AML (Anti-Money Laundering) compliance is governed by the Bank Secrecy Act (BSA) and enforced by FinCEN (Financial Crimes Enforcement Network). Its purpose is to detect and report suspicious financial activity — primarily through Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs).
OFAC (Office of Foreign Assets Control) compliance is a U.S. Treasury sanctions regime requiring financial institutions to screen every customer and transaction against the Specially Designated Nationals (SDN) List. Unlike AML, OFAC operates under strict liability — civil penalties apply even without intent to violate.
In short: AML focuses on detecting illicit money flows; OFAC focuses on blocking transactions with sanctioned parties. Both are mandatory, but they operate under separate legal frameworks and cannot substitute for one another.
For financial institutions operating in or with the United States, AML and OFAC compliance are not optional — and they are not interchangeable. Understanding how each program works, where they overlap, and how to build a unified compliance structure is critical for avoiding penalties that in FY2024 alone exceeded $1.5 billion in OFAC enforcement actions.
This guide explains the key differences, the specific responsibilities under each regime, and best practices for a combined AML and OFAC sanctions compliance program in 2025-2026. If your institution is facing an investigation or needs to build or remediate a compliance program, our OFAC compliance program attorneys can help.
AML vs OFAC: Comparison Table
| Dimension | AML / BSA (FinCEN) | OFAC Sanctions |
|---|---|---|
| Regulatory Body | FinCEN + prudential regulators (OCC, Federal Reserve, FDIC) | OFAC (U.S. Department of Treasury) |
| Legal Basis | Bank Secrecy Act (31 U.S.C. § 5311) | IEEPA, TWEA, program-specific statutes |
| Purpose | Detect and report suspicious activity (money laundering, terrorism financing) | Block transactions with sanctioned persons, entities, and countries |
| Screening Type | Transaction monitoring, PEP screening, adverse media, high-risk typologies | SDN List, Consolidated Sanctions List, country/sector-based restrictions |
| Enforcement Standard | Risk-based — reasonable steps required | Strict liability — intent not required for civil penalties |
| Reporting | SARs and CTRs filed with FinCEN (transaction continues) | Blocking/rejection reports filed with OFAC within 10 business days (transaction stops) |
| Penalties | Up to $1M+ per violation; criminal charges possible | Over $1.5B in FY2024 enforcement; strict liability civil penalties |
| Who Must Comply | Banks, MSBs, broker-dealers, insurers (regulated financial institutions) | All U.S. persons and any entity with a U.S. nexus |

AML Compliance Responsibilities
AML compliance in the United States is governed primarily by the Bank Secrecy Act (BSA), administered by FinCEN and examined by prudential regulators including the OCC, Federal Reserve, and FDIC. The BSA requires financial institutions to maintain an AML program with four core elements: written policies and procedures, a designated compliance officer, ongoing employee training, and independent auditing.
Currency Transaction Reports (CTRs)
Financial institutions must file a Currency Transaction Report for any cash transaction exceeding $10,000 in a single business day — including multiple transactions by the same customer that aggregate above the threshold. CTRs are filed electronically with FinCEN within 15 days. CTR filing is not discretionary: the obligation is triggered automatically by the transaction amount, regardless of whether the activity appears suspicious.
Suspicious Activity Reports (SARs)
When a transaction or series of transactions involves at least $5,000 (or $2,000 for MSBs) and the institution knows, suspects, or has reason to suspect that the funds derive from illegal activity, involve evasion of BSA requirements, or are designed to evade reporting, the institution must file a SAR with FinCEN within 30 days of detecting the suspicious activity (60 days if no suspect can be identified). SAR filings are strictly confidential — the customer may not be notified.

Customer Due Diligence (CDD) and KYC
Since the 2018 FinCEN CDD Rule, covered financial institutions must collect and verify beneficial ownership information for legal entity customers — identifying natural persons who own 25% or more of the entity, plus one control person. Know Your Customer (KYC) procedures form the foundation of every AML program: identity verification at onboarding, risk profiling, and ongoing monitoring for changes in customer behavior.
Transaction Monitoring
AML transaction monitoring systems analyze customer behavior against expected patterns, flagging deviations that may indicate structuring, layering, or other money laundering typologies. Effective monitoring requires calibration to the institution’s specific customer base and risk profile — regulators have increasingly scrutinized institutions that deploy generic rule sets without tuning them to reflect actual business activity.
OFAC Compliance Responsibilities
OFAC administers U.S. economic sanctions programs — comprehensive and targeted — under authority granted by Congress through statutes including the International Emergency Economic Powers Act (IEEPA) and the Trading With the Enemy Act (TWEA). OFAC’s jurisdiction extends to all U.S. persons, U.S. entities (including foreign branches), and any transaction with a U.S. nexus.

SDN List Screening
The Specially Designated Nationals and Blocked Persons (SDN) List is OFAC’s primary enforcement tool. It currently contains over 15,000 entries covering individuals, companies, vessels, and aircraft. Financial institutions must screen all customers, counterparties, and transactions against the SDN List — as well as OFAC’s other sanctions lists including the Sectoral Sanctions Identifications (SSI) List and the Non-SDN Menu-Based Sanctions List.
Blocking and Rejection Requirements
When screening identifies a match with an SDN-listed party, the institution’s response depends on the type of transaction:
- Blocking: Funds or property of a sanctioned party must be blocked — frozen in a segregated, interest-bearing account. The institution cannot release or transfer blocked funds without an OFAC license.
- Rejection: Transactions that do not involve property of a sanctioned party but are prohibited under OFAC’s programs (e.g., transactions with certain countries) must be rejected — returned to the originator.
OFAC Reporting Requirements
Institutions must file a blocking report with OFAC within 10 business days of blocking property. Annual reports are required for all blocked property held at year-end. Rejected transactions must also be reported to OFAC. Failure to report is itself a separate violation, independent of the underlying transaction.
OFAC Licenses
In some circumstances, an institution or its customer may seek an OFAC license to authorize a transaction that would otherwise be prohibited. General Licenses are published by OFAC and authorize classes of transactions; Specific Licenses are granted case-by-case. Institutions should have clear procedures for identifying when a license application may be appropriate and for processing licensed transactions.
How AML and OFAC Work Together in a Compliance Program

Despite operating under different legal frameworks, AML and OFAC compliance are deeply interconnected in practice — and must be designed to work together. OFAC-listed entities frequently engage in precisely the typologies AML transaction monitoring is designed to detect: structuring, layering funds through shell companies, and using complex cross-border payment chains. A robust compliance program leverages both regimes as mutually reinforcing controls.
The Critical Operational Difference
The most important thing compliance officers must understand is that AML and OFAC require different operational responses. When an AML alert is generated, the institution investigates and, if the activity is deemed suspicious, files a SAR — the transaction may continue processing. When an OFAC match is identified, the transaction must be immediately blocked or rejected. Filing a SAR for a transaction that should have been blocked under OFAC is not a substitute for OFAC compliance and provides no defense against sanctions violations.
Five-Pillar OFAC Compliance Framework
OFAC has identified five core components that regulators assess in examinations. Financial institutions should build their program around all five pillars:
- Management Commitment — Senior leadership must allocate adequate resources and designate a qualified OFAC Compliance Officer with board-level access. OFAC examiners look for active engagement, not nominal support.
- Risk Assessment — Conduct documented, periodic assessments of sanctions exposure based on customers, products, services, and geographies. High-risk indicators include correspondent banking, international wire activity, and connections to OFAC-designated countries.
- Internal Controls — Implement screening procedures covering customer onboarding, transaction screening against all OFAC lists, and counterparty due diligence. Escalation paths must be clearly defined.
- Testing and Auditing — Independent testing must assess whether controls function in practice. Audit findings must be remediated with documented action plans and reported to the board.
- Training — Job-specific training must be delivered to all personnel whose roles touch sanctions compliance, from front-line staff to senior management.
Integrated vs Siloed Programs
Institutions that maintain AML and OFAC compliance in organizational silos face significant risk that transactions will not receive full scrutiny under both regimes. Best practices for 2025-2026 include:
- Unified case management systems that share intelligence between AML and OFAC workflows
- Shared typology libraries and coordinated escalation protocols
- Clearly delineated procedures distinguishing AML investigations (ongoing, confidential) from OFAC matches (immediate operational response required)
- Coordinated audit coverage — AML examiners (from prudential regulators) and OFAC examiners assess different things; internal audit must cover both
- False positive management — Screening systems generate substantial false positives due to name matching. Institutions need documented procedures for efficiently reviewing, clearing, and escalating potential matches
Penalties for AML vs OFAC Violations

Understanding the penalty exposure under each regime — and how they differ — is essential for calibrating compliance investment and risk tolerance.
AML / BSA Penalties
BSA violations can result in civil money penalties of up to $1 million or more per violation under 31 U.S.C. § 5321. For willful violations, criminal penalties are available under 31 U.S.C. § 5322, including fines of up to $250,000 and imprisonment of up to five years (ten years for violations involving other criminal activity). FinCEN enforcement actions have targeted institutions for systemic AML program failures — inadequate transaction monitoring, failure to file SARs, and insufficient CDD procedures.
Notable recent AML enforcement actions have involved penalties in the hundreds of millions — and in the case of TD Bank’s 2024 guilty plea, over $3 billion in combined penalties across AML and related charges.
OFAC Penalties
OFAC civil penalties are assessed on a strict liability basis — meaning intent to violate is not required. The base civil penalty per violation is the greater of $368,136 (adjusted annually for inflation) or twice the transaction value. In egregious cases involving willful conduct, penalties can be significantly higher.
In FY2024, OFAC resolved enforcement actions across banking, fintech, oil and gas, and cryptocurrency sectors totaling over $1.5 billion. Enforcement is expanding beyond traditional banks — recent actions have reached companies in sectors with limited prior OFAC exposure.
Criminal penalties for willful OFAC violations can include fines up to $1 million per violation and imprisonment up to 20 years. Corporate officers can be held personally liable.
Factors OFAC Considers in Penalty Calculations
OFAC’s Economic Sanctions Enforcement Guidelines identify factors that can reduce or increase penalties, including: whether the violation was voluntarily self-disclosed, the institution’s compliance program at the time of the violation, cooperation with OFAC’s investigation, harm to sanctions program objectives, and whether the institution is a recidivist. Proactive voluntary disclosure and a demonstrably robust compliance program are the most significant mitigating factors available. If your institution is facing an OFAC investigation, contact our OFAC enforcement attorneys immediately.
AML and Sanctions Compliance: 2025-2026 Regulatory Trends
The compliance landscape for both AML and OFAC continues to evolve rapidly. Financial institutions should be monitoring several key developments:
- Expanded OFAC enforcement scope: OFAC is enforcing against non-traditional sectors including technology companies, sports and entertainment, and cryptocurrency exchanges — not just banks.
- AI and model governance: Regulators now expect documented model governance, audit trails, and ongoing validation for any AI systems used in compliance functions, including transaction monitoring and OFAC alert adjudication.
- Cryptocurrency compliance: Both FinCEN and OFAC have issued guidance on virtual currency compliance, and enforcement actions against crypto exchanges have accelerated. BSA/AML and OFAC obligations apply fully to digital asset transactions.
- Beneficial ownership: The Corporate Transparency Act’s beneficial ownership reporting requirements and FinCEN’s forthcoming revised CDD rule will significantly expand KYC obligations for many institutions.
- Global convergence: The EU’s new Anti-Money Laundering Authority (AMLA) is operational, signaling global convergence toward stricter standards. U.S. institutions with EU operations must monitor both regimes.