OFAC Enforcement: Civil Penalties, Aggravating Factors, Mitigation, and Compliance Risk
The Office of Foreign Assets Control, commonly known as OFAC, is the primary agency within the U.S. Department of the Treasury responsible for administering and enforcing U.S. economic and trade sanctions. OFAC sanctions affect a wide range of transactions, including banking, wire transfers, investments, imports and exports, professional services, technology services, shipping, insurance, real estate, securities, cryptocurrency, and cross-border payments.
For companies and individuals involved in international business, OFAC compliance is not merely a banking issue. It is a legal obligation. A transaction that appears routine from a commercial perspective may create sanctions exposure if it involves a sanctioned country, a blocked person, a prohibited service, a restricted sector, a sanctioned vessel, or an entity owned by a blocked person.
OFAC enforcement may result in blocked funds, rejected transactions, subpoenas, civil monetary penalties, settlement agreements, reputational harm, loss of banking relationships, and, in serious cases, referral to the Department of Justice for criminal investigation. Because OFAC civil enforcement can be based on strict liability, a person or company may face civil penalties even without intentionally violating sanctions.
Understanding how OFAC enforcement works is therefore essential for U.S. persons, foreign companies with U.S. touchpoints, financial institutions, investors, exporters, professional-service firms, and individuals involved in cross-border transactions.
What OFAC Enforces
OFAC administers and enforces U.S. sanctions programs issued under federal statutes, executive orders, and implementing regulations. These sanctions programs may target foreign governments, regions, individuals, companies, financial institutions, vessels, industries, terrorist organizations, narcotics traffickers, human rights abusers, cyber actors, and other persons deemed to threaten U.S. national security or foreign policy interests.
OFAC sanctions may prohibit or restrict, among other things:

OFAC’s authority is broad because sanctions often apply not only to direct transactions, but also to indirect dealings, attempted transactions, facilitation, evasive conduct, and transactions that cause a U.S. person to violate sanctions.
Who Must Comply with OFAC Sanctions

Foreign persons may also face OFAC risk when their activity has a U.S. nexus. A U.S. nexus may exist where a transaction involves U.S.-dollar clearing, U.S. banks, U.S. persons, U.S.-origin goods, U.S. technology, U.S. services, U.S. servers, U.S. platforms, U.S. insurance, U.S. investors, or conduct designed to cause a U.S. person to participate in a prohibited transaction.
This means that non-U.S. companies cannot assume that OFAC rules are irrelevant simply because they are incorporated outside the United States. If the transaction touches the U.S. financial system, involves U.S. persons, or uses U.S.-origin goods or services, sanctions risk may arise.
The 50 Percent Rule
One of the most important OFAC compliance principles is the “50 Percent Rule.”

This rule is particularly important in transactions involving private companies, holding companies, trusts, offshore structures, joint ventures, investment vehicles, family offices, and complex ownership chains. A sanctions screening search that checks only the name of the immediate counterparty may be insufficient. Beneficial ownership analysis may be required to determine whether a blocked person owns a prohibited interest.
The 50 Percent Rule creates practical compliance challenges because blocked ownership may be hidden behind multiple layers of corporate entities. Businesses and financial institutions should therefore conduct appropriate due diligence on ownership and control, especially where a transaction involves high-risk jurisdictions, politically exposed persons, sanctioned industries, or complex corporate structures.
Strict Liability in OFAC Civil Enforcement
OFAC civil enforcement is especially serious because civil penalties may be imposed under a strict liability standard. In practical terms, this means that a person subject to U.S. jurisdiction may be held civilly liable even if the person did not know that the transaction was prohibited.
Lack of knowledge may still be relevant. It may affect OFAC’s assessment of intent, awareness, culpability, and mitigation. However, lack of knowledge is not automatically a complete defense in a civil OFAC matter.
As a result, businesses cannot rely only on good intentions. A sanctions violation may occur because of inadequate screening, outdated customer information, weak beneficial ownership diligence, poor payment review, failure to escalate red flags, misunderstanding of OFAC regulations, or use of third-party intermediaries without sufficient compliance controls.
How OFAC Enforcement Matters Begin
OFAC enforcement matters may begin in several ways. A financial institution may block or reject a transaction and report the matter. A company may discover a potential violation during internal review and consider voluntary self-disclosure. OFAC may issue an administrative subpoena or request for information. Another government agency may refer the matter to OFAC. A counterparty, whistleblower, auditor, regulator, bank, or foreign authority may identify suspicious activity.
Common OFAC enforcement triggers include:

Many OFAC matters begin not because a company intended to violate the law, but because its compliance system failed to identify a sanctions nexus before the transaction occurred.
Types of OFAC Enforcement Responses
OFAC has discretion to resolve apparent violations in different ways depending on the facts. Not every apparent violation results in a civil monetary penalty. OFAC may:

- A cautionary letter may be issued where OFAC determines that a violation may have occurred but a formal penalty is not appropriate.
- A Finding of Violation is more serious and may be issued where OFAC concludes that a violation occurred, even if no monetary penalty is imposed.
- A civil monetary penalty or settlement agreement may be used where OFAC determines that a stronger enforcement response is warranted.
In cases involving willfulness, concealment, evasion, false statements, falsified documents, repeat violations, or serious national-security implications, the matter may also create criminal exposure. OFAC itself is a civil enforcement agency, but willful sanctions violations may be referred to the Department of Justice.
Civil Penalties and Penalty Calculation
OFAC’s Economic Sanctions Enforcement Guidelines, codified at 31 C.F.R. Part 501, Appendix A, provide the general framework for evaluating apparent violations and determining an appropriate enforcement response.
OFAC considers whether the case is egregious or non-egregious and whether the subject person made a qualifying voluntary self-disclosure. These two issues are central to penalty calculation. A voluntary self-disclosure may significantly reduce the base penalty amount. An egregious case may result in a substantially higher penalty.
OFAC’s analysis is highly fact-specific. The agency does not evaluate an apparent violation only by looking at the dollar amount of the transaction. Instead, OFAC considers the totality of the circumstances, including the person’s conduct, awareness, compliance program, sanctions, harm cooperation, remedial actions, and prior history.
A small transaction may create serious risk if it involved concealment, evasion, false statements, senior-management approval, or repeated disregard of sanctions warnings. Conversely, a larger transaction may receive substantial mitigation if the violation was isolated, promptly disclosed, fully investigated, and followed by meaningful remediation.
Aggravating Factors in OFAC Enforcement
Aggravating factors are facts that may increase the seriousness of an apparent violation and support a more severe enforcement response. These factors may affect whether OFAC treats the matter as egregious, whether it imposes a civil monetary penalty, and the amount of any penalty.
Important aggravating factors may include:

OFAC may view conduct as particularly serious where a person or company knew or had reason to know that a transaction involved a sanctioned jurisdiction, blocked person, restricted sector, prohibited service, sanctioned vessel, or entity owned by a blocked person. Ignoring obvious warning signs may be treated as reckless even if the company later claims it did not intend to violate sanctions.
Concealment is also a major aggravating factor. The use of false invoices, misleading payment descriptions, altered shipping documents, front companies, third-country intermediaries, non-transparent ownership structures, or coded communications may indicate an attempt to evade sanctions. Such conduct can materially increase civil exposure and may also raise criminal concerns.
Senior-management involvement may further aggravate the matter. If executives approved or directed the transaction despite sanctions concerns, OFAC may view the violation as more serious than an isolated operational error by lower-level personnel. Similarly, repeated violations after prior warnings, blocked transactions, rejected payments, or compliance alerts may demonstrate a systemic failure rather than a one-time mistake.
The absence of an adequate sanctions compliance program can also be aggravating. OFAC may expect a higher level of compliance sophistication from financial institutions, multinational companies, investment firms, technology companies, exporters, logistics providers, insurance companies, and professional-service firms engaged in cross-border business. Where a company operates in high-risk markets but lacks basic screening, escalation, training, and internal controls, OFAC may view the compliance failure as a significant aggravating circumstance.
Mitigating Factors in OFAC Enforcement
Mitigating factors are facts that may reduce the severity of OFAC’s enforcement response or lower the penalty amount. These factors are often central to the outcome of an OFAC matter.
Important mitigating factors may include:

A violation may be viewed more favorably where it was isolated, inadvertent, promptly corrected, and inconsistent with the company’s normal compliance procedures. OFAC may also consider whether the company immediately stopped the prohibited conduct, blocked or rejected the transaction where required, preserved relevant documents, conducted an internal investigation, identified the root cause, disciplined responsible personnel, enhanced screening systems, updated policies, and trained employees.
Cooperation is another important mitigating factor. OFAC may provide credit where the subject person responds promptly and completely to requests for information, provides organized records, identifies all relevant transactions, explains the factual background, makes employees available where appropriate, and avoids misleading or incomplete submissions.
A strong compliance program may also mitigate the penalty. Even where a violation occurred, OFAC may distinguish between a company with no meaningful sanctions controls and a company that maintained a reasonable risk-based program but experienced an isolated failure. Written policies, screening records, escalation procedures, audit results, training materials, and remediation documentation may help demonstrate good-faith compliance.
The practical importance of mitigating factors cannot be overstated. Two transactions involving similar dollar amounts may result in very different enforcement outcomes depending on the surrounding facts. A transaction involving concealment and senior-management approval may lead to a substantial penalty. An isolated error followed by voluntary disclosure, cooperation, and remediation may result in a reduced penalty or a less severe enforcement response.
Voluntary Self-Disclosure
A voluntary self-disclosure can be one of the most important mitigation tools in an OFAC matter.

However, voluntary disclosure should not be made casually or prematurely. Before submitting a disclosure, counsel should conduct a privileged review of the relevant facts, identify the applicable sanctions programs, determine the scope of the transactions, assess whether the matter is isolated or systemic, evaluate criminal risk, and prepare a remediation strategy.
A voluntary self-disclosure should be accurate, complete, and carefully supported. A rushed or incomplete disclosure may create additional problems if later facts contradict the initial submission. In some cases, it may be appropriate to submit an initial notification followed by a more detailed report after further investigation. The correct approach depends on the facts, urgency, scope, and risk profile of the matter.
Voluntary self-disclosure is not a guarantee of no penalty. However, it may substantially reduce the base penalty and may favorably affect OFAC’s view of the party’s cooperation, transparency, and good faith.
Sanctions Compliance Programs
OFAC expects organizations to maintain a risk-based sanctions compliance program. A sanctions compliance program should be tailored to the company’s size, industry, geographic exposure, customers, counterparties, products, services, payment methods, transaction volume, and use of intermediaries.
OFAC’s compliance framework identifies core components of an effective sanctions compliance program, including:
- management commitment
- risk assessment
- internal controls
- testing and auditing, and
- training.
Management commitment is essential. Senior leadership should support sanctions compliance, allocate sufficient resources, empower compliance personnel, and ensure that business pressure does not override legal obligations.
Risk assessment requires the company to understand where sanctions exposure may arise. Relevant risk areas may include:
- customers & vendors
- investors & counterparties
- countries & shipping routes
- products & services
- payment flows
- ownership structures, and
- third-party intermediaries.
Internal controls should include:
- written policies
- screening procedures
- beneficial ownership review
- escalation protocols
- payment-message review
- transaction holds
- approval workflows
- reporting obligations, and
- procedures for blocking or rejecting transactions where required.
Testing and auditing help determine whether the compliance program works in practice. A policy that exists only on paper is insufficient if employees do not follow it, screening tools are poorly calibrated, or alerts are closed without meaningful review.
Training should be practical and risk-based. Employees involved in sales, finance, shipping, onboarding, investments, legal, compliance, and international operations should understand relevant sanctions risks, red flags, escalation procedures, and documentation requirements.
Common Root Causes of OFAC Violations
OFAC enforcement actions frequently identify recurring root causes. These include
- failure to understand OFAC regulations
- lack of formal compliance procedures
- inadequate screening
- poor customer due diligence
- deficient beneficial ownership review
- failure to monitor changes in sanctions lists
- improper reliance on third parties
- decentralized decision-making, and
- inadequate post-acquisition integration.
Other common problems include screening only direct counterparties while ignoring owners and intermediaries, failing to review payment messages, processing transactions despite sanctions alerts, relying on outdated customer information, and failing to recognize that U.S. persons may not facilitate transactions that they could not conduct directly.
Foreign companies may also misunderstand the reach of U.S. sanctions. Even where a company is located outside the United States, it may create OFAC exposure by using U.S. banks, U.S.-dollar clearing, U.S. software, U.S. platforms, U.S.-origin goods, U.S. insurance, U.S. investors, or U.S. personnel.
Blocked and Rejected Transactions
When a transaction involves property or interests in property of a blocked person, a U.S. person may be required to block the property and report it to OFAC. Blocking generally means freezing the property and placing it into a blocked account, where it cannot be transferred, withdrawn, or dealt in without authorization from OFAC.
In other situations, a transaction may be prohibited but not involve blocked property. In such cases, the transaction may need to be rejected rather than blocked. Whether a transaction must be blocked or rejected depends on the applicable sanctions program, the parties involved, and the nature of the property interest.
This distinction is important because financial institutions and businesses must know whether they are required to freeze funds, reject the transaction, file a report, or seek guidance or authorization from OFAC.
OFAC Licenses and Release of Blocked Funds
In some cases, a transaction that would otherwise be prohibited may be authorized by a general license or a specific license.

Where funds have been blocked, a party may need to submit a specific license application requesting authorization to release or transfer the funds. Such applications require careful factual and legal support, including documentation of the parties, source of funds, purpose of the transaction, sanctions nexus, ownership, banking history, and legal basis for authorization.
A blocked funds matter should be handled carefully because statements made to banks, counterparties, or OFAC may affect the outcome. The application should be consistent, documented, and legally grounded.
Recordkeeping and the 10-Year Period
Recordkeeping is a critical part of OFAC compliance. Parties involved in international transactions should preserve relevant contracts, invoices, payment records, shipping documents, customer files, ownership documentation, compliance reviews, screening results, internal communications, and correspondence with banks.
The limitations and recordkeeping landscape has become more demanding. For many sanctions violations under IEEPA- and TWEA-based programs, the relevant period has been extended from five years to ten years. This makes long-term documentation especially important for companies engaged in cross-border business.
A company may face difficulty defending itself if it cannot reconstruct the transaction history, identify counterparties, explain payment flows, or prove that compliance reviews were conducted. Good records are often essential to mitigation.
Criminal Exposure and DOJ Referral
Most OFAC enforcement matters are civil. However, willful sanctions violations may create criminal exposure. Criminal risk is more likely where there is evidence of intentional evasion, concealment, false statements, falsified documents, use of front companies, repeated violations, senior-management involvement, or conduct involving national-security concerns.
The Department of Justice may investigate sanctions violations under statutes such as the International Emergency Economic Powers Act. Criminal enforcement may involve subpoenas, search warrants, interviews, asset seizure, indictment, deferred prosecution agreements, non-prosecution agreements, guilty pleas, fines, forfeiture, and imprisonment in individual cases.
When criminal exposure is possible, the response strategy should be developed carefully. A civil OFAC disclosure, bank communication, or internal investigation may have consequences for a parallel criminal matter. Counsel should evaluate whether the matter requires coordination with criminal defense counsel, export-control counsel, sanctions counsel, or other specialists.
What to Do After Discovering a Potential OFAC Violation
When a potential OFAC violation is discovered, the first step is to stop any ongoing prohibited activity and preserve relevant records. The company should avoid deleting communications, altering documents, or contacting counterparties in a way that could compromise the investigation.
A proper response plan should include:

The company should also determine whether the issue is isolated or systemic. A single flagged payment may reveal a broader compliance failure involving multiple transactions, counterparties, or business units.
Practical Risk Areas
OFAC enforcement risk may arise in many industries. Financial institutions face risk from payments, wire transfers, securities, trade finance, correspondent banking, and customer onboarding. Exporters face risk from restricted destinations, end users, and transshipment. Technology companies face risk from software access, cloud services, subscriptions, downloads, and IP addresses. Investment firms face risk from investors, portfolio companies, securities restrictions, and ownership by sanctioned persons.
Professional-service firms may also face sanctions risk. Lawyers, accountants, consultants, brokers, trustees, real estate professionals, and corporate service providers may encounter sanctions issues when advising foreign clients, handling funds, managing assets, forming entities, or facilitating transactions.
Real estate, trust, and private-client matters may present special challenges because beneficial ownership, source of funds, citizenship, residency, and sanctions status may be complex. Transactions involving Russian, Iranian, Cuban, Venezuelan, Syrian, North Korean, or other high-risk sanctions contexts require particularly careful review.
Conclusion
OFAC enforcement is a significant legal risk for any person or business involved in international activity. U.S. sanctions may apply through U.S. persons, U.S. banks, U.S.-dollar clearing, U.S.-origin goods or services, ownership by blocked persons, facilitation, or indirect dealings.
Because OFAC civil penalties may be imposed even without intent, sanctions compliance must be proactive. A strong compliance program, proper due diligence, accurate screening, beneficial ownership review, escalation procedures, employee training, and careful documentation can significantly reduce enforcement risk.
Where a potential violation has already occurred, the outcome may depend heavily on aggravating and mitigating factors. Willful conduct, concealment, repeated violations, senior-management involvement, and lack of compliance controls may increase exposure. Voluntary self-disclosure, cooperation, prompt remediation, absence of willfulness, and a reasonable risk-based compliance program may reduce exposure.
OFAC matters should be handled carefully from the beginning. The first communications with banks, counterparties, regulators, and government agencies may affect the entire case. Parties facing blocked funds, rejected payments, sanctions inquiries, apparent violations, or voluntary self-disclosure issues should seek qualified sanctions counsel before taking action.
Arabic (العربية)
English
Español
Русский
Turkish
Persian (فارسی)
简体中文 (中国)