OFAC Screening: 2026 Compliance Guide for U.S. Businesses
In February 2026, OFAC penalized a Florida school for accepting tuition payments routed through third parties from sanctioned individuals tied to Mexican cartels. The takeaway, in OFAC's own words to industry: even companies that consider themselves "predominantly domestic" have sanctions risk.
If a private school can land on the wrong side of an OFAC enforcement notice, so can almost any U.S. business that takes payments, ships goods, or onboards customers. OFAC screening is the front-line control that keeps you out of that notice. This guide explains what it is, who has to do it, and how to build a process that survives an audit in 2026.
What is OFAC screening?
OFAC screening is the process of checking the names of your customers, vendors, partners, and counterparties against sanctions lists administered by the U.S. Treasury's Office of Foreign Assets Control (OFAC) — most importantly, the Specially Designated Nationals and Blocked Persons (SDN) List.
OFAC administers and enforces economic and trade sanctions against targeted foreign countries, businesses, regimes, and individuals that the U.S. Government has designated as terrorists, narcotics traffickers, or those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. U.S. citizens, permanent residents and protected individuals are generally prohibited from doing business with, including providing services to, individuals, entities or countries on this Specially Designated National (SDN) List without a specific license.
Unlike the BIS Entity List (which is export-focused) or the State Department's debarred parties list (defense-focused), OFAC sanctions reach almost every kind of transaction — wire transfers, tuition payments, SaaS subscriptions, real estate closings, and supply contracts.
Who has to do OFAC screening?
Short answer: every U.S. person and every entity owned or controlled by a U.S. person. That includes:
- Banks, fintechs, and payment processors
- Importers and exporters
- SaaS and e-commerce companies with international customers
- Manufacturers and distributors
- Investment advisers, private equity firms, and venture funds
- Law firms, accounting firms, and corporate service providers
- Universities and research institutions
- Any business that takes payments from foreign nationals
OFAC has been explicit about widening its enforcement net. In 2026, OFAC will intensify its enforcement crackdown on gatekeepers – professional service providers such as investment advisors, accountants, attorneys and providers of trust and corporate services – who fail to properly understand and mitigate sanctions risks associated with their provision of services. In 2025, numerous enforcement actions highlighted the risks of transacting with entities whose structures obscured a blocked person's interest – a term that OFAC defines broadly – and OFAC repeatedly emphasized that gatekeepers must undertake robust diligence that looks beyond mere corporate formalities. OFAC enforcement actions targeted players in the private equity, venture capital, real estate and legal markets – a focus that will continue in the year ahead.
The penalties for skipping OFAC screening
OFAC penalties are calculated per transaction, not per relationship. That math gets ugly fast.
OFAC violation penalties in 2026 can reach up to $377,700 per civil violation under IEEPA (or twice the transaction value, whichever is greater), and up to $1 million per criminal violation plus 20 years imprisonment.
It is critical to understand that these penalties apply per transaction. A company that processed 100 prohibited transactions with a sanctioned counterpart could theoretically face up to $37.7 million in civil penalties under IEEPA alone. OFAC routinely aggregates violations across multiple transactions when calculating settlement amounts, which is why some enforcement actions reach into the hundreds of millions of dollars.
And OFAC operates on strict liability — you don't need to know the counterparty was sanctioned to be penalized. OFAC may impose civil penalties for sanctions violations on a strict liability basis.
What lists does OFAC screening cover?
The SDN List is the cornerstone, but "OFAC screening" in practice means checking several Treasury-administered lists:
| List | What it covers |
|---|---|
| SDN List | Specially Designated Nationals and blocked persons across all sanctions programs |
| Sectoral Sanctions Identifications (SSI) | Russian energy, finance, and defense entities subject to sector-specific restrictions |
| Non-SDN Menu-Based Sanctions (NS-MBS) | Targets subject to selective restrictions short of full blocking |
| Foreign Sanctions Evaders (FSE) | Persons who violated, attempted to violate, or facilitated sanctions evasion |
| Palestinian Legislative Council (NS-PLC) | Restricted political figures |
Most compliance teams screen against the U.S. Consolidated Screening List (CSL), which bundles OFAC's lists with BIS and State Department lists in one feed. That's a good baseline, but it isn't sufficient on its own.
The 50% Rule: why name matching isn't enough
OFAC's most important screening pitfall is the 50 Percent Rule. Sanctions extend automatically to entities that are owned 50% or more by one or more blocked persons — even if those subsidiaries never appear on any list.
A recent example: when OFAC sanctioned Russian oil giants Rosneft and Lukoil in late 2025, the designations rippled outward through their global subsidiaries. All entities owned 50 percent or more, directly or indirectly, by the sanctioned companies are also considered to be blocked, including a sprawling global network of international subsidiaries and assets. Concurrent with the designations of Rosneft and Lukoil, OFAC issued general licenses authorizing transactions ordinarily incident and necessary to the wind-down of activities involving the blocked entities, as well as for the contingent divestment of their non-Russian assets.
A name-only screen of a Lukoil subsidiary would return clean. The deal would still be a violation. Practical implication: OFAC screening must include beneficial ownership review, not just exact-name matching.
When to run OFAC screening
A single screen at customer onboarding is not enough. Sanctions designations happen weekly — sometimes daily. OFAC's Self Disclosure Portal provides a streamlined, secure method for submitting voluntary self-disclosures of potential violations of OFAC-administered sanctions programs, and the volume of new actions is heavy: in late April 2026 alone, OFAC published Iran-related Designations; Counter Terrorism and Iran-related Designation Update; Issuance of Iran-related General License · April 24, 2026 · Counter Terrorism, Counter Narcotics, and Cyber-related Designations · April 23, 2026 · Counter Terrorism Designations; Non-Proliferation Designations · April 21, 2026.
Run OFAC screening at four checkpoints, plus continuously between transactions:
- Account setup — before you spend sales effort on a prospect
- Order acceptance — list updates may have flagged the party since onboarding
- Pre-shipment or pre-service-delivery — last chance to stop a violation
- Pre-payment — banks, intermediaries, and beneficial owners all in scope
- Continuous rescreening — your customer book is checked against every list update
Recordkeeping: the OFAC 10-year rule
In 2024, OFAC extended its recordkeeping requirement from five years to ten. That change matters more than most companies realize.
Most U.S. export regulations require that you maintain these records of your screenings for at least five years, although recent updates to the OFAC regulations now set a minimum 10-year timeframe. Being able to provide a history of your denied party screenings, as well as all your other export compliance efforts, will help demonstrate you are doing your due diligence to maintain compliance.
If the Office of Export Enforcement, FBI, or OFAC's enforcement division requests documentation, you need to produce: who you screened, when, against which lists, what version of those lists, and what you did with any potential matches. A spreadsheet of names won't cut it.
What a defensible OFAC screening process looks like
Four ingredients separate compliant programs from at-risk ones:
- Coverage of every party in a transaction — buyer, end user, intermediate consignee, freight forwarder, bank, beneficial owners. Don't screen just the contracting entity.
- Fuzzy matching with documented review — sanctioned parties use aliases, transliterations, and spelling variants. Exact-match-only screening misses real hits.
- Audit trail with timestamps — every screen logged with who ran it, against which list version, and how matches were resolved.
- Continuous rescreening — automated re-checks of your customer book against every OFAC list update, with notifications when a previously-clean party is newly designated.
Documented screening is also OFAC's most heavily weighted mitigating factor. A robust, documented compliance program is one of OFAC's most heavily weighted mitigating factors — it can be the difference between a no-action determination and a multi-million dollar penalty.
Common OFAC screening mistakes
- Screening only at onboarding. A clean customer at sign-up can be designated next week.
- Ignoring the 50% Rule. Name-only screening misses subsidiaries of sanctioned parents.
- Not screening intermediaries. Banks, freight forwarders, and payment processors are part of the transaction.
- Treating matches as binary. A potential match needs documented review, not a yes/no decision.
- Letting screening drift to a manual spreadsheet. When an enforcement officer asks for proof, you need a system, not a folder of CSVs.
The Florida school case is instructive: the school wasn't shipping anything, didn't think of itself as an exporter, and almost certainly never ran OFAC screening on tuition payers. That's the new enforcement reality. If money or services flow through your business, OFAC screening is your problem.
Get OFAC screening right
ScreenShield runs every name against the OFAC SDN List, the rest of the Consolidated Screening List, and ownership-aware checks — with fuzzy matching for aliases and a 10-year audit trail built in by default.
Screen your first name free — takes 10 seconds
Related: How to Screen Against the Consolidated Screening List
Related: Cadence's $140M BIS Penalty: A Denied Party Screening Cautionary Tale