OFAC Sanctions Guidelines

Regulation Summary

Establishment: OFAC was formally established in December 1950, following the Chinese intervention in the Korean War, to administer economic sanctions programs.
Ongoing Updates: Sanctions programs are continually updated to address emerging global threats and foreign policy objectives.

Financial Institutions: Banks and other financial entities must ensure they do not process transactions involving sanctioned individuals or entities.
Exporters and Importers: Companies involved in international trade must verify that their business partners are not on OFAC's sanctions lists.
Insurance Companies: Insurers need to ensure they are not underwriting policies for sanctioned parties.
Technology Firms: Companies offering digital services or products internationally must prevent access by sanctioned countries or individuals.

General Licenses: OFAC may issue general licenses authorizing certain transactions that would otherwise be prohibited, such as specific humanitarian activities.
Specific Licenses: Businesses can apply for specific licenses to conduct transactions that are otherwise restricted, evaluated on a case-by-case basis.

Risk Assessment: Conduct regular assessments to identify potential OFAC-related risks in operations, customers, and transactions.
Compliance Programs: Develop and maintain robust sanctions compliance programs tailored to the company's risk profile.
Screening Processes: Implement effective screening procedures to ensure no dealings with sanctioned parties.
Training: Provide ongoing training for employees on OFAC regulations and internal compliance procedures.
Reporting: Promptly report any suspected violations to OFAC.

Access Restrictions: Implement measures to prevent access to services or products from sanctioned countries or individuals.
User Screening: Use tools to screen users against OFAC's sanctions lists before allowing access to certain services.
Disclosure: Clearly communicate in terms of service or user agreements that transactions with sanctioned parties are prohibited.
Monitoring: Continuously monitor user activities to detect and prevent prohibited transactions.

50% Rule: Entities owned 50% or more, directly or indirectly, by one or more blocked persons are also considered blocked, even if not explicitly listed by OFAC.
Secondary Sanctions: Non-U.S. entities may face sanctions for conducting business with sanctioned parties, even if no U.S. nexus exists

Not a Privacy Regulation: OFAC guidelines do not grant specific data subject rights.
Data Protection: Businesses should protect personal data collected during compliance processes, aligning with applicable data protection laws.

Civil Penalties: OFAC can impose fines for violations, with amounts varying based on the specific sanctions program. Under the International Emergency Economic Powers Act (IEEPA), civil penalties can reach up to $356,579 per violation.
Criminal Penalties: Willful violations can lead to criminal charges, including fines of up to $1 million per violation and/or up to 20 years of imprisonment.
Compliance Expectations: OFAC expects organizations to maintain effective sanctions compliance programs and may consider the adequacy of these programs when determining enforcement actions.