Sanctions Screening: OFAC, BSA/AML Compliance Best Practices 2026
Complete guide to sanctions screening in the US: OFAC SDN list, FinCEN BSA requirements, federal and state obligations, and best practices for American businesses in 2026.

Sanctions screening is the systematic verification of customers, counterparties, and transactions against government-issued lists of designated persons, entities, and jurisdictions subject to U.S. and international economic sanctions. For U.S.-regulated financial institutions, OFAC (Office of Foreign Assets Control) enforces sanctions compliance on a strict liability basis (intent is irrelevant), while FinCEN (Financial Crimes Enforcement Network) oversees BSA/AML program requirements that complement sanctions screening. In fiscal year 2024, OFAC civil enforcement actions resulted in penalties exceeding $1.5 billion, with the median penalty for non-egregious violations reaching $250,000 per transaction.
This guide covers OFAC's screening requirements, the interplay between BSA/AML and sanctions compliance, key lists to monitor, and the operational best practices that leading compliance programs implement in 2026.
What is sanctions screening?
Sanctions screening is the process of checking customers, transactions, and business partners against government-issued prohibition lists before conducting business or executing payments. It differs from broader BSA/AML transaction monitoring: sanctions screening targets the identity of parties (are they designated?), while transaction monitoring analyzes behavioral patterns (is this activity suspicious?). Both are required components of a comprehensive AML/CFT program under U.S. federal law.
As of January 1, 2026, FinCEN's final rule extending Bank Secrecy Act requirements to Registered Investment Advisers (RIAs) and Exempt Reporting Advisers (ERAs), published September 4, 2024, requires these entities to implement AML/CFT programs including sanctions screening as a mandatory component (31 CFR Part 1032).
U.S. sanctions compliance is distinct from and additional to BSA/AML obligations. OFAC regulations apply to all U.S. persons (citizens, permanent residents, entities organized under U.S. law) and all persons within the United States, regardless of citizenship.
Key sanctions lists for U.S.-regulated businesses
| List | Issuing authority | Scope | Update frequency |
|---|---|---|---|
| SDN List (Specially Designated Nationals) | OFAC / U.S. Treasury | U.S. persons + extraterritorial (USD) | Near-daily |
| Non-SDN Consolidated List (NS-C) | OFAC | U.S. persons | Regular |
| Sectoral Sanctions Identifications (SSI) | OFAC | Sector-specific restrictions | Per executive order |
| CAPTA List | OFAC | Correspondent account restrictions | Per designation |
| FinCEN 314(a) list | FinCEN | Suspicious persons (law enforcement) | Bi-weekly |
| EU Consolidated List | Council of the EU | EU jurisdictions (relevant for U.S. firms with EU ops) | Variable |
| UN Security Council List | UN Security Council | Global (193 member states) | Per resolution |
The OFAC SDN List contains over 15,000 designations as of March 1, 2026. OFAC maintains over 38 separate sanctions programs targeting specific countries (Cuba, Iran, North Korea, Russia, Syria), regimes, and activity-based programs (counter-terrorism, counter-narcotics, cyber-related).
OFAC sanctions programs and their legal basis
Each OFAC sanctions program derives from a distinct statutory and executive order authority. Understanding the legal basis is critical for determining the scope of prohibited transactions and available licensing exceptions.
Country-based programs, targeting Cuba (CACR), Iran (ITSR), North Korea (NKSR), Russia (EO 14024), and Syria (SySR), impose comprehensive or targeted restrictions depending on the program. The Russia sanctions program, substantially expanded since February 2022, now covers financial services, energy, metals, mining, and defense-related sectors under multiple executive orders.
Activity-based programs cover terrorism (E.O. 13224), narcotics trafficking (Kingpin Act), malicious cyber activities (E.O. 13694), and proliferation of weapons of mass destruction (E.O. 13382).
Compliance professionals on specialized forums frequently ask: "Does OFAC require a formal screening program in writing, or is it implied by the strict liability standard?" OFAC does not mandate a specific written program structure for all U.S. persons, but for financial institutions subject to federal banking examination, the FFIEC BSA/AML Examination Manual explicitly requires documented sanctions compliance programs. For non-bank financial institutions, OFAC's published Framework for OFAC Compliance Commitments (May 2019) sets out the five essential components of an effective program.
The OFAC 50% Rule and beneficial ownership
The OFAC 50% Rule is one of the most operationally complex aspects of U.S. sanctions compliance. Under this rule, any entity owned, directly or indirectly, 50% or more in the aggregate by one or more SDN-listed persons is itself treated as blocked, regardless of whether it appears explicitly on the SDN List.
This means screening the SDN List for the entity's name is insufficient. Compliance programs must also analyze the ultimate beneficial ownership (UBO) structure of every corporate counterparty, tracing ownership chains through multiple layers until the controlling beneficial owners are identified. OFAC's guidance clarifies that multiple SDN-listed persons' ownership stakes are aggregated: if Person A holds 30% and Person B holds 25%, and both are SDNs, the entity is blocked.
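The aggregation and multi-layer tracing described above can be expressed as a fixed-point computation over an ownership graph. This is an added example, not code from the article or from any vendor it mentions; the party names and percentages are constructed, and it assumes indirect ownership cascades only through entities that are themselves blocked.

```python
# Constructed sample data; none of these names are real designations.
SDN = {"Person A", "Person B"}  # parties assumed to be SDN-listed

# entity -> {direct owner: percent held}; stands in for extracted UBO data
OWNERSHIP = {
    "OpCo":    {"HoldCo": 60, "Investor Z": 40},
    "HoldCo":  {"Person A": 30, "Person B": 25, "Investor Z": 45},
    "ShipCo":  {"Person B": 20, "HoldCo": 35, "Investor Y": 45},
    "TradeCo": {"Person A": 30, "Investor Y": 70},
    "FundCo":  {"TradeCo": 100},
}

def blocked_stake(entity, blocked, ownership=OWNERSHIP):
    """Aggregate percent of `entity` held directly by currently blocked parties."""
    return sum(pct for owner, pct in ownership.get(entity, {}).items()
               if owner in blocked)

def apply_fifty_percent_rule(sdn=SDN, ownership=OWNERSHIP):
    """Return {party: reason} for listed parties and entities blocked by ownership."""
    blocked = {party: "listed" for party in sdn}
    changed = True
    while changed:  # repeat until a full pass blocks nothing new
        changed = False
        for entity in ownership:
            if entity in blocked:
                continue
            stake = blocked_stake(entity, blocked, ownership)
            if stake >= 50:
                # A newly blocked entity passes its own holdings down the chain,
                # so later passes re-evaluate entities it owns (e.g. OpCo).
                blocked[entity] = f"{stake}% held by blocked parties"
                changed = True
    return blocked

if __name__ == "__main__":
    for party, reason in sorted(apply_fifty_percent_rule().items()):
        print(f"{party}: {reason}")
```

HoldCo, ShipCo and OpCo come back blocked although none of them is listed by name, while TradeCo (30% SDN-held) and its subsidiary FundCo do not.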
CheckFile's KYC platform automates the extraction of beneficial ownership data from corporate documentation (articles of incorporation, shareholder registers, operating agreements) and feeds this structured data directly into sanctions screening workflows. This eliminates the manual research bottleneck that frequently causes UBO-related compliance gaps.
BSA/AML and OFAC: complementary but distinct frameworks
A common misconception among compliance teams, frequently raised in r/compliance and banking professional forums, is that a robust BSA/AML program automatically covers OFAC requirements. This is incorrect.
BSA/AML and OFAC compliance are legally distinct frameworks with different authorities, enforcement mechanisms, and requirements:
| Dimension | BSA/AML (FinCEN) | OFAC Sanctions |
|---|---|---|
| Authority | Bank Secrecy Act (31 U.S.C. § 5311 et seq.) | International Emergency Economic Powers Act (IEEPA); Trading with the Enemy Act (TWEA) |
| Enforcement | FinCEN (civil) + DOJ (criminal) | OFAC (civil) + DOJ (criminal) |
| Standard | Risk-based, reasonable steps | Strict liability (civil) |
| Key requirement | SAR filing, CIP, transaction monitoring | Blocking, rejecting, reporting transactions |
| Reporting | SARs to FinCEN | OFAC Annual/Blocking Reports to OFAC |
Financial institutions subject to the FFIEC Examination Manual must demonstrate that their BSA/AML compliance program and their OFAC compliance program address each framework's distinct requirements. OFAC deficiencies identified during a BSA/AML examination are referred to OFAC for independent enforcement action.
The FinCEN 314(a) process is also distinct from sanctions screening: it allows law enforcement to request that financial institutions search their records for specific named individuals or entities suspected of terrorism or money laundering. Institutions have 14 days to respond to 314(a) requests and must designate a 314(a) point of contact. 314(a) information must not be used for any purpose other than compliance with the request; it cannot be treated as a sanctions list.
Types of sanctions screening in the U.S. context
Customer screening (CIP-linked): All U.S. financial institutions must screen new customers against the SDN List and other OFAC lists as part of their Customer Identification Program (CIP) requirements under 31 CFR 1020.220. This is a pre-onboarding requirement: the screening must occur before the account is opened or the relationship is established.
Transaction screening: Real-time screening of payment instructions, wire transfers, and international ACH transactions is required for OFAC compliance. OFAC regulations specifically require that blocked and rejected transactions be identified before they are executed. For correspondent banking and international wire transfers, screening must cover both the originator and beneficiary chains.
Periodic rescreening: Existing customers must be rescreened on an ongoing basis when OFAC updates its lists. The frequency of rescreening should be documented in the institution's OFAC compliance program, calibrated to the institution's risk profile and the velocity of sanctions list changes (which accelerated significantly after February 2022).
Best practices for OFAC sanctions screening in 2026
1. Implement a risk-based screening program documented in writing
OFAC's May 2019 Framework identifies five essential components: (1) management commitment, (2) risk assessment, (3) internal controls, (4) testing and auditing, and (5) training. Examiners from the OCC, Federal Reserve, and FDIC review these components during BSA/AML examinations and may refer deficiencies to OFAC for civil enforcement.
2. Calibrate fuzzy matching thresholds by customer risk tier
Sanctions screening name-matching must account for transliterations, aliases, common name variants, and data entry errors. OFAC's SDN List includes aliases (AKA entries); screening only against primary names misses significant designation coverage. High-risk customer segments (high-value accounts, international counterparties, PEP-adjacent relationships) should use lower similarity thresholds with mandatory manual review.
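A minimal sketch of alias-aware matching with tiered thresholds, added here as an illustration and not taken from the article or any screening product. The watchlist entries are constructed, the threshold values are assumptions, and Python's `difflib` ratio stands in for whatever similarity measure a production engine uses.

```python
from difflib import SequenceMatcher

# Assumed thresholds for illustration; real values come from calibration testing.
THRESHOLDS = {"high": 0.85, "standard": 0.92}

# Constructed watchlist entries (not real designations): primary name plus AKAs.
WATCHLIST = [
    {"id": "DEMO-001", "name": "Yousef Karimov", "aka": ["Y. K. Holdings"]},
    {"id": "DEMO-002", "name": "Northgate Maritime LLC",
     "aka": ["Blue Heron Shipping"]},
]

def normalize(name):
    """Lower-case, replace punctuation with spaces, collapse whitespace."""
    kept = "".join(c if c.isalnum() or c.isspace() else " " for c in name.lower())
    return " ".join(kept.split())

def similarity(a, b):
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(customer, tier, include_aliases=True):
    """Return [(entry id, matched list name, score)] at or above the tier threshold."""
    hits = []
    for entry in WATCHLIST:
        names = [entry["name"]] + (entry["aka"] if include_aliases else [])
        best = max(names, key=lambda n: similarity(customer, n))
        score = similarity(customer, best)
        if score >= THRESHOLDS[tier]:
            # Every hit is an alert for manual review, never an automatic decision.
            hits.append((entry["id"], best, round(score, 3)))
    return hits

if __name__ == "__main__":
    print(screen("Yusuf Karimov", "high"))        # transliteration variant
    print(screen("Yusuf Karimov", "standard"))    # same name, stricter tier
    print(screen("Blue-Heron Shipping", "standard"))
    print(screen("Blue-Heron Shipping", "standard", include_aliases=False))
```

The transliteration variant alerts only under the lower high-risk threshold, and the alias-only match disappears entirely when AKA entries are left out of the comparison set.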
3. Implement real-time transaction screening for wire transfers
Federal Reserve, OCC, and FDIC examination guidance requires real-time OFAC screening of wire transfer instructions for all federally regulated banks. Delayed screening (processing payments before the OFAC check completes) is an OFAC violation even if the screen ultimately shows no match. Batch screening is not compliant for real-time payment systems.
4. Manage the blocking and rejection process correctly
When a transaction matches an OFAC designation, the regulatory response depends on the sanctions program:
- Blocking: Required for property of SDN-listed persons. The funds must be placed in an interest-bearing blocked account, and a blocking report filed with OFAC within 10 business days.
- Rejecting: Required for transactions that are prohibited but not blocking-eligible (e.g., payments to non-SDN-listed entities in sanctioned countries under certain programs). A rejected transaction report must be filed with OFAC within 10 business days.
5. Conduct annual independent OFAC program validation
OFAC's framework and federal examination guidance expect annual independent testing of the sanctions screening program, conducted by a function separate from first-line compliance. Testing should cover: list coverage completeness, algorithm calibration accuracy, transaction screening coverage gaps, and alert disposition documentation quality.
CheckFile's document verification platform integrates sanctions screening into document-based onboarding workflows, reducing manual handoffs between compliance and operations teams. See our AML compliance guide for a framework to embed OFAC screening within a comprehensive BSA/AML program.
Penalties and enforcement
OFAC civil enforcement is based on strict liability (no proof of intent required), with statutory maximum penalties varying by sanctions program:
| Sanctions program | Maximum civil penalty per violation |
|---|---|
| Most programs (IEEPA-based) | Greater of $250,000 or 2× transaction value |
| Trading with the Enemy Act (Cuba) | $65,000 |
| International Emergency Economic Powers Act | $311,562 (2024 adjusted amount) |
OFAC considers egregious vs. non-egregious violations differently. Voluntary self-disclosure of a non-egregious violation typically results in a 50% reduction from the base penalty. Self-disclosure is strongly encouraged and must be submitted before OFAC contacts the institution.
Criminal penalties for willful violations can reach $1 million per violation and up to 20 years imprisonment under IEEPA. Corporate criminal liability applies when senior officers with knowledge of the violation ratify or fail to stop the conduct.
Consult our guide on compliance risk assessment for a framework to evaluate your current OFAC screening program's effectiveness.
Frequently asked questions
Does every U.S. business need to conduct OFAC sanctions screening?
OFAC regulations apply to all U.S. persons (citizens, permanent residents, and entities organized under U.S. law) regardless of industry. However, the depth and formality of a written compliance program varies by entity type. Federally regulated financial institutions face the most prescriptive requirements through FFIEC examination standards. Non-bank businesses should at minimum screen SDN-listed parties before entering contracts, accepting payments, or providing services.
What is the difference between the SDN List and the Non-SDN Consolidated List?
The SDN List designates individuals and entities whose assets are blocked and with whom U.S. persons are generally prohibited from doing business. The Non-SDN Consolidated List (NS-C) consolidates several additional OFAC lists, including the Sectoral Sanctions Identifications (SSI) List, Foreign Sanctions Evaders (FSE) List, and Palestinian Legislative Council (NS-PLC) List, that impose different types of restrictions (transaction restrictions, reporting requirements) rather than full asset blocking. Both lists must be screened.
How does the FinCEN 314(a) process relate to OFAC screening?
The FinCEN 314(a) program allows federal law enforcement to request that financial institutions search their records for specific named individuals. It is a law enforcement coordination tool, not a sanctions list. Financial institutions must respond to 314(a) requests within 14 days and keep the request confidential. The information obtained through 314(a) cannot be used for general screening purposes; it is legally restricted to the specific 314(a) compliance context.
Should investment advisers conduct OFAC screening after the 2026 rule?
Yes. The FinCEN final rule effective January 1, 2026 requires RIAs and ERAs to implement AML/CFT programs that include sanctions screening. OFAC has separately confirmed that investment advisers are subject to OFAC sanctions regulations regardless of the FinCEN rule. The practical implication is that investment advisers must now screen new advisory clients and existing portfolio holdings against OFAC lists as part of formal, documented compliance programs.
What voluntary self-disclosure procedures does OFAC use?
Voluntary self-disclosure (VSD) requires submitting an initial notice to OFAC within a reasonable time of discovering the apparent violation, followed by a complete report within 180 days. VSD typically qualifies a violation as non-egregious and results in a 50% reduction in the base penalty calculation. OFAC's penalties for non-egregious, voluntarily disclosed violations range from a no-action letter to approximately 50% of the base penalty.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. It covers the regulatory framework applicable to U.S.-regulated businesses. Readers should seek specialist legal advice from counsel qualified in U.S. sanctions law and BSA/AML compliance for their specific circumstances.