OFAC — the Office of Foreign Assets Control — is the U.S. Treasury agency responsible for administering and enforcing economic sanctions programs against foreign countries, terrorist organizations, drug traffickers, and other threats to U.S. national security. For any business that touches the U.S. financial system, OFAC compliance is not optional: it is a baseline legal obligation with enforcement teeth.
Payment businesses in particular face heightened OFAC exposure because every dollar-denominated transaction — whether a card payment, wire transfer, or digital wallet disbursement — passes through U.S. financial infrastructure at some point. Understanding how OFAC works, what it requires, and how to operationalize compliance is essential knowledge for merchants, payment engineers, and compliance officers alike.
How OFAC Works
OFAC operates through a system of sanctions programs, each targeting a specific country, regime, or category of bad actor. These programs prohibit U.S. persons and entities from engaging in financial transactions with designated parties and require businesses to screen, block, and report any matches. The process flows through several well-defined steps.
Sanctions Program Designation
OFAC issues sanctions programs under presidential authority (International Emergency Economic Powers Act or Trading with the Enemy Act). Each program targets a specific threat — e.g., Iran, Russia, narcotics trafficking, cyber actors — and defines what transactions are prohibited and what licenses may be available.
List Publication and Maintenance
OFAC publishes and continuously updates several key lists: the Specially Designated Nationals (SDN) list, the Consolidated Sanctions List, the Foreign Sanctions Evaders list, and country-specific blocked-party lists. These lists include individuals, companies, vessels, and aircraft. Updates occur without advance notice — sometimes multiple times per week.
Screening Obligation Triggers
Businesses must screen at customer onboarding, at each transaction, and retroactively whenever list updates occur. For sanctions screening to be effective, it must cover the customer's name, aliases, address, date of birth, and — for entities — ownership structures that could indicate indirect SDN exposure (the "50 percent rule").
Match Review and Disposition
A screening hit generates an alert that compliance staff must investigate. Potential matches must be reviewed against OFAC's identifying information. Confirmed matches result in either a blocked transaction (funds frozen, OFAC notified within 10 business days) or a rejected transaction, depending on the sanctions program involved.
Reporting and Recordkeeping
Blocked transactions must be reported to OFAC within 10 days and an annual report of all blocked property filed. Businesses must maintain records of all OFAC-related actions for five years. Voluntary self-disclosure of violations is a significant mitigating factor in OFAC's penalty calculations.
Why OFAC Matters
The practical stakes of OFAC non-compliance are significant, and enforcement has intensified as payments have digitized and cross-border transaction volumes have grown.
OFAC collected over $1.5 billion in civil penalties across its enforcement actions between 2019 and 2023, with financial institutions and payment processors representing the largest share of fined entities. Individual enforcement actions have ranged from five-figure settlements for small fintechs to nine-figure penalties for global banks. In 2019, BitPay — a crypto payment processor — paid $507,375 for processing transactions for users in sanctioned jurisdictions, underscoring that newer payment models face the same exposure as traditional banking.
The sanctions list is also growing: OFAC added over 1,500 new SDN entries in 2022 alone, largely driven by Russia-related designations following the Ukraine invasion. This pace of change makes static, periodic screening inadequate. For merchants selling internationally, OFAC exposure is not a theoretical risk — it is a live operational challenge.
The 50 Percent Rule
OFAC's 50 Percent Rule means that any entity owned 50% or more (in aggregate) by one or more SDN-listed persons is itself treated as blocked, even if not explicitly named on the SDN list. This dramatically expands the universe of entities that must be screened and requires beneficial ownership data to screen effectively.
OFAC vs. AML
OFAC compliance and anti-money-laundering compliance are both financial crime obligations, but they operate on fundamentally different logic and require different controls.
| Dimension | OFAC | AML |
|---|---|---|
| Primary goal | Block transactions with designated parties and jurisdictions | Detect and report suspicious financial activity patterns |
| Legal framework | IEEPA, TWEA, executive orders | Bank Secrecy Act, USA PATRIOT Act |
| Enforcing agency | OFAC (Treasury) | FinCEN, banking regulators |
| Key obligation | Screen and block/reject matches | Monitor, investigate, file SARs |
| Trigger | Identity match against sanctions list | Behavioral patterns suggesting financial crime |
| Action on hit | Block funds (freeze) or reject transaction | File Suspicious Activity Report (SAR) |
| Strict liability | Yes — intent is not required for violation | No — good faith efforts considered |
| Who is covered | All U.S. persons and entities; any USD transaction | Financial institutions with BSA obligations |
The critical distinction for payment businesses: OFAC is strict liability. If your system processes a payment involving an SDN-listed party — even by mistake, even without knowledge — you have committed a violation. AML programs focus on FinCEN reporting obligations and behavioral analysis, which involve more judgment. Both programs must coexist in a robust compliance architecture, but they cannot substitute for each other.
Types of OFAC Sanctions Programs
OFAC administers dozens of distinct sanctions programs, which fall into two broad categories.
Country-based (comprehensive) sanctions impose broad restrictions on nearly all transactions involving a specific jurisdiction. Current comprehensively sanctioned countries include Cuba, Iran, North Korea, Syria, and the Crimea/Donetsk/Luhansk regions of Ukraine. Transactions with these jurisdictions are blocked absent a specific license from OFAC.
List-based (targeted) sanctions allow transactions with a country or region in general, but prohibit dealings with specific designated individuals and entities appearing on the SDN list or other targeted lists. Russia, for example, is subject to list-based sanctions rather than comprehensive ones — most Russian transactions are permissible, but dealings with specific oligarchs, banks, and state entities are blocked.
Sectoral sanctions (used heavily against Russia) prohibit specific types of transactions — such as new debt or equity financing — with designated entities in targeted sectors like energy, finance, and defense, even if the entity is not on the SDN list.
Understanding which program applies to a given counterparty is essential for determining whether a transaction can proceed, must be blocked, or may be eligible for a specific or general OFAC license.
Best Practices
For Merchants
Screen customers at account creation using a reputable sanctions screening vendor that provides real-time list updates. Do not rely on manual lookups or infrequently updated databases. Implement a clear escalation procedure for screening hits that designates who reviews alerts, what documentation is required, and what the disposition timeline is. If you operate internationally, map your customer base against comprehensively sanctioned jurisdictions and ensure your checkout flow cannot accept payments from blocked countries. Maintain five years of screening records, including negative results and alert dispositions.
For Developers
Integrate OFAC screening as a synchronous step in your payment authorization flow, not a post-processing batch job. Use fuzzy matching — not exact string matching — because SDN names are frequently transliterated from Arabic, Persian, or Cyrillic and may appear in multiple spellings. Implement webhook listeners for list update notifications from your screening provider and trigger incremental rescreening of your customer base when significant updates occur. Build hard blocks (not just flags) into your payment pipeline for confirmed matches: the transaction must not complete. Log all screening events, including the list version queried, the match score, and the disposition decision, for audit trail purposes.
Common Mistakes
Relying on exact-match screening. SDN names include dozens of aliases and transliterations. Exact string matching produces unacceptable false-negative rates. Effective sanctions screening requires fuzzy matching algorithms with configurable match thresholds and human review for near-matches.
Treating rejected and blocked transactions the same way. A rejected transaction simply does not proceed. A blocked transaction requires the funds to be frozen in a segregated account and reported to OFAC within 10 business days. Confusing these dispositions — or declining a blocked payment and returning the funds — is itself a violation.
Ignoring the 50 Percent Rule. Screening only explicitly named SDN entities misses the full scope of blocked parties. Any entity majority-owned by SDN-listed persons is implicitly blocked. Without beneficial ownership data and ownership-chain screening, businesses will miss these indirect exposures.
Screening only at onboarding. A customer who passed screening at account creation may be designated months later. OFAC expects businesses to re-screen against updated lists on a regular basis — and immediately following significant list updates.
Assuming non-U.S. incorporation provides immunity. If your business processes U.S. dollar transactions, uses U.S. correspondent banking, or has U.S. persons in management, OFAC has jurisdiction. Foreign-incorporated fintechs have been subject to OFAC enforcement actions for exactly this reason.
OFAC and Tagada
Tagada's payment orchestration layer routes transactions across multiple acquiring banks and payment processors, each of which operates under their own OFAC compliance programs. When you connect a new payment method or acquirer through Tagada, that provider's sanctions screening runs as part of their authorization flow.
Layered Sanctions Coverage
Tagada's multi-acquirer routing means your transactions benefit from the OFAC screening controls of each connected processor. However, this does not replace your own compliance obligations as a merchant — OFAC's strict liability standard applies to you directly. Use Tagada's transaction metadata and routing logs as one input into your own compliance audit trail, not as a substitute for your sanctions screening program.
For merchants using Tagada to expand into new markets, pay close attention to the jurisdictions your new acquirer routes support. Some acquirers have broader geographic coverage than others, including regions with elevated OFAC exposure. Review acquirer compliance attestations and confirm sanctions screening coverage before enabling new payment corridors through the platform.