
Sanctions Risk Assessment: OFAC Compliance Guide

Learn how to conduct a sanctions risk assessment for OFAC compliance. Covers sanctions program structure, risk factors, screening methodology, and regulatory expectations.

LexFlag Team Apr 8, 2026 8 min read

For Informational Purposes Only. The articles, guides, and analyses published on this blog are provided by the LexFlag team and guest contributors for educational and informational purposes. They do not constitute legal, regulatory, or professional advice.

AI-Generated Content. Some articles may be partially or fully generated or assisted by artificial intelligence. While we strive for accuracy, errors or outdated information may remain.

Independent Verification Required. You must independently verify any information obtained from this blog before making any decisions. LexFlag, its affiliates, and contributors accept no liability for any loss or damage arising from reliance on blog content.

What Is a Sanctions Risk Assessment?

A sanctions risk assessment evaluates your organization's exposure to transactions, relationships, or activities involving sanctioned countries, entities, and individuals. It determines how likely your operations are to encounter sanctions-related risks and whether your screening and compliance controls are adequate to prevent violations.

The Office of Foreign Assets Control (OFAC) administers and enforces U.S. economic and trade sanctions programs. Under the International Emergency Economic Powers Act, civil penalties can exceed $300,000 per violation (the statutory maximum is adjusted for inflation each year, and can instead be twice the value of the underlying transaction), and criminal penalties for willful violations reach $1 million and 20 years' imprisonment. OFAC has consistently emphasized that a risk-based sanctions compliance program, grounded in a thorough risk assessment, is the foundation of effective compliance. Civil liability under most OFAC programs is strict: financial institutions and other organizations can be penalized for an apparent violation regardless of intent or knowledge, although intent and knowledge do affect how severely OFAC responds.

OFAC's Framework for Sanctions Compliance

In May 2019, OFAC published "A Framework for OFAC Compliance Commitments," outlining five essential components of a sanctions compliance program (SCP):

  1. Management commitment — Senior management support, adequate resourcing, and organizational authority
  2. Risk assessment — Identification and analysis of sanctions-related risks
  3. Internal controls — Policies, procedures, and processes to manage identified risks
  4. Testing and auditing — Independent evaluation of SCP effectiveness
  5. Training — Sanctions awareness for all relevant personnel

The risk assessment is the analytical engine that drives the design and calibration of the other four components.

Sanctions Risk Factors

Customer and Counterparty Risk

  • Direct sanctions exposure — Do you have customers, counterparties, or beneficial owners on the Specially Designated Nationals and Blocked Persons (SDN) List or on another OFAC list?
  • Indirect exposure — Do your customers transact with sanctioned parties, or do they have ownership or control links to designated entities? Under OFAC's 50 Percent Rule, an entity owned 50 percent or more, directly or indirectly, by one or more blocked persons is itself blocked even though it appears on no list, so name screening alone does not find this exposure; beneficial ownership data does.
  • Geographic connections — Do customers operate in, have offices in, or frequently transact with comprehensively sanctioned countries and regions? As of this writing these are Cuba, Iran, North Korea, and the Crimea, Donetsk and Luhansk regions of Ukraine (Syria's comprehensive program was terminated in 2025); confirm the current set against OFAC's program list, since it changes.
  • Industry risk — Certain industries face elevated sanctions risk: energy, defense, financial services, maritime shipping, and technology sectors dealing with sanctioned jurisdictions

Product and Service Risk

Different products carry different sanctions risk profiles. The risk levels below are indicative starting points for an assessment, not a regulatory classification:

  • International wire transfers (high risk): direct transmission of funds potentially involving sanctioned parties or jurisdictions
  • Correspondent banking (high risk): processing transactions on behalf of other banks, some of which may have weaker sanctions controls
  • Trade finance (high risk): goods, vessels, and routing through sanctioned territories
  • Domestic retail banking (low to moderate risk): limited international exposure, but sanctions still apply to domestic transactions, since a blocked person can be a domestic customer
  • Lending (moderate risk): borrowers may have sanctioned connections; collateral may involve sanctioned assets
  • Digital assets (high risk): pseudonymous transactions, mixer services, and sanctions evasion typologies

Geographic Risk

Geographic risk assessment should consider:

  • Comprehensively sanctioned countries and regions — Cuba, Iran, North Korea, and the Crimea, Donetsk and Luhansk regions of Ukraine (Syria's comprehensive program was terminated in 2025; confirm the current set against OFAC's program list)
  • List-based and sectoral programs — Russia (sectoral restrictions plus extensive list-based designations), Venezuela (Government of Venezuela and list-based designations), Myanmar, and many others that target specific persons or sectors rather than a whole jurisdiction
  • Countries with elevated diversion risk — Jurisdictions commonly used to transship goods or reroute transactions to evade sanctions
  • Emerging sanctions — Monitor for new designations and program expansions under each sanctions regime (OFAC updates the SDN List frequently)

Transaction Risk

  • Volume and velocity — High-volume international transaction processing increases the probability of encountering sanctioned parties
  • Transaction complexity — Multi-leg transactions, intermediary banks, and trade finance chains create opacity
  • Currency and routing — Transactions routed through multiple jurisdictions, especially those with weaker sanctions enforcement
  • Payment message quality — Incomplete originator or beneficiary information hinders screening effectiveness

Conducting the Sanctions Risk Assessment

Step 1: Map Your Sanctions Universe

Identify every point in your operations where a sanctioned party, country, or transaction could intersect your business:

  • Customer onboarding and ongoing relationships
  • Payment processing (incoming, outgoing, pass-through)
  • Trade finance and letter of credit processing
  • Correspondent banking relationships
  • Investment and lending activities
  • Vendor and supplier relationships
  • Employee hiring and payments

Step 2: Identify Applicable Sanctions Programs

Determine which sanctions regimes apply to your organization:

  • OFAC programs — All U.S. persons, wherever located, must comply, and non-U.S. persons can be liable for causing a U.S. person to violate sanctions, for example by routing a prohibited U.S. dollar payment through a U.S. bank. The Cuba and Iran programs also reach foreign entities owned or controlled by U.S. persons.
  • EU sanctions — Applicable to EU persons and entities, and to business done in whole or in part within the EU
  • UN sanctions — Binding on member states and implemented through their national legislation
  • UK financial sanctions — Administered by the Office of Financial Sanctions Implementation (OFSI), part of HM Treasury, under the Sanctions and Anti-Money Laundering Act 2018
  • Other national programs — Australia, Canada, Switzerland, and others as applicable to your operations

Step 3: Assess Inherent Risk

For each sanctions risk factor, rate the inherent exposure, that is, the exposure before any controls are taken into account:

  • What is the volume of international transactions, particularly involving higher-risk geographies?
  • How complex are your customer and transaction structures?
  • What is the likelihood of encountering a sanctioned party given your customer base, product mix, and geographic footprint?
  • What would be the impact of a sanctions violation (financial penalties, reputational damage, loss of correspondent banking relationships)?

Rating each factor on a consistent likelihood and impact scale, and recording the rationale for each rating, makes the assessment repeatable year to year and gives auditors and examiners something concrete to test.

Step 4: Evaluate Your Screening Program

Assess the adequacy of your sanctions screening controls:

  • Coverage — Are all applicable transactions, customers, and counterparties screened against all relevant lists, and are non-name identifiers (dates of birth, passport and registration numbers, addresses, vessel IMO numbers, digital asset addresses) screened as well as names?
  • Technology — Does your screening system use fuzzy matching to catch name variants, transliterations, alternate spellings, and reordered name parts?
  • Timeliness — Are new SDN List updates loaded promptly? Is screening performed before transactions are processed, not only after?
  • Hit resolution — Are potential matches reviewed by qualified analysts with access to adequate information, and are clearance decisions consistent and documented?
  • Interdiction — Are true matches properly blocked (where the program requires blocking property) or rejected (where the transaction is prohibited but involves no blockable property), and reported to OFAC within the required 10 business days?
  • Record keeping — Are screening results, match dispositions, and blocking and reject reports documented and retained for the required period?

Step 5: Determine Residual Risk

Combine your inherent risk assessment with your control evaluation to determine residual risk. Areas where inherent risk is high and controls are inadequate represent your greatest exposure and should receive immediate attention.

Step 6: Develop and Implement Remediation Plans

Address identified gaps with specific, actionable plans:

  • Upgrade screening technology to improve matching accuracy
  • Expand list coverage to include all applicable sanctions programs
  • Enhance due diligence for higher-risk customer segments
  • Improve payment message quality through SWIFT standards compliance
  • Increase analyst training on sanctions red flags and evasion typologies
  • Establish escalation procedures for complex sanctions determinations

Sanctions Screening Best Practices

Screen early and often. Screen customers at onboarding, screen transactions before processing, and re-screen the entire customer base when sanctions lists are updated.

Calibrate matching thresholds carefully. A low similarity threshold (loose matching) generates excessive false positives that overwhelm analysts; a high threshold (strict matching) misses true matches such as transliterated or misspelled names. Tune in both directions: measure how many known true matches a candidate threshold would have missed, not only how many alerts it would save, and re-test whenever the list, the customer base, or the matching engine changes.
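The following is an added example, not code from the original article or from any screening vendor, illustrating the fuzzy-matching point in Step 4 above and the threshold trade-off just described. It normalizes names (case, diacritics, "SURNAME, GIVEN" order, legal-form and honorific tokens), scores them with a Jaro-Winkler similarity implemented inline, screens a handful of constructed customer names against a fictitious three-entry watchlist shaped like SDN entries (primary name plus a.k.a. aliases), and sweeps three thresholds so both failure modes are visible. The watchlist entries, customer names, noise-token list and thresholds are all constructed for the demonstration and are not real designations or recommended settings.

```python
"""Minimal fuzzy name-screening engine with a threshold sweep (constructed example)."""
from __future__ import annotations
import re
import unicodedata

# Fictitious watchlist in the shape of SDN entries: primary name plus a.k.a. aliases.
# Constructed data; none of these names refers to a real designated party.
WATCHLIST = [
    {"uid": 1001, "name": "Aleksandr Petrovich VOLKOV", "aka": ["VOLKOV, Aleksandr"]},
    {"uid": 1002, "name": "Northbridge Maritime Trading LLC", "aka": []},
    {"uid": 1003, "name": "Mohammed AL-RASHID", "aka": ["Muhammad Rashid"]},
]

# Tokens with little discriminating power: legal forms, honorifics, name particles.
# Dropping particles such as AL/EL improves recall on transliterated Arabic names
# but also drops a given name "Al"; this is a tuning decision, not a universal rule.
NOISE_TOKENS = {"LLC", "LTD", "LIMITED", "INC", "CORP", "CO", "COMPANY",
                "MR", "MRS", "MS", "DR", "AL", "EL", "BIN", "IBN"}


def normalize(name: str) -> list[str]:
    """Fold case and diacritics, reorder 'SURNAME, GIVEN', drop noise tokens."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).upper()
    if "," in s:                              # "VOLKOV, ALEKSANDR" -> "ALEKSANDR VOLKOV"
        last, given = s.split(",", 1)
        s = given + " " + last
    return [t for t in re.split(r"[^A-Z0-9]+", s) if t and t not in NOISE_TOKENS]


def jaro_winkler(a: str, b: str, prefix_scale: float = 0.1) -> float:
    """Jaro-Winkler similarity in [0, 1], standard definition, no third-party library."""
    if a == b:
        return 1.0
    if not a or not b:
        return 0.0
    window = max(0, max(len(a), len(b)) // 2 - 1)
    used_b = [False] * len(b)
    a_matches, b_positions = [], []
    for i, ca in enumerate(a):                # greedy matching within the window
        for j in range(max(0, i - window), min(len(b), i + window + 1)):
            if not used_b[j] and b[j] == ca:
                used_b[j] = True
                a_matches.append(ca)
                b_positions.append(j)
                break
    m = len(a_matches)
    if m == 0:
        return 0.0
    b_matches = [b[j] for j in sorted(b_positions)]
    transpositions = sum(x != y for x, y in zip(a_matches, b_matches)) // 2
    jaro = (m / len(a) + m / len(b) + (m - transpositions) / m) / 3
    prefix = 0                                # common prefix, capped at 4 as in Winkler
    for ca, cb in zip(a[:4], b[:4]):
        if ca != cb:
            break
        prefix += 1
    return jaro + prefix * prefix_scale * (1 - jaro)


def name_score(query: list[str], candidate: list[str]) -> float:
    """Average, over the shorter name's tokens, of each token's best match in the longer
    name. Word order is irrelevant and an absent middle name is not penalized."""
    short, long_ = sorted((query, candidate), key=len)
    if not short or not long_:
        return 0.0
    return sum(max(jaro_winkler(t, c) for c in long_) for t in short) / len(short)


def screen(name: str, threshold: float) -> list[dict]:
    """Return every watchlist entry whose best alias scores at or above threshold."""
    q = normalize(name)
    hits = []
    for entry in WATCHLIST:
        score, alias = max((name_score(q, normalize(a)), a) for a in [entry["name"], *entry["aka"]])
        if score >= threshold:
            hits.append({"uid": entry["uid"], "matched": alias, "score": round(score, 4)})
    return sorted(hits, key=lambda h: -h["score"])


# Constructed customer names: two transliteration/format variants of a listed person,
# a listed person with a spelling variant, a look-alike company, and a clean customer.
CUSTOMERS = ["Alexander Volkov", "Volkov, Aleksandr P.", "Mohamed Rashid",
             "Northbridge Marine Consulting", "Elena Martínez"]


def sweep(thresholds: tuple = (0.80, 0.90, 0.96)) -> dict:
    """threshold -> {customer: [uids hit]}; shows false positives at 0.80 and a missed
    transliteration at 0.96, with 0.90 catching the true hits and clearing the rest."""
    return {t: {c: [h["uid"] for h in screen(c, t)] for c in CUSTOMERS} for t in thresholds}


if __name__ == "__main__":
    for t, results in sweep().items():
        print(f"threshold {t:.2f}")
        for customer, uids in results.items():
            print(f"  {customer:32s} -> {uids or 'clear'}")
```

At 0.80 the look-alike company is flagged (a false positive an analyst must clear); at 0.96 the transliterated "Alexander Volkov" is missed even though it is the listed person (a false negative); 0.90 catches the true hits and clears the rest on this constructed data. Production engines add weighting by token type, phonetic keys, and non-name identifiers, but the tuning discipline is the same: hold out known true matches and measure what each threshold would miss.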

Don't rely solely on automated screening. Educate frontline staff to recognize sanctions red flags: unusual geographic routing, evasive customer behavior, requests to remove beneficiary information, and transactions structured to avoid screening triggers.

Maintain an audit trail. OFAC expects you to demonstrate not just that you screen, but how you screen, how you resolve matches, and how you handle identified sanctions exposure. Document everything.

Stay current. OFAC updates its sanctions lists multiple times per month. Subscribe to OFAC's e-mail and RSS alerts, monitor geopolitical developments, and make sure your screening systems reflect new designations promptly; loading updates within 24 hours of publication is a common internal target, and the interval between publication and loading is a gap examiners will ask about.

When Things Go Wrong

If you identify a potential sanctions violation:

  1. Block the property or reject the transaction immediately, as the applicable program requires (blocking where a blocked person has an interest in the property; rejection where the transaction is prohibited but involves no blockable property)
  2. File a blocking or reject report with OFAC within 10 business days
  3. Investigate to determine the scope and nature of the exposure, including whether the same party or pattern appears elsewhere in your records
  4. Consider voluntary self-disclosure (VSD). Under OFAC's Economic Sanctions Enforcement Guidelines, a qualifying VSD is a significant mitigating factor and in most cases sets the base penalty at half of what it would otherwise be
  5. Engage legal counsel for guidance on reporting obligations and mitigation strategies
  6. Remediate the control failures that allowed the exposure to occur, and document what changed

Building Long-Term Sanctions Resilience

Sanctions programs are evolving rapidly — new designations, secondary sanctions, sector-specific restrictions, and cryptocurrency-related measures expand the compliance landscape continuously. Organizations that invest in robust risk assessments, effective screening technology, and trained personnel position themselves to adapt to these changes without scrambling reactively. A proactive approach to sanctions risk management protects both your bottom line and your reputation. A well-designed sanctions risk assessment is the starting point for building effective sanctions controls and long-term resilience.

Frequently Asked Questions

How often should a sanctions risk assessment be updated?

Review your sanctions risk assessment at least once a year. You should also update it whenever your organization enters new markets, launches new products, acquires a business, or when a major sanctions regime changes. Staying current with risk assessments helps you catch emerging threats early.

What is the difference between inherent and residual sanctions risk?

Inherent risk is your exposure to sanctions before controls are applied. Residual risk is what remains after your screening, due diligence, and monitoring controls reduce that exposure. The goal of any effective sanctions program is to bring residual risk within your organization's tolerance level.

Can small businesses face OFAC enforcement?

Yes. OFAC enforcement applies to all U.S. persons and businesses, regardless of size. Even small organizations can face significant penalties for violating sanctions. A proportionate sanctions risk assessment helps smaller firms focus their limited resources on the areas of greatest exposure to sanctions violations.
