
OFAC Sanctions Screening: A Practical Guide for US Businesses

OFAC penalties hit $1.5M per violation on a strict-liability basis. Here's how to screen properly without drowning in false positives.

OFAC sanctions screening is non-negotiable for any US business that handles money or data on behalf of customers. Violations are strict liability — meaning you can be fined even if you had no idea your customer was sanctioned. The maximum civil penalty is currently $1.5 million per violation, and OFAC routinely publishes enforcement actions against banks, payment processors and even non-financial businesses.

This guide walks through which lists you must check, how fuzzy matching works, how to handle hits and how to design a screening program that survives examination.

Which Lists Must You Screen?

At minimum: OFAC SDN, OFAC Consolidated Non-SDN, OFAC Sectoral Sanctions. Most programs also include UN, EU, UK HMT, Canadian, Australian and high-risk-jurisdiction national lists. Daily list refreshes are now industry standard.

Fuzzy Matching: Why Exact Match Is Not Enough

Sanctioned individuals use aliases, transliterations and birth-date variations. Modern engines apply phonetic algorithms (Soundex, Metaphone), edit-distance scoring (Levenshtein) and date-of-birth tolerance. A good engine catches 'Vladimir Putin' even if spelled 'Wladimir Poutine'.
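The scoring described above, as an added example that is not part of the original post: a minimal Python screening routine that combines per-token Soundex matching, Levenshtein similarity and a date-of-birth tolerance, so that 'Wladimir Poutine' still scores as a hit against 'Vladimir Putin'. SAMPLE_LIST, the 0.85 threshold and the one-year tolerance are constructed assumptions for illustration, not OFAC data or tuned production values.

```python
import re
import unicodedata
from datetime import date

# Constructed sample entries for this example only; a real program loads the daily OFAC files.
SAMPLE_LIST = [{"name": "Vladimir Putin", "dob": date(1952, 10, 7)},
               {"name": "Example Listed Entity", "dob": None}]

def normalize(name):  # strip accents/punctuation, lowercase, sort tokens so order is irrelevant
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return sorted(re.findall(r"[a-z]+", ascii_name.lower()))

def levenshtein(a, b):  # edit distance: insert, delete and substitute each cost 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def soundex(word):  # standard 4-character Soundex; 'Putin' and 'Poutine' both give P350
    codes = {c: d for d, cs in zip("123456", ["bfpv", "cgjkqsxz", "dt", "l", "mn", "r"]) for c in cs}
    out, last = word[0].upper(), codes.get(word[0].lower(), "")
    for c in word[1:].lower():
        code = codes.get(c, "")
        if code and code != last:
            out += code
        if c not in "hw":  # h and w do not separate two letters with the same code
            last = code
    return (out + "000")[:4]

def name_score(candidate, listed):
    """Average per-token score: 1.0 on a Soundex match, else edit-distance similarity."""
    c_tokens, l_tokens = normalize(candidate), normalize(listed)
    if not c_tokens or not l_tokens:
        return 0.0
    total = sum(max(1.0 if soundex(ct) == soundex(lt) else
                    1 - levenshtein(ct, lt) / max(len(ct), len(lt)) for lt in l_tokens)
                for ct in c_tokens)
    return total / max(len(c_tokens), len(l_tokens))

def dob_compatible(candidate_dob, listed_dob, year_tolerance=1):
    """A missing date of birth on either side never clears a hit; the analyst decides."""
    if candidate_dob is None or listed_dob is None:
        return True
    return abs(candidate_dob.year - listed_dob.year) <= year_tolerance

def screen(name, dob=None, threshold=0.85):
    """Potential matches for Level 1 triage; threshold and tolerance are illustrative assumptions."""
    scored = [(e, name_score(name, e["name"])) for e in SAMPLE_LIST]
    return [{"listed_name": e["name"], "score": s} for e, s in scored
            if s >= threshold and dob_compatible(dob, e["dob"])]
```

Every returned hit, together with the list version, score and analyst decision, is what the Documentation section below says must be logged; the threshold should be calibrated against your own false-positive data.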

Handling Hits and False Positives

Most hits are false positives. Triage with a four-eyes process: a Level 1 analyst compares the hit against the customer record; a Level 2 analyst signs off on dismissal or escalation. Confirmed hits trigger blocking, an account freeze and a report to OFAC within 10 business days.

Ongoing Screening

Lists change daily. You must re-screen your entire customer base every time a list changes. Cloud-native engines do this automatically; legacy systems often miss new additions for days, creating exposure.

Geographic and IP Screening

OFAC sanctions also cover entire countries (Iran, North Korea, Syria, Cuba, Crimea, certain regions of Ukraine). IP geolocation and shipping-address screening are essential. A customer logging in from a sanctioned country is a hit even if their name isn't on a list.

Documentation and Audit

Every screening event must be logged with timestamp, list version, hit score and analyst decision. Regulators will sample these on exam. Retain logs for at least five years.

Key Takeaways

  • Screen against OFAC SDN, Consolidated, UN, EU and UK HMT at minimum.
  • Refresh lists daily and re-screen your entire base on every change.
  • Use fuzzy matching with phonetic + edit-distance scoring.
  • Log every hit and decision; retain for at least five years.

Frequently Asked Questions

Do non-financial businesses need OFAC screening?

Yes. OFAC applies to all US persons and businesses, including SaaS companies, marketplaces and exporters. Anyone could face strict-liability penalties.

How quickly must I report a confirmed OFAC hit?

Blocked or rejected transactions must be reported to OFAC within 10 business days.

Can I rely on my bank to screen for me?

No. Each entity in the payment chain has independent screening obligations.
