OFAC Compliance for Cross-Border Payments: What Finance Teams Need to Know

When a U.S. business pays an international vendor, the transaction isn’t a simple bank-to-bank transfer. It’s a regulated event that touches sanctions law, anti-money-laundering rules, and the compliance programs of every financial institution in the payment chain. The agency at the center of that chain is the Office of Foreign Assets Control, or OFAC, a unit of the U.S. Department of the Treasury that administers and enforces economic and trade sanctions.

OFAC sanctions apply to all U.S. persons, which includes U.S.-incorporated businesses, U.S. citizens, U.S. permanent residents, and anyone physically located in the United States. They also reach certain non-U.S. parties through secondary sanctions and through the dollar-clearing system that nearly every cross-border payment touches. Penalties for violations can be high, and OFAC pursues civil enforcement on a strict-liability basis, which means intent is not required for a violation to occur.

For a finance team that simply wants to pay a designer in Buenos Aires or a manufacturer in Vietnam, this can feel disproportionate. The good news is that most cross-border payment risk can be managed with a clear screening process, the right banking partner, and a basic understanding of the rules. Slash is a neobank that supports cross-border payments to 180+ countries;¹ finance teams can move money internationally with the compliance guardrails in place by default. This guide walks through the OFAC framework as it applies to cross-border payments and what an effective program looks like in practice.

What is OFAC and what does it regulate?

The Office of Foreign Assets Control is responsible for implementing economic and trade sanctions that support U.S. foreign policy and national security goals. OFAC's authority extends across financial transactions, trade, and other commercial dealings that involve sanctioned countries, regimes, organizations, or individuals.

OFAC sanctions take several forms. Comprehensive country programs target specific jurisdictions, while list-based sanctions target named individuals, companies, vessels, and aircraft. Sectoral sanctions restrict specific sectors of certain economies, such as the Russian financial services or energy sectors. Each program has its own scope and licensing framework.

Who must comply with OFAC sanctions on cross-border payments?

OFAC compliance is required for all U.S. persons and entities, including U.S.-incorporated businesses regardless of where they operate. Foreign subsidiaries of U.S. companies must comply with certain OFAC programs, notably those covering Cuba and Iran. Banks and other financial institutions involved in dollar-clearing must screen transactions even when the originator and beneficiary are both outside the U.S., because the payment is being processed in U.S. dollars through the U.S. financial system.

This last point matters more than some finance teams realize. A cross-border payment from a U.S. company to a foreign vendor will typically pass through multiple correspondent banks, each of which screens the payment against OFAC lists. A hit at any step can freeze the payment, trigger reporting obligations, and require an OFAC license to release the funds.

OFAC sanctions programs that affect cross-border payments

Not every cross-border payment intersects with every sanctions program. Most finance teams that pay international vendors encounter a few specific OFAC programs more often than others. Understanding the scope of each helps clarify which payments need closer review.

Comprehensive country sanctions

The most restrictive OFAC programs prohibit most transactions with sanctioned countries entirely. Currently, comprehensive sanctions apply to Iran, North Korea, Cuba, Syria, and specific regions of Ukraine. With limited exceptions for humanitarian aid or specific licensed activities, U.S. persons cannot transact with parties in these jurisdictions. A payment to a vendor located in or operating from one of these countries should be presumed prohibited until a thorough review confirms otherwise.

List-based sanctions and the SDN list

The Specially Designated Nationals and Blocked Persons list, commonly called the SDN list, names individuals, companies, vessels, and aircraft that are subject to blocking sanctions. U.S. persons are prohibited from transacting with any party on the SDN list, regardless of where that party is located. If a vendor in Germany or Brazil is on the SDN list, paying them would constitute a sanctions violation. The SDN list updates frequently and currently contains thousands of entries.

The 50 Percent Rule

OFAC's 50 Percent Rule extends blocking sanctions to any entity that is owned 50 percent or more by one or more blocked persons. An entity that does not appear on the SDN list but is majority-owned by SDN parties is itself considered blocked for OFAC purposes. This rule is one of the most common sources of unintended sanctions exposure for U.S. businesses, since ownership structures are not always transparent and a foreign vendor's parent companies may not be obvious from invoices or contracts.

Sectoral sanctions and the SSI list

Sectoral sanctions impose restrictions on specific sectors of certain economies rather than full blocking. The Sectoral Sanctions Identifications, or SSI list, applies to parts of the Russian financial services, energy, and defense sectors, among others. Restrictions vary by directive; some prohibit new equity or debt transactions, others restrict specific types of transactions or limit financing terms. Cross-border payments to or from SSI-listed entities require careful analysis of which directive applies.

Slash business banking

Works with cards, crypto, plus cards, crypto, accounting, and more.

Open Account

5 elements of an effective OFAC compliance program for cross-border payments

OFAC has published expectations for what a risk-based sanctions compliance program should include. For most finance teams paying international vendors, this translates into a handful of operational practices that can be embedded into existing AP and treasury workflows.

1. Senior management commitment and clear ownership

OFAC compliance is most effective when leadership has explicitly assigned responsibility for sanctions screening and remediation, allocated resources to the program, and documented its commitment to compliance. For many small and mid-sized businesses, ownership sits with the CFO or controller, with operational responsibility delegated to the AP manager or compliance lead.

2. Risk assessment of customers, vendors, and payment corridors

A sanctions risk assessment identifies where the business is most exposed. Risk factors include the countries where customers and vendors are located, the products and services being transacted, the volume and value of cross-border payments, and the payment methods used. A business that pays a handful of vendors in Canada and the UK has a very different risk profile than one that pays manufacturers in the Middle East or Eastern Europe. The risk assessment should be documented and reviewed at least annually.

3. Sanctions screening at onboarding and on each payment

Screening is the operational core of the program. At minimum, every vendor and customer should be screened against the SDN list and other relevant OFAC lists at onboarding. Each cross-border payment should also be screened against current lists at the time the payment is initiated, since list contents change. Effective screening systems use fuzzy matching to catch spelling variations and transliterations, since OFAC list entries can include multiple aliases.

4. Investigation, escalation, and reporting procedures

When a screening system flags a potential match, finance teams need a defined process to investigate. While many flags are false positives caused by common names, each must be reviewed and the disposition documented. Confirmed matches typically require blocking the payment, filing a report with OFAC within ten business days for blocked transactions, and applying for a license if continued business activity is contemplated. Some violations may also need to be reported through a voluntary self-disclosure to mitigate penalties.

5. Training and documentation

Finance, AP, and customer-facing teams should receive sanctions training appropriate to their roles. Training should cover what OFAC sanctions are, how to recognize potential red flags, and how to escalate within the organization. Documentation of training, screening results, investigations, and program reviews creates the audit trail that OFAC examiners look for during enforcement reviews.

OFAC penalties and enforcement for cross-border payment violations

OFAC enforces sanctions through civil and, in egregious cases, criminal penalties. Civil penalties are assessed on a strict-liability basis, which means the agency does not need to prove that a violator intended to break the law. Penalties can reach over $200,000 per violation or twice the value of the underlying transaction, indexed for inflation, with most sanctions programs allowing per-transaction stacking.

OFAC publishes enforcement actions and settlement agreements on its website, which gives finance teams a useful reference point for the kinds of conduct that draw enforcement attention. Recent settlements have involved fintech platforms that processed payments to sanctioned jurisdictions, banks that failed to screen counterparty banks adequately, and businesses whose foreign subsidiaries transacted with SDN-listed parties.

Aggravating and mitigating factors

OFAC's Enforcement Guidelines lay out aggravating factors that increase penalty exposure, such as willful or reckless conduct, awareness of the violation, harm to U.S. policy objectives, and the size and sophistication of the violator. Mitigating factors that reduce penalties include the existence of a sanctions compliance program at the time of the violation, prompt remedial action, cooperation with OFAC's investigation, and voluntary self-disclosure prior to OFAC discovering the violation.

In practice, a documented compliance program and prompt remediation are often the difference between a public enforcement action and a private cautionary letter.

Common OFAC compliance mistakes in cross-border payments

Even well-intentioned finance teams can trip on the same handful of issues. Knowing these patterns helps focus attention on the parts of the workflow most likely to fail. Some easy mistakes include:

Screening only at onboarding: A vendor that cleared OFAC screening when they were added to the system can still appear on the SDN list later. Effective programs screen vendors continuously or at least at the time of each payment, not just at initial onboarding.
Missing ownership and the 50 Percent Rule: Many vendors aren’t on the SDN list themselves, but they’re owned by blocked parties. Without ownership analysis, the 50 Percent Rule will not be caught by name-based screening. KYB processes that collect beneficial ownership information at onboarding are a baseline mitigation for this risk.
Relying solely on the bank to catch problems: U.S. banks screen every cross-border payment they process, and finance teams sometimes assume this covers them. Bank screening serves the bank's own compliance obligations rather than yours, and may not catch issues your own program would identify earlier. A bank flag often arrives after a payment has already been attempted, with the funds blocked and a more complicated remediation path ahead.
Ignoring secondary sanctions exposure: Secondary sanctions can apply to non-U.S. persons that engage in certain transactions with sanctioned parties. A U.S. business whose foreign vendor transacts with an SDN-listed Russian bank, for example, can face downstream exposure even when the immediate payment is to the foreign vendor. Risk assessments should account for the broader corridor of activity, not just the next counterparty.
Inadequate documentation: When OFAC reviews a compliance program, documentation is key evidence. A program that exists in practice but is not written down or audited regularly will look weaker on examination than one that has been formally documented, even if both perform similarly day-to-day.

Optimize your cross border payment strategy with Slash

OFAC compliance shows up at the point of payment, not as a separate process. When a U.S. business pays an international vendor, each transaction needs to be screened against sanctions lists, and any potential match has to be reviewed before funds are released. In many setups, this happens across multiple systems or after the payment has already been initiated, which creates delays and increases the risk of blocked or rejected transfers.

Slash handles this within the payment flow. Each outgoing payment is screened against sanctions lists, with KYB onboarding used to establish counterparty details upfront. If a payment is flagged, it is held for review before funds leave the account. Teams can resolve potential matches in the same interface they use to initiate payments, with transaction-level records available for audit and reporting. The platform also consolidates payment activity, counterparty data, and logs in a single dashboard, which reduces the need to reconcile across systems.

Key capabilities for finance teams managing cross-border payment compliance include:

Detailed transaction logs: Maintain an audit-ready record of every payment, with searchable metadata for compliance reviews and regulator requests.
AI-powered finance: Our platform comes with Twin, a built-in AI agent that can be prompted with natural language to complete complex tasks. Users can ask it to create cards, pay invoices, review your cash flow, and much more.
Slash Visa® Platinum Card: The Slash Card allows you to set customizable spending controls and issue unlimited virtual cards for handling team expenses, vendor payments, subscriptions, and more. Users can also earn up to 2% cash back on business purchases.
Native cryptocurrency support: Hold, send, and receive USD-pegged stablecoins USDC and USDT across eight supported blockchains for faster, lower-cost global payments.⁴
Sanctions screening on outbound payments: Screen payment beneficiaries before submission to surface potential SDN or sector-list hits early.
KYB onboarding for counterparties: Capture beneficial ownership information at onboarding to support 50 Percent Rule analysis.

Apply in less than 10 minutes today

Join the 5,000+ businesses already using Slash.

Frequently Asked Questions

Do small businesses need an OFAC compliance program?

Yes, in proportion to risk. All U.S. persons are subject to OFAC sanctions, including small businesses. The program doesn’t need to look like a Fortune 500 bank's, but it should reflect the business's risk profile. A small business that pays a few vendors in low-risk countries can implement a simpler program than one paying vendors in higher-risk corridors. Using a banking platform like Slash that performs sanctions screening on outbound payments can cover much of the operational lift for smaller teams.

What happens if a cross-border payment is blocked under OFAC?

When a financial institution determines that a payment involves a blocked party, the funds must be placed in a blocked account at the institution rather than returned to the sender or forwarded to the beneficiary. The institution is required to report the blocked transaction to OFAC within ten business days, and the funds typically remain blocked until OFAC issues a license authorizing release. Releasing blocked funds usually requires the originator to apply directly for an OFAC license.

How often does the OFAC SDN list update?

OFAC updates the SDN list on a continuous basis, with changes published as needed rather than on a fixed schedule. New designations, removals, and amendments can occur multiple times per week. Compliance programs that rely on a static list snapshot can miss recent additions, which is why many effective programs re-screen counterparties on every cross-border payment using the most current list.

Are cryptocurrency and stablecoin payments subject to OFAC sanctions?

Yes. OFAC treats cryptocurrency and stablecoin transactions the same as fiat transactions for sanctions purposes. U.S. persons cannot use stablecoins like USDC or USDT to transact with SDN-listed parties, sanctioned jurisdictions, or other blocked counterparties. OFAC has published guidance specifically for the virtual currency industry and can bring enforcement actions against crypto platforms that fail to implement adequate sanctions screening.