Learn more about the latest security and privacy threats
Back

OFAC check

Updated June 3, 2026

Table of contents
  • An OFAC check screens a person or entity against sanctions lists maintained by the US Office of Foreign Assets Control, above all the Specially Designated Nationals and Blocked Persons List.
  • Its purpose is to ensure a business does not transact with sanctioned parties, which is prohibited and enforced on a strict-liability basis.
  • An OFAC check is not only name matching: the 50 percent rule means an entity owned 50 percent or more by blocked persons is itself blocked, even if it never appears on a list.
  • Almost all US persons and businesses, and many non-US firms with US touchpoints, must comply, making screening a near-universal control.
  • Penalties for violations can be severe, and OFAC's strict-liability approach means a firm can be liable even without intent.
  • The main operational challenge is false positives, since common names generate many alerts that must be resolved without blocking legitimate customers or payments.

An OFAC check screens a customer, counterparty or transaction against the sanctions lists maintained by the US Office of Foreign Assets Control, principally the Specially Designated Nationals and Blocked Persons List, to ensure a business does not deal with sanctioned parties. Because OFAC sanctions apply on a strict-liability basis, screening is mandatory for US persons and many connected firms.

TL;DR

An OFAC check screens people, entities and transactions against US sanctions lists, principally the Specially Designated Nationals and Blocked Persons List, to make sure a business does not deal with sanctioned parties. It is more than name matching: under the 50 percent rule, an entity owned 50 percent or more by blocked persons is itself blocked even if unlisted, so ownership must be checked too. Compliance is near-universal for US persons and many non-US firms with US links, and OFAC applies strict liability, so a firm can be penalised even without intent. The practical challenge is resolving the false positives that common names generate.

What is an OFAC check?

An OFAC check is the act of screening a name, entity or transaction against the sanctions lists administered by the US Office of Foreign Assets Control to confirm the party is not sanctioned. If a match is confirmed, the business must generally block or reject the transaction and, in many cases, report it, because dealing with sanctioned parties is prohibited.

Sanctions screening of this kind is a foundational financial-crime control, performed at onboarding and continuously throughout a relationship, and on payments as they are processed. It sits alongside identity verification and other checks in a compliance programme, but it answers a distinct question: not who is this customer, but is this party someone we are legally forbidden to deal with. Because the consequences of getting it wrong are severe, such screening is treated as a hard control rather than a discretionary one, and it connects directly to the firm's broader sanctions screening and AML compliance processes.

What is OFAC and the SDN List?

OFAC, the Office of Foreign Assets Control, is part of the US Treasury and administers and enforces US economic and trade sanctions against targeted countries, regimes, terrorists, traffickers and others. It is the body whose lists most sanctions screening is built around, and its programmes can target entire jurisdictions or specific named parties.

The most prominent list is the Specially Designated Nationals and Blocked Persons List, the SDN List, which names individuals and entities whose assets are blocked and with whom US persons are generally prohibited from dealing. OFAC also maintains other lists for specific programmes, such as sectoral or non-SDN lists, so a thorough OFAC check considers more than the SDN List alone. The lists change frequently as designations are added and removed, which is why screening must be continuous and run against current data rather than a stale snapshot.

How does an OFAC check work?

At its core, the check compares the details of a customer, counterparty or transaction against the names and identifiers on OFAC's lists. Because exact spelling rarely lines up, screening uses fuzzy matching to catch variations, transliterations and aliases, then surfaces potential matches for review. A human typically assesses each alert to decide whether it is a true match or a false positive.

A robust check goes beyond a single screen at onboarding. It screens customers continuously, because designations change, and it screens transactions in real time, because a payment may involve a sanctioned party even when the customer is clear. It also considers context such as date of birth, nationality and known identifiers to distinguish a genuine match from a coincidental name overlap. And, as the next section explains, it must look through ownership structures, not just at the named party, which means an OFAC check is increasingly intertwined with beneficial ownership analysis.

What is the OFAC 50 percent rule?

The 50 percent rule is one of the most important and most overlooked aspects of sanctions compliance. Under it, any entity that is owned 50 percent or more, directly or indirectly, in aggregate, by one or more blocked persons is itself considered blocked, even though it does not appear on the SDN List by name. The block flows down through ownership.

The practical consequence is that name screening alone is not enough. A company can be perfectly clean on the list yet still be off-limits because a sanctioned party, or several together, own a majority of it through one or more intermediate entities. Complying with the rule therefore requires ownership due diligence: understanding who ultimately owns and controls a counterparty, and aggregating the stakes of blocked persons across the structure. This is why a thorough this screening connects to beneficial-ownership resolution and is a recurring theme in enhanced due diligence, particularly for complex corporate customers.

Who must perform an OFAC check?

OFAC sanctions apply broadly. All US persons, including US citizens and permanent residents wherever located, entities organised under US law and their foreign branches, and anyone physically in the US, must comply, which in practice means virtually every US business that handles payments or onboards customers performs sanctions screening. Many non-US firms also screen, because transactions touching the US financial system, US dollars or US persons can bring them within scope.

The breadth is the point: sanctions are designed to deny prohibited parties access to the financial system, so the obligation reaches across banks, payment firms, fintechs, crypto platforms, insurers, exporters and many others. For any business onboarding customers or moving money, an OFAC check is part of the baseline, integrated into KYC software and payment flows rather than treated as an optional extra.

What are the penalties for OFAC violations?

Penalties for sanctions violations can be severe, and the most important feature is that OFAC enforces civil violations on a strict-liability basis. That means a business can be held liable even if it did not know, and did not intend, that a transaction involved a sanctioned party. Lack of intent is not a defence to a civil penalty, although it can affect the size of any penalty.

Civil penalties can be substantial, calculated per violation and, in many cases, tied to the value of the transactions involved, and serious or wilful violations can also carry criminal liability. Beyond the direct penalty, enforcement actions bring reputational damage and remediation costs. OFAC's published enforcement guidelines reward firms that maintain a risk-based sanctions compliance programme, so demonstrable controls, screening, escalation procedures and documented decisions, both reduce the chance of a violation and mitigate penalties if one occurs. The strict-liability standard is precisely why screening is treated as a hard control.

How do firms reduce OFAC false positives?

The defining operational challenge of sanctions screening is false positives. Because matching must be broad enough to catch aliases and spelling variations, it inevitably flags many customers and payments that are not actually sanctioned, especially where names are common. Each alert must be reviewed, and excessive false positives slow payments, frustrate customers and consume analyst capacity.

Reducing them without weakening the control is a discipline in itself, covered in depth in our guide to sanctions screening false positives. The levers include better-quality reference and customer data, smarter matching that uses identifiers such as date of birth and nationality to discount coincidental matches, and well-designed workflows that let analysts clear genuine non-matches quickly while escalating real concerns. Continuous, perpetual KYC and clean identity data feed directly into screening accuracy, because the more reliable the information about a customer, the easier it is to separate a true match from noise.

The bottom line

An OFAC check is the control that keeps a business from dealing with sanctioned parties, screening customers, counterparties and transactions against OFAC's lists, above all the SDN List. Two features make it unforgiving: the 50 percent rule, which blocks entities majority-owned by sanctioned persons even when unlisted and forces ownership due diligence, and strict liability, which means a firm can be penalised without intent. That combination is why screening is a hard, continuous control rather than a one-off check, and why resolving false positives efficiently, with good data and smart matching, is the real day-to-day work of sanctions compliance.

Related resources

Cited sources

Frequently Asked Questions

An OFAC check is the process of screening a customer, counterparty or transaction against the sanctions lists maintained by the US Office of Foreign Assets Control, principally the Specially Designated Nationals and Blocked Persons List, to ensure a business does not deal with sanctioned parties. It is a mandatory control for US persons and many non-US firms.

The Specially Designated Nationals and Blocked Persons List is OFAC's main list of individuals and entities whose assets are blocked and with whom US persons are generally prohibited from dealing. It includes terrorists, traffickers and parties tied to sanctioned regimes, and it changes frequently as designations are added and removed.

The 50 percent rule provides that an entity owned 50 percent or more, directly or indirectly and in aggregate, by one or more blocked persons is itself blocked, even if it does not appear on the SDN List. It means name screening alone is insufficient and firms must check ownership structures.

Yes, for civil violations. A business can be held liable for dealing with a sanctioned party even without knowledge or intent. Lack of intent is not a defence to a civil penalty, though it can reduce the penalty amount. This is why sanctions screening is treated as a hard control.

All US persons, US-organised entities and their foreign branches, and anyone in the US must comply, so virtually every US business handling payments or onboarding customers screens. Many non-US firms also screen because transactions involving the US financial system, US dollars or US persons can bring them within scope.

A confirmed match generally requires the business to block or reject the transaction and, in many cases, report it to OFAC. Because matching is broad, a potential match must first be reviewed to confirm it is genuine rather than a false positive before any blocking action is taken.

KYC verifies who a customer is, while an OFAC check determines whether a party is sanctioned and therefore prohibited. They are complementary controls run together in onboarding: identity verification establishes identity, and sanctions screening checks that identity against prohibited-party lists.

Because matching must be broad enough to catch aliases, transliterations and spelling variations, it inevitably flags customers and payments that are not actually sanctioned, particularly where names are common. Each alert must be reviewed and resolved using identifiers and context to confirm or clear it.

Related products

Know Your Customer

Verify users seamlessly and securely

Verify users in 190+ countries with 99.8% document matching accuracy and reusable identity credentials that enable one-click onboarding for up to 70% higher completion rates.

Learn more →

Decentralized KYC

agents on a substrate where users own their identity

Decentralized KYC verifies users with AI agents on a substrate where customers own their credentials. Users reuse identities across platforms; you never become the honeypot.

Learn more →
Compliance without the data honeypot

Zyphe verifies identity without holding your customers' PII. See it in action.

Book a demo