
What is OFAC?
The Office of Foreign Assets Control (OFAC) is a US Treasury Department agency that administers and enforces economic sanctions against targeted countries, entities, and individuals. Its authority comes from presidential wartime and national emergency powers, as well as legislation including the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA).
OFAC was established in 1950 as the successor to the Office of Foreign Funds Control, which was created in 1940 to prevent Axis powers from using foreign exchange holdings in occupied countries. Today it operates over 30 active sanctions programs targeting jurisdictions, regimes, terrorist organizations, narcotics traffickers, weapons proliferators, and other actors that threaten US national security.
How OFAC sanctions work
OFAC sanctions take two main forms.
- Comprehensive sanctions prohibit nearly all transactions with a targeted country or jurisdiction. Current comprehensive sanctions programs cover Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine, among others. Transactions with these jurisdictions are broadly prohibited unless a specific license applies.
- Targeted sanctions restrict dealings with specific individuals and entities rather than entire countries. These are administered through the Specially Designated Nationals and Blocked Persons List, commonly known as the SDN List. Parties on the SDN List have their US-held assets frozen, and US persons are generally prohibited from conducting any business with them.
OFAC also maintains several other lists, including the Sectoral Sanctions Identifications (SSI) List, which restricts specific types of transactions with listed entities in targeted sectors such as Russian finance and energy, and the Foreign Sanctions Evaders (FSE) List.
When a transaction involves a sanctioned party or jurisdiction, the business must either block the funds, freezing them in a segregated account and reporting to OFAC, or reject the transaction outright, depending on the circumstances. Blocking applies when the funds are property of a sanctioned party. Rejection applies when the transaction would violate sanctions but no property interest of a sanctioned party is involved.
Who is subject to OFAC
OFAC's reach extends further than most businesses expect. The following are subject to OFAC regulations:
- All US persons, including US citizens and permanent residents wherever located, and all entities organized under US law
- All persons and entities physically located in the United States
- Foreign branches of US companies
- Any transaction that passes through the US financial system or is denominated in USD
That last point is significant for cross-border payment operators. A wire transfer denominated in USD typically clears through a US correspondent bank, bringing it within OFAC's jurisdiction regardless of where the sender or recipient is located. A foreign company with no US presence can still trigger OFAC obligations if its payments touch the US dollar clearing system.
OFAC has also made clear that the virtual currency industry is within scope. Crypto exchanges, stablecoin platforms, and other digital asset businesses are required to screen transactions and counterparties against OFAC lists.
OFAC and payments screening
Any business processing payments with exposure to US persons, USD, or the US financial system needs to screen transactions and counterparties against OFAC lists. In practice this means:
- Screening customer names, beneficial owners, and counterparties against the SDN List and other relevant lists at onboarding and on an ongoing basis
- Screening payment details, including originator and beneficiary information, against OFAC lists before executing transfers
- Maintaining policies for how to handle a match, including blocking, rejecting, and reporting procedures
- Keeping records of all screened transactions and any blocked or rejected payments
For ACH and wire transfers, OFAC screening obligations apply to both the originating and receiving institution. For international ACH transactions (IATs), both the originating depository financial institution (ODFI) and the receiving depository financial institution (RDFI) are responsible for compliance, regardless of whether the OFAC flag in the IAT is set.
Screening systems typically use fuzzy matching to catch name variations, aliases, and transliterations of names on OFAC lists. Matching logic that is too strict will miss real hits; logic that is too loose generates high volumes of false positives that require manual review. Calibrating this threshold is one of the core operational challenges of OFAC compliance.
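The threshold trade-off described above can be seen in a small screening sketch. This is an added example, not code from any OFAC tool or vendor. The watchlist entries, the `WL-` identifiers and the payment names are constructed, and `difflib`'s similarity ratio stands in for whatever matching algorithm a production screening system uses.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist entries (not real SDN records), each with its aliases.
WATCHLIST = {
    "WL-001": ["Aleksandr Petrovich Volkonsky", "Alexander Volkonski"],
    "WL-002": ["Jose Maria Ordonez Trading LLC"],
}

# Constructed payment parties with ground truth: the entry they should hit, or None.
SAMPLES = [
    ("VOLKONSKY, Aleksandr Petrovich", "WL-001"),  # reordered, punctuation
    ("Alexandr Volkonskiy", "WL-001"),             # transliteration variant
    ("José María Ordóñez Trading", "WL-002"),      # diacritics, missing suffix
    ("Alexandra Volkova", None),                   # similar but unrelated party
    ("Northwind Logistics GmbH", None),            # clearly unrelated
]

def normalize(name):
    """Fold case, strip diacritics and punctuation, sort tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.lower())
    return " ".join(sorted(cleaned.split()))

def score(a, b):
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(name, threshold):
    """Return [(entry_id, best_score)] for entries scoring at or above threshold."""
    hits = []
    for entry_id, aliases in WATCHLIST.items():
        best = max(score(name, alias) for alias in aliases)
        if best >= threshold:
            hits.append((entry_id, round(best, 2)))
    return sorted(hits, key=lambda h: -h[1])

def sweep(thresholds):
    """Per threshold: (missed true matches, false positives) over SAMPLES."""
    results = {}
    for t in thresholds:
        missed = fp = 0
        for name, expected in SAMPLES:
            ids = {entry_id for entry_id, _ in screen(name, t)}
            if expected and expected not in ids:
                missed += 1
            fp += len(ids - {expected})
        results[t] = (missed, fp)
    return results
```

Running `sweep([0.70, 0.85, 0.95])` on this constructed data shows the strict setting missing the transliterated and suffix-less names, and the loose setting flagging the unrelated party for manual review.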
OFAC compliance programs
OFAC strongly encourages all organizations subject to its jurisdiction to maintain a formal Sanctions Compliance Program (SCP). OFAC's own framework, published in its Framework for OFAC Compliance Commitments, identifies five essential components:
- Management commitment: Senior leadership support and adequate resources dedicated to the compliance function
- Risk assessment: A holistic review of the organization's exposure across customers, products, counterparties, geographies, and payment types
- Internal controls: Policies and procedures that identify, escalate, and report potentially prohibited transactions
- Testing and auditing: Regular review of the program's effectiveness, including both internal and external audits
- Training: Job-specific education for all relevant employees, conducted at least annually
A well-documented SCP is a mitigating factor in enforcement proceedings. OFAC has explicitly stated that organizations with effective compliance programs at the time of an apparent violation may receive reduced penalties.
Penalties for OFAC violations
OFAC violations can result in civil and criminal penalties.
For civil violations, the maximum penalty under IEEPA as of January 2025 is the greater of $377,700 per violation or twice the value of the underlying transaction. For egregious violations, the statutory maximum applies per transaction, which can result in total penalties running into the tens or hundreds of millions of dollars for organizations with large transaction volumes.
For willful criminal violations, penalties under IEEPA can reach $1,000,000 (USD) per violation and up to 20 years imprisonment for individuals.
Voluntary self-disclosure is a meaningful mitigant. OFAC reduces the base penalty to half the transaction value, capped at $188,850 per violation, for non-egregious cases where the organization self-discloses. This creates a strong incentive to report apparent violations promptly rather than hoping they go undetected.
OFAC and KYC
OFAC compliance overlaps with but is distinct from KYC and AML obligations. KYC verifies who a customer is. OFAC screening checks whether that customer or their transaction is prohibited.
Both are required, and both depend on accurate customer data, but they serve different legal purposes and are administered by different agencies. KYC and AML obligations in the US sit primarily with FinCEN under the Bank Secrecy Act; OFAC obligations sit with the Treasury's Office of Foreign Assets Control.
A business that has strong KYC processes but no OFAC screening program is still exposed to sanctions risk. The two programs need to be designed and operated together.