Vetting Against OFAC Sanctions Part 2


This is the second of two parts.  If you have not yet read Part 1, we recommend doing so before reading Part 2.

Review from Part 1

As a business, you are responsible for knowing who your customers are and whether or not they are on the OFAC  Sanctions list.  OFAC is the Office of Foreign Assets Control, and it maintains a list of individuals and businesses that are sanctioned by the United States government.  Sanctions can include anything from economic restrictions to a full travel ban.  If you do business with someone who is on the OFAC list, you could face heavy fines.  So it’s important to check your customers against the list regularly to avoid any run-ins with the law.

You don’t want to get caught doing business with a sanctioned entity because first of all, you don’t want to aid the enemy, but secondarily you don’t want to pay the hefty fines that might be levied against you.  How big are the fines you may ask?  We did a quick check of the fines levied in 2022.  The smallest fine we saw was over $45,000 and this was to a very small company with annual revenue of less than $150,000 per year!  Furthermore, this company was taking reasonable efforts to check its customers against prevailing lists but made some mistakes.  A fine resulted.

Who must comply with OFAC regulations?  According to the US Treasury, “all U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent resident aliens regardless of where they are located, all persons and entities within the United States, all U.S. incorporated entities and their foreign branches.”

This may be one of the best-kept secrets of the US government!  But if you ignore this requirement the fines can be astronomical.  If you do comply you may still get fined, but an honest effort gets you a big reduction in fines.  But they can still be very large.



You will Need a Sanctions Compliance Program (Continued)

In Part 1, we began the discussion on creating a Sanctions Compliance Program or SCP as it is generally referred to in OFAC documentation.  Part 1 covered:

  1. Senior Management Commitment
  2. Risk Assessment
  3. Internal Controls

In Part 2 we will continue this discussion with information about

  1. Testing Processes
  2. How you Periodically Train your Staff

We will also discuss the different types of violations, how fines are structured, and how you should respond to notices.

Testing Processes

The US Treasury strongly encourages the SCP to include a substantial audit element.  Consider that any manual process allows users to bypass manual controls.  It is therefore very beneficial to use transparent processes to perform as many of the Internal Controls as possible.  For example, if you have an accounting system in which you log all sales activity, and that system includes the identity of the customer, you should seriously consider using a service that will perform your sanctions searches for you.  The system should automatically record all the steps that it goes through in making a determination as to whether or not the customer is known to have sanctions or may potentially have sanctions.

The audit system should be able to provide you with all of the audit trail information that you will need to internally verify that the sale is valid and that your customer is sanctions-free.  On the other hand, if it turns out that there is a sanction that is discovered after the fact, then you will have the information that you need to supply to OFAC.  Such checks should provide you with an alert in real-time whether or not a match has been found during the sanctions check process of the internal controls.

If applying this level of automation is not possible, then it is strongly recommended that different staff members are responsible for the initial bookings and the auditing of such activity.  Every effort should be made to build as much division as possible between the sale in the primary system and the audit activity.  Senior management should be engaged in observing the records of both activities.  Senior management must be proactive if the total bookings from the sales activities do not match those in the audit system.  This should be a flag that sales may be getting through without being vetted against the sanctions list as expected.  Any disparities should be researched and the reasons for the disparities should be properly and clearly documented.

Whether you are fully automated or fully manual or anything in between, all procedures to book the sale, fulfill the sale, and accept and record payments should be fully documented.  The identities of all buyers should be clearly recorded.  As my old accounting professor used to say, consistency counts.  Once a process has been established, follow the same process each time.

Unfortunately, the risks that are the subject of this blog will change over time.  Your processes whether automated, manual,  or anything in between must be reviewed and changed as the risks change and evolve.  Your SCP should also include how these reviews are conducted.  These reviews should also be documented and filed for inspection when required.

The following text is from the US Treasury Department’s A Framework for OFAC Compliance Commitments and should be considered when writing your SCP:

“A comprehensive, independent, and objective testing or audit function within an SCP ensures that entities are aware of where and how their programs are performing and should be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment, as appropriate. Testing or audit, whether conducted on a specific element of a compliance program or at the enterprise-wide level, are important tools to ensure the program is working as designed and identify weaknesses and deficiencies within a compliance program.


  1. The organization commits to ensuring that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, resources, and authority within the organization.
  2. The organization commits to ensuring that it employs testing or audit procedures appropriate to the level and sophistication of its SCP and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of the organization’s OFAC-related risk assessment and internal controls.
  3. The organization ensures that, upon learning of a confirmed negative testing result or audit finding pertaining to its SCP, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated.”

We would add to item 3 that all weaknesses and how they are being remedied should also be documented and placed in a report.


OFAC recommends that training should be provided to all employees that take an active role in selling to, collecting from, and accounting for funds transacted between your company and your customer base.  At a minimum, training should be conducted annually.  But holding training whenever there is a turnover or additional employees are brought in makes sense.

The training program should provide training that is specific to each employee’s assignments.  Each employee should be taught not only how to do their respective jobs but also the reasons for the training.

Senior management should conduct annual interviews with each employee with a role in preventing OFAC infractions.  We would further suggest that each employee should be familiar with the SCP document.

The following text is from the US Treasury Department’s A Framework for OFAC Compliance Commitments and should be considered when writing your SCP:

“An effective training program is an integral component of a successful SCP.  The training program should be provided to all appropriate employees and personnel on a periodic basis (and at a minimum, annually) and generally should accomplish the following:

  • Provide job-specific knowledge based on need
  • Communicate the sanctions compliance responsibilities for each employee
  • Hold employees accountable for sanctions compliance training through assessments

An adequate training program, tailored to an entity’s risk profile and all appropriate employees and stakeholders, is critical to the success of an SCP.


  1. The organization commits to ensuring that its OFAC-related training program provides adequate information and instruction to employees and, as appropriate, stakeholders (for example, clients, suppliers, business partners, and counterparties) in order to support the organization’s OFAC compliance efforts. Such training should be further tailored to high-risk employees within the organization.
  2. The organization commits to providing OFAC-related training with a scope that is appropriate for the products and services it offers; the customers, clients, and partner relationships it maintains; and the geographic regions in which it operates.
  3. The organization commits to providing OFAC-related training with a frequency that is appropriate based on its OFAC risk assessment and risk profile.
  4. The organization commits to ensuring that, upon learning of a confirmed negative testing result or audit finding, or other deficiency pertaining to its SCP, it will take immediate and effective action to provide training to or other corrective action with respect to relevant personnel.
  5. The organization’s training program includes easily accessible resources and materials that are available to all applicable personnel.”

OFAC Responses to Suspected Violations

In OFAC vernacular, an individual or business that is suspected of committing a violation is known as the “subject.”

The penalties imposed by the US Treasury Department are a very serious matter.  The base amounts of the penalties are based on formulas, but the amounts can go up or down based on how well the company tried to do the right things and how well they documented their procedures, and how well they documented each transaction.  The willingness of the potentially penalized company goes a long way in affecting the final penalty.

These are some of the types of responses that the US Treasury might have when a company is suspected of having a violation:

  1. No Action: No action may be taken when OFAC determines that there is insufficient evidence that a violation has occurred.
  2. Request Additional Information: OFAC may request additional information when it needs more information to make a determination if a violation occurred. There are many different ways that this may occur.  For example, OFAC may issue an Administrative Subpoena.
  3. Cautionary Letter: OFAC may issue a cautionary letter if it has insufficient information to conclude that a violation has occurred but believes that the subject is likely to have committed a violation if it continues on its present track.  This is considered a “final enforcement response” unless the subject continues without heeding OFAC’s warning.
  4. Finding of Violation: OFAC determines that a violation has occurred but has also determined that a financial penalty is not appropriate.  The subject needs to make changes in its conduct because a repeat of the violation will likely lead to a financial penalty.
  5. Civil Monetary Penalty: A Civil Monetary Penalty notice will be delivered to the subject if OFAC determines that a violation has occurred, and a monetary penalty is warranted.  The possible amounts of the penalty will be discussed below.
  6. Criminal Referral: OFAC may refer the subject to the appropriate law enforcement agency for criminal investigation and prosecution.  Civil penalties may also be levied against the subject.
  7. Other Administrative Actions: There are other administrative actions that may be taken.  These could include License Denials, Suspensions, Modifications, Revocations, and Cease and Desist Orders.

Penalty Amounts

The penalty amounts are a multifaceted topic.  An entire blog could be devoted to this topic.  This description is not exhaustive but serves only to describe what may be expected if a violation is suspected.

Non-Egregious Violations

A non-egregious violation is a violation where the subject did not intend to do anything wrong.  The violation may have been committed in ignorance, or maybe they attempted to do things according to policies, maybe they even had an SCP in place but still failed to prevent a violation from happening.  OFAC takes this into account and the penalties are much smaller than they would be otherwise.

If you are suspected of committing a violation but in fact did not, you can still receive a penalty in the amount of $25,542 if you have not done the necessary due diligence and have not implemented good record keeping that enables you to comply with OFAC requests.  If the transaction which results in a suspected violation exceeds $500,000, the penalty can be as high as $63,855.

Failure to comply with OFAC’s request for information can be construed as a continuing violation, and the penalties described above can be levied each month until the necessary information has been provided which will enable OFAC to bring their investigation to a conclusion.

If you discover that you have committed a violation and self-report, the penalties can be as high as one-half of the transaction amount up to $165,474.

If OFAC becomes aware of the violation by means other than your self-reporting, then the penalty shall be capped at $330,947 per penalty.

Egregious Violations

An egregious violation is a violation that has been committed in spite of the subject having knowledge of the OFAC policies.  Such cases are sometimes referred to as willful or reckless violations of law.  In those cases, the starting point for the calculations of the penalty will be twice that of a non-egregious violation penalty.

Penalty Amount Adjustments

OFAC will adjust penalty amounts based on what they refer to as “General Factors.”  The largest discounts on penalties occur when the subject self-reports.  In these cases and especially when the violation is a first violation OFAC may even elect to not levy a penalty.

If the subject complies with OFAC requests but did not self-report, the reductions in penalty amounts will likely be between 25% and 40%.

Pre-Penalty Notice

OFAC will send a Pre-Penalty Notice which will provide details of the believed violation and the proposed amount of the penalty.  This is the starting point of the amount of penalty.  In no case can the amount of penalty increase by more than 10%.  If OFAC finds more violations which will increase the amount of penalty, it will send a new Pre-Penalty Notice, and the clock leading to resolution restarts.


Either the subject or OFAC may initiate settlement discussions once the investigations have concluded, and the subject has submitted all the facts that affect the findings of the violation(s).


The subject of sanctions and penalties levied by violating sanctions is a highly complex topic.  Protecting against being on the wrong side of an investigation involves a dedicated effort by senior management, lawyers, and accountants.  Sanctions have been talked about a lot in the news these days but very little gets said about sanctions violations and what happens to businesses that commit violations.  No matter your course of action, it is imperative that you are aware of your customer base and how well you determine if any of your customers are subject to any of the prevailing sanctions.

Please contact us if you would like to know more about vetting your customers against the many sanction lists published by OFAC.
