
What Is the OFAC Sanctions List and How Does It Affect Your Business?

In December 2024, OFAC imposed a $14.55 million civil penalty on Aiotec GmbH, a German company, for processing transactions that indirectly involved sanctioned entities. The company was not based in the United States. Being outside U.S. territory did not remove its liability. If your business touches U.S. dollars, U.S. financial institutions, or U.S. persons at any point in your transaction chain, OFAC’s reach likely extends to you too.

The OFAC sanctions list is a publicly maintained database of individuals, entities, vessels, and aircraft that U.S. persons, and in certain circumstances non-U.S. persons, are prohibited from transacting with.

Sanctions exposure is no longer a concern confined to global banks with dedicated compliance floors. Fintechs, crypto platforms, payment processors, and any business with cross-border operations now sit in the enforcement spotlight. This article explains what the OFAC sanctions list contains, who it applies to, what violations cost in practice, and the five-element framework regulators expect you to follow.

What is the OFAC sanctions list?

The Office of Foreign Assets Control (OFAC), part of the U.S. Department of the Treasury, administers and enforces economic and trade sanctions based on U.S. foreign policy and national security objectives. Its primary enforcement tool is a list of names that U.S. persons cannot do business with.

The primary list administered by OFAC is the Specially Designated Nationals and Blocked Persons list, commonly called the SDN list. Updated on a rolling basis with no predetermined timetable, the SDN list includes terrorists, narcotics traffickers, weapons proliferators, and entities linked to sanctioned countries or regimes.

When a person or company is designated as an SDN, their U.S.-based assets are blocked and U.S. persons are generally prohibited from any transaction with them. The designation extends further than the list itself. Front companies, subsidiaries 50% or more owned by an SDN, and individuals acting on behalf of sanctioned entities fall under the same prohibition without appearing on the list by name. This is known as the OFAC 50 Percent Rule, and it catches a wide range of corporate structures that would otherwise appear clean on a name-only check.

There is also the Sectoral Sanctions Identifications (SSI) List, which names persons operating in certain sectors of the Russian economy and restricts U.S. persons from certain dealings with these entities.

The Foreign Sanctions Evaders List provides details of foreign persons that have violated, attempted to violate, or conspired to violate U.S. sanctions against Syria or Iran.

Who needs to comply with OFAC sanctions?

The formal obligation applies to “U.S. persons,” which includes U.S. citizens, permanent residents, entities organized under U.S. law, and anyone physically located in the United States. That includes banks, broker-dealers, insurance companies, and money services businesses operating domestically.

The obligation does not stop at U.S. borders, though. Non-U.S. entities face secondary sanctions exposure when they transact in U.S. dollars, use U.S. correspondent banks, or process payments through U.S.-based financial infrastructure. A payment business headquartered in Europe that routes transactions through a U.S. clearing bank is not operating outside OFAC’s line of sight.

The 2024 enforcement action against Aiotec GmbH makes this concrete. The German company processed transactions through channels that involved U.S. persons and paid over $14.5 million as a result. Non-U.S. geography does not equal non-U.S. obligation.

Regulated industries face the most direct exposure, including banking, payments, crypto, insurance, money transmission, and trade finance. Professional service firms and e-commerce platforms with international payment flows carry real risk too.

What OFAC sanctions lists apply to your business?

The SDN list is the most widely screened, but OFAC maintains several others with distinct legal effects. For a broader view of global sanctions regimes, it is worth understanding that OFAC’s lists sit alongside UN, EU, and UK frameworks that many businesses must screen simultaneously.

The Foreign Sanctions Evaders list covers individuals and companies found to have violated or evaded U.S. sanctions on Russia and Syria. The Sectoral Sanctions Identifications list restricts specific dealings, such as debt and equity transactions, with Russian energy, defence, and financial companies without applying the full asset-blocking that SDN designation triggers. The Non-SDN Communist Chinese Military Companies List restricts certain investment activity involving named Chinese defence-linked entities.

A “we screen the SDN list” approach is no longer a complete compliance answer. A thorough screening process checks across every relevant OFAC list. The consolidated lists, their current versions, and data download formats are maintained at the OFAC Sanctions List Service, which provides structured data files ready for integration with screening tools.

[Infographic 1: OFAC 2024 Enforcement]

What happens when OFAC screening fails?

The cost of a sanctions violation depends on severity, but OFAC’s 2024 enforcement record shows penalties move fast into the millions. OFAC published 12 enforcement actions in 2024, totalling $48.79M in civil penalties. The largest single settlement, SCG Plastics Co., Ltd., reached $20 million after the Thai manufacturer supplied goods to Iranian buyers in breach of Iran sanctions.

OFAC weighs several factors when setting penalties. These include the apparent harm caused, the company’s compliance history, whether the conduct was wilful or reckless, and whether the entity voluntarily self-disclosed the violation before OFAC opened its own inquiry. Companies with a documented, functioning compliance program that self-report potential violations typically receive substantially reduced penalties. Companies with no program, or one that existed only on paper, receive no such credit.

The consequences extend beyond the fine. OFAC violations can produce reputational damage, loss of correspondent banking relationships, and in serious cases, criminal referral to the Department of Justice. For payment businesses specifically, losing a correspondent banking relationship is operationally catastrophic. A well-structured sanctions screening workflow is both the compliance obligation and the primary mitigation against disproportionate enforcement outcomes.

[Infographic 2: OFAC Compliance Framework]

Building an OFAC compliance program

In 2019, OFAC published A Framework for OFAC Compliance Commitments, which remains the reference document for what a functioning sanctions compliance program looks like. It identifies five components that OFAC examines when assessing a company’s compliance culture.

The first is management commitment. Senior leadership must own the sanctions program, not just sign off on it. This means allocating resources, appointing a dedicated sanctions compliance officer, and making clear that compliance takes priority over revenue when they conflict.

The second is risk assessment. Companies must evaluate their own exposure, looking at which customers they serve, which geographies they operate in, which payment channels they use, and which products they offer. A crypto exchange with global retail users faces different risks than a trade finance bank with a small institutional counterparty base. The assessment should match the actual risk profile, not a generic checklist.

The third is internal controls. Policies and procedures need to reflect the risk assessment. That means defining who screens what, when, against which lists, and with what escalation path when a potential match appears. Automated watchlist screening integrated into customer onboarding is now the standard operational expectation.

The fourth is testing and auditing. Compliance programs must be tested independently and regularly. OFAC has issued penalties where the screening system was technically in place but had never been validated, leaving gaps that went undetected for years.

The fifth is training. Everyone who touches customer onboarding, payments, or trade flows needs to understand what a sanctions alert looks like and what to do when one triggers. Training should be documented, repeated at regular intervals, and updated whenever OFAC adds a new sanctions program or amends guidance.

Standard Framework for Businesses Operating Globally

For businesses with global operations, this framework applies even where local law does not replicate it directly. Any business with material U.S. dollar exposure or U.S. financial institution relationships should build a program that satisfies these five elements. Practical guidance on how automated watchlist checks fit into a modern compliance workflow covers the operational detail beyond what this overview addresses.

The OFAC sanctions list updates without notice, and coverage gaps across multiple global regimes create direct enforcement exposure for compliance teams. Shufti’s AML screening covers 215+ sanction regimes, including OFAC, UN, EU, and UK lists, with data refreshed every 15 minutes so teams are always checking against the current version. Request a demo to see how the screening workflow handles SDN matches, multi-list hits, and automated escalation in a single review queue.

Frequently Asked Questions

What is the OFAC sanctions list?

The OFAC sanctions list is maintained by the U.S. Treasury and names individuals, entities, and vessels that U.S. persons are prohibited from transacting with. Non-U.S. businesses transacting in U.S. dollars or through U.S. financial infrastructure face secondary sanctions exposure under the same framework.

Who is on the OFAC SDN list?

The SDN list includes terrorists, narcotics traffickers, weapons proliferators, and entities connected to sanctioned governments or regimes. Entities that are 50% or more owned by an SDN are also covered without appearing on the list by name, under the OFAC 50 Percent Rule.

Does OFAC compliance apply to non-US companies?

Non-U.S. companies transacting in U.S. dollars or using U.S. financial institutions can face secondary sanctions exposure. OFAC issued multi-million-dollar penalties against non-U.S. entities in 2024 for exactly this reason, and geography outside the U.S. provided no shield in those cases.

What happens if you transact with a sanctioned entity?

OFAC can impose civil penalties that have reached tens of millions of dollars per case, as shown in the agency’s published enforcement records. Companies without a documented compliance program receive no mitigation credit, while voluntary self-disclosure before OFAC investigation typically reduces the penalty significantly.

How often is the OFAC sanctions list updated?

OFAC updates its lists on a rolling basis with no fixed schedule, so real-time or near-real-time automated screening is a practical necessity for any business with consistent cross-border transactions.
