OFAC screening means checking the names you do business with — customers, vendors, counterparties, often their shareholders — against sanctions lists maintained by the U.S. Treasury's Office of Foreign Assets Control. If a name matches, you generally can't transact until you've either cleared the match as a false positive or blocked the transaction and reported it.
That's the one-sentence version. What follows is what I wish someone had told me before I started building SanctScan: what the lists actually contain, why fuzzy matching is harder than it looks, and where most compliance teams quietly cut corners.
Who OFAC regulates (hint: probably you)
OFAC is part of the U.S. Treasury. It administers economic and trade sanctions as an instrument of U.S. foreign policy and national security. Common misconception: OFAC rules only apply to banks. They don't.
"U.S. persons" — the group required to comply — includes:
- U.S. citizens and permanent residents, wherever they live
- Any entity organised under U.S. law, including its foreign branches
- Anyone physically located in the United States, regardless of nationality
- In some sanctions programs (Cuba, Iran), even foreign subsidiaries owned or controlled by U.S. persons
Non-U.S. businesses also get pulled into OFAC's orbit when their transactions touch the U.S. financial system (correspondent banking in USD), use U.S.-origin goods or software, or involve U.S. persons. A European fintech routing a single wire through a New York correspondent bank has exposure. So does an export company selling semiconductors that contain any U.S.-origin components above the de minimis threshold.
If your business does any of the following, you're in scope:
- Onboard customers, vendors or suppliers
- Process cross-border payments
- Sell software or services to customers outside the U.S.
- Ship goods internationally
- Hold or manage funds for someone else
Small companies are not exempt. OFAC has fined sole-proprietorship shipping agents, regional banks, and tech startups. The enforcement data is public. ofac.treasury.gov publishes settlement agreements, and reading five of them changes how you think about risk.
What lists OFAC maintains
Most people mean "the SDN list" when they say "OFAC screening," but there are several lists and they behave differently.
The SDN list
The Specially Designated Nationals and Blocked Persons List is the big one. Around 12,000–15,000 designations at any given time, covering individuals, companies, vessels and aircraft. If a name is on the SDN list, U.S. persons are prohibited from virtually any dealings with them. Assets in U.S. jurisdiction must be blocked (frozen) and the blocking reported to OFAC within ten business days.
The SDN list is organised by sanctions program — counter-terrorism, counter-narcotics, Russia-related, Iran-related, and dozens more. Each program has its own legal basis and nuances, but the screening mechanics are the same.
You can screen for free against the SDN list on sanctscan.app/check/ofac without an account.
The 50% rule (the one that gets people fined)
An entity isn't on the SDN list, but one or more of its owners is. You clear the entity during onboarding because its name doesn't match anything. Six months later, OFAC puts out a press release saying that entity was controlled all along by an SDN through a 55% stake held by a shell in Cyprus.
This is the 50% rule: if one or more SDN-designated persons own, in aggregate, 50% or more of an entity, that entity is also blocked. Automatically. Even if it's never appeared on any published list. The rule is outlined in OFAC guidance from 2014.
Two consequences that trip people up:
- Aggregation matters. Two SDNs who each own 30% of a company, individually below 50%, combined own 60% — that company is blocked.
- Ownership chains propagate. If SDN A owns 60% of Company X, and Company X owns 55% of Company Y, then Company Y is also blocked under the rule.
Screening names alone isn't enough. You need to know beneficial ownership, at least down to the level reasonable for your risk profile, and screen the owners too.
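The aggregation and chain-propagation consequences above are mechanical enough to compute once you hold an ownership graph. The following is an added example in Python, not SanctScan's code; the ownership graph, the entity names and the `apply_fifty_percent_rule` function are all constructed for illustration. A blocked intermediary's stake is counted at its full size, matching the Company X / Company Y example in the text rather than multiplying percentages down the chain.

```python
from collections import defaultdict

# Constructed ownership graph: (owner, entity, percentage). All names are made up.
OWNERSHIP = [
    ("SDN-A", "Company X", 60.0),
    ("Clean Holdings", "Company X", 40.0),
    ("Company X", "Company Y", 55.0),          # chain: X is blocked, so X's stake counts
    ("Clean Holdings", "Company Y", 45.0),
    ("SDN-B", "Company Z", 30.0),              # aggregation: 30 + 30 crosses 50
    ("SDN-C", "Company Z", 30.0),
    ("Minority Fund", "Company Z", 40.0),
    ("SDN-A", "Company W", 40.0),              # below threshold: not blocked
    ("Clean Holdings", "Company W", 60.0),
]
DESIGNATED = {"SDN-A", "SDN-B", "SDN-C"}   # constructed stand-ins for SDN-listed persons


def apply_fifty_percent_rule(ownership, designated, threshold=50.0):
    """Return {entity: (blocked_person_ownership_pct, is_blocked)}.

    'Blocked' means a designated person or any entity that has crossed the
    threshold. The loop runs to a fixpoint: once a holding company is blocked,
    its stakes in other entities count in full on the next pass (chain
    propagation), and several sub-threshold stakes held by blocked persons
    are summed (aggregation). The blocked set only grows, so the loop ends."""
    holdings = defaultdict(lambda: defaultdict(float))  # entity -> owner -> pct
    for owner, entity, pct in ownership:
        holdings[entity][owner] += pct

    blocked = set(designated)
    exposure = {}
    changed = True
    while changed:
        changed = False
        for entity, owners in holdings.items():
            total = sum(pct for owner, pct in owners.items() if owner in blocked)
            exposure[entity] = total
            if total >= threshold and entity not in blocked:
                blocked.add(entity)
                changed = True
    return {e: (round(exposure[e], 2), e in blocked) for e in holdings}


if __name__ == "__main__":
    for entity, (pct, is_blocked) in apply_fifty_percent_rule(OWNERSHIP, DESIGNATED).items():
        status = "BLOCKED" if is_blocked else "clear"
        print(f"{entity:10s} blocked-person ownership {pct:5.1f}%  -> {status}")
```

The result is independent of the order in which the stakes are listed, because the fixpoint loop keeps re-evaluating until no entity changes state. Company W shows the other side of the rule: a 40% SDN stake alone does not block, which is exactly why the remaining 60% has to be traced to its beneficial owners before the entity can be cleared.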
SSI, FSE, NS-CMIC and the others
OFAC maintains supplementary lists that impose targeted restrictions rather than full blocking. The SSI (Sectoral Sanctions Identifications) restricts specific transaction types, typically new debt or equity, with named Russian entities in certain sectors. The FSE (Foreign Sanctions Evaders) targets those who help SDNs evade sanctions; U.S. persons are barred from dealing with them. The NS-CMIC (Non-SDN Chinese Military-Industrial Complex) list stops U.S. persons from investing in listed Chinese companies' securities.
Each list has its own rulebook. A confirmed hit doesn't always mean "block the transaction." Sometimes it means "don't extend 30-day credit" or "can't buy their equity." Screening has to capture these lists, but adjudication varies by list.
The Consolidated Screening List
The U.S. government maintains a Consolidated Screening List that combines OFAC lists with the Commerce Department's Entity List, the State Department's Debarred List, and several others. For importers, exporters and freight forwarders, screening the CSL rather than just the SDN list is the practical default. SanctScan screens both — see /check/us-consolidated.
What non-compliance actually costs
The statutory maximums are eye-watering. Civil penalties under the International Emergency Economic Powers Act can reach the greater of roughly $377,700 per violation (adjusted annually for inflation) or twice the underlying transaction value. Wilful criminal violations carry up to $1 million and 20 years in prison.
The real-world fines tell you more than the statutes:
- BNP Paribas (2014) — $8.9 billion for processing billions of dollars in prohibited transactions through the U.S. financial system on behalf of Sudanese, Iranian and Cuban parties.
- Binance (2023) — $968 million to OFAC (plus FinCEN and DOJ components totalling $4.3 billion) for systemic failures to block trades for users in sanctioned jurisdictions.
- Bittrex (2022) — $24 million for more than 116,000 transactions worth nearly $263 million with users in Crimea, Cuba, Iran, Sudan and Syria.
- Deutsche Bank (2015) — $258 million combined US settlement (NYDFS + Federal Reserve) for transactions on behalf of Iranian, Libyan, Syrian, Burmese and Sudanese parties; OFAC's specific portion was a much smaller civil penalty (~$258K).
Those are the headline cases. The more instructive ones are the smaller settlements. $50,000 here, $200,000 there. Freight forwarders who let a single shipment slip through. E-commerce platforms that didn't geo-block Crimea quickly enough. Payment processors that screened on day one and never rescreened.
Fines are just the start. Correspondent banks derisk. Relationships unwind. Regulatory attention follows you around for years.
How screening actually works (and where it breaks)
The textbook workflow is simple:
- Collect — gather the entity's legal name, date of birth (for individuals), country of operation, government identifiers.
- Screen — run that data against sanctions lists using fuzzy matching.
- Adjudicate — decide whether each hit is a true positive or a false positive.
- Document — log the search, the decision, and the reasoning.
- Act — block the transaction or reject the business if confirmed, file a report where required.
- Rescreen — repeat periodically because the lists change.
Every step has pitfalls.
Names aren't reliable
OFAC lists contain Arabic, Cyrillic, Chinese, Persian, Burmese and many other scripts transliterated into English, often in several ways. The Libyan leader's surname appears as Gaddafi, Qaddafi, Kadafi, Qadhafi and several other variants across lists over the years. Exact-match screening on the "wrong" spelling misses the hit. Good fuzzy matching uses phonetic algorithms (Soundex, Metaphone), edit-distance metrics, and alias tables that capture known transliteration variants.
Going too loose is a different failure mode. If every search returns fifty fuzzy hits, compliance analysts stop reading them carefully. You want to maximise true-positive detection while keeping false positives manageable, and that balance is tuneable, not fixed.
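To make the exact-versus-fuzzy trade-off concrete, here is an added Python example (not SanctScan's matching engine) that combines the three ingredients named above: script-aware normalisation, an edit-distance score, a Soundex phonetic key, and an alias table. The list entries, the `SAMPLE_LIST` aliases and the 0.85 phonetic score are constructed for illustration; `screen()` with `threshold=1.0` is exact matching, and lowering the threshold shows both the transliteration hit that exact matching misses and the same-sounding false positive that adjudication then has to clear.

```python
import re
import unicodedata

# Constructed sample entries (not real OFAC data). The alias list models the
# transliteration variants the post describes; "Alex Smith" is here to show a
# phonetic near-miss that adjudication must clear.
SAMPLE_LIST = [
    {"uid": "TEST-001", "name": "Muammar Gaddafi",
     "aliases": ["Muammar Qaddafi", "Moammar Kadafi", "Muammar Qadhafi"]},
    {"uid": "TEST-002", "name": "Alex Smith", "aliases": []},
    {"uid": "TEST-003", "name": "Ivan Petrov", "aliases": ["Iván Petróv"]},
]

_SOUNDEX = {}
for digit, letters in enumerate(("BFPV", "CGJKQSXZ", "DT", "L", "MN", "R"), 1):
    for ch in letters:
        _SOUNDEX[ch] = str(digit)


def normalise(name):
    """Lower-case, strip diacritics and punctuation, split into tokens: 'Petróv' -> ['petrov']."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9 ]+", " ", stripped.lower()).split()


def levenshtein(a, b):
    """Edit distance with a two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def soundex(word):
    """American Soundex: first letter plus three digits (Smith and Smyth -> S530)."""
    word = word.upper()
    if not word:
        return ""
    out, last = word[0], _SOUNDEX.get(word[0], "")
    for ch in word[1:]:
        code = _SOUNDEX.get(ch, "")
        if code and code != last:
            out += code
        if ch not in "HW":  # H and W do not separate repeated codes; vowels do
            last = code
    return (out + "000")[:4]


def name_score(query, candidate):
    """Similarity in [0, 1]. An exact normalised match scores 1.0; otherwise take the
    better of edit-distance similarity and a fixed 0.85 when every token matches
    phonetically (the 0.85 is an illustrative weight, not a tuned value)."""
    q, c = normalise(query), normalise(candidate)
    if q == c:
        return 1.0
    qs, cs = " ".join(q), " ".join(c)
    edit_sim = 1 - levenshtein(qs, cs) / max(len(qs), len(cs), 1)
    phonetic = sorted(soundex(t) for t in q) == sorted(soundex(t) for t in c)
    return max(edit_sim, 0.85 if phonetic else 0.0)


def screen(query, entries=SAMPLE_LIST, threshold=0.8):
    """Return [(uid, score)] for entries whose name or any alias scores >= threshold.
    threshold=1.0 degrades to exact matching; the lower it goes, the more hits an
    analyst has to read."""
    hits = []
    for entry in entries:
        best = max(name_score(query, n) for n in [entry["name"], *entry["aliases"]])
        if best >= threshold:
            hits.append((entry["uid"], round(best, 3)))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for q in ("Moammar Kadafi", "Muamar Gadafi", "Alex Smyth", "Ivan Petrov"):
        print(f"{q:16s} exact={screen(q, threshold=1.0)}  fuzzy={screen(q)}")
```

"Muamar Gadafi" is the transliteration case: exact matching returns nothing, while the fuzzy score clears the 0.8 threshold. "Alex Smyth" is the other failure mode: it scores 0.9 against "Alex Smith" and lands on the analyst's desk as a hit, which is correct behaviour for the screener and exactly the kind of hit secondary identifiers have to resolve. Raising the threshold to 0.95 removes that hit, and also removes the Gaddafi variant, which is the tuning tension the paragraph above describes.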
Adjudication is judgement, not just matching
A name hit isn't a blockable match until you check secondary identifiers. Date of birth, country, government ID, any known aliases. If an SDN named "Alex Smith" was born in 1965 in Moscow, and your customer is an "Alex Smith" born in 1992 in Manchester, you've found a false positive. But you still need to document why you dismissed it.
This is where spreadsheet-based compliance falls apart. An email thread between two analysts saying "clearly not the same person" is not an audit trail. Regulators want to see that you screened, what you found, what you decided and why.
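The "Alex Smith" adjudication above, and the audit record it should leave behind, as an added Python example. This is not SanctScan's workflow; the hit, the customer record, the field names in `SECONDARY_FIELDS` and the JSON-lines format are all constructed for illustration. The one design decision worth copying is that a missing identifier is never treated as evidence either way: only a value present on both sides and contradicting can clear a hit, and anything else goes to a human.

```python
import json
from datetime import datetime, timezone

# Constructed records mirroring the post's example: an SDN born in 1965 in Moscow
# versus a customer born in 1992 in Manchester. Neither is real data.
LIST_HIT = {"uid": "TEST-002", "name": "Alex Smith", "dob": "1965-03-02", "country": "RU"}
CUSTOMER = {"customer_id": "C-1001", "name": "Alex Smith", "dob": "1992-11-19", "country": "GB"}

# Identifiers compared after a name hit. Field names are assumptions for this example.
SECONDARY_FIELDS = ("dob", "country", "national_id")


def adjudicate(list_hit, customer):
    """Compare secondary identifiers and return (decision, reasons).

    A value present on both sides that disagrees is a contradiction, and one
    contradiction is enough to clear the hit as a false positive. A field missing
    on either side is neither for nor against a match, so a hit with no
    contradictions is escalated for a human decision rather than auto-cleared."""
    reasons, contradictions = [], 0
    for field in SECONDARY_FIELDS:
        listed, ours = list_hit.get(field), customer.get(field)
        if listed is None or ours is None:
            reasons.append(f"{field}: unavailable on one side, not used")
        elif listed == ours:
            reasons.append(f"{field}: consistent ({listed})")
        else:
            reasons.append(f"{field}: mismatch (list {listed}, customer {ours})")
            contradictions += 1
    return ("false_positive" if contradictions else "escalate"), reasons


def record_decision(list_hit, customer, analyst, path=None):
    """Build the audit record a regulator will ask for: who decided what, when,
    and on which identifiers. Appends one JSON line to `path` when one is given,
    so the log is append-only and survives independently of any spreadsheet."""
    decision, reasons = adjudicate(list_hit, customer)
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "customer_id": customer["customer_id"],
        "list_uid": list_hit["uid"],
        "matched_name": list_hit["name"],
        "decision": decision,
        "reasons": reasons,
        "analyst": analyst,
    }
    if path:
        with open(path, "a", encoding="utf-8") as f:
            f.write(json.dumps(record) + "\n")
    return record


if __name__ == "__main__":
    print(json.dumps(record_decision(LIST_HIT, CUSTOMER, analyst="a.jones"), indent=2))
```

Run against the sample records, the decision is `false_positive` with two contradictions (date of birth and country) spelled out in the reasons, which is the sentence "clearly not the same person" turned into something an auditor can verify. Drop the customer's date of birth and set the country to RU and the same function escalates instead, because nothing contradicts the hit.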
Rescreening is often the missing step
List additions and removals happen daily. An existing customer who wasn't on any list when onboarded two years ago can get sanctioned tomorrow. If you don't rescreen your book of business regularly — weekly at minimum, daily for higher-risk portfolios — you're carrying blocked relationships you don't know about.
OFAC's 2019 framework for sanctions compliance explicitly calls out ongoing monitoring as one of the five essential components. Settlements routinely cite its absence.
When to screen (and how often)
At minimum:
- Onboarding — before opening an account, extending credit, or signing a vendor contract. Block the business upstream of operations.
- Transactions — for higher-risk transactions (large cross-border payments, new counterparties), screen the counterparty at the point of transaction, not just at onboarding.
- Continuous monitoring — rescreen the entire book of existing customers and counterparties on a fixed cadence. Daily if your risk profile warrants it, weekly as a reasonable default for SMB compliance programs.
Continuous monitoring catches two scenarios onboarding misses: existing customers who get sanctioned post-onboarding, and new designations to lists you didn't originally screen against (for example, your onboarding screen ran SDN only; EU and UN added the same name later).
Building vs buying a screening tool
The in-house option looks simple. Download the XML from treasury.gov, write a Python script, do Levenshtein matching. I've watched compliance officers in finance teams do exactly this for years. It works. Until it doesn't.
The hidden costs show up in four places. First, data ingestion: lists come in inconsistent formats across jurisdictions. OFAC publishes structured XML; the EU publishes its own XML; UK HMT publishes CSV. Parsing, normalising and reconciling aliases across lists is ongoing engineering work. Second, fuzzy matching quality: naïve Levenshtein produces noise. Production-grade matching needs phonetic indexing, n-gram overlap, script-aware normalisation, and a tuned threshold per score component. Third, rescreening at scale: re-running every customer name against every list every day means either holding the whole list in memory or building proper indexing, and neither is a weekend project. Fourth, audit trail durability: your screening logs need to survive infrastructure migrations, analyst turnover, and regulator requests years after the fact.
Buying lands faster. The market spans enterprise platforms (Dow Jones Risk, LexisNexis, Moody's Analytics), sold on multi-year, sales-quoted contracts with multi-month implementations, down to API-first tools built for SMBs and engineering teams with published monthly pricing.
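The first and third hidden costs, ingestion and rescreening, are where the "download the XML, write a Python script" plan starts to grow. The following added Python example (not SanctScan's ingestion code) parses a list snapshot into the normalised shape a screening engine indexes and diffs two snapshots to find what changed, which is what a rescreen after a list update actually needs. The snapshots are constructed; their layout (`sdnEntry`, `akaList`, `dateOfBirthList`) and the namespace are assumptions modelled loosely on the legacy sdn.xml format and must be checked against the schema OFAC currently publishes.

```python
import xml.etree.ElementTree as ET

# Constructed snapshots shaped loosely like the legacy sdn.xml layout. The
# namespace, element names and every entry below are assumptions/invented data.
NS = 'xmlns="http://tempuri.org/sdnList.xsd"'
ENTRY_1001 = """<sdnEntry><uid>1001</uid><lastName>GADDAFI</lastName><firstName>Muammar</firstName>
  <sdnType>Individual</sdnType><programList><program>TEST-PROGRAM</program></programList>
  <akaList><aka><uid>1</uid><type>a.k.a.</type><category>strong</category>
    <lastName>QADHAFI</lastName><firstName>Muammar</firstName></aka></akaList>
  <dateOfBirthList><dateOfBirthItem><uid>1</uid><dateOfBirth>1942</dateOfBirth></dateOfBirthItem></dateOfBirthList>
</sdnEntry>"""
ENTRY_1002 = """<sdnEntry><uid>1002</uid><lastName>EXAMPLE SHIPPING LLC</lastName><sdnType>Entity</sdnType>
  <programList><program>TEST-PROGRAM</program></programList></sdnEntry>"""
ENTRY_1003 = """<sdnEntry><uid>1003</uid><lastName>PETROV</lastName><firstName>Ivan</firstName>
  <sdnType>Individual</sdnType><programList><program>TEST-PROGRAM</program></programList></sdnEntry>"""


def snapshot(*entries):
    """Wrap entry fragments into one list document (constructed, for the example)."""
    return f"<sdnList {NS}>{''.join(entries)}</sdnList>"


def _strip_namespaces(root):
    """Make tag lookups independent of whichever namespace the publisher uses."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _text(el, tag):
    node = el.find(tag)  # direct child only, so an entry's name never picks up an alias's
    return node.text.strip() if node is not None and node.text else None


def _full_name(el):
    """Entities carry only lastName; individuals carry both parts."""
    return " ".join(p for p in (_text(el, "firstName"), _text(el, "lastName")) if p)


def parse_sdn_xml(xml_text):
    """Normalise a snapshot into {uid: {name, type, programs, aliases, dob}}."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    entries = {}
    for entry in root.iter("sdnEntry"):
        entries[_text(entry, "uid")] = {
            "name": _full_name(entry),
            "type": _text(entry, "sdnType"),
            "programs": [p.text for p in entry.iter("program") if p.text],
            "aliases": [n for n in (_full_name(aka) for aka in entry.iter("aka")) if n],
            "dob": [d for d in (_text(i, "dateOfBirth") for i in entry.iter("dateOfBirthItem")) if d],
        }
    return entries


def designation_delta(previous, current):
    """(added_uids, removed_uids) between two snapshots. 'added' is the set the whole
    customer book must be rescreened against; 'removed' is what may be un-flagged."""
    return sorted(set(current) - set(previous)), sorted(set(previous) - set(current))


if __name__ == "__main__":
    old = parse_sdn_xml(snapshot(ENTRY_1001, ENTRY_1002))
    new = parse_sdn_xml(snapshot(ENTRY_1001, ENTRY_1003))
    added, removed = designation_delta(old, new)
    print("added:", [new[u]["name"] for u in added], "removed:", [old[u]["name"] for u in removed])
```

The delta is the cheap part of daily rescreening: only names added since the last run need to be matched against the whole book, while the full list only needs re-indexing when aliases or identifiers on existing entries change. Multiply this parser by each jurisdiction's own format (the EU's XML, HMT's CSV) and reconcile their alias tables, and you have the ongoing work the paragraph above is describing.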
SanctScan sits in the latter bucket. The free tier covers 25 checks per month. Paid plans start at $19/month and include continuous monitoring, API access and audit-ready exports. You can compare options on our pricing page or read our vs. ComplyAdvantage and vs. Namescan write-ups.
Frequently asked questions
Is OFAC screening legally required?
For U.S. persons and any transaction involving U.S. jurisdiction, yes — U.S. sanctions law is a strict-liability regime. You don't need intent to violate OFAC rules; you need only to have transacted with a sanctioned party. That's why screening is framed as a defensive control, not a nice-to-have.
How is OFAC screening different from KYC?
KYC (Know Your Customer) is the broader framework of identifying and verifying who you're doing business with and understanding the nature of the relationship. Sanctions screening is one specific control within a KYC program — typically run after initial identity verification. You can have good KYC and bad sanctions screening, and vice versa.
Do I need to screen on every transaction or just at onboarding?
Onboarding is mandatory. Transaction-level screening depends on your risk profile. Banks generally screen every wire; e-commerce platforms might screen only at onboarding plus ongoing monitoring. Your sanctions compliance program should document the cadence and the reasoning.
What's the difference between the SDN list and the OFAC Consolidated List?
The SDN list is a single list maintained by OFAC. "OFAC Consolidated" colloquially refers to the combined OFAC lists (SDN + SSI + FSE + others). The U.S. government's Consolidated Screening List (CSL) is broader still — it combines all OFAC lists with lists from Commerce (Entity List, BIS Denied Persons) and State (Debarred List).
How often do OFAC lists update?
OFAC adds or removes designations multiple times per week. Daily rescreening is the gold standard; weekly is defensible for most SMB programs. Monthly is where regulatory risk starts accumulating.
Can I just use OFAC's sanctions search tool on the Treasury website?
Yes, for occasional one-off lookups. It's fine for checking a single name before a meeting. It doesn't scale — no API, no bulk upload, no audit trail, no fuzzy matching on aliases, and no monitoring. For any compliance program screening more than a dozen names a month, the Treasury search is not sufficient.
What's a false positive and how do I handle it?
A false positive is a name hit that turns out not to be the actual sanctioned individual — same name, different person. Document the adjudication: which secondary identifiers (DOB, country, ID) you used to clear it, who made the decision, when. Save it. Regulators routinely inspect false-positive decisions when auditing compliance programs.
What lists should a non-U.S. business screen against?
At a minimum: OFAC (because of the U.S. financial system), EU Consolidated Sanctions, UN Security Council, and the sanctions list of your home jurisdiction (for UK businesses, the UK HMT/OFSI list). SanctScan covers all major lists by default on every plan — no per-list surcharges.
Bottom line
OFAC screening stops you from doing business with someone the U.S. government has declared off-limits. The mechanics are straightforward. The failure modes are not. Thin fuzzy matching misses transliterations. Stale screening misses new designations. Weak adjudication workflows produce audit trails that don't survive a regulator's questions. And the 50% rule tends to catch the teams that thought name-matching was enough.
If you want to see screening in action, check a name for free. No signup. Covers OFAC SDN and the Consolidated List. When you're ready for ongoing monitoring and API access, the free plan handles 25 checks a month.