E-Commerce Export Compliance: What Online Sellers Must Do
Shipping a product overseas through Shopify, Amazon, or your own storefront feels routine — until a government investigator knocks. U.S. export laws apply to every seller who ships internationally, regardless of how small the order or how consumer-grade the product looks. If you sell across borders without a compliance process, you are already exposed.
This guide explains exactly what e-commerce export compliance requires, which rules trigger screening obligations, and what a practical compliance workflow looks like for online sellers in 2026.
Why E-Commerce Sellers Have Export Compliance Obligations
Many online sellers assume export controls only apply to manufacturers of military hardware or sensitive technology. That assumption is wrong.
Export Administration Regulations (EAR), administered by the Bureau of Industry and Security (BIS), cover the vast majority of commercial goods sold online — electronics, software, industrial components, chemicals, and more. Even products classified as EAR99 (the lowest-control category) still carry restricted party screening obligations. You cannot ship an EAR99 item to someone on a U.S. denied party list without violating federal law.
OFAC sanctions programs add a second, independent layer. The Office of Foreign Assets Control administers over 30 active sanctions programs targeting countries including Russia, Iran, North Korea, and Cuba, as well as individuals and entities tied to terrorism, narcotics trafficking, and cyber operations. As of 2026, OFAC administers sanctions across these programs and maintains the Specially Designated Nationals (SDN) List — a database containing individuals, companies, and entities with whom U.S. persons are prohibited from transacting.
The compliance obligation follows the transaction, not the product. It does not matter what you sold. It matters who you sold it to.
The Regulatory Landscape in 2026
Enforcement has escalated sharply. In 2025, OFAC's civil penalties totaled approximately $265.7 million — including a single enforcement action exceeding $215 million. BIS brought 26 criminal cases and added more than 340 entities to the Entity List in 2024 alone, with enforcement continuing at that pace into 2026.
Two 2026 developments are directly relevant to online sellers:
OFAC's March 2026 "Sham Transactions and Sanctions Evasion" guidance confirmed that the 50 Percent Rule — which treats any entity owned 50% or more by a blocked person as itself blocked — is a floor, not a ceiling. OFAC now explicitly expects companies to look beyond legal ownership formalities to the underlying economic realities of a counterparty relationship. A buyer whose name does not appear on any list may still be a blocked entity if sanctioned parties own it.
The BIS Affiliates Rule, which would have extended Entity List restrictions to entities 50% or more owned by listed parties (mirroring OFAC's standard), was suspended for one year effective November 2025 through November 2026. It is expected to take effect in November 2026. Compliance teams should prepare for this expansion now.
OFAC also penalized a Florida school in February 2026 for receiving tuition payments, via third parties, from Mexican cartel-related sanctioned parties — explicitly warning that even organizations that consider themselves "predominantly domestic" face sanctions risk. Cross-border payments through third-party processors expose e-commerce sellers to the same logic.
What "Strict Liability" Means for Online Sellers
OFAC enforces most sanctions on a strict-liability basis. You can be held civilly liable even if you had no knowledge that a transaction was prohibited. There is no "I didn't know" defense for a civil penalty.
Civil penalties in 2026 can reach up to $377,700 per violation under IEEPA, or twice the transaction value — whichever is greater. A seller who processed 50 prohibited transactions with a sanctioned counterparty could theoretically face exposure in the tens of millions of dollars on deals that may have been worth a few thousand each.
Recent 2026 enforcement actions have resulted in penalties ranging from $1.1 million to $3.77 million per case. The $3.77 million individual penalty in February 2026 was exactly 10× the statutory IEEPA base amount — indicating OFAC found the circumstances egregious.
The SDN List is updated multiple times per week, sometimes daily. A buyer who was clean when you quoted them may be designated by the time you ship. Screening once at onboarding is not enough.
Which Parties Must You Screen?
Every party to a transaction — not just the end customer — needs to be checked against restricted party lists before the transaction closes. This includes:
- Buyers and end users — the person or entity receiving the goods
- Freight forwarders and logistics providers — they can trigger liability even if you are not the one moving the goods
- Payment processors and banks — particularly relevant for high-volume sellers routing through intermediaries
- Distributors and resellers — if you sell wholesale to a distributor who re-exports, the obligation applies to the entire chain
- New business partners at onboarding — and periodically throughout the relationship, since list status can change
Screening should happen before the order ships and before money changes hands. It should also recur periodically on existing customer accounts, because denied party list additions happen without warning and without publicity.
The OFAC 50 Percent Rule: Why Name Matching Is Not Enough
The SDN List contains over 12,000 individuals and entities. But OFAC does not list every blocked entity by name. Under the 50 Percent Rule, any entity owned 50% or more — directly, indirectly, or in the aggregate — by one or more blocked persons is automatically treated as blocked, even if it does not appear on the SDN List.
The aggregation element catches many compliance teams off guard: if two SDN-listed individuals each own 25% of a company, that company is blocked because their combined ownership reaches the 50% threshold. OFAC does not publish a separate list of these entities. It is the seller's responsibility to identify them.
For e-commerce sellers, the practical implication is significant. Buyers in high-risk jurisdictions — the UAE, Turkey, Central Asian republics, and others OFAC has specifically identified as transshipment hubs — may appear clean on a name search while being beneficially owned by blocked parties. OFAC's March 2026 guidance on sham transactions confirmed this: the 50% Rule is a floor, and enforcement will extend to situations where sanctioned persons control or benefit from transactions even without majority ownership.
This does not mean every e-commerce seller needs to conduct a full corporate ownership investigation on every retail customer. It does mean that for B2B orders, wholesale customers, and high-value transactions, ownership diligence beyond a name search is now an expected baseline.
A Practical Export Compliance Workflow for Online Sellers
Building an e-commerce export compliance program does not require a dedicated legal team. It requires a consistent process applied before every international transaction.
Step 1: Classify Your Products
Determine whether your products have an Export Control Classification Number (ECCN) or fall under EAR99. Even EAR99 products require restricted party screening. Products with specific ECCNs may require export licenses for certain destinations — check the Commerce Country Chart.
Step 2: Screen Every Party Before Each Transaction
Run the buyer, freight forwarder, and any known intermediaries against the U.S. Consolidated Screening List (CSL), which aggregates the major lists from BIS, the State Department, and OFAC. For B2B buyers and wholesale accounts, also screen known principals and beneficial owners.
The CSL is a reasonable starting point but has limitations — it does not include all 200+ U.S. restricted party lists, and it does not surface entities blocked solely under the OFAC 50 Percent Rule. A purpose-built screening tool that ingests and cross-references multiple lists is more defensible.
Step 3: Build an Audit Trail
Document every screening: who was screened, which lists were checked, the date of the screen, and how any potential matches were resolved. This record is your primary protection in an audit. BIS explicitly treats a demonstrated screening history as a "strong mitigating factor" in enforcement cases where a violation may have occurred. OFAC similarly weights documented compliance programs heavily in penalty calculations.
Screenings stored as screenshots in a shared folder do not constitute a compliance record. A timestamped, searchable audit trail that links each screening result to a specific transaction does.
Step 4: Know What to Do With a Hit
If a screening returns a potential match, do not ship and do not process payment. A potential match requires human review to determine whether the match is a true positive (same entity) or a false positive (similar name, different person). If confirmed as a true positive, halt the transaction, do not inform the counterparty, and consult legal counsel. Voluntary self-disclosure to OFAC, where appropriate, is a mitigating factor in enforcement.
Step 5: Rescreen Existing Customers Periodically
New designations are published continuously. A customer who cleared screening six months ago may be on a list today. Set a cadence — at minimum quarterly — for rescreening your active customer base against current lists.
The Record-Keeping Requirement
U.S. regulations require maintaining export-related records — including screening results — for five years from the date of export or the date of the relevant compliance transaction. These records must be readily accessible for government audits.
For e-commerce businesses processing hundreds or thousands of transactions per month, manual record-keeping quickly becomes unmanageable. This is where automated screening software with built-in audit logging provides material compliance value: every screening result is timestamped, stored, and retrievable by transaction, customer name, or date range.
The Baseline Is Non-Negotiable
Online sellers often discover export compliance obligations after a violation has already occurred. The enforcement record from 2025 and 2026 shows that regulators are not confining actions to large manufacturers and financial institutions — a Florida school, a securities platform, and logistics providers all received penalties this cycle.
The compliance floor for e-commerce export compliance in 2026 is straightforward: screen every international counterparty against U.S. denied party lists before the transaction clears, document the results, and repeat on a defined schedule. Everything above that baseline is risk management. Everything below it is exposure.
Screen your first name free — takes 10 seconds
Related: Restricted Party Screening: 2026 Guide
Related: OFAC Screening: The 2026 Guide for U.S. Exporters
Related: How to Screen Your Vendor List for Export Compliance