)
- Annual reports of blocked property (due September 30 each year)
- All correspondence with OFAC, including license applications and responses
- Risk assessment reports and audit results
- Employee training records (dates, attendees, materials used)
- Rejected transaction reports (filed within 10 business days)
Step 8: Train All Relevant Employees
Provide role-specific OFAC training to all employees who interact with customers, process transactions, manage vendor relationships, or make compliance decisions. Training should cover:
- Current OFAC sanctions programs relevant to your business
- How to identify red flags and potential sanctions matches
- Escalation procedures — who to contact and when
- Consequences of violations, including personal liability for individuals
- Whistleblower protections for reporting misconduct
Conduct training at least annually and document all sessions. Update training materials whenever major sanctions programs change.
Step 9: Conduct Regular Audits and Testing
Periodically test your compliance controls through internal audits and, for higher-risk businesses, independent third-party reviews. Audits should:
- Test whether screening systems are functioning correctly
- Review a sample of transactions for compliance
- Assess whether policies and procedures are being followed
- Identify gaps in coverage or control weaknesses
- Produce written findings and remediation plans
Step 10: Establish Voluntary Self-Disclosure Procedures
If a potential OFAC violation is discovered, your response matters enormously. Establish clear procedures for:
- Internal reporting to the compliance officer and legal counsel immediately upon discovery
- Preserving all relevant records (do not destroy anything)
- Conducting a thorough internal investigation to scope the issue
- Evaluating whether voluntary self-disclosure to OFAC is appropriate
- Implementing remediation measures to prevent recurrence
OFAC treats voluntary self-disclosure as a significant mitigating factor. Companies that self-disclose, cooperate fully, and implement remediation typically receive substantially reduced penalties compared to those discovered through external enforcement.
OFAC Compliance Checklist for Financial Institutions
Banks, credit unions, money services businesses, and other financial institutions face heightened OFAC obligations due to their central role in payment flows. In addition to the core 10-step checklist, financial institutions must:
- Real-time transaction screening — Screen wire transfers, ACH payments, and other transactions in real-time before processing, not batch-processed after the fact
- SWIFT message screening — Screen all fields of international wire instructions, including originator, beneficiary, and intermediary bank information
- Correspondent banking due diligence — Assess OFAC risk posed by foreign correspondent banks; avoid processing U-turn transactions for comprehensively sanctioned countries
- OFAC blocking and rejection procedures — Distinguish between transactions that must be blocked (funds frozen) versus rejected (returned); each has different reporting requirements
- Integration with BSA/AML program — OFAC compliance and AML compliance are separate obligations but must be integrated; suspicious activity reports (SARs) and OFAC reports serve different purposes
- Annual OFAC audit — Regulatory expectations for financial institutions include formal annual OFAC compliance audits, often reviewed by examiners
- Customer risk scoring — Incorporate OFAC risk factors into customer due diligence (CDD) and enhanced due diligence (EDD) frameworks
OFAC Compliance Checklist for Exporters and Importers
Companies engaged in international trade face unique OFAC risks because goods can be diverted to sanctioned destinations after export. Key checklist items for exporters and importers:
- End-user verification — Confirm the ultimate end user of your products; obtain end-user statements for sensitive goods and verify through independent research
- Supply chain screening — Screen all logistics providers, freight forwarders, shipping companies, and intermediaries against OFAC lists
- Vessel and aircraft screening — Check vessel names and IMO numbers against OFAC’s list of blocked vessels; Iran, North Korea, and Russia sanctions programs frequently involve vessel deception tactics
- Diversion red flags — Watch for orders from countries that don’t typically use your products, unusual shipping routes, requests to omit product descriptions, or payments from unrelated third parties
- Export license coordination — Coordinate OFAC licensing requirements with BIS export control licenses; both may be required for the same transaction
- Country-of-origin rules — Understand how foreign-made goods with U.S.-origin content are subject to OFAC controls
- Incoterms risk — Know your point of control in the transaction; DDP (Delivered Duty Paid) terms give you the greatest control and responsibility
OFAC Compliance Checklist for Crypto and Fintech Companies
OFAC has made clear that sanctions apply equally to transactions involving virtual currency. Crypto exchanges, DeFi platforms, payment processors, and other fintech companies must address unique compliance challenges:
- Blockchain address screening — Screen wallet addresses against OFAC’s published list of blocked cryptocurrency addresses; implement real-time screening before processing transactions
- KYC/AML integration — Collect sufficient customer identification information to conduct OFAC screening; pseudonymous transactions create compliance blind spots
- Geographic IP blocking — Block users accessing your platform from comprehensively sanctioned countries (Iran, Cuba, North Korea, Syria, Crimea/Donetsk/Luhansk regions)
- Blockchain analytics tools — Use chain analysis tools to trace the origin and destination of funds; identify mixing services, darknet market connections, and other red flags
- Smart contract exposure — Assess whether your protocol could be used by sanctioned persons; OFAC has sanctioned smart contract addresses (Tornado Cash)
- Stablecoin and DeFi risks — Understand your exposure when users interact with sanctioned DeFi protocols or hold sanctioned stablecoins
- NFT and token screening — Apply OFAC screening to NFT marketplace participants and token sale participants
Common OFAC Compliance Failures
Understanding why companies fail helps you avoid the same mistakes. The most common OFAC compliance failures documented in enforcement actions include:
- Inadequate screening systems — Using outdated list versions, insufficient fuzzy matching, or failing to screen all relevant data fields
- The 50% rule blind spot — Missing beneficial ownership chains that result in transactions with SDN-owned entities not explicitly on the list
- Ignoring geography — Processing transactions with counterparties in comprehensively sanctioned jurisdictions without adequate due diligence
- Third-party payment risks — Accepting payments from unrelated third parties without investigating why a direct counterparty is using a payment intermediary
- Inadequate training — Front-line employees who interact with customers not knowing what red flags to escalate
- No escalation culture — Employees aware of potential issues but not reporting them due to lack of clear procedures or fear of retaliation
- Delayed reporting — Discovering a violation but failing to report blocked transactions within the mandatory 10-business-day window
- Inadequate records — Unable to produce documentation demonstrating compliance efforts when OFAC investigates
- Static programs — Compliance programs written once and never updated as sanctions programs evolve
How a Sanctions Lawyer Helps Build Your Compliance Program
Building an effective OFAC compliance program is not a one-size-fits-all exercise. The right program for your business depends on your industry, customer base, transaction volumes, geographic exposure, and risk appetite. A generic template downloaded from the internet will not satisfy OFAC’s expectations for a tailored, risk-based compliance program.
Our OFAC sanctions lawyers work with businesses across industries to:
- Conduct sanctions risk assessments specific to your business model and geographic exposure
- Draft and implement written compliance policies that satisfy OFAC’s Framework requirements
- Review and advise on screening systems to ensure adequate coverage of all relevant lists and data fields
- Provide employee training tailored to your industry and the specific sanctions programs that affect you
- Conduct internal compliance audits to identify gaps before OFAC does
- Advise on specific or general license applications when you need to engage in otherwise prohibited transactions
- Guide voluntary self-disclosure when a potential violation is discovered, to maximize penalty mitigation
- Represent you in OFAC investigations and penalty proceedings
Whether you are building a compliance program from scratch, updating an existing program, or responding to an OFAC inquiry, early legal involvement significantly reduces your risk exposure. Contact our team for a confidential consultation.
Frequently Asked Questions
What should be on an OFAC compliance checklist?
An OFAC compliance checklist should include: SDN list screening for all customers and counterparties; transaction monitoring for sanctioned country indicators; beneficial ownership verification (50% rule); record-keeping for blocked transactions; employee training; regular program audits; procedures for voluntary self-disclosure; and escalation procedures for potential matches.
How often should OFAC compliance be reviewed?
OFAC compliance programs should be reviewed at least annually, and whenever new sanctions programs are introduced, your business expands into new markets, or there are regulatory developments. Screening lists should be checked against OFAC updates — which occur multiple times per week.
Is there a free OFAC compliance checklist?
OFAC publishes guidance documents that serve as the basis for compliance checklists, available at ofac.treasury.gov. However, a legally sound compliance program tailored to your specific business requires professional legal assistance. Our sanctions lawyers can audit your current program and provide a customized checklist.
What is the minimum OFAC compliance requirement?
At minimum, all U.S. persons must screen counterparties against OFAC sanctions lists before transacting and block any transactions involving SDN-listed parties. Financial institutions have additional obligations under BSA/AML regulations. OFAC recommends a risk-based compliance program proportionate to sanctions exposure.
What documents should be kept for OFAC compliance?
Records to maintain include: screening results and dates, blocked transaction reports (filed with OFAC within 10 business days), annual reports of blocked property, communications with OFAC, training records, and compliance program documentation. Records should be kept for at least 5 years.