Building an OFAC Sanctions Compliance Program

Economic sanctions have become the normal way for governments worldwide to exert influence on the global economy in pursuit of their national security interests. They affect not only entities within a sanctioned country but also entities outside it, and any entity that deals with parties inside a sanctioned country. As a result, the reach of sanctions has grown exponentially, as has the complexity of sanctions regimes, which now include many different types of measures, including but not limited to trade embargoes, asset freezes, investment prohibitions, and sanctions on specific technologies, specific industries, and even specific products.

The Office of Foreign Assets Control (OFAC) looks at the Sanctions Compliance Programs of financial institutions around the world, from the largest global banks to the newest FinTech and even decentralized finance (DeFi) companies. The U.S. Department of the Treasury expects these companies to have an effective organizational “immune system”: a written Sanctions Compliance Program (SCP) that functions as a dynamic framework for all of the company’s sanctions compliance activities. A written SCP is not a statutory requirement under U.S. law. However, the absence of a robust SCP is considered an “aggravating factor” in OFAC enforcement actions, leading to very high civil penalties even for a violation that was contained and had only minor consequences, and thereby causing extreme financial and reputational harm to the company.

A good SCP is a lot more than a well-written document sitting on the compliance officer’s hard drive, collecting dust. Whether you are setting up a first-class SCP from scratch or bringing your current sanctions compliance policies and procedures up to OFAC’s expectations, the Five Essential Pillars provide the framework for strong sanctions compliance that protects the U.S. financial system and, in the long run, your company.

The following topics are covered in this article:

  1. What Is an OFAC Sanctions Compliance Program?
  2. Who Needs an SCP?
  3. Component 1: Management Commitment
  4. Component 2: Risk Assessment
  5. Component 3: Internal Controls
  6. Component 4: Testing and Auditing
  7. Component 5: Training
  8. How OFAC Evaluates Your SCP During Enforcement
  9. Common SCP Weaknesses That Lead to Enforcement
  10. Building an SCP

1. What Is an OFAC Sanctions Compliance Program (SCP)?

At its core, an OFAC Sanctions Compliance Program (SCP) is a set of policies and procedures (combined with internal controls) designed to help a company (not just banks) of any size to keep from doing business with ‘prohibited persons’ and with any ‘prohibited or blocked entities or countries’.

A small regional credit union’s compliance program will not require the same technological compliance solutions that a multinational investment bank’s would. Each program nevertheless needs to be equally strong, and each needs to fit its institution’s own risk profile.

The most important thing for a leader to understand is that an SCP is your company’s insurance policy. An SCP cannot excuse a violation of sanctions laws (which impose strict liability), but the existence of a robust SCP will likely result in OFAC issuing a non-public Cautionary Letter rather than a very public and very expensive fine for the same violation. To a regulator, the difference between being “unlucky” and being “reckless” is the existence of a robust SCP.

2. Who Needs an SCP?

A common and misguided myth is that an SCP is the province of the “big banks” alone. In fact, virtually all financial organizations, wherever located, would benefit from a well-designed sanctions compliance program. Sanctions programs have grown exponentially over the last several years, with more than 1,000 individuals and entities targeted under various programs and a growing number of “general” and “sectoral” sanctions targeting entire industries or any entity conducting business with prohibited entities or individuals. With the digital interconnectivity of global finance expected to increase dramatically by 2026, no significant financial organization is likely to avoid U.S. dollar transactions with some U.S. nexus entirely, and those transactions must comply with OFAC sanctions regulations.

A formal SCP is required for:

  • U.S. Persons: All U.S. citizens and permanent residents, wherever in the world they are located, and all entities organized under U.S. law or otherwise subject to U.S. jurisdiction, wherever they do business, including through their overseas offices.
  • Foreign Subsidiaries: A foreign entity is not generally a U.S. person and so is not directly subject to OFAC’s rules, but it can still get into trouble. Certain programs, notably those for Iran and Cuba, extend to foreign entities owned or controlled by U.S. persons, which are then prohibited from doing business with the sanctioned country in any way.
  • Non-U.S. Persons “Touching” the U.S. Dollar Payments System: When a non-U.S. person carries out a transaction that touches the U.S. dollar payments system (e.g. U.S. correspondent or agent banks, U.S. dollar transactions, software or other technology of U.S. origin), the non-U.S. person can be considered to be causing a U.S. person to violate the sanctions regulations. OFAC has historically found individuals and entities from around the world in violation for actions that caused a U.S. person to be a party to a prohibited transaction (e.g. where U.S.-person information was stripped from wire transfer details or where the identity of a sanctioned party was not revealed to the U.S. person).
  • Fintech and MSBs: U.S. and non-U.S. money services businesses and other financial service providers, including fintechs, face considerable scrutiny from OFAC because they move money around the world quickly. Accordingly, while a number of “plug-and-play” SCPs are available to small fintechs and other MSBs, a formal, fully functioning, risk-based SCP is now the norm in the industry.

3. Component 1: Management Commitment

According to OFAC’s 2019 Framework for Sanctions Compliance, Management Commitment is the first and most important of the 5 components to develop a successful Sanctions Compliance Program (SCP). It refers to the fact that, as a compliance officer, you cannot succeed in developing a sanctions compliance program in a vacuum. The ‘tone at the top’ of an organization is critical to ensuring the implementation and continued success of any effective sanctions compliance program.

Management commitment is not a statement or memo buried on a web page. It is the “tone at the top,” and OFAC looks at this component through the lens of five specific criteria: Board and C-Suite review of the SCP and of sanctions risk; a dedicated compliance officer; adequate resources for the compliance program; a culture of compliance; and demonstrated learning from failings.

  • Board and C-Suite Review: Whether or not senior management approves an SCP in writing, OFAC wants to know that they support sanctions compliance in general and follow the progress of the SCP on an ongoing basis. This is measured by how frequently senior management reviews the reports on sanctions risk that compliance presents to the Board.
  • A Dedicated Compliance Officer: Someone has to be responsible for the sanctions compliance program within the organization. This individual needs the right depth of technical sanctions compliance knowledge as well as enough organizational seniority to challenge the rest of the organization and communicate appropriately with management. OFAC will view a junior sanctions compliance employee who has been given no power to influence the organization’s actions as a sign that the organization does not take sanctions compliance seriously, and therefore as an unacceptable way to organize a compliance program.
  • Adequate Resources: Resources include a sufficient number of qualified compliance staff, as well as funds for specialized training and for information technology solutions that provide high-performance, advanced monitoring (e.g. automated screening and monitoring using AI).
  • A Culture of Compliance: Culture is the organization’s DNA. The question here is whether every employee, from sales to operations, knows that they have the authority to stop a transaction that appears to violate sanctions.
  • Demonstrated Learning from Failings: OFAC wants to see a company learn from its mistakes: root cause analysis that results in changes to policy and procedures so that similar failures do not recur.

This component forms the basis of a compliance program having the ‘political capital’ and resources to implement effective sanctions compliance, even in situations where the pressure to close a deal is immense.

4. Component 2: Risk Assessment

If management commitment is the engine of the compliance program, the Risk Assessment is the GPS that steers it in the right direction. As OFAC’s 2019 Framework elaborates, one of the main reasons compliance programs fail is that they are not tailored to the company’s specific risks and therefore do not function when actually needed. A sanctions compliance program must be tailored to the specific risks the organization faces so that it holds up in high-pressure situations when closing a deal seems paramount. In other words, a ‘copy-paste’ program from another organization does more harm than good.

A robust risk assessment is a top-to-bottom review of a company’s exposure within a number of dimensions:

  • Customer Base: Who are the Company’s customers? This includes a review of the parties behind the Company’s customers (i.e., Ultimate Beneficial Owners or “UBOs”) as well as an assessment of the industries in which the Company’s customers operate (e.g. oil and gas, retail, etc.).
  • Products and Services: Are you selling high-risk products and services such as international wire transfers, trade finance, or anonymous digital currency exchangers and wallets? In addition, lower-risk products can pose extreme risk when sold in high-risk locations or to high-risk customers.
  • Geographic Footprint: The locations of the company’s offices and the locations of its customers. This is not as simple as determining whether or not a country is under sanctions by OFAC.
  • Onboarding and Transactions: The process used to locate new customers and conduct new transactions. Face-to-face onboarding of customers is typically considered to be a lower risk activity than non-face-to-face onboarding of customers.

As discussed earlier, this process is a living and breathing process that will need updates on an ongoing basis. A risk assessment developed in 2024 is pretty much worthless in 2026 given the constant changes in the global and US foreign policy landscapes. Any SCP will need to reflect updates to the risk assessment when there are fundamental changes to a company’s operating model.

5. Component 3: Internal Controls

The ‘Internal Controls’ of an effective compliance program do the real work of putting the SCP’s overarching policy into practice. They are the practical mechanics, the business rules that govern every transaction as a matter of routine. A written policy or operating procedure exists to be carried out by someone, some group or some department; the rules that are actually followed, day to day, are the internal controls.

A successful Internal Controls framework consists of several key elements:

Written Policies and Procedures

There must be clear policies on the screening of individuals and companies and on the actions taken as a result of the screening. Take the SCP’s vendor screening policy: if the policy requires vendors to be screened weekly and they are, the company cannot claim it was unaware of sanctions on any individual on a vendor’s staff. If, on the other hand, the policy requires weekly screening but the program actually screens vendors only monthly, OFAC would consider this a failure of the program’s internal controls.

Screening Systems: The Role of Technology

Screening for sanctions on an ongoing basis is now largely an automated process using high-performance compliance screening software such as Sanction Scanner. This needs to be fully integrated with the vendor onboarding process and also into the payment/transaction process so that a hit is identified before the payment is actually made. Fuzzy matching and alias detection are critical components of such screening software so that a sanctioned person cannot attempt to circumvent the sanctions by changing a vowel in their name for example.

Escalation Workflows

Internal controls for screening also need an escalation workflow component that sets out what happens after a potential match is identified: who reviews the results, what documentation is needed to clear a false positive, and what the compliance officer must do in the case of a true match. To avoid the ‘bottleneck effect’ (where a single individual ends up approving or rejecting every flagged transaction), these decisions should be distributed among individuals with the relevant qualifications.

Blocked and Rejected Reporting

When you determine that a party is sanctioned, U.S. law requires that the asset be blocked immediately and reported to OFAC within 10 business days (or, where the applicable program calls for it, that the transaction be rejected and reported). OFAC treats a failure to report when you were required to block assets as a violation in its own right, in addition to any violation for dealing with a listed party.

Recordkeeping (The 5-Year Rule)

A record of all compliance activity, including screening logs, due diligence files, etc. must be maintained for at least five years from the date of the record. This can include ‘meta-data’ of the screening software to prove that the software was actually operating on a particular date.

IT and Cybersecurity Controls

It is critical that an organization’s sanctions-related internal controls include adequate IT and cybersecurity controls that (i) protect its sanctions compliance information from unauthorized alteration and (ii) ensure that the most current Specially Designated Nationals (SDN) list is downloaded from OFAC’s website as needed, ideally in near real time as new sanctions are added.

6. Component 4: Testing and Auditing

A compliance program that appears to function effectively but ultimately fails, providing a false sense of security, is worse than having no compliance program in place at all.

An audit needs to be comprehensive, objective and carried out by an independent party or department. That can be internal auditors or external compliance consultants, using different methodologies to test the SCP. A key aspect to test is the accuracy of the SCP’s screening processes, followed by the accuracy of the whole compliance process (manual and/or computer-aided).

  • Screening Accuracy (The "Bypass" Test): The testing component of the audit must review the screening process using ‘test data’ (for example, a list of SDNs, or the names and locations of sanctioned cities) and verify that the automated screening system detects every known Sanctioned Party in the test data. When the ‘test data’ includes altered names (e.g. “Ibrahim” versus “Abeeram” – notice the change of a vowel) or aliases (e.g. “David O’Brien” versus “David OBrien” or “Mr. O’Brien”), the screening system should still flag the name as a match to a Sanctioned Person. If the system fails to find a Person in the test data, it is poor at finding non-exact matches, which creates a high risk of a Sanctioned Person bypassing the screening system.
  • The False Positive (FP) Rate: When a compliance program generates too many false positives (i.e. flags individuals or entities that are not actually sanctioned), it creates a significant amount of work to verify whether the flagged parties are in fact sanctioned. The converse is also a risk: a very low number of false positives may mean the filters are too tight, so that entities of genuine risk are never flagged. To test for accurate screening, the tester must ensure that the FP rate is appropriate.
  • Review for Timeliness: In addition to testing the software, your audit should test the humans who run your SCP after the system has identified a potential match. How long does a Compliance Officer take to deal with a pending item after it is flagged? The Compliance Officer must document every step when processing an item (e.g. whether it is cleared or pending), and the time to process a hit must be reasonable; no item should be delayed indefinitely by one person.
  • Alignment with Risk Assessment: If your Risk Assessment (Component 2) identified "Middle Eastern trade finance" as a high-risk area, the audit must verify that specific controls were placed on those transactions and that they are being tested more rigorously than low-risk retail transactions.
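The fuzzy matching and alias detection described under Internal Controls, and the bypass test and false-positive rate discussed in this audit section, can be exercised against constructed test data. The following is an added example, not code from the article or from any screening vendor; the names in TEST_LIST, SHOULD_HIT and CLEAN are invented fixtures, and the similarity threshold, honorific and suffix lists are assumptions of this example.

```python
from __future__ import annotations

import re
import unicodedata
from difflib import SequenceMatcher

# Constructed stand-in for SDN entries used as audit test data (not real list data).
TEST_LIST = ["David O'Brien", "Ibrahim Al-Sayed", "Acme Trading LLC"]

HONORIFICS = {"mr", "mrs", "ms", "dr"}
ENTITY_SUFFIXES = {"llc", "ltd", "inc", "co", "corp", "company"}


def normalize(name: str) -> list[str]:
    """Lower-case, strip diacritics, punctuation, honorifics and corporate suffixes."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    s = s.replace("-", " ")                  # Al-Sayed -> al sayed
    s = re.sub(r"[^\w\s]", "", s)            # O'Brien -> obrien, Mr. -> mr
    return [t for t in s.split() if t not in HONORIFICS and t not in ENTITY_SUFFIXES]


def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a, b).ratio()


def is_match(query: str, listed: str, threshold: float) -> bool:
    """Hit if the whole normalized strings are similar enough, or if every token
    of the query has a near-identical token in the listed name (this is what
    catches a surname-only alias such as 'Mr. O'Brien' against 'David O'Brien')."""
    q, l = normalize(query), normalize(listed)
    if not q or not l:
        return False
    if similarity(" ".join(q), " ".join(l)) >= threshold:
        return True
    return all(any(similarity(t, u) >= threshold for u in l) for t in q)


def screen(query: str, sanctions_list, threshold: float = 0.8) -> list[str]:
    """Return the listed names the query should be escalated against."""
    return [name for name in sanctions_list if is_match(query, name, threshold)]


# Audit fixtures (constructed): variants that must hit, and clean names that must not.
SHOULD_HIT = {
    "David OBrien": "David O'Brien",         # apostrophe dropped
    "Mr. O'Brien": "David O'Brien",          # honorific, surname only
    "Dávid O'Brien": "David O'Brien",        # diacritic
    "Ibrahem Al Sayed": "Ibrahim Al-Sayed",  # vowel change, hyphen dropped
    "ACME Trading Co": "Acme Trading LLC",   # case and corporate suffix changed
}
CLEAN = ["John Smith", "David Brown", "Acme Consulting Inc"]


def audit(threshold: float) -> tuple[float, float]:
    """(detection rate over SHOULD_HIT, false-positive rate over CLEAN) at a threshold."""
    detected = sum(
        expected in screen(variant, TEST_LIST, threshold)
        for variant, expected in SHOULD_HIT.items()
    )
    false_pos = sum(bool(screen(name, TEST_LIST, threshold)) for name in CLEAN)
    return detected / len(SHOULD_HIT), false_pos / len(CLEAN)


if __name__ == "__main__":
    # Tight filters miss the vowel-changed name; loose filters flag a clean customer.
    for th in (0.95, 0.8, 0.7):
        det, fp = audit(th)
        print(f"threshold {th:.2f}: detection {det:.0%}, false positives {fp:.0%}")
```

Sweeping the threshold reproduces the trade-off the FP Rate bullet describes: the tightest setting lets the vowel-changed name bypass screening, while the loosest one flags the unrelated "David Brown".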

7. Component 5: Training

The final pillar of a robust SCP is Training. Even the most advanced AI-driven screening systems can be bypassed by an employee who doesn't understand why compliance matters or how to spot a "red flag." OFAC emphasizes that training must be more than a generic "annual video."

An effective training program should offer different "learning paths" for various stakeholders:

  • General Staff: People need to know what sanctions are, how to handle an inquiry and why the SDN list is important. This is about creating a culture of compliance at the ground level.
  • Front-Line & Sales Teams: Training needs to cover the Red Flags to watch for. For example, a customer who is unusually secretive about who will use a product is a Red Flag, as is a customer who asks for a payment arrangement that makes no commercial sense.
  • Leadership and the Board: Training focused on "Strict Liability" and the personal and corporate consequences of a breach. Leadership needs to know the reason for the compliance budget.
  • Third-Party Partners: If you rely on agents or distributors in high-risk regions, your SCP should ideally extend some level of training or certification requirements to them to ensure they aren't inadvertently creating a nexus for a violation.

You need to keep a record of all your training sessions, including when they happened, who was there, and how well people did on their assessments. This is important because it shows OFAC that your team doesn't just know about sanctions, but they also know how to handle them properly.

8. How OFAC Evaluates Your SCP During Enforcement

When something goes wrong, OFAC doesn't just focus on the problem at hand - they take a closer look at the company as a whole. OFAC wants to know if your company has a good compliance program in place and if you're taking steps to fix any issues that have arisen. This is a key factor in determining the outcome of any violation.

If you have a robust SCP in place:

  • Penalty Reduction: A high-quality SCP can lead to a significant percentage reduction in the "base penalty" amount.
  • The "Egregious" Threshold: One of the most important binary choices OFAC makes is whether a case is "egregious" or "non-egregious." A robust SCP is often the deciding factor that keeps a case in the "non-egregious" category, where fines are dramatically lower.
  • Public vs. Private Action: In general, a robust SCP and self-report of a violation by a company could lead to the issue of a private Cautionary Letter by OFAC as opposed to a very public Civil Monetary Penalty which could cause severe reputational harm.

On the other hand, if OFAC finds your SCP to be either non-existent or woefully inadequate, it will likely be considered an aggravating factor subject to the upper end of the otherwise applicable statutory fine.

9. Common SCP Weaknesses That Lead to Enforcement

One-Time Screening Without Ongoing Monitoring

A lot of firms check a customer when they first sign up and then never look at them again. If a long-time client is sanctioned a year after you started working with them and you keep processing their money without knowing it, you are in violation. To stay out of trouble, companies need systems that watch for such changes: batch re-screening of the whole client base and continuous monitoring of existing client lists, so that any change in a customer’s status is caught and business with a newly sanctioned party stops. Sanction Scanner’s AI-driven risk intelligence platform FUSION’s ongoing monitoring feature does exactly this. Checking customers only at onboarding is not enough; companies need to monitor their customers continuously to stay compliant.

Inadequate Risk Assessment

Companies often get in trouble with OFAC for overlooking their connections to sanctioned countries. If your risk assessment doesn’t look closely at your supply chain and the other companies you work with, it’s not doing its job. You need to dig in and understand who you’re working with and where they operate, so that you are not inadvertently doing business with someone under sanctions.

Failing the "50% Rule" and UBO Verification

One big mistake companies make is taking their customers’ word for it. If a sanctioned person, or a group of sanctioned persons together, owns more than 50% of a company, that company is automatically sanctioned, even if it does not appear on any list. Failing to verify who really owns a company, using forensic data and verified databases, is a main reason companies are fined. Companies need to establish the ultimate beneficial owner rather than relying on what the customer says, because that is what prevents prohibited dealings and the fines that follow.
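The aggregation the 50% rule requires, across several blocked owners and through intermediate entities, is easy to get wrong when a check stops at names that appear on the list. The following is an added example, not code from the article; the entity names and percentages are constructed, and the threshold follows OFAC's published guidance, which applies at 50 percent or more in the aggregate.

```python
from __future__ import annotations

# Constructed ownership data with placeholder names; nothing here is a real
# SDN entry. Each value gives the direct holdings in the entity named by the key.
LISTED = {"SDN Alpha", "SDN Delta"}

OWNERSHIP: dict[str, dict[str, float]] = {
    "HoldCo B":   {"SDN Alpha": 50.0, "Minority Investor": 50.0},
    "TradeCo C":  {"HoldCo B": 30.0, "SDN Delta": 25.0, "Public Float": 45.0},
    "ShipCo D":   {"SDN Alpha": 40.0, "Private Owner": 60.0},
    # Wholly owned by an entity that is only 40% blocked-owned: not blocked by the
    # rule (stakes are not pro-rated), though OFAC's guidance still counsels caution.
    "SubCo E":    {"ShipCo D": 100.0},
    # Circular holding: F and G own each other.
    "Circular F": {"SDN Delta": 50.0, "Circular G": 50.0},
    "Circular G": {"Circular F": 100.0},
}

# OFAC's 50 Percent Rule guidance applies at 50 percent or more, in the aggregate.
THRESHOLD = 50.0


def direct_listed_stake(entity: str, listed: set[str], ownership) -> float:
    """The naive check many firms stop at: only stakes held by names on the list."""
    return sum(p for owner, p in ownership.get(entity, {}).items() if owner in listed)


def blocked_entities(listed: set[str], ownership, threshold: float = THRESHOLD) -> set[str]:
    """Entities blocked by the 50% rule, including indirect ownership.

    A stake held by an entity that is itself blocked counts in full. Iterating to
    a fixed point instead of recursing means circular holdings terminate and
    multi-level chains resolve regardless of the order entities are listed in."""
    blocked = set(listed)
    changed = True
    while changed:
        changed = False
        for entity, owners in ownership.items():
            if entity in blocked:
                continue
            stake = sum(p for owner, p in owners.items() if owner in blocked)
            if stake >= threshold:
                blocked.add(entity)
                changed = True
    return blocked


def blocked_stake(entity: str, listed: set[str], ownership,
                  threshold: float = THRESHOLD) -> float:
    """Aggregate percentage of `entity` held by blocked parties after propagation."""
    blocked = blocked_entities(listed, ownership, threshold)
    return sum(p for owner, p in ownership.get(entity, {}).items() if owner in blocked)


if __name__ == "__main__":
    blocked = blocked_entities(LISTED, OWNERSHIP)
    for entity in OWNERSHIP:
        print(f"{entity:11s} direct listed {direct_listed_stake(entity, LISTED, OWNERSHIP):5.1f}%"
              f"  aggregate blocked {blocked_stake(entity, LISTED, OWNERSHIP):5.1f}%"
              f"  {'BLOCKED' if entity in blocked else 'not blocked'}")
```

TradeCo C shows the gap: a list-only check sees 25% held by a listed person, while the aggregate with the blocked HoldCo B is 55%.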

Untested Escalations and "Human Error"

In several high-profile settlements in 2025, the breakdown didn't occur in the software, but in the escalation workflow. Automated systems often flag a "hit," but overworked or under-trained staff "clear" the alert as a false positive without sufficient investigation. Without a "Second-Level Review" or a documented rationale for every cleared hit, your program has a gaping hole that OFAC will inevitably find during an audit.

10. Building an SCP

Phase 1: Risk Assessment

Consider your level of risk before selecting software or drafting policies.

  • Audit your data: Start from the data you already hold. However superficial it may look, it is what tells you who your customers are and how you get paid.
  • Identify the Sanctions Nexus: Does your business operate in areas related to US-origin goods, US-person employees, or USD transactions? Understanding these connections is crucial for compliance.
  • Set the Risk Appetite: Define the bounds within which the organisation is prepared to operate and the jurisdictions or industries which are off limits.

Phase 2: Policies + Screening

Once the risks are identified, build the walls.

  • Draft the Manual: Create clear, written procedures for onboarding, transaction monitoring, and blocking assets.
  • Deploy Technology: Use a screening tool such as Sanction Scanner daily to protect your business. Configure the tool to the appropriate level of risk for your business, including “fuzzy matching” with looser thresholds for higher-risk countries, where a wider net is required.
  • Establish Controls: Put a clear “escalation chain” of contacts in place, with a nominated Compliance Officer, so that cyber incidents and data breaches affecting compliance data are managed.

Phase 3: Training + Testing

  • Launch Role-Specific Training: Kick off role-specific training for your sales and IT teams, so that each understands its role in detection and in protecting compliance data. Train your sales team on the “red flags,” and your IT team on the logging and monitoring tools that protect compliance systems.
  • Conduct "Alpha Testing": Before going live, run a handful of known SDN names through the system and confirm that each is correctly flagged.
  • Baseline Audit: Do a mini audit six months after implementation to catch emerging errors early.

Phase 4: The Evolution

We’re passing through the age of AI, and everything is happening quicker than ever before. Your SCP will have to keep up.

  • Annual Reviews: As a matter of policy, you should update your risk assessment every 12 months or on entry to any new markets.
  • Remediate Failings: While you're fixing the transaction from the "near-miss", make sure you remediate the failing policy as well.
  • Keeping Pace with the Regulatory Environment: Review OFAC guidance regularly and update your “Internal Controls” in light of recent developments.