OFAC sanctions compliance does not get the same airtime as BSA/AML program design in most fintech compliance conversations, but it surfaces in nearly every examination and enforcement action review. Unlike FinCEN BSA obligations, which require a risk-based approach and tolerate documented judgment calls, OFAC is strict liability — a prohibited transaction is a prohibited transaction regardless of intent. For a fintech processing thousands of transactions per day, the screening program is not just a compliance checkbox; it is the primary control preventing an inadvertent violation with potential eight-figure civil monetary penalties.
This article covers what OFAC sanctions screening actually requires, where fintech screening programs commonly leave gaps, what examiners look for when they review your program, and the documentation standards that allow you to respond to an OFAC inquiry with confidence.
OFAC's Legal Framework: What Is Actually Prohibited
OFAC administers economic and trade sanctions programs under authorities including the International Emergency Economic Powers Act (IEEPA), the Trading with the Enemy Act (TWEA), and numerous country-specific statutes. The core prohibition is straightforward: US persons — including US-incorporated entities and their overseas branches — may not engage in transactions with individuals or entities on the SDN (Specially Designated Nationals and Blocked Persons) list, or with parties in comprehensively sanctioned jurisdictions (currently Cuba, Iran, North Korea, Syria, and the Crimea/Donetsk/Luhansk regions of Ukraine).
Beyond the SDN list, OFAC maintains several sectoral sanctions programs that restrict specific categories of transactions with designated entities in certain sectors without a full asset freeze. The Russia/Ukraine-related sectoral sanctions, for example, restrict debt and equity transactions with certain Russian financial institutions even if those institutions are not SDN-listed. Sectoral sanctions require more nuanced screening — knowing that a counterparty is not on the SDN list is not sufficient if the transaction type falls within a sectoral restriction.
For fintechs, the practical screening obligation applies to: all customers at onboarding, all counterparties in transactions (both sending and receiving parties), and any updates following OFAC list changes. The last point is often overlooked — OFAC updates its lists frequently, and an institution that screens only at account opening will miss newly designated individuals who became SDN-listed after onboarding.
Coverage Gaps: Where Fintech Screening Programs Fail
Examiner observations and OFAC enforcement action notices consistently identify the same categories of coverage failure:
Screening only at onboarding, not on list changes. A US-licensed crypto exchange in the consumer-facing segment onboarded a customer in early 2023. That customer became SDN-listed in late 2023 following an OFAC designation action. The exchange's screening program only fired at account opening — it had no mechanism to re-screen existing customers when OFAC issued a new SDN designation. The account continued processing transactions for several months before the gap was discovered during an internal audit. Retroactive blocking and self-disclosure to OFAC followed.
Transaction party screening limited to account holders. In peer-to-peer and payment contexts, the account holder initiating a transaction may be clean, but the recipient may be SDN-listed or resident in a sanctioned jurisdiction. Screening only the account holder — and not the counterparty name and address fields — leaves an obvious gap. OFAC's expectations apply to the transaction, not just the customer account.
Fuzzy matching thresholds set too high for operational efficiency. Raising the fuzzy match threshold to reduce alert volume is a common temptation. A match score threshold that was set to clear 95% of alerts without analyst review will also clear a meaningful percentage of true positives where the name is close but not identical to the SDN entry. There is no regulatory bright line for fuzzy match thresholds — but OFAC and banking regulators expect that the threshold be calibrated with evidence that true positive rates have been tested at different threshold levels.
No screening of unstructured transaction data. Business account transactions often carry free-text memo or reference fields. An SDN-listed entity's name appearing in a wire transfer memo — even when the account holder is not listed — can create exposure. Some programs screen structured name and address fields only and ignore unstructured reference data entirely.
What "Reasonable Procedures" Looks Like Under OFAC Guidance
OFAC has published guidance indicating that it will consider whether a company had in place "a rigorous compliance program that has been consistently and properly applied" when evaluating whether to pursue enforcement and what penalty level to impose. OFAC's Framework for Compliance Commitments (May 2019) identifies five core components: management commitment, risk assessment, internal controls, testing and auditing, and training.
We are not saying that any particular screening vendor or configuration guarantees a favorable enforcement outcome — OFAC's "voluntary self-disclosure" and "compliance program" factors mitigate but do not eliminate penalty exposure for actual violations. What the framework makes clear is that institutions with documented, consistently applied screening procedures, a demonstrated history of list-change updates, and a functioning match-review workflow receive materially better treatment in enforcement proceedings than those without.
The AML and sanctions screening infrastructure that supports this must include: automated SDN/Consolidated List screening at onboarding and on list updates, transaction counterparty screening, a documented match review workflow with defined escalation criteria, and audit logs sufficient to demonstrate that screening was conducted and that match reviews were completed within a defined timeframe.
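As an added illustration (not code from the original article), a minimal Python screening engine that covers the coverage gaps described earlier and the infrastructure points just listed: originator, beneficiary and memo-field screening, re-screening existing customers against only the entries added in a list update, and measuring the true positive rate at different fuzzy thresholds. The list entries, customer names and transaction are constructed sample data, not real SDN records, and the similarity measure is the standard library's SequenceMatcher rather than any vendor's algorithm.

```python
from difflib import SequenceMatcher

# Constructed sample list (not real SDN data); a real program ingests OFAC's published
# list files and reruns every screening path whenever a new list version arrives.
SANCTIONS_LIST = {
    1001: {"name": "Ivan Petrov", "aliases": ["Ivan Petroff"]},
    1002: {"name": "Golden River Trading", "aliases": []},
}

def normalize(text):
    # Lower-case, strip common punctuation and collapse whitespace before comparing.
    return " ".join(text.lower().replace(",", " ").replace(".", " ").split())

def score(a, b):
    return round(SequenceMatcher(None, normalize(a), normalize(b)).ratio(), 3)

def screen_name(name, threshold, entries=SANCTIONS_LIST):
    """Return [(entry_id, best_score)] at or above threshold, best first; aliases count."""
    hits = []
    for uid, e in entries.items():
        best = max(score(name, n) for n in [e["name"], *e["aliases"]])
        if best >= threshold:
            hits.append((uid, best))
    return sorted(hits, key=lambda h: -h[1])

def screen_free_text(text, threshold, entries=SANCTIONS_LIST, max_tokens=4):
    """Slide 1..max_tokens-word windows over a memo so a listed name buried in free text is caught."""
    toks = normalize(text).split()
    best = {}
    for n in range(1, max_tokens + 1):
        for i in range(len(toks) - n + 1):
            for uid, s in screen_name(" ".join(toks[i:i + n]), threshold, entries):
                best[uid] = max(best.get(uid, 0.0), s)
    return sorted(best.items(), key=lambda h: -h[1])

def screen_transaction(txn, threshold):
    """Screen both parties and the memo: the obligation attaches to the transaction, not just the account holder."""
    alerts = {fld: screen_name(txn[fld], threshold) for fld in ("originator", "beneficiary")}
    alerts["memo"] = screen_free_text(txn.get("memo", ""), threshold)
    return {fld: hits for fld, hits in alerts.items() if hits}

def rescreen_on_list_update(customers, previous_ids, new_list, threshold):
    """After a list update, re-screen every existing customer against the entries that were added."""
    added = {uid: e for uid, e in new_list.items() if uid not in previous_ids}
    hits = {cid: screen_name(name, threshold, added) for cid, name in customers.items()}
    return {cid: h for cid, h in hits.items() if h}

def true_positive_rate(labelled, threshold):
    """Share of known-true matches still caught at a threshold: the evidence a calibration record should hold."""
    return sum(any(uid == want for uid, _ in screen_name(n, threshold)) for n, want in labelled) / len(labelled)
```

Raising the threshold from 0.85 to 0.97 on the constructed data silently drops the misspelt "Ivan Petrovv" hit, which is exactly the kind of calibration evidence an examiner expects to see recorded.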
Match Review Documentation: What Analysts Need to Record
Every potential OFAC match that is cleared by an analyst must be documented — not just the disposition, but the reasoning. OFAC examiners who review a sanctioned-entity name alert clearance will want to see: what the alert was (the name or data element that triggered), what the SDN entry was, what the analyst evaluated, and why the clearance conclusion was reached.
Common categories of documented clearance reasoning include:
- Date of birth differentiation: The customer's date of birth does not match the SDN entry's date of birth, and both are verified and documented.
- Nationality/address differentiation: The customer's verified address and nationality are inconsistent with the SDN entry's listed information.
- Alias confirmation not met: The name match is to an alias, and the identifying information does not corroborate the alias attribution.
- Entity type mismatch: The SDN entry is an individual; the customer is a legal entity, or vice versa.
Clearances documented only as "reviewed — not a match" without supporting reasoning are insufficient. In an enforcement inquiry, those clearance records will receive scrutiny. If an analyst cannot remember why a particular match was cleared months after the fact, and the record does not explain it, the program has a documentation problem that could transform a good-faith clearance into an apparent control failure.
Responding to an OFAC Inquiry or Blocked-Transaction Event
When a screening hit results in a potential blocked transaction, OFAC's regulations require the transaction to be blocked (funds held in a segregated interest-bearing account) and a report to be filed with OFAC within 10 business days under 31 CFR 501.603. Rejected transaction reports (where the transaction is rejected rather than blocked) must also be filed within 10 business days.
Self-disclosure is a mitigating factor in OFAC penalty calculations. Institutions that discover a historical compliance gap and voluntarily self-disclose before OFAC identifies it through examination receive significant penalty reductions compared to those where violations are found through examination. Maintaining a regular internal review process — including periodic testing of whether your screening program would have caught recently published OFAC enforcement cases — allows compliance officers to identify gaps before they become examination findings. Neobanks operating at volume should treat that internal review as a standard quarterly function, not a one-time exercise. The regularity of OFAC list updates and the frequency of new designations in current geopolitical environments make static programs operationally risky.
International Operations: FCA, OFSI, and Cross-Jurisdictional Screening
Fintechs operating in multiple jurisdictions face parallel sanctions obligations. UK operations are subject to OFSI (Office of Financial Sanctions Implementation) sanctions programs, which maintain their own SDN-equivalent consolidated list — post-Brexit no longer coterminous with EU sanctions. EU-licensed entities face EU restrictive measures including asset-freeze regulations under the EU's CFSP framework. MAS in Singapore maintains its own sanctions list for MAS-regulated entities.
A fintech that maintains separate screening programs for each jurisdiction without a unified case management workflow will face operational complexity that scales poorly as the business grows. Cross-jurisdictional sanctions coverage should be designed into the screening architecture from the outset. High-risk fintechs with international customer bases cannot treat each jurisdiction's sanctions obligations as a separate compliance project — the transaction flow does not respect those boundaries, and neither do the regulators.