OFAC sanctions shape how money moves across borders, often in ways that aren’t immediately visible. These sanctions are issued by the US Treasury’s Office of Foreign Assets Control (OFAC), and they limit who you can do business with when certain countries, companies, or individuals are involved.
Because the US financial system plays such a central role in global payments and investment, OFAC sanctions reach well beyond US borders. A single US connection, whether through currency, infrastructure, or counterparties, can bring these rules into play and affect how transactions are processed.
In this guide, we’ll break down what OFAC sanctions are, how they work, and why they matter in 2026.
What Are OFAC Sanctions?
OFAC sanctions are economic and financial restrictions designed to limit transactions connected to activities that threaten US foreign policy, national security, or the stability of the global financial system.
For fintechs, these sanctions influence:
How cross-border payments move
How investments and lending are structured
How crypto platforms control access to their products
The impact often depends on the type of sanctions involved. Some impose broad embargoes on entire countries, while others apply narrowly to specific companies, wallets, or individuals.
Regardless of how narrowly or broadly OFAC sanctions apply, they carry legal impact. Failure to comply can lead to significant fines, regulatory enforcement actions, and long-term reputational damage.
Who Must Comply With OFAC Sanctions?
Compliance with OFAC sanctions applies to all US persons. This includes:
Citizens
Permanent residents
Companies incorporated under US law
This obligation also extends to any entity operating in the US, even if it’s partially foreign-owned. For fintechs, this means that every transaction, investment, and partnership, domestic or international, must comply with the OFAC framework.
Non-US entities may also fall under OFAC rules if they conduct business with US persons or use US-based financial institutions. This often includes international payment processors, cryptocurrency platforms, and cross-border lenders.
What Do OFAC Sanctions Include?
OFAC sanctions don’t operate as a single rule. Instead, they’re enforced through various types of restrictions that apply differently.
Types of OFAC Sanctions: Comprehensive, Sectoral, and Targeted
OFAC sanctions generally fall into three main categories: comprehensive, sectoral, and targeted.
Comprehensive Sanctions: These sanctions apply to entire countries or regions, and block virtually all transactions with the sanctioned jurisdiction. US persons cannot conduct business, invest, or provide services to entities or individuals within these countries.
Sectoral Sanctions: These sanctions apply to specific sectors of a country’s economy, which aim to restrict economic growth in areas linked to government officials or decision-makers.
Targeted Sanctions: These sanctions take a more focused approach. Instead of restricting an entire country, they apply to specific individuals, companies, sectors, or types of activity, allowing lawful business to continue with non-sanctioned parties.
Most modern OFAC sanctions programs are targeted, calling for screening and investigations that go beyond geography. Firms must assess who the counterparty is, who owns or controls them, and how transactions move through the system.
Blocked Property and Prohibited Transactions Explained
Blocked property are assets in which a sanctioned party has an interest, whether direct or indirect. Even partial ownership is often enough to make the property considered blocked, no matter where the asset is located.
Blocked property can include:
Bank deposits and payment balances
Securities, digital assets, and investment accounts
Real estate and physical assets located in the US
Contracts, receivables, and intangible rights
Prohibited transactions are activities that involve blocked property or sanctioned parties not authorized by OFAC. These are broad restrictions that can be difficult to manage, especially when ownership structures are complex or transactions are automated.
Common examples of prohibited transactions include:
Sending or receiving payments involving a blocked person
Providing services, software, or infrastructure to a sanctioned entity
Facilitating crypto transfers tied to sanctioned wallets
Entering into contracts or extending credit to restricted parties
Even in complex or high-volume environments, regulators expect firms to have reasonable controls in place. This includes clear documentation, timely escalation, and processes that stop prohibited activity when it’s identified.
OFAC Sanctions Programs vs. the Specially Designated Nationals (SDN) List
OFAC maintains a Specially Designated Nationals (SDN) list of specific individuals and entities that are currently subject to blocking. It's essentially a screening tool used to identify who is restricted, as opposed to OFAC sanctions programs, which define the broader legal framework for what activities are restricted and how prohibitions apply.
The list is updated regularly, sometimes multiple times per week, and firms are expected to screen customers, transactions, and counterparties against it.
OFAC sanctions programs and the SDN List work together, but they serve different roles in compliance. The table below highlights how they differ.
Aspect | OFAC Sanctions Programs | SDN List |
|---|---|---|
Purpose | Define the legal framework for sanctions | Identify designated individuals and entities |
What they explain | What activities are restricted, and how prohibitions apply | Who is currently subject to blocking |
Scope | Country-based, sector-based, or conduct-based | Person and entity specific |
How they’re used | Interpreting sanctions obligations | Screening and investigations |
Update frequency | Changes less frequently | Updated regularly |
A transaction can still violate OFAC rules even when no SDN is involved. In those cases, the restriction comes from the sanctions program itself, such as sectoral sanctions, regional embargoes, or ownership rules, rather than list-based screening.
OFAC Sanctions Countries List (Updated 2026)
There is no single OFAC country list. Instead, US sanctions include full country bans, restrictions on specific regions, and targeted measures aimed at certain people, industries, or types of activity.
Fully Embargoed Countries
These jurisdictions are under broad, country-wide sanctions that limit most financial and business activity involving US persons. This means US individuals and companies generally can’t do business, move money, provide services, or trade with parties connected to these countries.
OFAC applies the most extensive restrictions to these countries, including asset blocking and broad limits on economic engagement. As a result, most transactions in these locations are prohibited unless OFAC has issued a general or specific license.
For the most current information on active sanctions programs and jurisdictions, visit OFAC’s official page.
Regions Treated as Comprehensively Sanctioned
In some cases, OFAC sanctions apply to specific regions rather than an entire country. These measures are typically imposed in response to ongoing conflict or international concerns.
Examples include parts of Ukraine, such as Crimea and other regions covered by US sanctions programs.
Sanctions on these areas often function like full embargoes, restricting most financial and commercial activity. Because these measures are tied to geopolitical developments, they may be updated frequently as US policy changes.
Countries With Targeted Sanctions Programs
Countries with targeted sanctions aren’t fully prohibited, but certain financial and business activities may still be restricted. Instead of blocking the whole country, these sanctions usually focus on specific industries, companies, individuals, or types of activity.
Targeted sanctions also vary in scope and purpose. Some focus on counter-terrorism, while others address corruption, human rights abuses, or conflict-related activity. Because each program is designed around a specific policy goal, the restrictions can look very different from one jurisdiction to another.
Restrictions often shift quickly based on foreign policy and national security developments. For the most current information on countries with targeted sanctions programs, visit OFAC’s official page.
How Do OFAC Sanctions Affect Fintech and Financial Services?
OFAC sanctions affect far more than compliance programs. They shape how fintech and financial services firms build products and manage day-to-day risk. For fintechs, the impact usually shows up in a few core areas:
Customer onboarding and ongoing screening: Fintechs must screen customers against OFAC sanctions lists at onboarding and on an ongoing basis. This includes individuals, businesses, beneficial owners, and, where applicable, wallet addresses. Controls should be automated, risk-based, and capable of handling list updates in near real time.
Transaction monitoring and payment routing: Sanctions rules apply to how funds move, not just who is involved. Payments that pass through sanctioned jurisdictions, intermediaries, or blocked parties can trigger violations. Fintechs need transaction monitoring that accounts for geography, counterparties, and payment flows, especially where US dollars are involved. Solutions like Regly’s transaction monitoring software are designed to support this kind of ongoing oversight as payment flows and risk profiles change.
Crypto wallet interactions and smart contract access: For crypto-enabled platforms, sanctions risk extends to wallet addresses, protocols, and smart contracts. OFAC has designated certain addresses and services, making it important to screen wallet activity and restrict access where required. Controls should be embedded at the protocol and application level, not handled manually.
Vendor, partner, and API relationships: Third-party providers can introduce sanctions exposure if they interact with sanctioned users or jurisdictions on your behalf. Fintechs are expected to conduct sanctions due diligence on vendors, banks, and API partners, and to clearly define responsibility for screening and enforcement. Platforms like Regly’s vendor management software support this process by centralizing vendor information and helping teams manage third-party sanctions exposure more consistently.
Product design and geographic availability: Sanctions influence where products can be offered and which features are available in certain regions. Fintechs should assess sanctions risk during product development, not after launch, to avoid retroactive restrictions or forced shutdowns.
Unlike traditional banks, fintech platforms move fast and rely heavily on automation. If sanctions controls aren’t built in early, that speed can increase risk.
OFAC Compliance and Regulatory Expectations
OFAC compliance is evaluated based on how well firms translate sanctions obligations into practice. Regulators focus on whether controls are designed to match real risk, not whether policies look complete on paper.
Key US Regulators Enforcing Sanctions Compliance
Sanctions enforcement and supervision extend across several US regulatory agencies. For fintechs, that can mean dealing with more than one regulator depending on your licenses, banking partners, and the products you offer.
Here are the key US regulators involved in sanctions compliance and oversight.
Office of Foreign Assets Control (OFAC): OFAC is responsible for issuing sanctions programs, maintaining designation lists, granting licenses, and investigating potential violations. It has civil enforcement authority and can impose monetary penalties for non-compliance. OFAC reviews transaction activity, screening controls, reporting accuracy, and response timelines. Voluntary self-disclosures and remediation efforts may factor into penalty decisions, but the underlying controls remain the primary focus.
Financial Crimes Enforcement Network (FinCEN): FinCEN oversees compliance with the Bank Secrecy Act, including transaction monitoring, suspicious activity reporting, and AML program governance. Sanctions controls often intersect with AML systems, especially in high-risk payment flows and crypto activity. FinCEN examinations frequently evaluate how sanctions screening integrates with broader financial crime controls rather than operating in isolation.
Federal Banking Regulators: For bank-affiliated fintechs and embedded finance platforms, oversight may also involve the Federal Reserve, Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC).
Real-World Examples of OFAC Violations
Most real-world OFAC violations don’t come from bad actors trying to break the rules. They usually start with small operational gaps or assumptions about sanctions risk that no longer hold up.
GVA Capital Ltd.: ~$216M penalty (June 2025)
OFAC fined this California-based venture capital firm $215,988,868 (the maximum civil monetary penalty) for willful violations of Russia/Ukraine-related sanctions and failing to comply with an OFAC subpoena. GVA continued managing and benefiting from investments tied to a sanctioned Russian oligarch long after their designation, despite clear notice of the restrictions.
Key takeaway: OFAC considers continued involvement with blocked interests and failure to cooperate with subpoenas to be aggravating factors. Ownership and control rules still apply, even if the interest is passive or held through a fund or investment structure.
Interactive Brokers LLC: ~$11.8M settlement (July 15, 2025)
OFAC announced an $11,832,136 settlement with Interactive Brokers for apparent violations of multiple sanctions programs. The firm provided brokerage services and processed transactions involving sanctioned jurisdictions, including Iran, Cuba, Syria, and the Crimea region, often due to gaps in customer screening and transaction controls.
Key takeaway: When sanctions issues show up across more than one program, the enforcement risk increases quickly. Controls should address customer residency, how transactions are routed, and overall jurisdictional exposure together, not as separate checkboxes.
Gracetown Inc.: $7.1M fine (Dec 4, 2025)
The US Treasury fined Gracetown Inc. $7.1 million for managing luxury properties for sanctioned Russian oligarch Oleg Deripaska after OFAC explicitly warned the firm that the activity was prohibited. The firm continued providing services despite clear regulatory guidance.
Key takeaway: If a firm ignores or delays action after an OFAC warning, the potential penalties can increase significantly. Once notified, regulators expect the firm to stop the prohibited activity right away and fix the underlying control gaps.
Binance: ~$968.6M settlement (2023)
OFAC imposed a $968,618,825 settlement with Binance for apparent violations of multiple sanctions programs, including transactions involving sanctioned jurisdictions. The action cited widespread control failures in screening, transaction monitoring, and sanctions governance at scale.
Key takeaway: High transaction volume and automated systems increase sanctions expectations. OFAC expects your controls to grow with your business. When failures become systemic, that’s when penalties tend to be the largest.
Common OFAC Sanctions Compliance Challenges
Sanctions compliance may seem straightforward on paper, but in fast-moving financial environments, it quickly becomes complex. Firms must keep up with changing sanctions lists, layered ownership structures, automated transactions, and third-party exposure all at once.
Here are some of the most common challenges firms face when managing OFAC risk.
Understanding the OFAC 50 Percent Ownership Rule: The 50 Percent Rule requires firms to treat entities as blocked if one or more sanctioned persons collectively own 50% or more, even if the entity isn’t listed. Ownership aggregation and indirect control often make this difficult to identify, as many firms struggle with incomplete ownership data and inconsistent refresh processes.
Managing False Positives in OFAC Screening: Screening systems frequently generate alerts due to common names, transliteration differences, or incomplete identifiers. High alert volumes can overwhelm compliance teams and increase the risk of inconsistent reviews. Clearing alerts too quickly increases exposure, while over-blocking disrupts legitimate customers.
Keeping Up With Constantly Changing Sanctions Lists: OFAC updates its sanctions lists frequently, sometimes multiple times per week. Firms must confirm that list updates are automated, validated, and reflected across all screening systems. Delays or version mismatches can lead to missed designations.
Sanctions Evasion Through Third Parties: Sanctions exposure doesn’t always come directly from customers. Vendors, API partners, intermediaries, and correspondent relationships can introduce risk if they interact with sanctioned parties on a firm’s behalf. Ongoing oversight is just as critical as onboarding checks.
Aligning Controls With Business Growth and Automation: As firms scale, transaction volume, product complexity, and cross-border exposure increase. Sanctions controls that don’t evolve alongside growth can create gaps in monitoring, escalation, and documentation. Regulators expect controls to scale with risk, not lag behind it.
Best Practices for OFAC Sanctions Compliance Programs
Strong OFAC compliance programs are built around risk, operational discipline, and consistent execution. Here are some best practices to help firms design sanctions controls that meet regulatory expectations and grow with the business.
Build a Risk-Based OFAC Compliance Framework
Start by asking a simple question: where could sanctions risk realistically show up in your business? Look across your products, customer types, geographies, and transaction flows.
The higher the risk, the stronger your screening, monitoring, and oversight should be. Not every area needs the same level of control, but high-risk areas absolutely do.
Choose the Right OFAC Screening Software
Your screening tool should do more than just run names against a list. It should help you catch true matches, understand ownership structures, and keep clear records of what was reviewed and why.
The right technology fits into your existing systems, updates sanctions data automatically, and reduces noise instead of overwhelming your team with false alerts.
Investigate, Escalate, and Document OFAC Matches
When an alert comes in, your team needs a clear and consistent way to handle it. That means reviewing relevant data, checking ownership and control, and documenting the decision in plain terms.
Be proactive about defining escalation paths to quickly address high-risk matches and avoid debating them in the moment.
Train and Audit Your OFAC Compliance Process
Sanctions training should feel practical, not theoretical. Employees need to understand how sanctions apply to their day-to-day roles.
Regular independent testing and audits help you spot weaknesses early, before a regulator does. Strong documentation also shows that your policies aren’t just written down, but are followed in practice.
Maintain Clear Governance and Accountability
Sanctions compliance should not sit in a gray area. Someone at the management level needs clear ownership. Roles and reporting lines should be defined, and senior leadership should actively review risk assessments and remediation efforts.
Regulators want to see that compliance is supported from the top, not treated as an afterthought.
Recent OFAC Sanctions Updates and Enforcement Actions
Sanctions rules are constantly changing, especially as global conflicts, new technologies, and cross-border enforcement efforts evolve. For fintechs and other regulated firms, that means the risk landscape can shift quickly.
Below are some of the areas where OFAC activity and enforcement have been particularly active in 2025 and 2026.
Russia, Iran, and Ukraine-Related Sanctions in 2025-2026
Russia-related sanctions remain among the broadest and most actively enforced programs. They target:
Financial institutions
Key sectors such as energy and defense
State-owned entities
Individuals connected to the war in Ukraine
Ukraine-related sanctions are closely tied to the broader Russia program and focus on occupied regions and destabilization efforts. In many cases, these regional measures operate much like embargoes, which means firms need to look beyond specific names and carefully assess geographic exposure and transaction routing.
Iran-related sanctions are just as far-reaching. They address nuclear activity, military networks, proxy groups, and complex evasion schemes that often use layered ownership and front companies to hide connections to sanctioned parties.
Across these programs, the common factor is scale and complexity. They are broad, frequently updated, and heavily focused on ownership and control, meaning firms must assess indirect exposure, not just clear name matches.
OFAC Focus on China-Linked Companies and Supply Chains
Sanctions involving China-linked entities often focus on:
Companies connected to military-industrial activity
Surveillance technology
Human rights concerns
Broader national security risks
Instead of broad embargoes, regulators typically designate specific entities, subsidiaries, or sectors. That means firms cannot rely on simple country screening. They need to understand ownership structures, supply chain relationships, and where indirect exposure may exist.
For fintechs and financial institutions involved in trade finance, payments, or cross-border services, supply chain visibility is essential. Risk may come in the form of counterparties, intermediaries, or business partners embedded in global trade networks.
Sanctions on Crypto Platforms and DeFi Projects
Sanctions risk in crypto is not just about who your customer is. It can arise from wallet addresses, transaction routing, and even the infrastructure that supports transfers.
OFAC has stated explicitly that virtual currency activity is subject to the same sanctions obligations as traditional finance, including screening, blocking, and reporting.
In DeFi, the risk is often operational. A decentralized protocol can still generate sanctions exposure when control points exist, such as hosted front ends or governance mechanisms.
As a result, crypto compliance programs are increasingly expected to include wallet screening, sanctions-aware monitoring, and controls that address how users access the product, not just who they say they are.
Cross-Border Enforcement With the EU, UK, and Allies
Sanctions enforcement is becoming more coordinated across borders. The United States, European Union, United Kingdom, and other allied governments often align on designations and enforcement priorities, especially in programs involving Russia, Iran, cybercrime, and terrorism.
That said, the legal details don’t always match. Differences in scope, licensing rules, reporting requirements, and ownership thresholds can create real complexity for firms operating in multiple markets.
For global fintechs and financial institutions, this means sanctions compliance can’t be managed through a single list or one jurisdiction’s rules. Controls need to account for overlapping obligations and the possibility that a designation in one country may trigger consequences elsewhere.
Where to Find OFAC Sanctions Lists and Guidance
Access to accurate, up-to-date sanctions information is critical for compliance. While many firms rely on screening vendors, regulators expect teams to understand and reference primary sources issued directly by the US Department of the Treasury.
Below are the key official resources firms should monitor.
Official OFAC Sanctions Lists and Update Sources
The most authoritative source for sanctions information is the OFAC’s website. The site publishes and maintains the SDN List, along with other sanctions-related lists such as sectoral sanctions identifiers and non-SDN designations.
Key resources include:
OFAC updates its lists frequently, sometimes multiple times per week. Firms should confirm that screening systems reflect current data and that internal teams know where to verify designations directly from the source when questions arise.
General Licenses, Exemptions, and Application Process
Not all sanctioned activity is completely prohibited. In some cases, OFAC authorizes limited transactions through general or specific licenses.
General licenses are published authorizations that allow certain categories of activity without requiring individual approval. These licenses are often tied to:
Humanitarian activity
Wind-down periods
Narrowly defined commercial exceptions.
Firms must carefully review the terms and conditions, as even small deviations can invalidate reliance on the license.
Specific licenses require a formal application to OFAC. These are case-by-case approvals for transactions that would otherwise be prohibited. The application process typically requires detailed information about the:
Parties involved
Nature of the transaction
Compliance controls in place
Most importantly, exemptions aren’t automatic. Firms shouldn’t assume activity is permitted simply because it appears low risk. Any reliance on a license should be documented, reviewed by compliance, and aligned with the precise language of the authorization.
How to Stay Current on OFAC Rules and Changes
Sanctions programs evolve quickly, often in response to geopolitical events, enforcement trends, or policy shifts. Staying current requires more than periodic list updates. It requires a structured monitoring process. Firms should:
Assign clear internal ownership: Designate someone responsible for monitoring OFAC developments, including website updates, Treasury press releases, new designations, and updated guidance.
Use automated list updates, but verify them: Automated screening updates are essential, but compliance teams should still review changes, confirm they were properly implemented, and assess how they affect existing customers or transactions.
Assess impact, not just updates: When new sanctions are issued, evaluate whether current controls, risk assessments, or customer relationships need to change and document any actions taken.
Refresh policies and training regularly: Periodic policy reviews, employee training updates, and independent testing keep new developments reflected in daily operations.
Translate awareness into action: Staying current isn’t just about knowing what changed. It’s about adjusting controls before enforcement risk materializes.
—
OFAC sanctions aren’t just background rules. They shape how financial institutions, fintechs, and crypto firms operate every day, from onboarding and transaction monitoring to cross-border activity. The real challenge isn’t just screening names, but understanding ownership, indirect exposure, and how quickly risk can shift.
Strong sanctions compliance comes down to staying proactive. Firms that align controls with real-world risk, document decisions clearly, and respond quickly to updates are far better positioned to manage enforcement exposure.
Frequently Asked Questions About OFAC Sanctions Lists
How often is the OFAC list updated?
There’s no fixed schedule for OFAC list updates. Designations and changes can occur at any time, often multiple times per week, depending on geopolitical developments and enforcement actions. Because updates aren’t predictable, firms should rely on automated list updates and structured monitoring processes to confirm that screening systems reflect the most current designations.
How long does it take to report to OFAC?
When property is blocked due to sanctions, firms are generally required to report the blocked property to OFAC within 10 business days. In addition, an annual report of blocked property must typically be submitted by September 30 each year. Timely reporting is critical, as delays or incomplete submissions can increase enforcement risk.
What is the OFAC 10-year rule?
The OFAC 10-year rule refers to the statute of limitations for civil sanctions violations. Under current law, OFAC generally has up to 10 years from the date of a violation to bring a civil enforcement action. This extended lookback period increases the importance of maintaining detailed records and defensible documentation over time.
What are three of the five essential components of OFAC?
OFAC outlines five essential components of a sanctions compliance program: management commitment, risk assessment, internal controls, testing and auditing, and training. Three of these core components include management commitment to support compliance efforts, risk assessments tailored to the firm’s exposure, and internal controls designed to prevent and detect violations.
Ready to Get Started?
Schedule a demo today and find out how Regly can help your business.