
OFAC Compliance for Fintech: Why Enforcement Is No Longer Someone Else’s Problem


TL;DR

  • Fintechs processing payments, crypto, or cross-border transfers carry direct OFAC exposure.
  • In December 2025, OFAC settled a $3.1 million case against wallet provider Exodus.
  • Total OFAC penalties exceeded $265 million in 2025, up from roughly $49 million in 2024.
  • A sound program rests on five components, from management commitment to training.
  • Shufti refreshes OFAC, UN, EU, and UK list data every 15 minutes.

In December 2025, the Office of Foreign Assets Control (OFAC) settled a $3.1 million enforcement case against Exodus, a US-based non-custodial software wallet provider, for processing transactions involving users in comprehensively sanctioned jurisdictions. The wallet was not a bank, and the company was not a traditional financial institution. OFAC found violations regardless. Fintechs processing payments, digital assets, or cross-border transfers cannot treat sanctions compliance as someone else’s obligation, and the 2025 enforcement record makes that position harder to hold than it was at any prior point.

OFAC is a US Treasury office that administers and enforces economic and trade sanctions against targeted foreign governments, entities, and individuals. Every US person, including companies incorporated in the United States and their foreign branches, must comply with OFAC regulations. For most fintechs, the requirement covers screening against OFAC’s sanctions lists before processing transactions and blocking or rejecting any transaction involving a designated party.

What is OFAC and who does it apply to?

OFAC derives its authority from presidential emergency powers and statutes including the International Emergency Economic Powers Act (IEEPA) and the Trading With the Enemy Act (TWEA). Its primary enforcement tool is the Specially Designated Nationals and Blocked Persons (SDN) List, a database of individuals, entities, and cryptocurrency wallet addresses that US persons are prohibited from transacting with. OFAC also administers country-level sanctions programs covering Cuba, Iran, North Korea, Russia, and others, where entire categories of transactions are prohibited or require an OFAC license. Understanding who the rules reach, and through which corporate structures, is the first compliance question every fintech needs to answer.

Who is a “US person” under OFAC rules?

Under OFAC’s framework, a US person includes US citizens and permanent residents regardless of where they are located, entities incorporated under US law, and all persons physically present in the United States. Foreign branches of US entities are covered under most sanctions programs. Foreign subsidiaries face full coverage under country-specific regimes such as Cuba and North Korea. For fintechs with global user bases, this means OFAC screening applies to any transaction flowing through a US-incorporated entity or a US correspondent banking relationship, even where the fintech itself is headquartered outside the United States.

What does OFAC specifically require fintechs to do?

At a minimum, fintechs must screen customers, counterparties, and transactions against the SDN List and other OFAC-administered sanctions lists before those transactions are processed. Any property of a designated party that comes into the fintech’s control must be blocked and reported to OFAC within 10 business days. Transactions that are prohibited but do not involve blockable property must be rejected, also with a report filed within 10 business days. Records of blocked and rejected items must be maintained for at least five years. The FFIEC BSA/AML Manual notes that OFAC compliance is a separate and additional obligation from Bank Secrecy Act (BSA) and AML requirements, though a functioning fintech compliance program needs to address all three in an integrated way. In practice, sanctions list screening also has to cover global regimes that go beyond the SDN List alone.

Why do fintechs face heightened OFAC enforcement risk?

OFAC’s 2025 enforcement calendar confirmed a shift in the agency’s targeting. Actions were brought against a digital asset exchange, a financial technology company, and a global electronic broker-dealer, demonstrating that OFAC’s sanctions compliance expectations apply across the financial sector. This matters for any fintech that assumed its regulatory exposure sat primarily with its banking partners rather than with its own compliance program.

How does the 2025 enforcement data reflect OFAC’s priorities?

According to Sidley Austin’s review of 2025 US sanctions enforcement, total OFAC penalties and settlements exceeded $265 million in 2025, compared with approximately $49 million in 2024. OFAC issued 14 enforcement actions, up from 12 in 2024, and issued three penalty notices rather than the single one issued in each of the two prior years. The 2026 review identified four consistent enforcement themes across the actions: Russia-related sanctions violations, liability for advisers and intermediaries acting as gatekeepers, rejection of overly formalistic ownership analyses, and heightened scrutiny of non-bank financial institutions, including digital asset businesses. The fourth theme is the one most directly relevant to fintech compliance teams.

Why do cross-border payments and crypto carry specific OFAC exposure?

A fintech processing high transaction volumes through a rules-based screening filter running on a list that updates on a weekly cycle carries three risks at once. False negatives arise from incomplete data coverage. False positives from imprecise name-matching logic create review backlogs. And there is a lag between when OFAC designates a party and when the screening system reflects that designation. OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry calls out geographic IP blocking and blockchain address screening as baseline controls for crypto-adjacent businesses, not optional enhancements. Missing either control makes a violation more likely and a voluntary self-disclosure less persuasive to OFAC when it calculates the enforcement response.

Figure: OFAC Enforcement Surge

Building an OFAC compliance program that holds up

OFAC does not require a specific program structure by regulation, but its Framework for OFAC Compliance Commitments and the FFIEC examination guidance point to the same five components as markers of a sound program. Designing around these components matters in practice as well as on paper: OFAC weighs program adequacy when determining enforcement responses, which means a documented, functioning program can reduce the penalty outcome even when a violation has occurred.

The five core components

The FFIEC’s OFAC examination guidance identifies five elements that define a credible program. Management commitment means documented executive ownership, with the program’s scope and resources approved at a senior level. Risk assessment means mapping which products, customer types, and geographies carry the highest OFAC exposure so the screening program reflects actual risk rather than generic categories. Internal controls cover the policies, procedures, and technology for screening customers and transactions, identifying hits, resolving matches, blocking property when required, and filing reports within the 10-business-day window.

| Component             | What it requires                                                            |
|-----------------------|-----------------------------------------------------------------------------|
| Management commitment | Documented executive ownership, scope and resources approved at senior level |
| Risk assessment       | Mapping products, customer types, and geographies by OFAC exposure          |
| Internal controls     | Screening, hit resolution, blocking, and 10-day reporting workflow          |
| Independent testing   | Objective review by internal audit or external party                        |
| Training              | Role-specific instruction for onboarding, payments, and data staff          |

Independent testing means an objective review of the program, proportionate to the fintech’s risk profile, conducted by internal audit or an external party. Training means role-specific instruction for any employee who touches onboarding, payments, or customer data. Compliance professionals building or auditing these programs can also find operational depth in the sanctions screening guide for compliance professionals, covering how each control typically performs in production.

Where do fintech OFAC programs typically fall short?

Four gaps appear consistently in fintech programs. List currency is the most common: many fintechs screen against a copy of the SDN list that updates weekly or monthly, while OFAC updates the list after each designation, often in near real-time. A 24-hour lag on a high-volume platform is a real exposure window, not a theoretical one. Data coverage is the second gap: screening customer names without screening counterparties, beneficiaries, and, for crypto products, blockchain wallet addresses leaves the program incomplete. Match resolution is the third: having the screening logic but no documented process for investigating, escalating, and closing a flagged match means the system cannot demonstrate that hits were properly assessed. Reporting workflow is the fourth: the 10-business-day window for filing blocked and rejected transaction reports with OFAC requires a built operational process, not just a stated policy.
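The three screening risks above (false negatives from coverage gaps, false positives from loose name matching, and list lag) and the list-currency, data-coverage and reporting-workflow gaps can be seen in one small screening check. The code below is an added illustration, not Shufti's product code or any OFAC-published logic; the list entries are constructed samples, the 15-minute staleness threshold mirrors the refresh cadence the page describes, and the choice to return RESCREEN for a clear result on a stale list is an assumed policy.

```python
from datetime import date, datetime, timedelta, timezone
import re
import unicodedata

# Constructed sample entries with the shape of SDN data (names plus wallet addresses).
# These are NOT real designations.
SAMPLE_LIST = {
    "names": {"ACME TRADING LLC", "JOHN Q DOE"},
    "wallets": {"0x0123456789abcdef0123456789abcdef01234567"},
}
MAX_LIST_AGE = timedelta(minutes=15)  # assumed freshness threshold for the local list copy


def normalize(name: str) -> str:
    """Fold accents and case, drop punctuation, collapse whitespace.
    'Ácme-Trading, L.L.C.' -> 'ACME TRADING LLC'. Normalization alone cannot catch
    transliteration variants; fuzzy scoring on top is where false positives come from."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = re.sub(r"[-/]", " ", folded)            # separators become spaces
    folded = re.sub(r"[^A-Za-z0-9 ]", "", folded)     # other punctuation is dropped
    return " ".join(folded.upper().split())


def screen(party: str, wallet: str, list_snapshot: dict,
           list_loaded_at: datetime, now: datetime) -> dict:
    """Screen a party name and (optionally) a wallet address against the list snapshot.
    Returns the decision, the reasons for any hit, and whether the snapshot is stale."""
    reasons = []
    if normalize(party) in {normalize(n) for n in list_snapshot["names"]}:
        reasons.append(f"name match: {party}")
    if wallet and wallet.lower() in {w.lower() for w in list_snapshot["wallets"]}:
        reasons.append(f"wallet match: {wallet}")
    stale = (now - list_loaded_at) > MAX_LIST_AGE
    if reasons:
        decision = "BLOCK"          # hit on current data: block and start the reporting clock
    elif stale:
        decision = "RESCREEN"       # a CLEAR on stale data is the list-lag exposure window
    else:
        decision = "CLEAR"
    return {"decision": decision, "reasons": reasons, "list_stale": stale}


def report_deadline(blocked_on: date) -> date:
    """Last day of the 10-business-day OFAC reporting window (Mon-Fri only; assumes no
    federal holidays fall in the window, which a production calendar must account for)."""
    day, remaining = blocked_on, 10
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:
            remaining -= 1
    return day
```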

Figure: OFAC Five Core Pillars

How does Shufti help fintechs meet sanctions screening requirements?

The operational challenge for fintech compliance teams is running OFAC screening alongside broader sanctions and AML obligations in real time, across high transaction volumes, without overwhelming analysts with unresolved flags. Shufti’s AML screening covers 215+ sanction regimes, including OFAC, UN, EU, and UK sanctions lists, with list data refreshed every 15 minutes. That refresh cadence closes the list-currency gap that sits at the root of many fintech violations: the screening reflects the current state of the SDN List rather than a weekly snapshot.

The AML screening runs through the same API as identity verification checks, so a fintech can run document verification, biometric matching, and sanctions screening inside a single onboarding workflow rather than stitching together separate processes. For payment and transaction-level coverage, Shufti’s transaction screening handles counterparty and wallet address checks. When a match is flagged, the platform surfaces the matched list entry and the reason for the flag, giving analysts the context to resolve it rather than escalating every hit to manual review.

When a fintech processes cross-border payments or digital asset transactions without a current, comprehensive sanctions screening layer, it carries regulatory exposure that a single enforcement action can turn into a seven-figure settlement. Request a demo to see how OFAC and sanctions screening runs inside your onboarding and payment workflows.

Frequently Asked Questions

What is OFAC and why does it matter for fintech companies?

OFAC is the US Treasury office responsible for administering and enforcing economic sanctions. It matters for fintechs because all US persons, including US-incorporated payment companies, digital asset platforms, and financial software firms, must screen customers and transactions against OFAC sanctions lists and block or reject any transaction involving a designated party.

What is the SDN list and how do fintechs screen against it?

The Specially Designated Nationals (SDN) List is OFAC's core enforcement tool, containing named individuals, entities, and cryptocurrency wallet addresses. Fintechs screen against it by running customer names, counterparty details, and transaction data through a sanctions screening solution that checks each element against the current SDN List and other OFAC-administered lists before the transaction is processed.

What are the five components of an OFAC compliance program?

OFAC's framework identifies five components: management commitment, risk assessment, internal controls, independent testing, and training. Together these allow a fintech to identify potential violations, respond appropriately, file required reports within the 10-business-day window, and demonstrate program quality to regulators if an issue arises.

What happens if a fintech violates OFAC sanctions?

OFAC can impose civil penalties for apparent violations regardless of intent. In 2025, total OFAC penalties and settlements exceeded $265 million across 14 enforcement actions. OFAC weighs program adequacy, voluntary self-disclosure, and corrective action when setting penalties, so a documented, functioning program can reduce the outcome considerably.

How is OFAC compliance different from AML compliance?

OFAC compliance and Anti-Money Laundering (AML) compliance are legally separate obligations. AML requirements under the Bank Secrecy Act (BSA) cover transaction monitoring, customer due diligence, and suspicious activity reporting. OFAC requirements focus on blocking transactions involving sanctioned parties. Both obligations apply to fintechs and need to work together in the compliance stack.
