Office of Foreign Assets Control (OFAC): Definition and Use in Compliance

What is Office of Foreign Assets Control (OFAC)?

OFAC is the U.S. Treasury Department agency responsible for administering and enforcing economic and trade sanctions. It acts on presidential declarations of national emergency or specific congressional mandates, designating foreign governments, entities, and individuals whose assets must be blocked and with whom U.S. persons are generally prohibited from transacting.

The agency maintains more than 30 active sanctions programs. The Iran, Russia, North Korea, Cuba, and Venezuela programs are among the most heavily enforced. The primary output compliance teams work with daily is the Specially Designated Nationals List (SDN), which contained over 12,000 entries as of 2025, covering individuals, corporations, vessels, and aircraft. Every entry represents a party whose U.S.-located assets must be frozen and with whom transactions are generally prohibited.

OFAC's authority derives primarily from the International Emergency Economic Powers Act (IEEPA) of 1977 and the Trading with the Enemy Act (TWEA) of 1917. More than 30 additional statutes underpin individual programs. The reach isn't limited to U.S.-headquartered companies. Any transaction that "touches" the U.S. financial system, clears in U.S. dollars, or involves a U.S. person is potentially subject to OFAC jurisdiction regardless of where the transaction originates.

OFAC also operates secondary sanctions programs that go beyond primary designations. They can restrict non-U.S. entities from accessing U.S. markets if those entities transact with OFAC-designated parties. Bank of Kunlun in China received a U.S. correspondent banking termination warning in 2012 for exactly this reason. According to OFAC's sanctions program documentation, secondary sanctions exposure exists across the Iran, Russia, and North Korea programs, among others.

Understanding OFAC's full scope is the baseline requirement for any sanctions screening program. Without a clear mapping of which OFAC programs apply to your business model, geography, and product set, a compliance team can't design a screening architecture that actually works.

How is Office of Foreign Assets Control (OFAC) used in practice?

In daily compliance operations, OFAC screening is a prerequisite. Every institution with U.S. dollar business needs a defensible answer to one question: "Did you screen this counterparty against OFAC before proceeding?"

At customer onboarding, compliance teams check names as part of Know Your Customer (KYC) workflows. This means running customer names, aliases, dates of birth, and addresses against the SDN List and program-specific lists. Beneficial owner screening is equally mandatory. A corporate customer whose Ultimate Beneficial Owner (UBO) is on the SDN List is itself a prohibited relationship, whether or not the customer entity appears on any list directly. Skipping that layer is a common finding in OFAC examinations.

For payment processing, screening applies to originators, beneficiaries, and any intermediate party named in the instruction. A wire from a non-designated originator to a non-designated beneficiary account is still blocked if the beneficiary's correspondent bank is sanctioned. In 2019, Standard Chartered Bank reached a $657 million settlement with OFAC for processing transactions involving Iranian parties routed through intermediaries to obscure the Iran nexus. Full details are available on OFAC's civil penalties page.

When a potential match appears in the queue, the analyst assesses it against name similarity scores, geographic indicators, dates of birth, and entity type. Confirmed matches require the transaction to be blocked, a blocked assets report filed with OFAC, and a follow-up report within 10 business days. Rejected transactions require a separate rejected transaction report on the same 10-day timeline.

Periodic re-screening is an expectation, not a best practice. OFAC adds new designations multiple times per week. Most institutions run nightly or weekly batch screens against their full customer base to catch retroactive additions before the next transaction cycle. This applies to individual customers, corporate entities, and counterparties identified through Customer Due Diligence (CDD) reviews.

Office of Foreign Assets Control (OFAC) in regulatory context

OFAC sits within a broader U.S. financial crime compliance structure. Treasury coordinates OFAC programs with State Department designation recommendations and intelligence community threat assessments. From an operations standpoint, the BSA Officer typically owns OFAC compliance alongside Anti-Money Laundering (AML) obligations, even though the two programs have distinct legal bases and different penalty structures.

The Bank Secrecy Act governs AML obligations. OFAC sanctions arise from IEEPA, TWEA, and program-specific statutes. A transaction can be AML-clean and still violate OFAC rules. A Suspicious Activity Report (SAR) filing doesn't exempt an institution from OFAC reporting. Both obligations can apply to the same transaction simultaneously.

Internationally, OFAC programs are closely tracked by Financial Action Task Force (FATF) member states, the EU through its autonomous sanctions regime, and the UK's Office of Financial Sanctions Implementation (OFSI). These regimes don't always align. Transactions permitted under EU sanctions may still be blocked under OFAC. Multinational banks manage these overlaps through detailed legal mapping exercises updated whenever any of the three regimes adds a new designation.

OFAC enforcement actions are the most practical calibration tool available to compliance programs. The 2022 Bittrex enforcement action resulted in a $24 million penalty for processing transactions for customers in Cuba, Iran, Sudan, and Syria despite having geolocation data that should have triggered blocks. The case established clear expectations for IP-based screening in digital asset platforms. That same year, the Tornado Cash designation, where OFAC sanctioned a decentralized smart contract rather than a specific individual, extended the perceived scope of OFAC authority into open-source cryptocurrency infrastructure.

The Financial Crimes Enforcement Network (FinCEN) and OFAC coordinate regularly on cases involving both money laundering and sanctions evasion. A single transaction can generate both a FinCEN SAR filing obligation and an OFAC blocking requirement, depending on the facts.

Common challenges and how to address them

The most pervasive operational problem with OFAC screening is false positive management. The SDN List contains transliterated names from Arabic, Farsi, Russian, Chinese, and other scripts, which creates substantial name variation. A system configured to match "Abdur Rahman" may or may not catch "Abd al-Rahman" or "Abdurrahman." Too tight a threshold and real violations slip through. Too loose and analysts spend their day clearing legitimate customers.

Fuzzy matching algorithm calibration is the core technical solution. Institutions need documented scoring thresholds, clear logic for auto-clearing low-confidence hits, and evidence that the chosen thresholds were tested against known SDN entries. That documentation needs to hold up in an exam, not just internal review.

A second challenge is the overlap between OFAC screening and Politically Exposed Person (PEP) workflows. PEPs aren't automatically sanctioned, but many designated individuals are current or former PEPs. We've seen banks complete PEP review and clear a customer, then separately block that customer's wire at payment screening, with neither team aware of what the other had done. A unified customer risk record capturing OFAC status alongside PEP status eliminates that gap.

Third is correspondent banking opacity. A U.S. correspondent bank relies on its respondents to have screened transactions before they arrive in the U.S. system. When a respondent fails to screen adequately, the U.S. correspondent faces liability for processing the resulting wire. The 2019 UniCredit enforcement action resulted in a $1.3 billion combined settlement with OFAC, DOJ, and other agencies after a European bank processed dollar-denominated transactions for Iranian parties through U.S. correspondents.

Enhanced Due Diligence (EDD) for high-risk correspondents and nested correspondent accounts is the standard response. Contractual representations, periodic questionnaires, and transaction-level monitoring on inbound correspondent wires are all controls examiners look for.

Related terms and concepts

OFAC sits at the intersection of several compliance disciplines. It's closest operationally to Counter-Financing of Terrorism (CFT) because many OFAC programs specifically target terrorist financing. The Iran program aims partly to prevent financing of the IRGC and its designated affiliates. An OFAC hit and a terrorism financing flag can arise from the same activity and trigger overlapping reporting obligations.

Sanctions evasion is the primary risk the programs exist to counter. Evasion methods include using front companies, falsifying payment instructions to obscure beneficial owner identity, routing payments through non-sanctioned jurisdictions, and using trade-based money laundering techniques to disguise value flows. OFAC has published typology advisories on North Korean shipping network evasion (2020) and Iranian oil payment obfuscation (2018 and 2019). FATF's proliferation financing guidance covers overlapping methodology used in WMD financing channels.

Asset freezing is the direct operational consequence of a confirmed OFAC hit. When a bank identifies a sanctioned party's account, it must freeze the assets immediately and report to OFAC. The funds remain in a segregated blocked account until OFAC issues a license authorizing disposition or until the underlying designation is revoked.

Proliferation financing sits adjacent to OFAC's WMD-related sanctions programs. OFAC administers programs specifically targeting proliferators of weapons of mass destruction under IEEPA, and those programs overlap directly with FATF Recommendation 7, which requires countries to implement targeted financial sanctions against proliferators without delay.

For compliance teams building screening architectures, the SDN List is one input among several. A complete sanctions screening program also covers the EU Consolidated List, OFSI's UK list, and UN Security Council designations. These are separate databases with different update cycles, different legal bases, and different geographic scopes. Relying on the SDN List alone leaves material gaps.