OFAC Compliance for Non-Financial Companies: What AP Teams Are Responsible For and Where Programs Fall Short
OFAC penalties don't require intent. Civil fines of up to $330,947 per violation apply whether or not your organization knew a vendor was sanctioned. In 2025 alone, OFAC enforcement actions have already exceeded $254 million - hitting companies in manufacturing, logistics, real estate, and technology, not just banks. For AP teams at non-financial companies, this matters because your department is often the last checkpoint before a payment leaves the organization. If a vendor on the SDN list gets paid, that's a violation regardless of how the vendor got into your system.
What OFAC Is and Who It Applies To
The Office of Foreign Assets Control (OFAC) is a division of the U.S. Department of the Treasury that administers and enforces economic and trade sanctions based on U.S. foreign policy and national security objectives. Sanctions target individuals, entities, and countries involved in terrorism, drug trafficking, weapons proliferation, human rights abuses, cybercrime, and threats to U.S. national security.
OFAC compliance applies to:
- All U.S. citizens and permanent residents, anywhere in the world
- All entities organized under U.S. law, including their foreign branches
- Anyone physically located in the United States
- In many cases, foreign subsidiaries of U.S. companies
The scope is broader than most non-financial companies realize. It's not limited to international transactions or companies with global operations. A domestic vendor payment to a party that has since been added to the SDN list is a violation. A U.S. company paying a subcontractor who is a designated individual is a violation. The fact that your company isn't a bank doesn't change the obligation.
The Penalty Structure: No Intent Required
OFAC operates a strict liability framework for civil violations. You do not need to have known a party was sanctioned to face a civil penalty.
| Violation Type | Maximum Penalty |
|---|---|
| Civil penalty (per violation, no intent required) | $330,947 |
| Criminal penalty (willful violations) | $1,000,000 per violation and/or 20 years imprisonment |
| Egregious violations with no voluntary disclosure | Penalties calculated at the top of the base penalty range |
Mitigating factors can reduce penalties significantly: voluntary self-disclosure, a first-time violation, a strong existing compliance program, prompt remediation, and cooperation with OFAC's investigation. These factors matter, but they only help if you have documentation to show them.
Aggravating factors that increase penalties include willful or reckless conduct, concealment, senior management awareness or involvement, harm to sanctions program objectives, and prior OFAC violations.
The practical implication for AP teams: the quality of your screening program and your documentation of screening activity directly affects your penalty exposure if a violation occurs.
2024-2025 Enforcement: It's Not Just Banks
A common misconception is that OFAC enforcement targets financial institutions. The 2024-2025 enforcement record shows otherwise:
- Unicat Catalyst Technologies (2025): $3.88 million penalty - a specialty chemicals manufacturer, for Iran and Venezuela sanctions violations
- Harman International Industries (2025): $1.45 million penalty - a consumer electronics company, for Iran sanctions violations
- Haas Automation (2025): $1.04 million penalty - a machine tool manufacturer
- Key Holding, LLC (2025): $608,825 penalty - a real estate company, for Cuban sanctions violations through a Colombian subsidiary
- SkyGeek (2024): enforcement action involving an aerospace parts distributor for sales to jurisdictions presenting higher sanctions risk
As of late 2025, OFAC civil penalties for the year had already exceeded $254 million. The industries represented span manufacturing, logistics, technology, real estate, and distribution. These are companies with AP departments making vendor payments - exactly the function where sanctions screening either works or doesn't.
A significant development in March 2025: OFAC extended sanctions-related record-keeping requirements from five years to ten years. Every compliance decision, screening result, and documentation of due diligence now needs to be retained for a decade.
Where AP Teams Are the Exposure Point
For most non-financial companies, the AP department processes the transactions that could constitute an OFAC violation. Specifically:
- Vendor onboarding - when a new vendor is added to the system, are they screened against the SDN list and other applicable OFAC lists before the first payment?
- Ongoing vendor payments - OFAC lists are updated continuously. A vendor who was clean at onboarding may be designated months or years later. Screening only at onboarding misses this entirely.
- Bank account changes - a sanctioned party taking over a legitimate vendor relationship will often change the bank account details. Bank account change requests are a high-risk moment that should trigger re-screening.
- Beneficial ownership - sanctioned entities frequently operate through shell companies or subsidiaries that don't appear directly on OFAC lists. Under the "50 percent rule," sanctions also reach entities in which designated parties own 50% or more, even when those entities are not named on the SDN list. Screening only against names on the list misses this category of exposure.
- International vendors - any vendor with operations in or payments routed through high-risk jurisdictions (Russia, Iran, North Korea, Cuba, Syria, Belarus, and others) warrants heightened scrutiny even if they don't appear directly on a list.
The SDN List Is Not the Only List
A common shortcut is to screen only against OFAC's Specially Designated Nationals and Blocked Persons (SDN) list. The SDN list is the most important, but it's not the only relevant list for a comprehensive sanctions compliance program.
Key OFAC lists:
- SDN List - individuals and entities whose assets are blocked and with whom U.S. persons are generally prohibited from dealing
- Sectoral Sanctions Identifications (SSI) List - entities subject to sector-specific restrictions under the Ukraine/Russia programs; certain transactions prohibited but not full blocking
- Foreign Sanctions Evaders (FSE) List - foreign individuals and entities sanctioned for evading U.S. sanctions or facilitating transactions for sanctioned parties
- Non-SDN Menu-Based Sanctions List (NS-MBS) - entities subject to specific menu-based sanctions
- Consolidated Sanctions List - combines multiple OFAC lists for consolidated screening
Beyond OFAC, a thorough sanctions compliance program for companies with international vendor relationships also covers:
- BIS Entity List - U.S. Bureau of Industry and Security; export control restrictions
- FBI/DEA/ICE lists - domestic law enforcement watchlists
- FinCEN 311 Special Measures - foreign financial institutions of primary money laundering concern
- EU, UK, and UN sanctions lists - relevant for companies paying EU or UK-based vendors, or operating internationally
The coverage gap between "OFAC SDN only" and comprehensive multi-list screening is where violations slip through.
What a Basic AP Screening Program Requires
OFAC doesn't prescribe a specific compliance program structure for non-financial companies, but its enforcement actions make clear what it considers adequate. A defensible program for an AP team includes:
1. Screening at onboarding - every new vendor screened against applicable sanctions lists before the first payment is processed.
2. Ongoing re-screening - periodic re-screening of the full vendor master, not just new additions. Frequency should be risk-based; monthly is a reasonable baseline for active vendor populations.
3. Re-screening on trigger events - bank account changes, ownership changes, business name changes, and any indication of a change in the vendor's structure or beneficial ownership should trigger immediate re-screening.
4. Clear match review process - fuzzy name matching generates false positives. Every potential match needs a defined review process: who reviews it, what information is required to clear or escalate it, and how the decision is documented.
5. Documentation of all screening activity - screening results, match reviews, clearance decisions, and escalations need to be retained. With the record-keeping requirement now extended to 10 years, this is not optional.
6. Response procedures for confirmed matches - if a confirmed match is identified, what happens? Payments must be blocked, OFAC may need to be notified, and legal counsel should be involved immediately.
The Voluntary Self-Disclosure Advantage
If your organization discovers a potential OFAC violation - a payment made to a sanctioned party - voluntary self-disclosure to OFAC is the single most powerful mitigating factor available. OFAC consistently cites voluntary disclosure as a basis for substantially reduced penalties.
The practical implication: if you find a problem, disclose it before OFAC finds it. The difference in penalty outcome between voluntary disclosure and a violation discovered by OFAC can be dramatic.
This makes the screening program and its documentation doubly important. You can only self-disclose a violation you detected. A screening program that catches issues also creates the opportunity to manage the response.
How TIN Comply Supports OFAC Screening
TIN Comply's OFAC and sanctions screening covers 250+ global watchlists including the full suite of OFAC lists, EU and UK sanctions lists, law enforcement lists, and PEP databases - in a single vendor file submission alongside TIN matching and EIN lookup.
For AP teams, running sanctions screening as part of the same bulk validation as TIN matching means your vendor file is checked across both compliance dimensions simultaneously - no separate workflow, no separate login, no gap between when TIN matching runs and when sanctions screening runs.
Key capabilities relevant to AP compliance programs:
- Bulk screening - upload your full vendor master and receive results across all 250+ lists
- Ongoing monitoring - re-screen on a schedule without manual file preparation
- Audit trail - every screening result documented with timestamp for your 10-year retention requirement
- False positive management - clear process for reviewing and documenting potential matches
- API integration - embed screening into your ERP or AP workflow so new vendors are screened automatically at onboarding
Quick Reference: OFAC Compliance Checklist for AP Teams
- All new vendors screened against SDN and other applicable lists before first payment
- Full vendor master re-screened on a regular schedule (monthly recommended)
- Bank account change requests trigger immediate re-screening
- Beneficial ownership reviewed for high-risk vendors (50% rule)
- Match review process documented with clear escalation path
- All screening results retained (10-year requirement as of March 2025)
- Voluntary self-disclosure procedures in place for confirmed violations
- Screening covers more than SDN only - includes SSI, FSE, and relevant non-OFAC lists
- International vendor payments reviewed for jurisdiction risk
This article is for informational purposes only and does not constitute legal or tax advice. Consult qualified legal counsel for guidance on OFAC compliance specific to your organization.