OFAC SDN: What It Requires and Who It Applies To
The OFAC Specially Designated Nationals (SDN) List, maintained by the US Department of the Treasury's Office of Foreign Assets Control, requires all US persons and entities to immediately block the assets of listed parties and prohibit any transaction with them. It applies to every US financial institution, corporation, and any other entity subject to US jurisdiction, with no minimum size threshold. Designations take effect immediately, with no advance notice.
What is OFAC SDN?
The OFAC Specially Designated Nationals (SDN) List is a federal sanctions database, maintained by the US Department of the Treasury's Office of Foreign Assets Control (OFAC), that designates individuals, entities, and governments with whom US persons are prohibited from transacting. OFAC administers more than 30 active sanctions programs targeting countries, terrorist organizations, weapons proliferators, and narcotics trafficking networks. The SDN List consolidates designated parties across all those programs into a single searchable database.
OFAC was established on December 17, 1950, originally to administer Treasury's asset controls against North Korea and China during the Korean War. Most current SDN designations draw legal authority from the International Emergency Economic Powers Act (IEEPA), enacted in 1977, and the older Trading with the Enemy Act (TWEA) of 1917. Individual sanctions programs are typically authorized by executive orders issued under IEEPA authority.
Today the list contains over 12,000 entries, including aliases and alternative transliterations, covering programs on Russia, Iran, North Korea, Cuba, Syria, narcotics traffickers under the Kingpin Act, and terrorist financing under Executive Order 13224. When OFAC adds a party, the designation is effective immediately. US persons have no grace period to wind down existing transactions.
Geopolitical events drive list growth directly. The 2022 Russia-Ukraine conflict produced one of the fastest SDN expansions in OFAC's history, with hundreds of Russian oligarchs, state-owned banks, and industrial entities added within weeks. That acceleration exposed gaps in many institutions' list-update cadences. OFAC's guidance and subsequent enforcement actions clarified that same-day list synchronization is the expected standard for most program types.
Who does OFAC SDN apply to?
"US person" is a broader category than most compliance officers initially assume. The obligation covers:
- US citizens and permanent residents, wherever they are physically located in the world
- All entities organized under US law, including US subsidiaries of foreign-headquartered companies
- Anyone physically present in the United States at the time of a transaction
- US branches of foreign financial institutions conducting business in the US
- Foreign financial institutions that route US dollar payments through US correspondent accounts, because the US correspondent is required to block or reject SDN-linked transactions regardless of where the originating instruction comes from
In practice, every US-chartered bank, credit union, broker-dealer, registered investment adviser, money services business, insurance company, and corporate treasury department has a live SDN screening obligation. More specifically, that covers:
- Commercial and retail banks, national and state-chartered
- Credit unions and thrifts
- Investment banks and broker-dealers
- Payment processors and fintech companies
- Import/export businesses with US entities
- Law firms and accountancies handling client funds transfers
There's no size threshold. A $200 million community bank carries the same baseline obligation as a global money-center institution. And the OFAC 50% Rule extends the prohibition further: any entity owned 50% or more, directly or indirectly, by one or more SDN-listed parties is itself blocked, even if it doesn't appear on the list by name. Institutions that screen only a customer's registered legal name, without examining the Ultimate Beneficial Owner (UBO) chain, will miss those blocked entities entirely.
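As an added illustration (not code from the page or from FluxForce), the following propagates the 50% Rule over a constructed ownership graph: stakes held by several SDN-listed parties are aggregated, and an entity that becomes blocked passes its own holdings down the chain as blocked ownership. All names and percentages are constructed; OpCo-X below is blocked only through two intermediate holding companies, which is exactly what a registered-name-only screen misses.

```python
from typing import Dict, List, Set, Tuple

# Constructed ownership graph: holder -> [(held_entity, direct_stake_percent)].
CONSTRUCTED_HOLDINGS: Dict[str, List[Tuple[str, float]]] = {
    "SDN-A": [("HoldCo-1", 30.0), ("HoldCo-2", 60.0)],
    "SDN-B": [("HoldCo-1", 25.0)],
    "HoldCo-1": [("OpCo-X", 50.0)],
    "HoldCo-2": [("OpCo-X", 10.0), ("OpCo-Y", 45.0)],
    "Investor-C": [("HoldCo-1", 45.0), ("HoldCo-2", 40.0),
                   ("OpCo-X", 40.0), ("OpCo-Y", 55.0)],
}
# Constructed stand-in for the SDN List (names only, for this example).
CONSTRUCTED_SDN: Set[str] = {"SDN-A", "SDN-B"}


def blocked_by_fifty_percent_rule(holdings: Dict[str, List[Tuple[str, float]]],
                                  sdn: Set[str]) -> Dict[str, float]:
    """Return {entity: aggregate % held by blocked persons} for every entity
    blocked under the 50% Rule. Listed parties themselves are not included.
    Indirect ownership counts only through holders that are themselves blocked,
    so the result is computed as a fixed point: each pass may block new
    entities, whose holdings then count as blocked ownership in the next pass."""
    blocked = set(sdn)
    aggregate: Dict[str, float] = {}
    changed = True
    while changed:
        changed = False
        aggregate = {}
        for holder, stakes in holdings.items():
            if holder not in blocked:
                continue  # stakes of non-blocked holders never count
            for entity, pct in stakes:
                aggregate[entity] = aggregate.get(entity, 0.0) + pct
        for entity, pct in aggregate.items():
            if pct >= 50.0 and entity not in blocked:
                blocked.add(entity)
                changed = True
    return {e: aggregate[e] for e in blocked if e not in sdn}


def screen_party(name: str, holdings, sdn: Set[str]) -> str:
    """Screening disposition for one party: direct list hit, 50% Rule hit, or clear."""
    if name in sdn:
        return "SDN match: block"
    blocked = blocked_by_fifty_percent_rule(holdings, sdn)
    if name in blocked:
        return f"blocked under 50% Rule: {blocked[name]:.0f}% held by blocked persons"
    return "clear"
```

OpCo-Y stays clear at 45% blocked ownership, which is the kind of near-miss that should still be recorded in the alert trail with the computed percentage.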
Foreign banks with USD correspondent relationships face effective compliance requirements too. Their US clearing bank will reject or block SDN-linked transactions regardless of where the originating instruction was generated.
What does OFAC SDN require?
OFAC's Framework for OFAC Compliance Commitments, published May 2, 2019, outlines five components of an effective program: management commitment, risk assessment, internal controls, testing and audit, and training. In operational terms, a defensible program requires:
Real-time screening at onboarding. Screen every new customer, UBO, and controlling party against the current SDN List before account opening or executing any transaction. Know Your Customer (KYC) and Know Your Business (KYB) programs must include SDN screening as a mandatory gate, not a downstream add-on.
Continuous portfolio monitoring. When OFAC adds a new designation, institutions must identify matching customers in existing portfolios. The practical standard is same-day identification for correspondent banking relationships and no later than next business day for retail customers.
Transaction screening. Every outbound wire, inbound wire, ACH batch, check, and trade finance instrument requires screening. For correspondent payments, that means all parties named in SWIFT MT103 fields, including beneficiary, originator, and all intermediaries.
Asset blocking and reporting. On confirming a match, block the assets immediately and file an OFAC blocking report within 10 business days using the applicable OFAC form. Unblocking requires a specific OFAC license; institutions can't release blocked assets on their own authority.
Rejected transaction reports. If you reject a transaction rather than block assets, OFAC requires a separate rejected transaction report within 10 business days. Rejection and blocking are different legal acts with different reporting obligations.
Record retention. Maintain all blocking and rejection records for 5 years from the transaction date, or until the blocked account is released, whichever is later.
Independent testing. Periodic documented testing of your screening system: false-positive rate analysis, name-matching logic review, and gap remediation evidence.
Annual training. Documented training for all customer-facing staff, BSA officers, and senior management. Training completion records must be available for examination.
The Bank Secrecy Act and OFAC are legally distinct. BSA violations and OFAC violations are separate enforcement matters with separate penalty regimes, and a single transaction can trigger both independently.
What evidence do regulators expect?
OFAC examinations are typically conducted by prudential regulators (OCC, Fed, FDIC, NCUA) as part of the combined BSA/AML examination. Examiners look for a documented program structure, not just evidence that screening software is running.
Policies and procedures. A board-approved written OFAC compliance policy, with procedures covering onboarding, transaction screening, ongoing monitoring, blocking, rejection, and escalation for each business line. Examiners want a written escalation matrix naming responsible parties by title, not just department.
System configuration. Vendor contracts and technical specifications for your screening software. Documentation of match threshold settings with written business justification. Evidence that the SDN list version loaded into the system is refreshed within 24 hours of OFAC publication.
Alert and case records. A complete audit trail for every SDN hit: the original alert, the analyst's review notes, disposition decision, and supervisor approval. Time-to-disposition metrics showing how long alerts remain open before closing.
Blocking and rejection filings. Copies of all OFAC filings for the past 5 years, with timestamps confirming 10-business-day compliance.
Testing results. The most recent independent testing report, plus documented remediation for any gaps identified.
Training records. Completion logs by employee name, date, and training module.
For correspondent banking operations, examiners will also request your nested correspondent due diligence procedures. Shell-bank risk and SDN exposure connect directly; both FATF Rec 13 and OCC correspondent banking guidance treat them as linked risk areas.
Common failure modes
Most OFAC enforcement actions don't involve deliberate evasion. They come from process gaps that accumulate over time. The patterns are predictable:
SDN list update lag. The institution's screening vendor updates the list 48-72 hours after OFAC publishes a new designation. Transactions executed in that window are apparent violations. Same-day updates are the expected standard and have been cited as a baseline in multiple post-2022 enforcement actions.
50% Rule misses. The institution screens customer names directly but doesn't screen the full UBO chain. An entity 55% owned by a listed Russian oligarch passes screening because neither the entity nor the oligarch appears under the account name. OFAC cited exactly this pattern in the 2022 Bittrex enforcement action (OFAC Civil Penalties and Enforcement Information).
Correspondent pass-through. A US bank processes dollar payments on behalf of a foreign bank without screening underlying beneficiaries. The foreign bank's customer is on the SDN List. OFAC holds the US correspondent accountable as the processing institution.
Weak name-matching logic. The fuzzy matching algorithm is tuned so tightly that it only flags near-exact name matches, missing common transliterations and alternate spellings. An SDN-listed party operating under a variant name passes through undetected.
Undocumented alert dispositions. Alert hits are closed by junior analysts with no written rationale and no supervisor review. On exam, undocumented dispositions are treated as evidence of a weak compliance culture, which is an aggravating factor in penalty calculations.
Late or missing filings. Delayed blocking reports were cited as an aggravating factor in the 2021 BitPay enforcement action, contributing directly to the final penalty amount.
Penalties for non-compliance
OFAC has authority to impose both civil and criminal penalties, and the agency uses it.
Civil penalties under most IEEPA-based programs: up to $356,579 per violation or twice the transaction value, whichever is greater. OFAC adjusts these caps annually for inflation. For TWEA-based programs covering Cuba and North Korea, the civil cap sits lower, at approximately $95,578 per violation.
Criminal penalties for willful violations: up to $1,000,000 per violation and 20 years imprisonment.
Real enforcement cases show the range:
Bittrex, October 2022. $24,280,829.10 covering 116,421 apparent violations across multiple sanctions programs. OFAC cited systemic failures including inadequate IP address screening, failure to update blocked jurisdiction controls, and weak oversight of name-matching logic. (OFAC enforcement release)
BitPay, February 2021. $507,375 for 2,102 apparent violations. BitPay processed Bitcoin transactions for persons in SDN-listed jurisdictions. OFAC noted that BitPay had reason to know based on IP address and geolocation data it already collected. (OFAC enforcement release)
Amazon Web Services EMEA Limited, November 2020. $115,793.88 for providing cloud computing services to persons in sanctioned jurisdictions. The case confirmed that technology companies and cloud providers face the same sanctions exposure as financial institutions.
OFAC's penalty matrix weighs the number of violations, total transaction value, whether the institution had reason to know, the strength of the pre-existing compliance program, and whether violations were self-disclosed. Self-disclosure can reduce penalties by up to 50%. For institutions with SAR filing obligations under the BSA, an OFAC violation often triggers a parallel FinCEN investigation when the underlying transaction also involved suspicious activity.
Related regulations and frameworks
OFAC SDN compliance connects to almost every other AML/CFT obligation a US financial institution carries.
Domestic context. The Bank Secrecy Act requires financial institutions to maintain AML programs that include a sanctions screening component. OCC's 12 CFR Part 21 explicitly requires national banks to maintain BSA/AML programs inclusive of OFAC compliance. FinCEN's CDD Rule requires collection of beneficial ownership data at onboarding, which is a prerequisite for 50% Rule screening. You can't comply with the 50% Rule if you haven't collected the UBO chain. Section 314(a) information-sharing requests from FinCEN sometimes involve subjects adjacent to SDN designations; response quality depends on the same customer data infrastructure that drives screening.
International equivalents. The UN Security Council consolidated sanctions list under UNSC Resolution 1267 covers Al-Qaeda and ISIL-linked designations that overlap heavily with OFAC SDN entries. FATF Recommendation 6, the multilateral standard for targeted financial sanctions, is what the SDN program implements at the US domestic level. FATF Rec 10 on Customer Due Diligence requires sanctions screening as a component of the CDD process across all FATF member jurisdictions.
The EU operates equivalent lists under Common Foreign and Security Policy (CFSP) regulations. The EU AMLR, coming into force across 2025-2026, tightens EU-wide sanctions screening standards and brings them closer in scope to OFAC expectations. Institutions operating across jurisdictions typically run OFAC SDN, EU CFSP, HM Treasury, and UNSC lists in parallel. Consolidating those into a single screening pipeline is both operationally sensible and increasingly expected by multi-jurisdictional supervisors.
How FluxForce supports OFAC SDN compliance
FluxForce's AI agents handle continuous SDN screening across customer portfolios and payment flows, with real-time list synchronization and automated alert triage. Nova Sentinel flags potential SDN matches, routes confirmed hits to immediate blocking workflows, and builds the documentation trail examiners expect: alert log, analyst disposition, supervisor sign-off, and filing timestamp. The system connects SDN exposure directly to broader regulatory compliance automation and KYC/AML workflows, so a designation match surfaces across onboarding, transaction monitoring, and case management in one place. Request a demo to see how it handles a live SDN match scenario end to end.