Sanctions Compliance
Money transmitters are not allowed to facilitate transactions involving sanctioned parties or sanctioned jurisdictions. This is a federal requirement, enforced by the Office of Foreign Assets Control (OFAC), which is part of the Treasury Department. Sanctions compliance is non-negotiable and carries severe penalties for violations.
I've watched companies face OFAC enforcement actions, and the consequences are severe. Fines in the tens of millions, trading halts, license revocation, reputational damage. A company that violates sanctions repeatedly gets labeled as a sanctions compliance risk. Once you have that label, it's difficult to get funding, difficult to get insurance, difficult to partner with banks. Sanctions compliance is existential.
Unlike transaction monitoring, which aims to detect potential money laundering, sanctions compliance is purely mechanical: is this party or transaction covered by sanctions? If yes, stop it. If no, proceed. There's less judgment involved, but the execution must be perfect.
OFAC and the SDN List
OFAC administers several sanctions programs. The most commonly encountered is the Specially Designated Nationals (SDN) list, a list of individuals, companies, and other entities deemed to be supporting terrorism, drug trafficking, or other activities harmful to US national security.
The SDN list includes thousands of names. It includes known terrorists, drug traffickers, members of terrorist organizations, companies owned by sanctioned individuals, and foreign government officials in countries that are subject to sanctions.
When you receive a transaction, OFAC requires that you screen the transaction against the SDN list. You must check:
- The name of the person or company sending the money
- The name of the person or company receiving the money
- The name of any intermediary or beneficial owner involved in the transaction
If any of those parties matches a name on the SDN list, OFAC prohibits you from processing the transaction. If you process it anyway, you're violating sanctions.
Beyond the SDN list, OFAC administers country-based sanctions programs. Some countries are subject to comprehensive sanctions (Iran, North Korea, Syria, Cuba). You cannot send money to anyone in those countries, regardless of whether they're on the SDN list. Some countries are subject to partial sanctions (Russia, certain entities in Crimea). You can send money to those countries, but only if the transaction doesn't involve sanctioned parties.
The SDN list is updated regularly—new names are added, names are removed, aliases are added. Your screening system must use the current SDN list. If your system is using an SDN list from six months ago, you might miss a recently sanctioned party.
Who Must Screen and When
Every money transmitter must screen:
- Every customer at account opening (to ensure the customer isn't sanctioned)
- Every transaction (to ensure sender, recipient, and intermediaries aren't sanctioned)
- Every agent (if you use agents to accept customer transactions)
- Every payee (any party receiving funds from your customers)
Screening is mandatory for every transaction, regardless of size. There's no de minimis exception—even $10 transactions must be screened.
The screening occurs at the point of transaction initiation. A customer initiates a transaction. The transaction data (sender, recipient, amount, purpose) is screened against OFAC lists. If there's no match, the transaction is approved. If there's a match, the transaction is blocked.
Real-Time Screening vs. Batch Screening
Screening can be done in real-time or in batch.
Real-time screening occurs as the transaction is being processed. The customer provides the transaction details. The system screens the details against OFAC lists. If clear, the transaction proceeds. If there's a hit, the transaction is blocked or referred for investigation. Real-time screening is immediate and prevents prohibited transactions from being processed.
Batch screening occurs after transactions have been processed. At the end of a day or week, the transaction file is screened against updated OFAC lists. If there are hits, the company investigates and potentially reverses the transaction. Batch screening catches transactions that might have been cleared at the time of processing but have since become sanctioned.
Both are required. Real-time screening prevents most violations. Batch screening catches transactions where new sanctions were imposed after the transaction was processed.
A company screening only in real-time might process a transaction that was clear at that moment but becomes sanctioned hours later when OFAC updates the list. If the company doesn't do batch screening, it won't catch that transaction.
I recommend using both. Implement real-time screening for transaction approval. Implement batch screening daily or at minimum weekly against updated OFAC lists.
Fuzzy Matching and False Positives
One of the challenges with OFAC screening is false positives. The SDN list includes names like "Ahmed Hassan" or "Mohammad Ahmed." When a legitimate customer named Ahmed Hassan wants to send money, the screening system flags them as a potential OFAC match.
This is "fuzzy matching"—the screening system doesn't require an exact match; it flags potential matches based on name similarity. Fuzzy matching is necessary because people's names can be spelled multiple ways, transliterated differently from other languages, or include variations (full name vs. nickname). But fuzzy matching also creates false positives.
Handling false positives requires a process:
1. The screening system flags a match
2. The compliance team reviews the match and gathers information about the customer
3. The team compares the customer's information (name, date of birth, location, occupation) to the SDN match
4. If the information is clearly different, the match is resolved as a false positive and the transaction is approved
5. If the information is similar, the transaction is escalated for further investigation or blocked
The challenge is that for a customer named Ahmed Hassan, the false positive rate can be very high. In a busy transaction flow, resolving each false positive takes time. Some operators implement whitelisting—once a customer has been verified as not matching a sanctioned party, that customer is added to a whitelist and doesn't generate false positive matches on future transactions. This is efficient but requires care: the whitelist must be maintained and validated periodically.
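The following sketch is an added example, not code from the original chapter. It shows fuzzy name screening, a whitelist of cleared false positives that lapses when the listing it was cleared against changes, and the daily batch re-screen of already processed transactions described in the previous section. The list entries are constructed sample data, and the field names, the 0.85 threshold, and the use of Python's difflib ratio in place of a commercial matching engine are assumptions.

```python
import difflib
import hashlib
import unicodedata

# Constructed sample data; these are not real SDN entries.
LIST_DAY1 = [{"uid": "E1", "name": "Ahmed Al-Hassan", "dob": "1970-03-12", "aliases": []}]
LIST_DAY2 = [{"uid": "E1", "name": "Ahmed Al-Hassan", "dob": "1970-03-12",
              "aliases": ["A. Hasan"]},
             {"uid": "E2", "name": "Viktor Petrov", "dob": "1965-11-02", "aliases": []}]

def normalize(name):
    """Fold accents, case, punctuation and token order before comparing."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = "".join(c if c.isalnum() else " " for c in folded.lower())
    return " ".join(sorted(cleaned.split()))

def fingerprint(entry):
    """Hash of the entry's identifying fields; changes when the listing changes."""
    raw = "|".join([entry["name"], entry["dob"], *sorted(entry["aliases"])])
    return hashlib.sha256(raw.encode()).hexdigest()

def screen(name, entries, threshold=0.85):
    """Return entries whose name or any alias is similar enough to need review."""
    target = normalize(name)
    hits = []
    for entry in entries:
        names = [entry["name"], *entry["aliases"]]
        score = max(difflib.SequenceMatcher(None, target, normalize(n)).ratio()
                    for n in names)
        if score >= threshold:  # assumed cut-off, tune against your own data
            hits.append(entry)
    return hits

def open_hits(customer, entries, cleared):
    """Hits not covered by a prior false-positive decision on the same listing."""
    return [e for e in screen(customer["name"], entries)
            if (customer["id"], e["uid"], fingerprint(e)) not in cleared]

def batch_rescreen(processed, entries, cleared):
    """Re-check already processed transactions against the current list."""
    flagged = {}
    for txn in processed:
        for party in (txn["sender"], txn["recipient"]):
            hits = open_hits(party, entries, cleared)
            if hits:
                flagged.setdefault(txn["id"], []).extend(h["uid"] for h in hits)
    return flagged
```

Keying each whitelist entry to a fingerprint of the listing means a cleared customer is reviewed again as soon as that listing gains an alias or other identifying detail, instead of staying cleared indefinitely.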
Screening Customers, Beneficiaries, and Intermediaries
Most money transmitters screen customers (the person sending money) and direct beneficiaries (the person receiving money). But OFAC also requires screening of intermediaries and beneficial owners.
An intermediary is a party involved in the transaction chain but not the direct customer or beneficiary. If customer A sends money to money transmitter B, which sends the money to correspondent bank C, which delivers it to recipient D, then correspondent bank C is an intermediary. OFAC rules require screening of intermediaries if they're identified.
In practice, most money transmitters don't screen intermediaries because intermediaries aren't identified in the transaction data. But if an intermediary is known (the transaction is being routed through a specific correspondent bank, for example), that intermediary should be screened.
Beneficial owners are the ultimate owners of an account or company. If a company opens an account and a sanctioned individual is a beneficial owner, the account should be blocked even if the company itself isn't sanctioned. Screening beneficial owners requires information about company ownership, which is part of customer due diligence (covered in Chapter 14).
Country-Based Restrictions and Embargoes
Beyond OFAC's SDN list, certain countries are subject to comprehensive sanctions that prohibit almost all transactions.
Currently, the countries subject to comprehensive sanctions programs include:
- Iran (no transactions)
- North Korea (no transactions)
- Syria (limited exceptions)
- Cuba (limited exceptions)
Some countries have partial sanctions (Russia, certain entities in Ukraine). You can transact with entities in those countries, but only if the entities aren't sanctioned and the transaction doesn't involve sanctioned products or services.
Your transaction monitoring should include country-based rules: block all transactions to comprehensive sanctions countries, and apply additional scrutiny to partial sanctions countries.
A company that processes a transaction to Iran violates sanctions, regardless of whether the parties involved are on the SDN list. The violation is automatic.
What to Do When You Get a Hit
When your screening system flags a match (either to the SDN list or to country-based restrictions), a process needs to be followed.
First, verify that the match is accurate. Review the flagged name against the SDN list. Determine whether the customer is actually the sanctioned party or whether the hit is a false positive. For a fuzzy match (Ahmed Hassan vs. Ahmed Al-Hassan), you need to determine whether this is actually the same person.
If it's a clear match and the customer is the sanctioned party:
- Block the transaction immediately
- Do not process any funds
- Freeze any existing customer accounts
- Do not inform the customer that they're under sanction (this is called "tipping off" and is prohibited)
If the customer disputes the match and claims they're not the sanctioned party:
- Gather additional information about the customer (date of birth, occupation, location, etc.)
- Compare to the SDN listing
- If clearly different, clear the match
- If still unclear, you have the option to refer to OFAC for guidance, but most operators either block or seek guidance based on the severity of the match
All OFAC hits must be documented. You must maintain records of:
- The transaction that triggered the hit
- The SDN match (which party, what name matched)
- The investigation conducted
- The resolution (match resolved, transaction blocked, referred to OFAC)
- The date and person responsible
If a match is resolved (determined to be a false positive), the documentation must explain why the match was not a violation.
OFAC Licensing (Specific OFAC Licenses, Not MTL)
OFAC issues licenses that authorize specific transactions otherwise prohibited by sanctions. These are different from money transmitter licenses.
For example, if a company operates in Iran, most transactions are prohibited. But OFAC can issue a license authorizing specific transactions (humanitarian aid, food purchases, etc.). The license is narrowly tailored to the specific transactions authorized.
A money transmitter rarely needs an OFAC license because the business model doesn't inherently require transactions with sanctioned countries. But if a money transmitter wants to facilitate transactions with Iran (for humanitarian purposes, for example), it would need an OFAC license.
OFAC licenses are applied for directly with OFAC, not through the state licensing process. The application requires detailed information about the proposed transactions, the business purpose, and how the company will comply with restrictions.
Most money transmitters don't pursue OFAC licenses because the regulatory burden is heavy and the business case is weak. It's easier to simply avoid sanctioned jurisdictions.
Record Retention for Sanctions Screening
You must retain records of all sanctions screening. Specifically:
- The transaction data screened
- The screening results (match or no match)
- For matches, the investigation conducted and resolution
- For blocks, documentation of the blocked transaction and the reason
Records must be retained for at least five years.
During examination, regulators will review your sanctions screening records. They'll verify that:
- You screened all transactions
- Screening was conducted against current SDN lists
- Hits were investigated appropriately
- Blocks were documented and justified
- No prohibited transactions were processed
Common Mistakes That Lead to Enforcement
OFAC enforcement actions result from specific violations. The most common include:
Processing transactions with sanctioned parties: A transaction is processed that should have been blocked. This is the most basic violation and indicates a failure in screening.
Using outdated SDN lists: The company screened against an SDN list that was weeks or months old. A newly sanctioned party was not on the list at the time, so the transaction wasn't blocked.
Inadequate investigation of hits: The screening system flagged a match, but the company didn't investigate or investigated superficially. The match was actually accurate, but the transaction was processed.
Incomplete screening: The company screened the direct sender and recipient but not intermediaries or beneficial owners. A sanctioned intermediary was involved in the transaction.
Inadequate documentation: The company processed or blocked transactions but didn't document the screening or investigation. There's no record to show that screening occurred.
Willful blindness: The company knew or should have known that a transaction was problematic but processed it anyway. This can result in criminal charges, not just civil fines.
I worked with a company that processed multiple transactions to Iran, a comprehensive sanctions country. The company's owner claimed he didn't realize Iran was subject to sanctions. That's not a defense. The company should have had basic knowledge of comprehensive sanctions programs. The company faced a multi-million-dollar fine.
OFAC requires screening of all parties involved in transactions (customers, recipients, intermediaries, beneficial owners) against the SDN list and country-based sanctions programs. Screening must occur in real-time and again in batch on updated lists to catch newly sanctioned parties. Hits must be investigated thoroughly to distinguish actual matches from false positives. All screening activities and investigations must be documented. OFAC enforcement actions are severe and can result in criminal charges, so compliance must be meticulous and documented.