OFAC Sanctions Screening: Compliance for Payment Firms

The US Office of Foreign Assets Control (OFAC) administers one of the world's most extensive and most enforced sanctions programmes. For payment firms — whether US-domiciled or international firms processing USD transactions — OFAC compliance is not a peripheral concern. The combination of primary sanctions (which apply to US persons and transactions touching the US financial system) and the extraterritorial reach of secondary sanctions creates a compliance obligation that affects virtually any firm participating in global payments. Understanding OFAC's requirements, the lists that matter, and the enforcement track record is essential for any payment compliance professional.

OFAC's Primary Sanctions Lists

Specially Designated Nationals (SDN) List

The SDN list is the core OFAC sanctions list. It contains individuals, entities, and vessels that US persons — and entities that facilitate transactions on behalf of US persons — are prohibited from transacting with. SDNs span all of OFAC's sanctions programmes: Russia, Iran, North Korea, Syria, Venezuela, Cuba, narcotics traffickers, proliferators of weapons of mass destruction, and many others. As of early 2026, the SDN list contains over 12,000 entries. Transactions with SDNs must be blocked (funds frozen) or rejected depending on the programme; the distinction matters for compliance procedures and required reporting to OFAC.

Non-SDN Lists

Beyond the SDN list, OFAC maintains several other lists with specific legal consequences:

  • Non-SDN Menu-Based Sanctions (NS-MBS) List: Entities subject to specific, targeted sanctions rather than the comprehensive prohibitions applicable to SDNs. Permitted transactions are limited by the specific authorisation applicable to each programme.
  • Non-SDN Palestinian Legislative Council (NS-PLC) List: Specific to OFAC's Middle East Terrorism sanctions.
  • Sectoral Sanctions Identifications (SSI) List: Entities in specified sectors of the Russian economy subject to sectoral sanctions under Executive Order 13662. SSI entities are not fully blocked like SDNs but are subject to specific prohibitions on debt/equity transactions above defined maturity thresholds.
  • Foreign Sanctions Evaders (FSE) List: Foreign individuals and entities that have violated US sanctions or helped others do so. US persons and entities are prohibited from transacting with FSEs.

The 50% Rule

One of the most practically complex aspects of OFAC compliance is the 50% rule. OFAC considers an entity to be subject to the same prohibitions as an SDN if it is owned, directly or indirectly, 50% or more by an SDN — even if the entity itself does not appear on the SDN list. This rule applies regardless of how many layers of ownership exist between the SDN and the entity: if an SDN owns 51% of Company A, which owns 51% of Company B, then Company B is a blocked entity.

The 50% rule is aggregated: if two SDNs each own 25% of an entity, the combined SDN ownership is 50% and the entity is blocked. The rule also applies in the other direction: an entity is not blocked if SDN ownership is 49% or less — though this near-miss situation warrants enhanced scrutiny and may attract OFAC attention.

The practical compliance implication is that sanctions screening against named lists is not sufficient on its own. Firms must maintain procedures to assess whether customers or transaction counterparties are owned or controlled by SDNs at the beneficial ownership level. This requires beneficial ownership data, which is why OFAC compliance and KYC/CDD processes must be integrated.
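The rule as described above, applied to beneficial ownership data, is a fixed-point computation over an ownership graph. The following is an added example, not code from the original article or from OFAC; all entity names and stakes are constructed, and the 40% review floor is an assumed internal policy value.

```python
from collections import defaultdict

# Constructed sample data: (owner, owned entity, percent stake). All names are hypothetical.
STAKES = [
    ("SDN_1", "Company A", 51.0),
    ("Company A", "Company B", 51.0),   # indirect: blocked via Company A
    ("SDN_1", "Company C", 25.0),
    ("SDN_2", "Company C", 25.0),       # aggregated: 25 + 25 = 50
    ("SDN_1", "Company D", 49.0),       # near miss: not blocked, flag for review
    ("Company B", "Company E", 30.0),
    ("Company C", "Company E", 20.0),   # two blocked non-listed owners, 50 in total
    ("Company D", "Company F", 100.0),  # owner is not blocked, so nothing propagates
]
LISTED = {"SDN_1", "SDN_2"}
THRESHOLD = 50.0
REVIEW_FLOOR = 40.0  # assumed internal policy value for near-miss review, not an OFAC figure


def blocked_share(stakes, blocked):
    """Sum, per entity, the stakes held by owners currently treated as blocked."""
    share = defaultdict(float)
    for owner, entity, pct in stakes:
        if owner in blocked:
            share[entity] += pct
    return share


def apply_fifty_percent_rule(stakes, listed, threshold=THRESHOLD):
    """Return (blocked entities that are not on the list, near-miss entities)."""
    blocked = set(listed)
    while True:
        share = blocked_share(stakes, blocked)
        newly = {e for e, pct in share.items() if pct >= threshold} - blocked
        if not newly:
            break
        blocked |= newly  # a newly blocked entity's own holdings now count
    near_miss = {e for e, pct in share.items()
                 if REVIEW_FLOOR <= pct < threshold and e not in blocked}
    return blocked - set(listed), near_miss


if __name__ == "__main__":
    derived, review = apply_fifty_percent_rule(STAKES, LISTED)
    print("blocked by ownership:", sorted(derived))
    print("enhanced scrutiny:", sorted(review))
```

The loop terminates even on circular ownership structures because the blocked set only grows. Company E shows why a single pass over the named list is not enough: none of its direct owners is listed.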

Screening Frequency and Triggers

Sanctions lists are updated continuously — OFAC makes designation decisions on any business day, and designations can occur without advance notice. The compliance question is: how frequently should firms re-screen their customer base and transaction counterparties against current lists?

For new customers and transactions, screening must occur at the point of onboarding and before transaction processing. For existing customers, ongoing screening, at minimum daily re-screening of the customer base against updated lists, is a widely adopted industry standard. Some firms screen against list updates in real time as they are published.

Trigger-based re-screening should supplement scheduled screening: whenever a customer relationship undergoes a material change (new beneficial owner, change of address, new product access), the screening should be refreshed. Adverse media monitoring that identifies a link between a customer and a sanctioned person should trigger immediate screening.

False Positive Management

Sanctions screening generates large volumes of false positives — alerts for customers or counterparties whose names are similar to, but not the same as, designated persons. Common reasons include: shared common names (particularly common surnames in certain cultures), transliteration variations (especially for names from Arabic, Russian, or Chinese), and incomplete matching data. A sanctions alert for "John Smith" is virtually guaranteed to be a false positive; an alert for "Mohammad Al-Rashid" requires more careful analysis to determine whether it matches a listed individual of that name.

False positive management requires a structured investigation process: record the alert, review the matching criteria, compare identifying information (date of birth, nationality, address) against the listed person's attributes, and document the conclusion with a clear rationale. Where the comparison definitively excludes a match, the alert can be closed and the customer cleared. Where uncertainty remains, escalation to a sanctions specialist or legal counsel is appropriate.

Firms must not pre-emptively dismiss alerts based on commercial pressure. OFAC enforcement actions have explicitly cited cases where compliance staff closed sanctions alerts without adequate investigation because of time pressure or commercial concerns about the customer relationship. This is a violation of the firm's own procedures and, in some circumstances, can constitute a wilful sanctions violation.

OFAC Enforcement: The Track Record

OFAC's enforcement record demonstrates its willingness to impose very large penalties for sanctions violations. Significant recent enforcement actions include: BitPay ($507,375 civil penalty, 2021, for processing cryptocurrency transactions connected to OFAC-sanctioned jurisdictions without adequate controls); PayPal ($206,213, 2021, for processing transactions involving blocked persons and sanctioned countries); Bittrex ($24 million, 2022, for apparent violations involving users in OFAC-sanctioned jurisdictions); and SUEX OTC ($1 million+, 2021, the first cryptocurrency exchange designated as a primary money laundering concern). These actions demonstrate that fintech and crypto firms are fully within OFAC's enforcement perimeter.

OFAC's enforcement discretion considers several mitigating factors: whether the violation was voluntarily self-disclosed, whether the firm had a compliance programme in place (even if it failed), the harm caused, the value of the transactions involved, and whether the firm cooperated with OFAC's investigation. Voluntary self-disclosure typically results in a 50% reduction in the base penalty — a powerful incentive to identify and report potential violations promptly rather than hoping they are not discovered.
