OFAC Compliance: A Risk-Based Approach

Dixie K. Hieb, Davenport Evans, an ICBSD Preferred Partner

OFAC – “What is that, and do I care?” The answer to the latter question should be a resounding “Yes” if you are in bank management, compliance, account onboarding, or transaction monitoring. OFAC, the acronym for the Office of Foreign Assets Control of the U.S. Department of the Treasury, enforces economic sanctions against targeted foreign countries, terrorists, international narcotics traffickers, and others who pose a threat to national security, foreign policy, or the economy. While treasury-imposed sanctions date back as far as the War of 1812, OFAC only came into existence in 1950 when President Truman blocked Chinese and North Korean assets after China entered the Korean War.

Working one’s way through OFAC’s sanctions lists is a monumental task. The OFAC website states that it does not maintain a specific list of countries that U.S. persons cannot do business with, because the sanctions programs vary in scope. Some are broad-based and oriented geographically (e.g., Cuba and Iran), while others are “targeted” and focus on specific individuals and entities (e.g., counter-terrorism and counter-narcotics). The countries listed in the “Sanctions Programs and Country Information” section of the website range from Afghanistan to Yemen and Zimbabwe, and the Specially Designated Nationals and Blocked Persons List contains approximately 12,000 names connected with sanctions targets.

There are significant penalties for violating OFAC sanctions. A civil money penalty may be as much as $250,000 per violation or twice the amount of a transaction, whichever is greater, and civil and criminal penalties can exceed several million dollars depending on the sanctions program. As an extreme example, in November 2023, OFAC reached a $968 million settlement with Binance Holdings, Ltd., the world’s largest virtual currency exchange, based on Binance’s potential civil liability for over a million apparent violations of multiple sanctions programs. In a less dramatic action, OFAC settled with Microsoft for just under $3 million related to apparent violations of OFAC’s Cuba, Iran, Syria, and Ukraine/Russia-related sanctions programs. OFAC may also use its enforcement authority against individuals who facilitate violations.

Blocked Accounts and Prohibited Transactions.

All U.S. persons, including banks, are required to comply with the OFAC sanctions, and the Federal banking regulators evaluate bank OFAC compliance programs. Banks are required to block accounts of OFAC specified countries, entities, and individuals when the account is located within the United States or is held by U.S. individuals or entities. Banks are also required to reject transactions that are by or on behalf of a blocked individual or entity, or that are to or through a blocked entity. OFAC compliance software can automate blocking accounts and rejecting prohibited transactions.

Compliance Framework.

The Treasury’s framework for OFAC compliance encourages organizations to employ a risk-based approach to sanctions compliance by implementing and routinely updating a sanctions compliance program (SCP). The risk-based SCP should incorporate five essential components: (1) management commitment; (2) risk assessments; (3) internal controls; (4) testing and auditing; and (5) training. The FFIEC’s BSA/AML Examination Manual (BSA/AML Manual) echoes those components, stating that the program should identify higher-risk areas, provide for appropriate internal controls for screening and reporting, establish independent testing for compliance, designate a bank employee responsible for OFAC compliance, and create training programs for appropriate personnel in different levels and areas of the bank.

Risk Assessment.

Per the BSA/AML Manual, a bank’s OFAC compliance program should be commensurate with its OFAC risk profile based on products, services, customers, and geographic locations. The initial identification of higher-risk customers may be performed as part of the bank’s customer identification program (CIP) procedures. However, as OFAC sanctions can reach into all areas of operation, banks should also consider all types of transactions, products, and services when conducting the risk assessment. A bank must also have policies and procedures in place for ongoing review of transactions and transaction parties for OFAC compliance purposes. Transactions involving higher OFAC risk include international funds transfers, non-resident alien accounts, foreign customer accounts, cross-border ACH transactions, and commercial letters of credit.

Training.

The Treasury framework states that training should be provided to all appropriate employees on a periodic basis (and at a minimum, annually) and should accomplish the following: provide job-specific knowledge; communicate each employee’s compliance responsibilities; and hold employees accountable through assessments. The BSA/AML Manual reiterates these expectations, stating that adequate training should be provided to all appropriate employees on a bank’s OFAC compliance program, and the scope and frequency of the training should be consistent with the bank’s OFAC risk profile and appropriate to employee responsibilities.


Much of the heavy lifting in OFAC compliance can be handled by the use of appropriate software. However, it remains important that bank compliance personnel be well versed in OFAC requirements, and that bank management ensure the adoption and support of a risk-based OFAC compliance program that meets Treasury and regulatory expectations.