OFAC Sanctions and ACH Payments: What Are the Requirements?

Is OFAC Compliance Mandatory for ACH?

The short answer is YES. All U.S. financial institutions and businesses must comply with OFAC sanctions regulations, and ACH transactions are no exception. There is no loophole that exempts ACH payments from sanctions screening. If an ACH payment involves a party listed on OFAC’s Specially Designated Nationals (SDN) list or another sanctions list, flag it! Just like wire transfers, such payments must be blocked or rejected before processing to ensure compliance. In its Automated Clearing House Activities: Risk Management Guidance, the OCC clearly states that “The Bank Secrecy Act requires banks to have BSA/AML compliance programs and appropriate policies, procedures, and processes in place to monitor and identify unusual activity, including ACH transactions.”

What are OFAC’s rules for domestic and cross-border ACH transactions?

The obligation is rooted in law: facilitating any payment for a sanctioned party is strictly prohibited, even if the transaction is domestic. OFAC has clarified how its rules apply to domestic and cross-border ACH transactions and provided more detailed guidance on cross-border ACH. OFAC’s rules operate on a strict liability basis. This means that a bank can be held liable for sanctions breaches even if it was unaware of the violation. The Federal Reserve also clearly states that “OFAC rules apply to all payments, both domestic and international and that all depository financial institutions, whether originating or receiving, are responsible for OFAC compliance.” As a result, banks are expected to intercept or block any ACH payment involving SDNs or other prohibited parties, and report such incidents to OFAC within 10 days (bsaaml.ffiec.gov).

ODFI and RDFI Shared Responsibilities

ACH payments typically involve an Originating Depository Financial Institution (ODFI) that initiates the entry and a Receiving Depository Financial Institution (RDFI) that credits or debits the receiver’s account. Regulators have clarified that both ODFIs and RDFIs share the burden of sanctions compliance. According to the OCC, “All parties to an ACH transaction are subject to the requirements of OFAC. With respect to domestic ACH transactions, the ODFI is responsible for verifying whether the originator is not a blocked party and for making a good faith effort to determine that the originator is not transmitting blocked funds. The RDFI similarly is responsible for verifying that the receiver is not a blocked party.”
In other words, each bank checks the customer it serves in the transaction. This division of labor means banks rely on each other – the ODFI trusts that the RDFI will catch any sanctioned beneficiary, and vice versa (nafcu.org). However, this does not dilute responsibility: “the duty on both financial institutions to prevent prohibited transactions from occurring is absolute” (nafcu.org). If either side fails and a sanctioned party is paid, an OFAC violation has occurred.

No “Domestic Exemption”

One common question is whether purely domestic ACH transfers need OFAC screening. There is no specific law or rule that carves out domestic ACH transactions from sanctions compliance. As NAFCU notes, no regulation will explicitly tell you which ACH transactions to run against OFAC. Instead, every institution must assess its own risk and design a compliance program accordingly. So, if a bank were to facilitate a payment for a sanctioned person, it would be an OFAC breach. This risk-based approach is crucial. Sanctioned individuals or entities can reside in the U.S. or attempt to use domestic accounts to move funds.
In 2024, TD Bank faced significant penalties totaling approximately $3.09 billion due to failures in its AML compliance program. According to the Justice Department, the bank intentionally didn’t screen domestic ACH transactions, most check activity, and other transaction types: “Throughout this time, TD Bank intentionally excluded all domestic automated clearinghouse (ACH) transactions.” In the well-publicized PayPal sanctions case, the company had not been adequately screening transactions for several years. This led to 486 violations. This included payments on behalf of a Turkish individual on the WMD proliferators blacklist – resulting in a $7.7 million settlement. The lesson is clear: ignoring sanctions screening on “routine” ACH transactions is not an option.

NACHA Rules and International ACH

The ACH network’s governing body, NACHA, has also baked sanctions compliance into its rules. All participants warrant that their ACH entries do not violate U.S. law, including OFAC regulations. This became especially important for international transactions. In 2009, NACHA introduced the “International ACH Transaction (IAT)” code specifically to identify cross-border ACH payments and facilitate sanctions screening. An ACH entry that involves a non-U.S. bank must be classified as an IAT, and it carries additional data (such as names, addresses, and other information) to help banks and regulators screen for OFAC compliance. For example, an outgoing ACH credit to a European bank, or an incoming remittance from abroad, will be tagged as IAT. The Federal Reserve, acting as an ACH Operator, will perform OFAC screening on incoming IAT items flowing through its FedGlobal service. That is, the Fed flags potential hits to notify the receiving bank. But crucially, the Fed’s screening does not absolve the bank receiving the funds from doing its own due diligence. Every link in the chain – the originator, ODFI, ACH operator, and RDFI – should be mindful of sanctions. As NACHA’s guidance for corporates emphasizes, ACH originators and receivers are fully subject to U.S. sanctions laws. They should not initiate or accept transactions that would violate OFAC rules.

Why daily screening of your own customers is not sufficient for OFAC compliance of ACH transactions

  • OFAC risk is transaction-based and counterparty-based, not just customer-based. OFAC expects a risk-based sanctions compliance program that covers all the parties involved in the transaction. Screening only your bank’s customers can miss non-customer originators/receivers involved in ACH entries routed through your institution.
  • ACH creates exposure to non-customers. In the ACH model (Originator → ODFI → ACH Operator → RDFI → Receiver), both ODFIs and RDFIs have sanctions risk.
    Industry guidance has long recognized that ODFIs/RDFIs share responsibility to prevent OFAC violations in ACH processing (e.g., when files are handled, unbatched, or contain “on-us” items). Limiting screening to your customer list ignores originators at other institutions and counterparties your customers pay or receive from.
  • Obligations attach when a prohibited party or country is in the payment—even if not your customer. If a transfer involves an SDN or other prohibited party, the funds must be blocked/rejected and reported; that duty is only triggered by screening transactions, not by whether the party is on your records. Therefore, relying on daily customer screening alone can allow a prohibited ACH entry to go through.
  • Controls must operate in time to stop prohibited payments. OFAC emphasizes that transactions should not be completed before screening/analysis is finished.
    A separate daily customer screening doesn’t ensure timely interdiction of ACH entries with blocked originators/beneficiaries. Transaction-level controls (or near-real-time screening of ACH data elements) are required to meet this expectation.
  • Risk-based screening is the baseline expectation. OFAC’s compliance framework calls for risk assessment and internal controls aligned to your products and payment channels.
    For ACH, that typically means screening transaction participants and relevant fields (e.g., names, addresses, countries) consistent with your risk profile—beyond static customer lists.

Bottom line
Daily screening of your customer database alone will miss non-customer parties (e.g., ACH originators/receivers) and can’t reliably stop or report prohibited ACH transactions. A compliant approach applies risk-based, transaction-level screening across ACH flows so that any entry involving a sanctioned party is identified, blocked/rejected, and reported as required.

 


ACH transactions frequently involve high volumes and multiple entries, and traditional OFAC screening methods often generate a high number of false positives. This makes it difficult to screen each transaction, increases workload and payment processing time, and leads to operational inefficiencies. Nevertheless, financial institutions that fail to screen, or that intentionally do not screen, domestic and international ACH transactions put themselves at serious compliance risk.


Fincom Screening Solution for ACH Payments

Fincom’s advanced screening solution enables financial institutions to overcome the operational burdens and lengthy manual processes of OFAC checks on ACH transactions. Fincom’s solution delivers unmatched accuracy and speed by screening large ACH files in minutes, leveraging sophisticated alert suppression mechanisms to significantly reduce the number of alerts and cut alert rates from 30-50% to below 0.5%.

The solution provides an insightful case resolution screen in which alerted ACH file entries are presented in their original structure, enabling investigators to quickly identify and review flagged transactions directly within the transaction records. Associated alert information from sanctions lists is provided to allow fast and easy case resolution and decisioning.


Learn how Fincom can help your institution ensure its ACH payments OFAC compliance.
