Primary and Secondary Sanctions Explained: Key Differences, Risks, and Compliance
- 01 What are Primary Sanctions?
- 02 What are Secondary Sanctions?
- 03 How Do OFAC Primary Sanctions Differ From Secondary Sanctions?
- 04 Which Countries Are Subject To US Secondary Sanctions?
- 05 What Are The Penalties For Violating Secondary Sanctions?
- 06 What is Sanctions Evasion and How Is It Detected?
- 07 How Secondary Sanctions Affect Non-US Companies
- 08 How Can Businesses Comply with Both Primary and Secondary Sanctions?
- 09 How Shufti Helps Compliance Teams Manage Sanctions Exposure
TL;DR
- Primary sanctions bind US persons and any transaction with a US nexus.
- Secondary sanctions target non-US firms for dealing with sanctioned parties, no US nexus required.
- Iran-related designations make up roughly 68% of US secondary sanctions to date.
- OFAC penalties and settlements exceeded $265 million in 2025, up sharply from 2024.
- Most evasion slips through gaps in beneficial-ownership and counterparty screening.
In 2025, the Office of Foreign Assets Control (OFAC) collected more than $265 million in penalties and settlements across 14 public enforcement actions, up from roughly $49 million the year before. Eight of those 14 actions tied back to Russia-related programs. The number that should worry a compliance team, though, is not the total. It is the reach. Some of the parties in the regulator’s sights had no office in the United States, no US bank account, and no American on staff. They were caught anyway, because the transaction touched a sanctioned party the US had chosen to isolate globally.
That is the line where primary sanctions end and secondary sanctions begin. Primary sanctions govern who the US can do business with. Secondary sanctions govern who everyone else can do business with, backed by the threat of losing access to the US financial system. For any firm that clears dollars, onboards cross-border customers, or sits anywhere in a global supply chain, the difference decides how much exposure sits on the books.
What are Primary Sanctions?
Primary sanctions are restrictions that a government places on its own people and companies, prohibiting them from dealing with a sanctioned target. In the US context, primary sanctions apply to US persons and to any transaction with a US nexus, meaning a US person is involved, US-origin goods are moving, or the payment clears through the US financial system.
A US person means a US citizen, a permanent resident, an entity organized under US law, and anyone physically present in the United States. When OFAC adds a name to the Specially Designated Nationals (SDN) list, US persons must freeze any assets they hold for that party and stop transacting with it. The prohibition is direct. It flows from US law and applies inside US jurisdiction.
Primary sanctions come in two broad shapes. Comprehensive programs impose near-total embargoes on an entire jurisdiction, currently covering Cuba, Iran, North Korea, and Syria. Targeted programs hit named individuals, companies, vessels, and sectors rather than a whole country, which is how most Russia, Venezuela, and Belarus measures operate. The common thread is that the restriction binds people and firms subject to US law. A German manufacturer with no US touchpoint is not violating US primary sanctions when it sells to a sanctioned buyer, because it sits outside that jurisdiction. Whether it faces a secondary sanctions risk is a separate question, and the one that trips most firms up.
What are Secondary Sanctions?
Secondary sanctions are measures that target non-US persons and companies for doing business with a sanctioned party, even when no US person, no US goods, and no US payment rail are involved. Rather than prosecuting the foreign firm under US law, the US threatens to cut it off from the American market and financial system if it continues the prohibited activity. The tool is leverage, not direct legal jurisdiction.
The distinction matters because it reverses the usual logic of jurisdiction. A foreign company cannot be sued for breaking a US law it was never subject to. But it can be designated, and designation carries consequences that most global businesses cannot absorb.

Who Do Secondary Sanctions Apply To?
Secondary sanctions apply to non-US individuals and entities operating entirely outside US jurisdiction. A Chinese trading house buying Iranian oil, a Gulf bank processing payments for a sanctioned Russian defense firm, or a shipping company moving cargo for North Korea can all fall within scope. None of them needs a US office, a US customer, or a US dollar in the chain to be exposed.
The activity that triggers a secondary designation is usually described as a “significant transaction” with a sanctioned target, though the term is deliberately elastic. Regulators weigh the size of the deal, its frequency, the level of awareness, and the nature of the sanctioned party. A one-off, low-value transaction may not clear the bar. A pattern of dealing almost certainly will.
Why Secondary Sanctions Are Called Extraterritorial
Secondary sanctions are called extraterritorial because they reach conduct that happens entirely beyond the borders of the country imposing them. A traditional law stops at a nation’s edge. A secondary sanction does not stop, because it does not try to punish the foreign firm directly. It changes the cost of a choice. The foreign firm remains free to trade with the sanctioned party, but if it does, it forfeits the US market.
For a bank, that forfeit usually means the loss of correspondent banking access, the arrangement that lets it clear US dollars through a US institution. For a corporation, it can mean being added to the SDN list itself, at which point US persons must treat it as radioactive. Either outcome ends a global business faster than most fines. That is why secondary sanctions work without a courtroom.
How Do OFAC Primary Sanctions Differ From Secondary Sanctions?
OFAC primary sanctions differ from secondary sanctions on one central axis: whether the target is subject to US law in the first place. Primary sanctions bind parties already inside US jurisdiction. Secondary sanctions reach parties outside it by threatening their access to the US market. The table below maps the practical differences a compliance team needs to act on.
| Dimension | Primary sanctions | Secondary sanctions |
| Who is bound | US persons and anyone with a US nexus | Non-US persons and companies with no US nexus |
| US nexus required | Yes | No |
| Legal basis | Direct prohibition under US law | Threat of losing US market and financial-system access |
| Typical mechanism | Asset freeze, transaction ban, SDN listing | Designation, loss of correspondent banking, SDN listing |
| Geographic reach | Territorial | Extraterritorial |
| Enforcement trigger | A prohibited transaction touching US jurisdiction | A “significant transaction” with a sanctioned target |
| Example target | A US bank wiring funds to a sanctioned entity | A foreign refinery buying oil from a sanctioned producer |
The operational takeaway is that a US nexus test alone is not enough. A compliance program built only to catch US-jurisdiction transactions will miss the exposure that secondary sanctions create, because that exposure lives in dealings with sanctioned parties that never touch a US person or a US dollar. Screening has to look at the counterparty and its network, not just the payment rail.
Which Countries Are Subject To US Secondary Sanctions?
The countries most associated with US secondary sanctions are Iran, North Korea, and Russia, with Iran accounting for the largest share by a wide margin. Analysis by the Center for a New American Security (CNAS) found that Iran-related designations make up roughly 68% of total US secondary designations, driven by the unilateral approach the US took after withdrawing from the Joint Comprehensive Plan of Action (JCPOA) in 2018. North Korean entities account for about 22%, tied to the North Korea Sanctions and Policy Enhancement Act (NKSPEA) and later amendments.
Russia entered the picture more recently. The Countering America’s Adversaries Through Sanctions Act (CAATSA), signed into law on August 2, 2017, first put mandatory secondary sanctions authorities around Iran, North Korea, and Russia in the same statute, per OFAC. Later Russia programs expanded that reach, and in 2025 OFAC signaled that foreign financial institutions facilitating significant transactions for Russia’s military-industrial base risk secondary measures.
The practical point for a business is that secondary sanctions exposure is concentrated but not fixed. The programs evolve with foreign policy, and a jurisdiction that carried only targeted measures last year can face broader secondary authorities this year. Because sanctions programs change with events after any fixed reference date, a compliance team should confirm the current scope of each program against OFAC’s live program pages rather than relying on a static list.
What Are The Penalties For Violating Secondary Sanctions?
The penalty for violating secondary sanctions is usually not a fine. It is designation, and designation cuts a firm off from the US market and financial system. A designated bank loses correspondent access and can no longer clear US dollars. A designated company lands on the SDN list, at which point every US person is barred from dealing with it and its US-touching assets are frozen. For a business that depends on dollar clearing or US customers, that outcome is closer to a death sentence than a cost.
Primary sanctions violations, by contrast, carry direct legal penalties. OFAC can impose civil penalties running into the millions per violation, and willful breaches can bring criminal charges. The scale is visible in the enforcement record.
The failure mode most firms overlook is that a secondary designation does not require a US enforcement action against them at all. There is no notice period, no settlement negotiation, no penalty schedule to plan around. The firm simply appears on a list one morning, and its banking relationships end that day. That asymmetry is the reason secondary sanctions shape behavior so effectively. The cost of getting caught is not a number a CFO can budget for.
What is Sanctions Evasion and How Is It Detected?
Sanctions evasion is the deliberate use of concealment techniques to move value or goods for a sanctioned party while hiding the connection from banks, regulators, and counterparties. It is what turns a designated entity from a blocked name on a screen into a live risk, because evasion is engineered specifically to defeat the screening that sanctions rely on. Detection depends on spotting the concealment, not just matching the name.
Common Evasion Typologies
Evaders reuse a small set of techniques across programs. Financial institutions should treat the following as recurring red flags:
- Shell and front companies that obscure the true owner of funds, flagged repeatedly by FinCEN in its Russia evasion guidance.
- Layered ownership that buries the ultimate beneficial owner behind several corporate vehicles, often across multiple jurisdictions.
- Third-party intermediaries in non-sanctioned countries that re-invoice or trans-ship goods to break the visible link to the sanctioned party.
- Trade-based laundering using mis-stated prices, quantities, or descriptions on shipping and customs documents.
- Shadow banking and illicit oil networks, which FinCEN named specifically in its June 6, 2025 advisory on Iranian sanctions evasion, alongside weapons-procurement fronts.
How Screening Detects It
Detection works by combining name screening with the context around the name. Sanctions screening checks customers, counterparties, and transactions against consolidated lists such as the SDN list, the EU consolidated list, the UK HMT list, and UN measures. On its own, list matching catches the obvious. The evasion cases hide behind names that are not on any list yet.
Closing that gap takes three layers working together. Beneficial-ownership analysis traces a corporate structure to the natural persons behind it, so a clean-looking shell does not pass just because its front name is unlisted. Adverse-media screening surfaces reporting that ties a counterparty to a sanctioned network before a formal designation lands. Ongoing transaction monitoring watches for the behavioral red flags above, such as sudden value spikes with no business rationale or a burst of new company formations in a jurisdiction linked to sanctioned flows. No single layer is sufficient. Evasion is designed to pass any one of them in isolation.
How Secondary Sanctions Affect Non-US Companies
Secondary sanctions affect non-US companies by pricing US market access into every dealing with a sanctioned party, whether or not the company ever intended to touch US jurisdiction. A firm in the Gulf, Southeast Asia, or Latin America that has never onboarded a US customer still has to screen against US lists, because a single significant transaction with a sanctioned counterparty can cost it correspondent banking and, with it, the ability to trade in dollars at all.
The pressure lands hardest on banks and any business with a global supply chain. A bank that loses correspondent access cannot clear the world’s reserve currency, so most treat US secondary lists as binding even though they are not legally subject to them. A corporate importer that unknowingly buys through a sanctioned intermediary inherits that intermediary’s designation risk. Neither party gets a warning shot.
For firms operating in hard markets, the practical challenge is compounded by screening quality. Sanctioned networks route deliberately through jurisdictions where documentation is thinner and beneficial ownership is harder to trace, including parts of the Gulf, South Asia, and Southeast Asia. A screening program that performs well on Western entities but degrades on non-Latin names and regional corporate registries leaves exactly the gap evaders aim for. Coverage in those markets is not a nice-to-have. It is where the sanctions list actually concentrates.
How Can Businesses Comply with Both Primary and Secondary Sanctions?
Businesses comply with both primary and secondary sanctions by building a risk-based program that screens beyond the US nexus test and keeps watching after onboarding. A one-time check at account opening catches the customer who is already listed. It does nothing about the counterparty that gets designated six months later, or the ownership change that pulls a clean customer into a sanctioned network. Compliance across both regimes is continuous, and it rests on five practices.
- Screen every party against consolidated lists. Check customers, beneficial owners, and transaction counterparties against the SDN list, the EU consolidated list, UK HMT, and UN measures, not just the jurisdictions where you operate.
- Verify beneficial ownership through the full structure. Trace layered corporate ownership to the natural persons behind it, so shell and front companies cannot pass on an unlisted front name.
- Monitor on an ongoing basis. Re-screen the book against updated lists and watch transactions for evasion red flags, because designations and ownership both change after onboarding.
- Set risk-based thresholds you can defend. Tune match scoring to your risk appetite rather than accepting a vendor default that either floods the queue or misses close matches, and document why.
- Keep an audit-ready trail. Record every screening decision, escalation, and clearance so you can show a regulator the basis for each call.
The common thread is that primary and secondary sanctions compliance is one program, not two. The same screening, beneficial-ownership, and monitoring stack that keeps you inside US primary rules is what surfaces the secondary exposure hiding in your counterparties.
How Shufti Helps Compliance Teams Manage Sanctions Exposure
If your customers or their counterparties sit in the Gulf, South Asia, Southeast Asia, or Latin America, you have seen where standard screening thins out. Sanctioned networks route through exactly those markets, and a program tuned for Western names starts missing matches in non-Latin scripts and regional registries, which is where secondary sanctions risk concentrates.
Shufti’s AML screening runs individuals, businesses, and transactions against the major sanctions lists, 1,200+ PEP and RCA databases, and adverse media in 80+ languages, with match thresholds compliance teams set themselves rather than inheriting a vendor default. Because the models are Shufti’s own, screening decisions are explainable when a regulator asks for the basis of a call. One platform. Fully owned technology. Global coverage with real local depth.
Frequently Asked Questions
What is the difference between primary and secondary sanctions?
Primary sanctions bind US persons and any transaction with a US nexus, prohibiting them directly under US law. Secondary sanctions target non-US firms for dealing with a sanctioned party, with no US nexus needed, by threatening their access to the US market and financial system.
Who do secondary sanctions apply to?
Secondary sanctions apply to non-US individuals and companies operating entirely outside US jurisdiction. A foreign bank, trader, or shipping firm can be exposed for a significant transaction with a sanctioned party, even with no US office, no US customer, and no US dollar in the transaction chain.
How do secondary sanctions affect non-US companies?
Secondary sanctions price US market access into every dealing with a sanctioned party. A non-US company that transacts with a sanctioned counterparty risks losing correspondent banking and dollar-clearing access, or landing on the SDN list itself, which ends most global businesses faster than any fine.
What is sanctions evasion and how is it detected?
Sanctions evasion is the deliberate concealment of a sanctioned party's involvement in a transaction, using shell companies, layered ownership, or intermediaries. Detection combines name screening with beneficial-ownership analysis, adverse-media checks, and transaction monitoring for red flags like unexplained value spikes.
How can businesses ensure compliance with both primary and secondary sanctions?
Businesses run one risk-based program that screens all parties against consolidated lists, verifies beneficial ownership through the full corporate structure, monitors continuously after onboarding, sets defensible match thresholds, and keeps an audit-ready record of every screening decision.
