OFAC Screening Guide — How to Screen Against Sanctions Lists

OFAC screening is mandatory for US persons and many non-US financial institutions. Our lawyers help businesses implement compliant screening programs and resolve false positive matches on SDN and consolidated sanctions lists.


Quick Answer

OFAC screening means checking customers, transactions, and counterparties against the SDN list and other OFAC sanctions lists before processing a payment or establishing a business relationship. US persons—including banks, fintechs, and crypto exchanges—are legally required to screen. A positive match must be blocked and reported to OFAC within 10 business days.

What Is OFAC Screening?

OFAC screening is the process of checking individuals, entities, vessels, and transactions against sanctions lists maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). The purpose of OFAC screening is to ensure that U.S. persons and regulated financial institutions do not conduct business with sanctioned parties — including terrorists, narcotics traffickers, proliferators of weapons of mass destruction, and foreign governments subject to comprehensive embargoes.

OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals. Compliance with OFAC regulations is not optional: violations can result in civil monetary penalties, criminal prosecution, and severe reputational damage. The legal basis for OFAC’s authority comes from the International Emergency Economic Powers Act (IEEPA), the Trading with the Enemy Act (TWEA), and various executive orders and statutes targeting specific countries, individuals, and entities.

At its core, OFAC screening means comparing the names, addresses, identification numbers, and other identifying information of customers, counterparties, and business partners against OFAC’s published lists — most notably the Specially Designated Nationals and Blocked Persons List (SDN List). When a match is found, the institution must take immediate action: block the transaction, freeze the assets, and report the match to OFAC.

Who Must Screen Against OFAC Lists

OFAC regulations apply broadly to U.S. persons, which includes:

  • U.S. citizens and permanent residents, regardless of where they are located
  • All persons and entities located within the United States
  • U.S.-incorporated entities and their foreign branches
  • Any person conducting transactions in U.S. dollars (due to dollar clearing through U.S. correspondent banks)

In practice, this means virtually every U.S.-regulated institution must maintain a robust OFAC screening program. The following categories of entities face the highest compliance exposure:

Financial Institutions

Banks, credit unions, broker-dealers, money services businesses (MSBs), insurance companies, and payment processors are required to screen all customers, transactions, and counterparties against OFAC lists. The Bank Secrecy Act (BSA) and OFAC regulations work in tandem — OFAC compliance is separate from AML compliance and cannot be satisfied by AML controls alone.

Cryptocurrency Exchanges and Virtual Asset Service Providers (VASPs)

OFAC has made clear that cryptocurrency exchanges, DeFi platforms, NFT marketplaces, and other virtual asset service providers are subject to the same OFAC obligations as traditional financial institutions. This includes screening both customers and blockchain wallet addresses against OFAC’s SDN List, which now includes specific cryptocurrency addresses.

Fintechs and Payment Platforms

Fintech companies offering payment services, peer-to-peer transfers, or financial products to U.S. customers must screen against OFAC lists. The growth of API-based financial services has not reduced OFAC obligations — if anything, regulators have increased scrutiny of fintechs that process high volumes of cross-border transactions.

Exporters, Importers, and Trade Finance

Companies engaged in international trade, logistics, shipping, and supply chain operations must screen customers, counterparties, vessels, and end-users of exported goods. Export licensing requirements under the Export Administration Regulations (EAR) and OFAC are closely related.

Non-U.S. Entities

Although OFAC’s primary jurisdiction covers U.S. persons, non-U.S. entities can face exposure if they process U.S. dollar transactions, use U.S. correspondent banks, or employ U.S. persons. Many non-U.S. financial institutions voluntarily implement OFAC screening to maintain access to U.S. dollar clearing and correspondent banking relationships.

OFAC Lists to Screen Against

OFAC maintains over 30 sanctions programs and publishes multiple lists. The key lists for screening purposes include:

Specially Designated Nationals and Blocked Persons List (SDN List)

The SDN List is OFAC’s primary enforcement list and the most critical for compliance. It contains the names of individuals, companies, and other entities (including vessels and aircraft) whose assets must be blocked and with whom U.S. persons are generally prohibited from dealing. The SDN List is updated frequently — sometimes multiple times per week — and must be checked against current versions.

Consolidated Sanctions List

OFAC publishes a Consolidated Sanctions List that combines the SDN List with other OFAC-administered lists, including the Sectoral Sanctions Identifications (SSI) List, the Foreign Sanctions Evaders (FSE) List, the Non-SDN Palestinian Legislative Council (NS-PLC) List, and others. Many compliance programs screen against the full Consolidated Sanctions List rather than the SDN List alone.

OFSI and UK Sanctions Lists

Following Brexit, the UK’s Office of Financial Sanctions Implementation (OFSI) administers its own financial sanctions regime, separate from EU sanctions. UK financial institutions, and non-UK entities doing business in the UK or processing GBP transactions, must screen against OFSI’s Consolidated List of Financial Sanctions Targets.

EU Consolidated Sanctions List

The European Union maintains its own consolidated list of persons, groups, and entities subject to EU financial sanctions. EU-regulated entities must screen against this list, which is maintained by the European Commission and updated through Council Regulations implementing specific EU sanctions programs.

UN Security Council Consolidated List

The United Nations Security Council publishes its own Consolidated List of individuals and entities subject to measures imposed by the Security Council, including arms embargoes and travel bans. OFAC and many other national sanctions regulators implement UN Security Council designations into their own lists.

List | Issued by | Who Must Screen | Key Content
SDN List | OFAC (US) | All US persons | Individuals, entities, vessels, aircraft
Consolidated Sanctions List | OFAC (US) | All US persons | SDN + sectoral + other OFAC programs
EU Consolidated Sanctions List | EU | EU persons & entities | Country-specific EU programs
UK Financial Sanctions List | OFSI | UK persons & entities | Post-Brexit UK autonomous regime
UN Security Council Lists | UN | All UN member states | Al-Qaeda, Taliban, DPRK, etc.

How OFAC Screening Works

OFAC screening involves comparing identifying information about a person or entity against entries on sanctions lists. In theory this sounds straightforward — in practice it is highly complex, because names can be spelled in multiple ways, transliterated from different scripts, or deliberately altered to evade detection.

Name Matching Algorithms

Modern OFAC screening systems use sophisticated name-matching algorithms to identify potential matches between customer data and sanctions list entries. Common techniques include:

  • Exact matching: Direct string comparison — effective for standardized identifiers but insufficient for name variations
  • Fuzzy matching: Algorithms that score the similarity between two strings, accounting for typos, transpositions, and minor spelling differences (e.g., Levenshtein distance, Jaro-Winkler similarity)
  • Phonetic matching: Algorithms like Soundex or Metaphone that match names based on how they sound, useful for cross-language transliteration (e.g., “Mohammed” vs. “Muhammad” vs. “Mohamed”)
  • Token-based matching: Breaking names into individual tokens and matching each component, useful for multi-part names and names in different orders
  • AI and machine learning: Increasingly used to improve match accuracy and reduce false positives through training on historical match decisions

Match Scoring and Thresholds

Most screening systems assign a match score (typically expressed as a percentage) reflecting the similarity between a screening candidate and a sanctions list entry. Institutions set screening thresholds (e.g., 85% similarity triggers a review) that balance the risk of missing true matches against the operational cost of reviewing false positives. Setting the threshold too high creates compliance risk; setting it too low creates alert fatigue and operational strain.
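
The following is an added example, not code from this page or from any screening vendor. It combines normalization, token-based matching, and Levenshtein similarity into a match score and applies a review threshold. The watchlist names are constructed, and the hyphen handling and scoring rule are assumptions chosen for illustration; phonetic matching is not included.

```python
import re
import unicodedata

# Constructed watchlist entries for illustration; not from any real sanctions list.
WATCHLIST = ["Mohammed Al-Testani", "Jörg Beispielmann", "Ostrava Sample Trading LLC"]


def normalize(name):
    """Fold case and diacritics, then split the name into tokens."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    # Assumption: hyphens and apostrophes join name parts ("Al-Testani" -> "altestani").
    folded = folded.lower().replace("-", "").replace("'", "")
    return re.findall(r"[a-z0-9]+", folded)


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a, b):
    """Edit distance scaled to 0..1, where 1.0 means identical tokens."""
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def name_score(candidate, listed):
    """Order-independent score: each token of the shorter name is paired with
    its best match in the longer name, and the results are averaged.
    This favours recall: a partial name can score 1.0 against a longer entry."""
    a, b = normalize(candidate), normalize(listed)
    if not a or not b:
        return 0.0
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    return sum(max(similarity(s, t) for t in long_) for s in short) / len(short)


def screen(candidate, watchlist, threshold=0.85):
    """Return (entry, score) pairs at or above the review threshold, best first."""
    scored = [(entry, round(name_score(candidate, entry), 3)) for entry in watchlist]
    return sorted((h for h in scored if h[1] >= threshold), key=lambda h: -h[1])


if __name__ == "__main__":
    for query in ["Muhammad Altestani", "Beispielmann, Jorg", "Jane Ordinary"]:
        print(query, "->", screen(query, WATCHLIST))
```

Raising the threshold to 0.90 drops the "Muhammad Altestani" hit (score 0.875), which is the trade-off between missed matches and alert volume described above.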

False Positives

False positives are matches flagged by the screening system that, upon investigation, do not represent actual sanctioned parties. False positives are an unavoidable feature of any name-based screening program, particularly for common names (e.g., “Ali Hassan,” “Wang Wei”) or names that coincidentally resemble SDN entries. A well-designed screening program includes clear procedures for investigating and resolving false positives efficiently without compromising compliance integrity.

Automated vs. Manual Screening

Organizations typically choose between automated screening tools (for high-volume, real-time screening) and manual processes (for lower-volume or more complex reviews).

Automated Screening Tools

The leading commercial sanctions screening platforms include:

  • Refinitiv World-Check (LSEG): One of the most widely used global risk intelligence databases, covering politically exposed persons (PEPs), sanctions, and adverse media. Used by thousands of financial institutions worldwide.
  • Dow Jones Risk & Compliance: Comprehensive sanctions, PEP, and adverse media screening, integrated with Dow Jones news and data assets.
  • ComplyAdvantage: AI-driven AML and sanctions screening platform that combines structured sanctions list data with real-time adverse media monitoring.
  • LexisNexis Bridger Insight: Widely used in the U.S. for BSA/AML and OFAC screening, with deep integration into U.S. financial institution workflows.
  • Accuity (Bankers Almanac) / Firco Compliance Link: Focused on payment screening and real-time transaction filtering, widely used by correspondent banks and wire transfer processors.

Automated tools offer significant advantages: real-time screening, audit trails, consistent application of matching rules, and scalability. However, they require proper configuration, regular testing, and governance to ensure they remain effective and do not generate unmanageable alert volumes.

Manual Screening

For smaller institutions or lower-risk activities, manual screening against OFAC’s published lists (available for free download at OFAC’s website) may be sufficient. Manual screening is generally appropriate only where transaction volumes are low and customer bases are stable. It is not suitable for real-time payment processing or high-volume onboarding environments.

OFAC Screening for Crypto Businesses

The cryptocurrency industry presents unique challenges for OFAC screening. Unlike traditional finance, where parties can be identified through account numbers and verified identities, crypto transactions involve pseudonymous blockchain addresses. OFAC has addressed this directly: the SDN List now includes specific cryptocurrency wallet addresses associated with designated parties, and OFAC has made clear that blockchain transactions involving SDN-listed addresses are prohibited.

Blockchain Address Screening

Crypto compliance requires screening both customer identities (through KYC procedures) and blockchain wallet addresses. When a customer sends or receives funds from an SDN-listed wallet address — even without knowing it — the VASP may be in violation of OFAC sanctions. Leading blockchain analytics providers have developed tools to address this:

  • Chainalysis: The market-leading blockchain analytics platform, used by financial institutions, exchanges, and law enforcement to trace crypto transactions, identify high-risk addresses, and flag SDN-listed wallets.
  • Elliptic: A blockchain analytics and risk management platform that provides transaction monitoring, wallet screening, and sanctions compliance tools for VASPs and financial institutions.
  • TRM Labs: Provides blockchain intelligence and risk management, including sanctions screening for crypto businesses.
  • CipherTrace: Now part of Mastercard, offering AML and sanctions compliance tools for crypto businesses.

Travel Rule Compliance

FATF’s Travel Rule (implemented in the U.S. through FinCEN’s rules and in the EU through the Transfer of Funds Regulation) requires VASPs to collect and transmit originator and beneficiary information for crypto transfers above certain thresholds. Travel Rule compliance data also feeds into sanctions screening by providing identifying information that can be matched against sanctions lists.

DeFi and Smart Contract Risk

Decentralized finance (DeFi) protocols present additional complexity for OFAC compliance. OFAC’s designation of Tornado Cash in August 2022 demonstrated that smart contracts themselves can be designated as SDN entities, and that interacting with designated smart contracts can constitute an OFAC violation. Crypto businesses must monitor OFAC designations closely and assess their exposure to DeFi protocols.

What to Do When You Get an OFAC Match

When a screening system flags a potential OFAC match, institutions must follow a defined escalation and investigation procedure. The standard process involves the following steps:

Step | Action | Timeframe
1 | Block or reject the transaction immediately | Immediate
2 | Do not inform the customer (tipping-off risk) | Immediate
3 | Document everything — transaction details, match basis | Same day
4 | Escalate to compliance officer / legal counsel | Same day
5 | File blocked/rejected transaction report with OFAC | Within 10 business days
6 | If false positive: submit name removal request to OFAC | As soon as possible

Step 1: Alert Review and Initial Assessment

The screening alert is reviewed by a trained compliance analyst. The analyst compares all available identifying information — name, date of birth, nationality, passport number, address, account numbers — between the flagged customer or transaction and the sanctions list entry. The goal is to determine whether the match is genuine (a “true positive”) or a false positive.

Step 2: Block or Reject

If the match is determined to be a true positive — meaning the customer or counterparty is, in fact, an SDN or otherwise designated party — the institution must act immediately:

  • Block the transaction: Funds must be blocked (frozen) and held in a separate blocked assets account. The institution may not return the funds to the sender or transfer them to the intended recipient.
  • Reject the transaction (where appropriate): For transactions that do not involve property that must be blocked (e.g., a rejected SWIFT transfer that has not yet been accepted), the transaction may be rejected and returned to the originating institution.

Step 3: Report to OFAC

Institutions that block or reject transactions must report to OFAC within specific timeframes:

  • Blocked transactions: Must be reported to OFAC within 10 business days of blocking, with annual reports of all blocked property thereafter.
  • Rejected transactions: Must be reported to OFAC within 10 business days of rejection.

Step 4: Escalate and Document

All match investigations must be documented thoroughly, including the data reviewed, the decision reached, and the identity of the analyst and supervisor who approved the decision. In regulated institutions, OFAC match decisions are subject to review by senior compliance officers and, in significant cases, legal counsel.

False Positives and How to Resolve Them

False positives are an inherent challenge of name-based sanctions screening. When a compliance analyst determines that a flagged individual or entity is not, in fact, a sanctioned party, the match can be cleared through a documented false positive disposition — and the transaction can proceed.

Documenting False Positives

Every false positive determination must be documented with the specific reasons why the match was rejected, including:

  • Differences in date of birth, nationality, or identification numbers
  • Geographic information inconsistencies
  • Business or personal context that clearly distinguishes the individual from the SDN entry

OFAC Specific License

In some cases, a transaction involves a designated party but may be permitted under an OFAC-issued specific license. Specific licenses can be requested from OFAC for humanitarian transactions, legal services, or other activities that fall within OFAC’s licensing policy. Applying for a specific license is a formal process and requires legal expertise.

OFAC Delisting Petitions

If a party believes it has been erroneously designated — or that the reasons for designation no longer exist — it may submit a delisting petition to OFAC. The petition process involves presenting evidence that the designation was made in error or that the designated party has come into compliance with applicable law. Delisting petitions are complex administrative proceedings that typically require experienced sanctions counsel.

Administrative Appeals and Judicial Review

OFAC designations can also be challenged through administrative review processes and, in some cases, in federal court. Recent court decisions (including challenges to the Tornado Cash designation) have clarified the limits of OFAC’s authority and the due process rights of designated parties. Legal challenges to OFAC designations require specialized expertise in both administrative law and sanctions law.

Penalties for Failing to Screen

OFAC has broad authority to impose civil and criminal penalties for violations of U.S. sanctions laws. Civil penalties can be imposed on a strict liability basis — meaning that even innocent violations, without any intent to evade sanctions, can result in substantial fines.

Civil Monetary Penalties

The maximum civil monetary penalty for a single OFAC violation is the greater of $364,992 (adjusted annually for inflation) or twice the value of the violating transaction. For systemic violations involving thousands of transactions, total civil penalties can reach hundreds of millions of dollars.

Enforcement Examples

  • BitPay (2021): OFAC settled with BitPay for $507,375 for processing transactions with customers in sanctioned jurisdictions including Cuba, Iran, North Korea, and the Crimea region — despite having sanctions screening in some areas, gaps in their compliance program allowed violations to occur.
  • Bittrex (2022): OFAC and FinCEN jointly imposed penalties totaling $53 million on Bittrex for AML and OFAC compliance failures, including failure to prevent transactions with users in sanctioned jurisdictions.
  • Payoneer (2023): OFAC settled with Payoneer for $1.4 million for processing payments that benefited individuals in Cuba, Iran, and Sudan.
  • Standard Chartered Bank (2019): Paid $1.1 billion in combined settlements with OFAC, DOJ, NYDFS, and other regulators for sanctions violations involving transactions with Iran, Myanmar, Zimbabwe, Sudan, and Cuba.

Criminal Penalties

Willful violations of OFAC regulations can result in criminal prosecution under IEEPA, with maximum penalties of $1,000,000 per violation and up to 20 years of imprisonment for individuals.

Collateral Consequences

Beyond monetary penalties, OFAC enforcement actions can result in loss of banking licenses, debarment from government contracts, exclusion from U.S. correspondent banking relationships, and severe reputational damage that affects a company’s ability to operate in global markets.

Frequently Asked Questions

What is OFAC screening?

OFAC screening is the process of checking individuals, entities, and transactions against the Office of Foreign Assets Control (OFAC) sanctions lists—primarily the SDN List—before conducting business. It is legally required for all US persons and entities, and for many foreign financial institutions processing USD transactions.

All US persons — including individuals, corporations, and financial institutions — are legally required to conduct OFAC screening. This includes banks, money service businesses, insurance companies, cryptocurrency exchanges, import/export companies, law firms, and any business dealing with international counterparties.

If a transaction or customer matches the SDN list, you must immediately block (freeze) the transaction or property and file a report with OFAC within 10 business days. Do not inform the customer of the match. Contact legal counsel to assess whether the match is a true positive or a false positive requiring a name removal request.

OFAC recommends screening at customer onboarding, before each transaction, and whenever the OFAC lists are updated (typically several times per week). High-risk businesses and financial institutions should implement real-time automated screening integrated into their transaction processing systems.

Yes, especially with common names or names transliterated from Arabic, Persian, or Russian. A false positive occurs when a legitimate customer matches an SDN entry but is not the same person. You should implement a documented false positive review process. If your own name or your company appears on the SDN list incorrectly, a sanctions lawyer can file a name removal petition with OFAC.
