
OFAC Sanctions Compliance for Small Businesses: SDN Screening, the 50% Rule, and Voluntary Self-Disclosure

Mike Thrift, 14 min read

A California guitar maker selling instruments online recently paid $41,591 to settle OFAC charges. The statutory maximum it faced? $3,313,224 — roughly eighty times higher. The difference came down to one decision: the company voluntarily disclosed the violations before regulators found them.

That ratio is the entire story of sanctions enforcement in 2026. Treasury's Office of Foreign Assets Control (OFAC) is no longer chasing only Wall Street banks. Real estate investors, fintech startups, e-commerce sellers, music instrument importers, and crypto wallet providers have all landed on the enforcement list in the past eighteen months. The maximum civil penalty under the International Emergency Economic Powers Act (IEEPA) now sits at $377,700 per violation — or twice the transaction value, whichever is greater — and OFAC applies strict liability, meaning intent is not required.

If your business has customers, vendors, or payment counterparties outside the United States — or even inside it — you are already exposed. Here is what an effective OFAC program looks like for a company that does not have a dedicated compliance department.

Why Small Businesses Are Suddenly on OFAC's Radar

For most of OFAC's history, enforcement focused on banks. That changed during the past five years. The agency has openly stated that enforcement will "steer away from traditional banking towards new high-risk sectors, such as fintech and cryptocurrency," and recent actions back that up:

  • Exodus Movement (crypto wallet): more than 254 apparent violations of Iranian Transactions and Sanctions Regulations, including 12 egregious and non-voluntarily disclosed
  • Poloniex: $7.6 million settlement
  • Payoneer: $1.5 million settlement
  • BitPay: $507,375 settlement
  • Kraken: $362,158 settlement
  • A single real estate investor: $4.7 million civil penalty
  • 2026 year-to-date across just three published enforcement actions: $6,607,661

The pattern is clear. Any business that touches money, goods, or services across borders — or even hosts a website that a sanctioned person can pay for — needs a sanctions program. That includes Shopify stores, SaaS companies invoicing customers internationally, freelance marketplaces, payment processors, crypto exchanges, real estate firms collecting rent from foreign owners, and accounting firms onboarding clients who hold offshore assets.

What OFAC Actually Restricts

OFAC administers more than thirty distinct sanctions programs. They fall into two broad categories.

Comprehensive Embargoes (Full Country Bans)

As of 2026, four countries face near-total prohibitions on trade, financial transactions, and services with U.S. persons:

  • Cuba
  • Iran
  • North Korea (DPRK)
  • Syria

The occupied Ukrainian regions of Crimea, Donetsk, and Luhansk also fall under comprehensive sanctions. Doing business in or with these jurisdictions requires a specific OFAC license — or you are violating the law.

Targeted and Sectoral Sanctions

Russia is the most heavily sanctioned country in the world today, but it is not under a comprehensive embargo. Instead, OFAC has layered targeted prohibitions across the energy, financial, defense, and technology sectors, plus thousands of individual and entity designations. Venezuela, Belarus, and Myanmar all carry significant targeted regimes as well.

In addition to country programs, OFAC maintains list-based sanctions targeting narcotics traffickers, terrorists, human-rights abusers, cyber actors, and corrupt foreign officials regardless of nationality.

The Sanctions Lists You Actually Need to Screen Against

Saying "we check the SDN list" is the single most common compliance shortcut — and the single most common compliance failure. OFAC publishes several lists, and skipping one of them is how penalties stack up.

  • Specially Designated Nationals (SDN) List: individuals, entities, vessels, and aircraft. Property of SDNs must be blocked. When to block: always.
  • Consolidated Sanctions List: a master file aggregating all non-SDN lists. When to block: always.
  • Sectoral Sanctions Identifications (SSI) List: Russian energy, financial, and defense sector targets. When to block: depends on the directive.
  • Foreign Sanctions Evaders (FSE) List: persons who help evade U.S. sanctions. When to block: always.
  • Non-SDN Menu-Based Sanctions (NS-MBS) List: targeted measures, often under CAATSA. When to block: per the menu item applied.
  • Palestinian Legislative Council (NS-PLC) List: members of the PLC who participated in elections. When to block: always, for blocking purposes.

You can search all of these for free at the OFAC Sanctions List Search tool (sanctionssearch.ofac.treasury.gov), but the free tool is designed for one-off lookups, not bulk screening. Production environments use commercial screening providers, automated APIs, or in-house tooling that ingests the daily delta files OFAC publishes.

The 50 Percent Rule: Why Name-Matching Is Not Enough

Here is the rule that catches almost every business off guard:

Any entity owned 50% or more — directly, indirectly, or in the aggregate — by one or more blocked persons is itself blocked, even if it is not named on any OFAC list.

Two implications matter:

  1. Aggregation across SDNs counts. If SDN A owns 30% of a Cayman holding company and SDN B owns 25%, that holding company is blocked — even though neither owner reaches 50% individually.
  2. Indirect ownership counts. A target person's 60% interest in a parent that owns 60% of a subsidiary makes the subsidiary blocked, even though the direct chain math (60% × 60% = 36%) suggests otherwise. OFAC treats the parent as wholly blocked, which means its full ownership of the subsidiary flows through.

This rule is why pure name-screening fails. A vendor named "Atlas Logistics LLC" will not appear on the SDN List. But if its ultimate beneficial owners are sanctioned Russian oligarchs holding 51% in aggregate through three layers of shell companies, you are about to violate U.S. sanctions law by paying their invoice.
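As an added illustration (not code from the original post, and not any screening vendor's logic), here is a small resolver for the two implications above, run over a constructed ownership graph: SDN stakes aggregate, a blocked parent's stake flows through in full, and a hypothetical "Atlas Logistics LLC" is reached through three shell layers. It also computes the product-of-chain figure the rule rejects, to show how far that undercounts.

```python
from typing import Dict, Set

# Ownership edges, owned entity -> {owner: percent held}. Constructed sample
# data mirroring the post's cases: aggregation across two SDNs, a blocked
# parent's stake flowing through in full, and a hypothetical "Atlas Logistics
# LLC" held through three shell layers. Names are invented, not designations.
OWNERSHIP: Dict[str, Dict[str, float]] = {
    "Cayman Holdco": {"SDN A": 30.0, "SDN B": 25.0, "Unrelated Investor": 45.0},
    "Parent Co": {"Target Person": 60.0, "Public Float": 40.0},
    "Subsidiary Co": {"Parent Co": 60.0, "Minority Partner": 40.0},
    "Shell 1": {"Oligarch X": 26.0, "Oligarch Y": 25.0, "Other Holder": 49.0},
    "Shell 2": {"Shell 1": 100.0},
    "Shell 3": {"Shell 2": 100.0},
    "Atlas Logistics LLC": {"Shell 3": 100.0},
    "Clean Co": {"SDN A": 49.0, "Unrelated Investor": 51.0},
}
# Persons on the (constructed) SDN List.
SDN_LIST: Set[str] = {"SDN A", "SDN B", "Target Person", "Oligarch X", "Oligarch Y"}

def blocked_share(entity, ownership=OWNERSHIP, sdn=SDN_LIST, _seen=frozenset()):
    """Aggregate percent of `entity` held by blocked persons.

    An owner that is itself blocked (listed, or >= 50% blocked-owned) counts
    with its whole stake: a blocked parent's 60% contributes 60%, never
    60% x 60%. `_seen` guards against circular holdings in the data.
    """
    if entity in _seen:
        return 0.0
    seen = _seen | {entity}
    return sum(pct for owner, pct in ownership.get(entity, {}).items()
               if is_blocked(owner, ownership, sdn, seen))

def is_blocked(entity, ownership=OWNERSHIP, sdn=SDN_LIST, _seen=frozenset()):
    """True if `entity` is listed or meets the 50 Percent Rule threshold."""
    return entity in sdn or blocked_share(entity, ownership, sdn, _seen) >= 50.0

def naive_chain_share(entity, ownership=OWNERSHIP, sdn=SDN_LIST, _seen=frozenset()):
    """The WRONG calculation (multiplying stakes down the chain), kept only
    to show how it under-counts: Subsidiary Co comes out at 36%, not 60%."""
    if entity in sdn:
        return 100.0
    if entity in _seen:
        return 0.0
    return sum(pct * naive_chain_share(owner, ownership, sdn, _seen | {entity}) / 100
               for owner, pct in ownership.get(entity, {}).items())

def screen(entity):
    """One screening log line: disposition plus both ownership figures."""
    verdict = "BLOCK" if is_blocked(entity) else "CLEAR"
    return (f"{entity}: {verdict} (blocked share {blocked_share(entity):.0f}%, "
            f"chain math {naive_chain_share(entity):.0f}%)")
```

Run `screen()` over every key in OWNERSHIP to see each disposition; "Clean Co" stays CLEAR at 49% while "Atlas Logistics LLC" is BLOCK even though no listed name appears in its direct cap table.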

Practical responses for small businesses:

  • Require beneficial ownership disclosure from vendors and high-value customers, ideally tied to a UBO certification
  • Use a screening provider that resolves ownership relationships, not just names
  • For counterparties in high-risk jurisdictions (BVI, Cayman, UAE, Cyprus, Hong Kong, Russia, China-Hong Kong cross-border structures), request corporate registry extracts down to the natural-person level
  • Re-screen periodically, not just at onboarding — OFAC adds new SDNs every week

OFAC's Five Pillars: What a Compliance Program Must Look Like

Treasury published its Framework for OFAC Compliance Commitments to spell out what an "effective" sanctions compliance program (SCP) contains. There are five components, and OFAC explicitly weighs each one when calculating penalties.

1. Management Commitment

Senior leadership must approve and resource the program. For a small company, this means the founder, CEO, or CFO signs the written policy, names a compliance lead, and reviews program effectiveness at least annually. Token sign-off is not enough; OFAC expects evidence that leaders engaged.

2. Risk Assessment

Document the specific OFAC risks your business faces. A SaaS company selling globally has different exposures than a domestic real estate firm or a cross-border payment processor. The assessment should cover:

  • Customer base — geography, industries, beneficial ownership patterns
  • Products and services — anything routed cross-border or denominated in non-USD
  • Distribution channels — direct, marketplaces, third-party resellers, affiliates
  • Geographic footprint — jurisdictions where customers, vendors, employees, or counterparties operate
  • Partners and intermediaries — agents, brokers, payment processors

Update the assessment when your business model changes — a new market, a new payment rail, a new acquisition channel.

3. Internal Controls

This is where the program becomes operational. Internal controls include:

  • Written policies and procedures
  • A documented screening workflow (when to screen, what lists, what thresholds, who reviews hits)
  • Clear escalation paths when a potential match surfaces
  • Recordkeeping — OFAC requires five years of transaction and screening records for blocked or rejected transactions
  • A blocking mechanism — bank accounts that can quarantine funds, order systems that can freeze fulfillment
  • Reporting workflows for filing the mandatory reports (annual reports of blocked property by September 30, initial reports of blocked or rejected transactions within ten business days)

4. Testing and Auditing

Independent testing verifies the program actually works. For a small company this can be a quarterly self-test (run dummy SDN names through your screening tool) plus an annual external review. Findings must be documented and remediated.

5. Training

All employees whose roles touch sanctions risk must be trained — sales, customer onboarding, finance, AR/AP, vendor management, and engineering teams that build screening logic. OFAC expects training at minimum annually, plus role-specific training when a new program launches or a new sanctions program takes effect.

When You Find a Match: The Block-or-Reject Decision

Discovering an apparent match during screening triggers a tight set of obligations.

Step 1: Confirm the match. False positives are routine — "John Smith" and "Vladimir Petrov" both yield many hits. Use date of birth, address, passport number, place of business, and any other identifying data OFAC publishes.

Step 2: If confirmed, decide whether to block or reject.

  • Block when the target appears on the SDN List or is owned 50%+ by an SDN — you must freeze the property/funds in a segregated interest-bearing account and report within ten business days
  • Reject when the transaction is prohibited but no SDN property is involved (for example, an unlicensed transaction with Iran that has not yet sent money) — you decline to process and report within ten business days

Step 3: File the reports. Initial reports of blocked or rejected transactions go to OFAC via the OFAC Reporting and License Application Forms portal. Annual reports of blocked property are due by September 30 each year. Failing to file is itself a separate violation.

Step 4: Apply for a license if needed. Many transactions that would otherwise be prohibited can be authorized under a specific or general license — humanitarian goods, certain personal remittances, agricultural and medical exports, journalism, internet communication services.

The Voluntary Self-Disclosure Decision

When you discover that a violation already happened — a payment cleared to a sanctioned counterparty before screening caught it, a shipment went to a blocked jurisdiction, an SDN-owned customer was onboarded by mistake — you face the most consequential decision in OFAC compliance.

Disclose or don't?

What Voluntary Self-Disclosure (VSD) Buys You

Under OFAC's Economic Sanctions Enforcement Guidelines (31 CFR Part 501, Appendix A), a qualifying VSD:

  • Cuts the base penalty calculation by 50 percent in both egregious and non-egregious cases
  • In non-egregious cases, caps the base amount at half the transaction value, with a $188,850 per-violation ceiling
  • Counts as a major mitigating factor in OFAC's overall penalty determination

Combined with other mitigating factors — strong compliance program, remedial measures, cooperation — the final settlement can land an order of magnitude below the statutory maximum. The Córdoba Music Group case (statutory max $3.3M, settlement $41,591) is illustrative.

What "Voluntary" Actually Means

A disclosure is only "voluntary" if it is self-initiated and made before OFAC or another federal, state, or local agency discovers the apparent violation or a "substantially similar" one. If a counterparty's bank already filed a SAR that mentions your transaction, your disclosure may not qualify. If a competitor or whistleblower has already reported you, it won't qualify.

This is why speed matters. The moment you suspect a violation, run the clock.

The New 2026 VSD Portal

In February 2026, OFAC launched an online Voluntary Self-Disclosure Portal at disclosure.ofac.treasury.gov. It replaces the patchwork of email submissions and faxes that dominated for decades. The portal offers a more secure channel, structured fields, and confirmation of receipt — but the substantive rules have not changed:

  • An initial notification describes what happened in summary form
  • A detailed follow-up report is due within 180 days, covering root cause, scope, remediation, and personnel involved

Companies still need counsel involved before the initial submission. The portal does not change the legal stakes; it just changes the mailroom.

Penalty Math: What You Are Really Exposed To

Under IEEPA (the statute governing most modern sanctions programs), per-violation civil penalties for 2026 are:

  • Statutory maximum: $377,700 (adjusted annually for inflation)
  • Or twice the transaction value, whichever is greater

Each transaction can be a separate violation. A single customer who places forty orders over two years represents forty violations.

OFAC's penalty calculation flows through three steps:

  1. Base amount — depends on whether the case is egregious, whether VSD applied, and the transaction value (statutory schedule)
  2. Adjustments — for aggravating factors (intent, awareness, harm to sanctions program objectives, sophisticated party, lack of compliance program) and mitigating factors (cooperation, remedial action, first violation, small size, financial condition)
  3. Final proposed penalty — issued in a Pre-Penalty Notice, which the subject can contest

Criminal penalties stack on top for willful violations: up to $1 million per violation and up to twenty years in prison for individuals.

A Practical Compliance Checklist for Small Businesses

Use this as a starting point. It is not a substitute for legal advice but it covers what the agency has called out repeatedly in published enforcement findings.

Foundation

  • Written sanctions compliance policy signed by senior leadership
  • Named compliance lead (can be a founder or CFO; do not leave the role unassigned)
  • Documented risk assessment, updated when the business changes materially
  • Inventory of all sanctioned jurisdictions and persons relevant to your business

Screening

  • All customers, vendors, payees, and counterparties screened at onboarding
  • Daily or weekly rescreening against updated SDN/Consolidated/SSI lists
  • Beneficial-ownership disclosure required for high-risk counterparties
  • Documented procedure for evaluating potential matches (false positives vs. true positives)
  • Geolocation/IP filtering for known embargoed jurisdictions on web platforms

Transactions

  • Block-or-reject decision tree, with clear authority to halt fulfillment
  • Segregated interest-bearing account ready for any blocked funds
  • OFAC license application workflow for transactions that may qualify

Recordkeeping and Reporting

  • Five-year retention of screening records and transaction records
  • Initial blocked/rejected transaction reports filed within ten business days
  • Annual blocked property reports filed by September 30
  • Audit trail for every screening hit and disposition

Testing and Training

  • Quarterly self-tests (dummy data run through screening tool)
  • Annual independent review (external counsel or compliance consultant)
  • Annual training for all relevant employees, documented attendance

Incident Response

  • Pre-identified outside counsel familiar with OFAC matters
  • Documented VSD decision protocol — who makes the call, what evidence triggers it, who drafts the submission

Common Mistakes That Trigger Enforcement

Patterns from published OFAC penalties almost always include one or more of these:

  1. "We only screen the SDN List." Missing the Consolidated, SSI, FSE, or NS-MBS lists is a frequent finding.
  2. Static screening. Onboarding-only checks fail because SDN lists change weekly. A customer screened clean in January can be designated in June.
  3. Ignoring beneficial ownership. A counterparty's name comes up clean while the 60% owner sitting two layers up is sanctioned.
  4. Geofencing gaps. A web platform blocks IPs from Iran but allows VPN traffic to flow uncontested; OFAC has cited this in fintech cases.
  5. No documented procedure for potential matches. Customer-facing employees making ad hoc judgment calls without escalation guidance.
  6. Failure to file required reports. Even when the underlying transaction was properly blocked, missing the ten-day report or the annual September 30 filing is its own violation.
  7. Inadequate training. Sales staff promising service to embargoed jurisdictions because they never received OFAC training.
  8. Slow disclosure. Sitting on a discovered violation while another agency uncovers it independently — losing VSD eligibility and the 50% penalty reduction.

Keep Your Financial Records OFAC-Ready

Sanctions compliance lives or dies on documentation. Every blocked transaction, every rejected payment, every screening decision, every license application — OFAC may ask for any of it during a five-year audit window. A bookkeeping system that quietly hides those entries behind a black-box ledger interface is going to slow your response to a subpoena.

Beancount.io takes the opposite approach: plain-text accounting where every entry is a readable line, every change is version-controlled, and every account can be tagged for the kind of cross-border activity that draws OFAC attention. When your auditor — or your outside counsel preparing a voluntary self-disclosure — asks for the full history of payments to a particular counterparty, you can produce it in minutes, not days. Get started for free and bring the same transparency to your finances that OFAC expects from your compliance program.