OFAC Compliance for Financial Institutions

What are OFAC Requirements for Financial Institutions?

The U.S. Treasury's Office of Foreign Assets Control (OFAC) imposes strict requirements on U.S. persons and businesses to ensure compliance with economic sanctions. Financial Institutions (FIs), along with trade-related companies (exporters and importers), insurance and legal firms, and other organizations must implement robust, risk-based sanctions compliance measures. Here is an overview of OFAC's requirements for the Financial Institutions sector. 

Financial Institutions subject to OFAC regulations include banks, credit unions, money services businesses (MSBs), and similar organizations. OFAC expects FIs to develop risk-based sanctions compliance programs tailored to their specific business characteristics (customers, products, geographies). 

Organizations’ senior management should support these programs with adequate resources and oversight, often by appointing dedicated OFAC compliance officers and using automated filtering software to screen transactions. In essence, banks must ensure they do not engage, directly or indirectly, with sanctioned individuals, entities, countries, or activities, which means blocking or rejecting prohibited transactions and freezing assets as required by law. Failure to comply can result in regulatory actions, substantial civil penalties, and even criminal liability for willful violations. 

Key OFAC Requirements include:

Sanctions Screening Procedures

Financial institutions must screen customers (e.g. during onboarding) and all relevant transactions against OFAC’s Specially Designated Nationals (SDN) list and other sanctions lists. This includes real-time sanctions screening of wire transfers, trade finance transactions, and any payment instructions to detect potential matches to blocked persons or embargoed countries. If a match to an OFAC-listed “blocked” person is confirmed, the institution must block (freeze) the assets or transaction immediately. Transactions that are prohibited by sanctions (even if no listed SDN is involved) should be rejected (not processed) to ensure no funds or services reach the sanctioned target. Banks typically employ sophisticated interdiction software to flag possible name matches and other risk indicators. OFAC expects prompt investigation of any “hits” to determine if they are true matches, and if so, the bank must take the required action (blocking or rejecting) and cease any dealings with the sanctioned party or property. 

Importantly, OFAC's 50% Rule extends blocking requirements to entities that are 50% or more owned, directly or indirectly, in the aggregate by one or more blocked persons, even if those entities are not explicitly on the SDN list. Thus, FIs should screen not just named parties but also, as feasible, the ownership of business customers to catch any sanctioned beneficial owners. Compliance procedures should be risk-based – for example, a small community bank might manually review its relatively few international transactions, whereas a global bank will have automated filters and dedicated compliance staff – but all FIs are expected to take reasonable steps to prevent facilitating any sanctioned transactions.
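The two steps above (list screening of named parties, then the 50% Rule applied to ownership) can be expressed as a small program. The following is an added example, not code or data from OFAC or from this page: the list entries and the ownership graph are constructed and fictitious, the name matching is a simplified exact match after normalization (production interdiction software adds fuzzy and phonetic matching), and the ownership propagation follows OFAC's 2014 guidance that indirect ownership counts only through intermediaries that are themselves 50% or more owned by blocked persons. Function names such as screen and blocked_entities are this example's own.

```python
"""Added example: normalized list screening plus the OFAC 50% Rule over an
ownership graph. The list entries and ownership percentages are constructed."""
from __future__ import annotations

import re
import unicodedata

# Constructed entries in the spirit of an SDN-style list (fictitious names).
SDN_SAMPLE = [
    {"name": "EXAMPLE HOLDINGS LLC", "aliases": ["EXAMPLE HOLDING COMPANY"]},
    {"name": "DOE, JOHN", "aliases": ["JOHN DOE"]},
]

# Constructed ownership graph: ownership[entity][owner] = percentage held.
# Mirrors the patterns in OFAC's 50% Rule guidance:
#   A is 50% owned by a listed person, so A is blocked; A's 50% of B blocks B.
#   C and D are each only 25% owned, so nothing passes through them to E.
#   G is 10% owned directly plus 40% via blocked A = 50%, so G is blocked.
OWNERSHIP = {
    "Entity A": {"DOE, JOHN": 50.0, "Other Investor": 50.0},
    "Entity B": {"Entity A": 50.0, "Other Investor": 50.0},
    "Entity C": {"DOE, JOHN": 25.0, "Other Investor": 75.0},
    "Entity D": {"DOE, JOHN": 25.0, "Other Investor": 75.0},
    "Entity E": {"Entity C": 50.0, "Entity D": 50.0},
    "Entity G": {"DOE, JOHN": 10.0, "Entity A": 40.0, "Other Investor": 50.0},
}


def normalize(name: str) -> str:
    """Casefold, strip accents and punctuation, collapse whitespace."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = re.sub(r"[^\w\s]", " ", s).casefold()
    return " ".join(s.split())


def build_index(entries) -> dict[str, str]:
    """Map every normalized name and alias to the listed primary name."""
    index = {}
    for entry in entries:
        for n in [entry["name"], *entry["aliases"]]:
            index[normalize(n)] = entry["name"]
    return index


INDEX = build_index(SDN_SAMPLE)


def screen(party: str, index: dict[str, str]) -> str | None:
    """Return the listed name a party matches, or None. A match is a 'hit'
    that still needs investigation before blocking or rejecting."""
    return index.get(normalize(party))


def blocked_entities(ownership: dict[str, dict[str, float]], listed: set[str]) -> set[str]:
    """50% Rule as a fixpoint: an entity joins the blocked set when blocked
    persons (listed or already derived) hold >= 50% of it in aggregate.
    Ownership flows through an intermediary only once it is itself blocked."""
    blocked = set(listed)
    changed = True
    while changed:
        changed = False
        for entity, owners in ownership.items():
            if entity in blocked:
                continue
            share = sum(pct for owner, pct in owners.items() if owner in blocked)
            if share >= 50.0:
                blocked.add(entity)
                changed = True
    return blocked


def review_parties(parties, index, ownership) -> dict[str, str]:
    """Flag each party that matches the list or is blocked by ownership.
    Entity names are compared as plain strings here; a real system keys
    owners and entities by a stable identifier, not a display name."""
    blocked = blocked_entities(ownership, set(index.values()))
    hits = {}
    for party in parties:
        match = screen(party, index)
        if match:
            hits[party] = f"list match: {match}"
        elif party in blocked:
            hits[party] = "blocked under 50% Rule"
    return hits


if __name__ == "__main__":
    for party, reason in review_parties(
        ["Entity B", "Entity E", "John Doe", "Jane Roe"], INDEX, OWNERSHIP
    ).items():
        print(f"{party}: {reason}")
```

Entity E is not flagged even though a listed person holds 25% of each of its two owners: because neither C nor D reaches the 50% threshold, their holdings do not aggregate through to E. Entity G, by contrast, is caught only because the direct 10% stake and the 40% held by the already-blocked Entity A are summed together, which is exactly the case a name-only screen misses.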

Blocking, Reporting and Recordkeeping

When a financial institution blocks an asset or transaction, it must report the blocking to OFAC within 10 business days. OFAC regulations require a blocking report to include details such as the name of the blocked party, a description of the property or transaction, the value, the date blocked, and relevant identifiers (e.g. account numbers). Similarly, if a transaction is rejected (rather than blocked) due to sanctions (for instance, an unauthorized wire to a sanctioned country), the FI must file a rejection report within 10 business days, documenting the details and reason for rejection. In addition to event-based reporting, banks are required to file an annual report of all blocked property they hold as of June 30 each year, due by September 30. OFAC also mandates rigorous recordkeeping. All records of transactions that are subject to OFAC regulations must be retained for at least 10 years. 

OFAC extended the retention period from five to ten years (rule effective in 2025) to align with the statute of limitations for sanctions violations, which Congress extended to ten years in 2024. This requirement is very broad: it covers any transaction or activity that falls under U.S. sanctions laws, whether or not a blocking or rejection occurred. In practice, a bank should maintain comprehensive documentation of its sanctions screening (e.g. hit investigation logs, funds transfer details) and any actions taken (such as block/reject reports filed, licenses obtained) to demonstrate compliance. Records of blocked accounts or funds must be kept for 10 years after the date they are unblocked as well, meaning some records may need to be kept well beyond a decade. These obligations ensure that an audit trail exists for OFAC to verify compliance. U.S. financial regulators (OCC, Federal Reserve, FDIC, etc.) examine banks for OFAC compliance, including whether adequate recordkeeping and reporting procedures are in place, and they coordinate with OFAC under formal agreements to refer potential violations. 

Enforcement and Penalty Framework

OFAC enforces sanctions violations under a strict but calibrated framework. Civil penalties can be severe – for most sanctions programs under IEEPA (International Emergency Economic Powers Act), OFAC may impose a penalty per violation of up to the greater of the inflation-adjusted statutory maximum (statutory base $250,000, currently over $350,000 after annual adjustment) or twice the value of the transaction. For programs under the older TWEA authority (e.g. Cuba), the civil penalty ceiling is lower (on the order of $100,000 per violation after inflation adjustment), although criminal fines under TWEA can reach $1,000,000 for corporations. In egregious cases, or where willful misconduct is found, violations can also be referred for criminal prosecution, which under IEEPA carries fines up to $1 million and imprisonment up to 20 years, and under the Foreign Narcotics Kingpin Designation Act fines up to $10 million for corporations and up to 30 years in prison for individuals. OFAC's Economic Sanctions Enforcement Guidelines (31 CFR Part 501, Appendix A) outline "General Factors" that OFAC evaluates, such as the willfulness or recklessness of the violation, the awareness of management, the harm to sanctions program objectives, the existence and robustness of the institution's compliance program, the remedial steps taken, and whether the violation was voluntarily self-disclosed. Notably, if a bank had an effective OFAC compliance program in place and the violation was an isolated slip, OFAC may treat the case as "non-egregious" and significantly mitigate the penalty. 

Depending on these factors, OFAC’s enforcement response might range from a No Action or Cautionary Letter (for minor infractions) up to a civil penalty settlement running into millions of dollars for systemic or egregious violations. All enforcement actions, including penalties against financial institutions, are publicly announced by OFAC, highlighting the violations and lessons – a clear sign that banks must take sanctions compliance seriously or face reputational and financial consequences. In short, the penalty framework is strict but provides incentives for FIs to invest in compliance upfront: an FI with a strong OFAC program, that self-discloses problems and remediates promptly, will fare far better under OFAC’s enforcement calculus than one that is careless or non-cooperative. 

