Secondary Sanctions: Definition and Use in Compliance
Secondary sanctions are a sanctions enforcement mechanism by which a government, most often the United States, penalizes foreign persons or entities for transacting with a designated target, even when those transactions involve no U.S. persons, territory, or currency.
What are secondary sanctions?
Secondary sanctions are penalties a government imposes on foreign persons or entities for transacting with a designated target, even when those transactions have no direct connection to the sanctioning country's territory, currency, or nationals. The United States uses secondary sanctions more aggressively than any other jurisdiction, and most globally active financial institutions treat U.S. secondary sanction exposure as the most consequential compliance risk outside of a direct SDN hit.
The distinction from primary sanctions is what makes secondary sanctions structurally different. Primary sanctions prohibit U.S. persons from dealing with listed parties. Secondary sanctions go further: they use the threat of exclusion from the U.S. financial system to pressure foreign entities that are not themselves bound by U.S. law. A Turkish bank with no U.S. assets, no U.S. shareholders, and no U.S. operations can still face secondary sanction consequences if it processes payments connected to an Iranian energy company.
OFAC administers the main U.S. secondary sanction programs, each with its own statutory basis. The Iran-related programs are the most extensive, covering energy sector investment, shipping, insurance, and financial services. The Russia-related programs, codified primarily under CAATSA, add a "significant transaction" standard that requires a documented materiality determination. North Korea-related secondary sanctions under Executive Order 13810 (2017) are among the broadest by sector: they apply to anyone doing business with North Korea across virtually any industry.
The practical consequence for international banks is that sanctions screening can't stop at checking whether a counterparty appears on the Specially Designated Nationals List (SDN). A clean SDN result doesn't rule out secondary sanction exposure. A third-party entity can be perfectly clean on the SDN list and still create a secondary sanction violation if it has a documented business relationship with a designated party. That's the structural challenge: the liability doesn't always sit in the transaction you're looking at.
How are secondary sanctions used in practice?
Correspondent banking is where secondary sanction risk concentrates most visibly. A U.S. correspondent bank must assess whether its respondent banks, particularly those in jurisdictions adjacent to sanctioned countries, are exposed to secondary sanction triggers. This assessment goes beyond checking the respondent bank itself. It means looking at the respondent's customer base, their geographic exposure, and any beneficial ownership connections to designated parties.
The workflow typically runs like this. A compliance team at a U.S. bank reviews a SWIFT MT202 payment from a respondent in the UAE. The originator is an oil field services company. Network analysis against OFAC's Iran-related SDN dataset surfaces that the company has historical ties to an SDN-listed Iranian entity. The payment goes on hold. The correspondent banking relationship moves to Enhanced Due Diligence review, the respondent bank is asked for documentation on its AML controls and its exposure to the Iran-related trade sector, and the compliance team documents its "significant transaction" determination under CAATSA Section 231.
Customer Due Diligence programs have evolved to incorporate secondary sanction exposure as a standalone risk dimension. This means asking about customers' business relationships in jurisdictions under secondary sanction programs, not just their own jurisdictional location. A trading company incorporated in Singapore looks low-risk on primary sanctions. If 60% of its revenue comes from Iranian crude shipping, its secondary sanction exposure is material and demands treatment as such.
A risk-based approach to secondary sanctions involves tiering customers and transaction types by their proximity to sanctioned sectors. Energy, shipping, metals, and financial services carry the highest secondary sanction risk across most U.S. programs. Compliance teams assign elevated scrutiny thresholds to these sectors, flagging transactions for manual review even where automated screening returns no direct hits. Documentation of these determinations is everything: OFAC's enforcement actions consistently reward programs that can show a documented, reasoned analysis, even where the ultimate decision turns out to be wrong.
Secondary Sanctions in regulatory context
The regulatory framework for secondary sanctions is predominantly U.S. in origin, but its effects are global. OFAC issues authoritative guidance through program-specific FAQs, general licenses, and enforcement actions. The Iran, Russia, North Korea, Venezuela, and Cuba programs each have different statutory bases, different trigger thresholds, and different available licenses.
The EU's response to U.S. secondary sanctions is its Blocking Statute (Council Regulation 2271/96, updated by Delegated Regulation 2018/1100). It prohibits EU entities from complying with certain foreign secondary sanctions and requires them to notify the European Commission if they're affected. This creates a genuine legal conflict for EU banks: comply with U.S. secondary sanctions and risk EU blocking statute violations, or comply with the EU blocking statute and risk U.S. penalties. In practice, most large EU banks choose U.S. compliance because the cost of losing dollar clearing access outweighs the EU blocking statute penalties, which have historically been nominal.
The Financial Action Task Force (FATF) doesn't issue secondary sanction guidance directly, but FATF Recommendation 6 on targeted financial sanctions interacts with secondary sanction programs. Countries on the FATF Grey List often face elevated U.S. scrutiny, and secondary sanction risk for their financial institutions rises accordingly.
OFAC enforcement actions give the clearest picture of what triggers secondary sanction liability. The 2019 settlement with Standard Chartered totaled $1.1 billion across multiple regulators, with a significant OFAC component covering transactions routed to obscure an Iranian nexus. The 2012 HSBC deferred prosecution agreement with the U.S. Department of Justice, totaling $1.9 billion, involved conduct that exposed U.S. correspondents to secondary sanction risk through the bank's failure to apply adequate controls on correspondent accounts. Both cases established that regulators expect institutions to know their respondents' customers, a standard that mirrors the spirit of secondary sanction compliance across the correspondent chain.
Common challenges and how to address them
The hardest operational problem with secondary sanctions is that the exposure isn't always visible in the payment itself. A wire transfer from a UAE trading company to a German machinery exporter looks clean on the surface. If the underlying purpose is to supply machine tools destined for an entity in a sanctioned sector in Iran, the transaction creates secondary sanction risk for every institution in the chain. The transaction monitoring alert doesn't fire because the counterparties are clean. The risk lives in the commercial purpose behind the payment.
Typology detection for secondary sanction evasion overlaps heavily with sanctions evasion patterns more broadly: third-country routing, opaque beneficial ownership, mismatched trade documentation, and payments with no discernible commercial rationale. Compliance teams that run network analysis alongside linear transaction screening catch significantly more of these patterns than those relying on name-screening alone.
De-risking is the bluntest instrument available. Banks that can't get comfortable with secondary sanction exposure in a particular geography or sector simply exit the relationship. We've seen correspondent banks withdraw from entire jurisdictions, particularly the Gulf and Southeast Asia for Iran-related programs, rather than invest in the screening capabilities needed to manage the risk selectively. That's often the wrong call economically, but it's a predictable reaction to regulatory uncertainty and the reputational cost of a public OFAC enforcement action.
The more precise approach involves investing in entity resolution to track indirect relationships, layering transaction monitoring rules that flag sector-specific indicators (oil field equipment, dual-use goods, specialty metals, shipping services), and building documented workflows for the "significant transaction" determination that CAATSA and other programs require. Documentation is the difference between a defensible position and a civil penalty. Adverse media monitoring also matters here: published reports of a counterparty's involvement in sanctioned-sector transactions can surface secondary sanction risk months before OFAC's formal designations catch up.
Related terms and concepts
Secondary sanctions don't operate in isolation. They interact with several adjacent compliance categories that financial institutions need to understand together.
Sectoral sanctions are a close cousin. Rather than listing specific entities, sectoral sanctions restrict categories of transactions with entire sectors of a country's economy, particularly debt maturity and equity restrictions on Russian energy and financial companies under CAATSA. A transaction can clear the SDN list entirely and still violate sectoral sanction restrictions. The two concepts are distinct but frequently conflated, and the conflation causes real compliance gaps.
Primary sanctions operate on U.S. persons and U.S.-nexus transactions. Secondary sanctions operate on foreign persons. In practice, compliance programs must address both simultaneously, because a single transaction chain can trigger primary sanction violations for U.S. entities and secondary sanction exposure for non-U.S. intermediaries in the same payment.
The OFAC 50 Percent Rule compounds secondary sanction risk: an entity owned 50% or more by an SDN-listed party is treated as SDN-listed even if not explicitly named. A non-U.S. bank transacting with a company that is majority-owned by an SDN-listed party faces secondary sanction exposure through the 50 Percent Rule, not just through a direct designation. This matters because beneficial ownership opacity in jurisdictions adjacent to sanctioned countries is the norm, not the exception.
Blocking statutes, the EU instrument discussed in the regulatory context section, are the primary legal defense non-U.S. jurisdictions have constructed against secondary sanction extraterritoriality. Understanding blocking statute exposure is essential for any compliance program at a European institution with U.S. dollar operations, particularly as geopolitical tensions create more situations where U.S. and EU sanctions programs diverge.
Finally, the Financial Intelligence Unit (FIU) role in secondary sanction compliance is underappreciated. FIUs in jurisdictions adjacent to sanctioned countries receive typology guidance from the FATF and Egmont Group members that can signal emerging secondary sanction risk patterns before OFAC designations catch up. Monitoring FIU publications from relevant jurisdictions is a legitimate horizon-scanning tool that most compliance teams underuse.
Where does the term come from?
The term "secondary sanctions" became standard compliance vocabulary in the mid-1990s. The Iran and Libya Sanctions Act (ILSA) of 1996 was the first major U.S. statute to explicitly penalize non-U.S. companies for doing business with designated targets, establishing the statutory template still in use today. The framework expanded substantially after 2006 through a series of Iran-specific executive orders, and again after 2017 when CAATSA codified secondary sanctions into statute with specific congressional override requirements. The EU responded by coining its own countermeasure: the "blocking statute" (Council Regulation 2271/96, amended in 2018), prohibiting EU entities from complying with certain U.S. secondary sanction provisions.
How FluxForce handles secondary sanctions
FluxForce AI agents monitor secondary sanctions-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.