OFAC Sanctions Compliance Checklist
A comprehensive checklist for building and maintaining an OFAC-compliant sanctions screening program.
Onboarding screening
- Screen every new customer against current SDN list
- Fuzzy matching with name variants and aliases
- Screen beneficial owners and control persons
- Document screening results with timestamps
Ongoing monitoring
- Re-screen all customers when SDN list updates (min daily)
- Monitor transactions in real time against SDN
- Wallet address screening for crypto transactions
- Geolocation checks on IP and payment rails
Investigation workflow
- Alert triage SLA (24 hours)
- Escalation path for confirmed matches
- Blocking and rejection procedures
- OFAC reporting requirements (10-day window)
Program governance
- Designated compliance officer
- Annual risk assessment
- Employee training program
- Independent audit every 12-24 months
Why this checklist exists
This checklist was built for teams handling OFAC screening API. Each item addresses a common failure mode we've seen in real workflows. Skipping a step doesn't save time — it creates rework, disputes, or missed signals downstream.
Related resources
1. Designate a compliance owner
OFAC expects to find a named person responsible for sanctions compliance. For solo operators, that is you. For companies, designate a specific individual and document their role in writing. This is the first question OFAC asks in any enforcement inquiry.
2. Map your transaction types
List every scenario where value moves: direct wallet payments, x402 micropayments, smart contract interactions that transfer tokens, tipping or donation functions, and subscription payments. Each path needs a pre-payment screening gate. An agent that screens wallet payments but not smart contract interactions has a gap.
3. Implement pre-payment screening
Add an inline sanctions check before every payment your agent authorizes. Screen the counterparty wallet, name, and jurisdiction. If flagged, halt the transaction and alert a human. SanctionsAI provides this as a single API call under 100ms with a free tier of 5 checks/day.
4. Maintain an audit trail
Record every screen: timestamp, wallet/name/country checked, result, OFAC list version, and which agent initiated the check. A documented, timestamped audit trail is the single most powerful mitigating factor in any OFAC enforcement action. SanctionsAI paid plans include automatic audit logging in the compliance dashboard.
5. Set up escalation
Configure your agent to alert a human when a sanctions match occurs. A blocked transaction that sits silently in a log is useless. The human reviewer needs to assess the match within a reasonable time window and decide whether to escalate to legal counsel.
6. Document your compliance program
Write down what you built: which screening API you use, which payment paths are covered, who the compliance owner is, and how alerts are handled. OFAC's Enforcement Guidelines treat documented compliance programs as a significant mitigating factor. A one-page summary is sufficient for most deployments.
7. Review and rescreen
The OFAC SDN list changes daily. A wallet clean today may be sanctioned tomorrow. Never cache screening results — rescreen before every payment. Set a recurring monthly review to verify your screening pipeline still works end to end and that list updates are being consumed.