The Legal Obligation No AP Function Can Delegate
OFAC sanctions operate on strict liability. Ignorance of a vendor's sanctioned status is not a defense. For accounts payable, this means that screening against the SDN list and all applicable international watchlists is not a best practice — it is a legal duty that attaches before the first payment is authorized.
Accounts payable sits at the terminal point of the disbursement cycle — the moment at which an obligation becomes a payment and organizational funds transfer to a counterparty. At that moment, a question of law applies with uncommon severity: is this payee a party with whom transactions are legally prohibited?
The sanctions and barred-parties screening regime is one of the very few compliance domains in which the standard of liability is strict. The law does not require intent. It does not require knowledge. It requires only that a prohibited transaction occurred.
For AP professionals, this reframes screening from a procedural formality into a legal control obligation of first-order importance. The question is not whether to screen — it is how comprehensively to screen, at what frequency, and against which lists. This article addresses the architecture of that obligation under U.S., UK, and EU frameworks.
The Legal Foundation: OFAC and the Strict Liability Standard
The Office of Foreign Assets Control (OFAC), a division of the U.S. Department of the Treasury, administers and enforces economic and trade sanctions based on U.S. foreign policy and national security objectives. Its authority derives principally from the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), as supplemented by a range of executive orders and sector-specific statutes.
OFAC's sanctions framework applies to all U.S. persons — defined to include all U.S. citizens and permanent residents wherever located, all persons physically present in the United States, and all entities organized under U.S. law including their foreign branches. The critical compliance implication is that OFAC enforces on a strict liability basis: a prohibited transaction is a violation regardless of whether the transacting party knew the counterparty was designated or intended to circumvent sanctions. As OFAC has stated in its own FAQs, civil penalties may be imposed even if the violating party had no knowledge of the underlying designation.
Strict Liability — The Controlling Legal Standard
OFAC may impose civil monetary penalties on a strict liability basis. A U.S. person may be held civilly liable even if it had no knowledge that the transaction was prohibited. While "good faith" and the existence of a documented compliance program are mitigating factors in calculating the penalty, they are not defenses against the underlying violation. The occurrence of a prohibited payment is itself the violation.
OFAC Civil Penalty Exposure Per Violation (2026)
• $377K: statutory maximum per violation, adjusted for inflation (IEEPA-based programs)
• 2x transaction value: applied when it exceeds the base figure, which is common for large payments
• 20 yrs: maximum criminal imprisonment for willful violations, plus fines up to $1M per violation
The Primary U.S. Screening List: The SDN
The Specially Designated Nationals and Blocked Persons List — universally referred to as the SDN list — is OFAC's primary enforcement instrument and the most critical list for AP screening purposes. It identifies individuals, companies, vessels and aircraft whose assets are blocked and with whom U.S. persons are generally prohibited from conducting transactions in any form. The SDN list includes designees across all of OFAC's programs: terrorists, narcotics traffickers, weapons proliferators, foreign government officials subject to targeted sanctions, and entities operating in sanctioned sectors.
The SDN is dynamic. It is updated frequently — sometimes multiple times in a single week — as OFAC adds, modifies, or removes designations in response to geopolitical events, enforcement actions, and license activities. Screening the SDN only at vendor onboarding is insufficient. An approved vendor today can become a blocked person tomorrow, and if a payment is processed to a subsequently designated party without re-screening, the transaction is a violation regardless of when the designation was added.
The 50 Percent Rule: The Hidden SDN Problem
One of the most significant — and frequently misunderstood — aspects of OFAC compliance is the 50-Percent Rule. Under this rule, any entity that is owned 50 percent or more in the aggregate by one or more SDN-listed persons is itself treated as blocked, even if that entity does not appear on the SDN list by name. The blocked status flows through the ownership chain automatically by operation of law, not by explicit listing.
For AP, this means that screening only the vendor's trade name or legal entity name against the SDN is necessary but not sufficient. Beneficial ownership structures must be investigated, particularly for vendors with foreign ownership or complex holding structures. A vendor incorporated in a third country with a 60% SDN-designated parent is a blocked entity even if its own name has never appeared on any list.
Practical Implication
Screening only the vendor's company name is a compliance failure waiting to happen. Best practice requires screening the legal entity, all known aliases and DBA names, and the key principals and beneficial owners — and then investigating ownership chains for any entity with foreign or non-transparent ownership.
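The aggregation the 50 Percent Rule calls for can be run over the ownership data collected at onboarding. The following Python is an added example, not part of the original article or of any screening product; the party names and stakes are constructed, and it assumes a stake counts toward the 50 percent total only when its holder is listed by name or is already treated as blocked.

```python
from collections import defaultdict

THRESHOLD = 50  # percent, held in the aggregate by blocked parties


def blocked_by_ownership(listed, stakes):
    """Return {party: reason} for every party treated as blocked.

    listed: names that appear on the list by name.
    stakes: (owner, owned_entity, percent) direct holdings.
    """
    owners_of = defaultdict(list)
    for owner, entity, pct in stakes:
        owners_of[entity].append((owner, pct))

    blocked = {name: "listed by name" for name in listed}
    changed = True
    while changed:  # repeat until no new entity becomes blocked
        changed = False
        for entity, owners in owners_of.items():
            if entity in blocked:
                continue
            # Assumption: only stakes held by blocked parties are aggregated.
            held = sorted((o, p) for o, p in owners if o in blocked)
            total = sum(p for _, p in held)
            if total >= THRESHOLD:
                detail = ", ".join(f"{o} {p:g}%" for o, p in held)
                blocked[entity] = f"{total:g}% held by blocked parties ({detail})"
                changed = True
    return blocked


# Constructed ownership data; none of these names are real list entries.
LISTED = {"Person X", "Person Y"}
STAKES = [
    ("Person X", "Holdco A", 60),   # majority-owned by a listed person
    ("Holdco A", "Vendor B", 40),   # 40% via blocked Holdco A ...
    ("Person Y", "Vendor B", 10),   # ... plus 10% direct = 50% aggregate
    ("Vendor B", "Vendor F", 100),  # blocked status flows down the chain
    ("Person X", "Holdco C", 25),   # minority stakes only
    ("Person X", "Holdco D", 25),
    ("Holdco C", "Vendor E", 50),   # owners are not blocked, so nothing counts
    ("Holdco D", "Vendor E", 50),
]

if __name__ == "__main__":
    for party, reason in sorted(blocked_by_ownership(LISTED, STAKES).items()):
        print(f"{party}: {reason}")
```

None of Holdco A, Vendor B or Vendor F would be caught by screening their own names, which is why the ownership data has to be screened alongside the vendor name.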
The Full OFAC List Universe: Beyond the SDN
The SDN list is the most prominent but not the only OFAC list. OFAC publishes a Consolidated Sanctions List that aggregates the SDN with all other non-SDN lists into a single searchable dataset. A complete AP screening program checks against the full Consolidated Sanctions List, not the SDN alone. The major component lists include the following.
OFAC Consolidated Sanctions List — Component Lists
SDN List
Specially Designated Nationals and Blocked Persons. The primary enforcement list — blocked assets, prohibited transactions for all U.S. persons. Updated multiple times weekly. The mandatory baseline for all AP screening.
Sectoral Sanctions Identifications (SSI) List
Entities operating in designated sectors of the Russian economy. Restrictions apply to specific types of debt and equity transactions — not full blocking, but transactional prohibitions that must be assessed for vendor payment terms and financing structures.
Non-SDN Chinese Military-Industrial Complex (NS-CMIC) List
Chinese companies with connections to China's military-industrial complex. Subject to U.S. investment and securities restrictions. Relevant for organizations acquiring equity or transacting with Chinese entities in the defense and surveillance technology sectors.
Correspondent Account / Payable-Through Account (CAPTA) List
Foreign financial institutions subject to restrictions or prohibitions on correspondent account relationships with U.S. banks. Relevant when vendors route payments through foreign financial institutions on this list.
Foreign Sanctions Evaders (FSE) List
Foreign persons who have facilitated deceptive transactions for sanctioned parties or violated U.S. Iran or Russia sanctions. Transactions by U.S. persons involving FSEs are prohibited. As of December 2025, the list was emptied — but new designations may be added at any time.
Non-SDN Menu-Based Sanctions (NS-MBS) List
Persons subject to targeted sanctions that are less than full blocking but include specific transactional prohibitions defined on a record-by-record basis. Requires review of the specific restriction applicable to each listed entity.
Country-Based Programs: Comprehensive Prohibitions
In addition to list-based sanctions targeting specific individuals and entities, OFAC administers country-based comprehensive programs that impose near-total prohibitions on trade and financial transactions involving entire jurisdictions. Unlike the SDN, which requires a match to a named party, country-based sanctions apply to the jurisdiction itself — any transaction with a counterparty in a comprehensively sanctioned country is presumptively prohibited unless covered by an OFAC general or specific license.
As of 2026, the countries subject to comprehensive U.S. sanctions embargoes are Cuba, Iran, and North Korea. The Donetsk People's Republic and Luhansk People's Republic regions of Ukraine have been subject to comprehensive-style prohibitions since Executive Order 14065 in February 2022, and the Crimea region has been under comprehensive sanctions since 2014.
Syria presents a notable and fluid situation. Comprehensive sanctions had been in place since 2004 and were significantly expanded following the 2011 civil war. Following the fall of the Assad regime in late 2024, OFAC issued General License 24 in January 2025 authorizing certain transactions with new Syrian governing institutions, and President Trump signed Executive Order 14312 in June 2025 revoking the executive orders that had formed the backbone of the Syria program. The formal sanctions framework technically remained in place as of mid-2026, however, and AP organizations with any Syrian counterparty exposure should seek current legal guidance before processing payments.
Beyond comprehensive programs, OFAC administers targeted programs for a broader set of jurisdictions — including Russia, Belarus, Venezuela, Afghanistan, and others — where general trade may continue but transactions involving designated persons or specific sectors are prohibited. The sanctions landscape for Russia and Belarus has been among the most dynamically evolving since 2022, with hundreds of additional designations of oligarchs, state-owned enterprises, and financial institutions added across that period, including Rosneft and Lukoil in October 2025.
Geopolitical Volatility and AP Exposure
The sanctions landscape shifts with geopolitical events in near real-time. Colombia's president was added to the SDN list in October 2025. Venezuela's status remains in flux following developments in early 2026. Organizations with any international vendor exposure — even indirect, through second-tier supply chains — cannot treat their sanctions screening program as a static or annual exercise.
What Must Be Screened: The Scope of the Check
A common failure mode in AP sanctions compliance is screening only the vendor's primary trade name. This satisfies neither the legal standard nor any reasonable interpretation of adequate due diligence. The screening obligation extends across the entire counterparty profile.
1. Legal entity name and all registered aliases
Screen the vendor's full legal registered name, all trade names and DBAs, and any prior names under which the entity has operated. Designation records frequently include known aliases — a vendor who has changed its name to avoid screening remains a blocked person.
2. Key principals and beneficial owners
Screen the individuals identified as officers, directors, managing members, and — critically — beneficial owners of the vendor entity. Under OFAC's 50 Percent Rule, a vendor majority-owned by an SDN-designated individual is itself blocked. Ownership screening is not optional.
3. Jurisdictional associations
Screen the vendor's country of incorporation, countries of operation, and banking jurisdictions. A vendor incorporated in a neutral jurisdiction but banking through a comprehensively sanctioned country's financial system presents elevated risk that may not be captured by name screening alone.
4. Subsidiary and affiliated entities
Where a vendor operates through subsidiaries or is itself a subsidiary of a larger entity, the ownership chain should be traced to identify any sanctioned parent, grandparent, or affiliate. A payment to a legitimate subsidiary of a blocked parent may itself be a blocked transaction under the 50 Percent Rule.
5. Banking and remittance intermediaries
Review the financial institutions through which vendor payments will route. The CAPTA list identifies foreign financial institutions for which correspondent account relationships are prohibited or restricted. Payments routed through a CAPTA-listed institution present independent compliance exposure.
"Screening only the vendor's company name is the compliance equivalent of reading the cover and calling the book read. The sanctioned party is often the owner, not the sign over the door."
Fuzzy Matching: The Name Resolution Problem
Sanctions lists are maintained across multiple languages, transliteration standards, and naming conventions. A designated Russian oligarch will appear in Cyrillic in the underlying source data and in multiple Romanized transliterations across different list versions. A sanctioned Iranian entity may have an Arabic legal name, a Persian trade name, and multiple Romanized variants. A single SDN entry may carry dozens of known aliases.
Manual exact-name matching against sanctions lists is therefore not a compliant screening methodology for any organization with meaningful vendor volume or international exposure. A screening system that flags only exact character-string matches will produce false negatives that are invisible to the compliance team — the match exists but was not identified because the name was transliterated differently.
Compliant screening systems employ fuzzy matching algorithms — phonetic matching, edit-distance calculations, and alias expansion — that surface probable matches for human review rather than requiring exact character alignment. The tradeoff is false positives: legitimate vendors whose names are similar to designated parties will be flagged and require manual adjudication. This is not a defect in the system; it is the system functioning as intended. A robust AP sanctions program has a documented false-positive adjudication process that records the basis for clearing each potential match.
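The three techniques named above, as an added Python example that is not part of the original article or of any screening product. The watchlist entries, vendor names, similarity threshold and the crude phonetic key are all constructed assumptions for illustration; production systems use tuned algorithms and real list data.

```python
import re
import unicodedata

LEGAL_FORMS = {"llc", "ltd", "inc", "co", "corp", "gmbh", "jsc", "sa"}
SOUND_ALIKE = (("kh", "h"), ("ph", "f"), ("ck", "k"), ("w", "v"), ("y", "i"), ("j", "i"))


def normalize(name):
    """Fold case, strip diacritics and punctuation, drop legal-form tokens."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = re.findall(r"[a-z0-9]+", text.casefold())
    return " ".join(t for t in tokens if t not in LEGAL_FORMS)


def edit_similarity(a, b):
    """1 - Levenshtein distance / longer length, on normalized names."""
    a, b = normalize(a), normalize(b)
    if not a or not b:
        return 0.0
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return 1 - prev[-1] / max(len(a), len(b))


def phonetic_key(name):
    """Crude consonant skeleton that merges common romanization variants."""
    key = normalize(name)
    for variant, canonical in SOUND_ALIKE:
        key = key.replace(variant, canonical)
    key = re.sub(r"[aeiou ]", "", key)
    return re.sub(r"(.)\1+", r"\1", key)  # collapse doubled letters


def screen(vendor_names, watchlist, threshold=0.85):
    """Return probable matches for human review, best score first."""
    hits = []
    for entry in watchlist:
        for listed in [entry["name"], *entry["aliases"]]:  # alias expansion
            for candidate in vendor_names:
                score = edit_similarity(candidate, listed)
                methods = []
                if score >= threshold:
                    methods.append("edit-distance")
                key = phonetic_key(candidate)
                if key and key == phonetic_key(listed):
                    methods.append("phonetic")
                if methods:
                    hits.append({"vendor_name": candidate, "list_id": entry["id"],
                                 "listed_name": listed, "score": round(score, 3),
                                 "matched_by": methods})
    return sorted(hits, key=lambda h: -h["score"])


# Constructed watchlist and vendor names; none of these are real list entries.
WATCHLIST = [
    {"id": "CONSTRUCTED-1", "name": "Volhov Maritime Service", "aliases": ["VMS Shipping"]},
    {"id": "CONSTRUCTED-2", "name": "Yusuf Darimov", "aliases": ["Y. Darimov"]},
]

if __name__ == "__main__":
    for vendor in (["Volkhov Maritime Services Ltd."], ["Jusuf Darymow"],
                   ["Northwind Office Supply Inc"]):
        print(vendor, "->", screen(vendor, WATCHLIST))
```

Neither flagged vendor is an exact string match for its list entry, and the second is found only by the phonetic key. Each returned hit is a candidate for the documented adjudication step, not a determination.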
Screening Frequency: Onboarding Is Not Enough
Because sanctions lists are updated continuously — OFAC's SDN can change multiple times in a single week — a screening performed at vendor onboarding does not remain valid for the life of the vendor relationship. An approved vendor in the vendor master today can be designated by OFAC, added to the UK Sanctions List, or included in a new EU Council Regulation tomorrow. If a payment is subsequently processed without re-screening, the organization has made a prohibited payment.
Best practice, as articulated in OFAC compliance guidance and reflected in the standard functionality of platforms such as VendorInfo, includes three screening moments: at initial onboarding before the vendor is admitted to the approved vendor master; periodically on a defined cycle against the existing vendor master (weekly automated re-screens are the current standard in automated platforms, with immediate re-screen triggered by any list update); and at the point of payment processing for high-risk vendor categories or jurisdictions. Platforms capable of monitoring for new additions to the SDN and running automated re-screens of the entire vendor master eliminate the window of exposure that exists when screening is treated as a one-time event.
Red Flags That Should Trigger Enhanced Screening
Beyond the baseline screening protocol, certain vendor characteristics should trigger heightened scrutiny and potentially escalation to legal or compliance counsel before onboarding is completed. These are not automatic disqualifiers — they are indicators that the standard screening process may be insufficient and that additional investigation is warranted.
• Unusual banking jurisdictions. A vendor incorporated in one country but maintaining banking in a high-risk or comprehensively sanctioned jurisdiction. Frequent or unexplained changes to banking information after onboarding — a common fraud indicator — may also signal sanctions evasion.
• Non-transparent ownership structure. A vendor that declines to identify its beneficial owners, that uses nominee shareholders, or whose ownership traces to jurisdictions with limited corporate transparency (shell company registers in offshore financial centers). The 50 Percent Rule makes ownership opacity a direct sanctions risk.
• Politically exposed persons (PEPs) in ownership or control. Foreign government officials, state-owned enterprise executives, and their immediate family members and close associates are classified as PEPs and present elevated sanctions and corruption risk. PEP status does not itself indicate SDN designation, but it warrants enhanced due diligence and ongoing monitoring.
• Geographic exposure to sanctioned jurisdictions. A vendor with operations, facilities, or supply chain dependencies in comprehensively sanctioned countries, or with principals who are nationals or residents of sanctioned jurisdictions, presents indirect sanctions exposure even if the vendor itself is not designated.
• Names similar to known designees. A potential match — even one that does not pass a strict name match — should be investigated rather than dismissed. The obligation is not to prove a match but to rule one out with documented evidence.
• Payments routed through third parties. A vendor that requests payment to a third-party account — a different entity, a different country, or a different name than the contracted vendor — is exhibiting a pattern consistent with sanctions evasion as well as payment fraud. Both concerns warrant escalation before payment is processed.
When a Match Is Found: The Blocking and Reporting Obligation
A confirmed OFAC SDN match — or a transaction involving a comprehensively sanctioned country — triggers a mandatory legal response that is distinct from and additional to the internal compliance review. U.S. persons who identify a transaction involving a blocked party must block the funds and report the blocked transaction to OFAC within ten business days of the blocking. Separately, rejected transactions — transactions that are prohibited but have not resulted in blocked property — must be reported to OFAC within ten business days of the rejection decision.
Organizations must also file annual reports of blocked property with OFAC by September 30 each year. These reporting obligations are legal requirements, not internal compliance elections. Failure to report is itself a violation. Documentation of the match, the investigation, the blocking action, and the report must be retained for a minimum of five years.
Where a potential match is identified but not confirmed — the common false-positive scenario — the organization must document the investigation, the basis for the determination that the vendor is not the designated party, and the names and roles of individuals who made that determination. This documentation is what enables an organization to demonstrate, in the event of a later regulatory inquiry, that its screening program was functioning and that its adjudication decisions were made in good faith.
The Compliance Program as Penalty Mitigation
OFAC's strict liability standard means that violations can occur even in organizations with excellent compliance programs. The existence and quality of the compliance program does not eliminate liability, but it is the central factor in how OFAC calculates the penalty for a violation that is discovered or self-disclosed. OFAC's Economic Sanctions Enforcement Guidelines identify the nature of a compliance program at the time of the violation as a primary mitigating or aggravating factor.
OFAC has articulated five pillars of an adequate sanctions compliance program: management commitment, risk assessment, internal controls, testing and auditing, and training. For AP, the internal controls pillar is the most operationally immediate — it encompasses the screening procedures, vendor master access controls, payment release protocols, and escalation procedures that sit under AP's direct governance.
Voluntary self-disclosure to OFAC of a discovered violation is treated as a significant mitigating factor and can reduce the applicable base penalty by up to 50%. The decision to self-disclose should involve legal counsel and senior management, but the existence of the option reinforces the importance of having a monitoring and detection program capable of discovering violations internally before they are identified through external enforcement.
Integrating the Multi-Jurisdictional Obligation
For organizations with any international footprint — whether through vendors, banking relationships, or operations — the practical compliance challenge is managing three distinct and partially overlapping but non-identical sanctions regimes: OFAC for U.S. obligations, the UK Sanctions List for UK obligations, and the EU Consolidated Sanctions List for EU obligations. The UN Consolidated List underlies all three but is not a substitute for any of them.
The lists overlap substantially, particularly on major programs such as Russia, Iran, and North Korea, where U.S., UK, and EU sanctions designations tend to be coordinated. But they are not identical. Each regime has its own designation process, its own timelines, and its own scope of persons and entities. A party not designated by OFAC may be on the UK Sanctions List; a party designated by OFAC may not have an EU equivalent. Organizations that screen only OFAC are compliant with U.S. law but may be non-compliant with UK or EU obligations if they have a nexus to those regimes.
Purpose-built automated multi-list screening platforms resolve the multi-list management problem by consolidating screening across 21 or more watchlists into a single workflow, with results returned simultaneously rather than requiring sequential checks against separate sources. For AP departments that cannot support a manual multi-list screening operation, automated platforms are not merely a convenience but a compliance necessity.
"In a sanctions environment where geopolitical events can add a vendor's ownership chain to the SDN list between Tuesday and Wednesday, the organization that screens only at onboarding has not built a compliance program — it has installed a checkpoint with no guards."
Conclusion: AP as the Last Legal Line
Accounts payable is, in the language of sanctions compliance, the last U.S. person in the transaction chain before funds leave the organization. That position carries legal weight that no other function in the procure-to-pay cycle bears as directly. When payment is authorized and processed, the liability question is settled — and under strict liability, it is settled regardless of what anyone knew.
This is why sanctions screening is not a task that AP can treat as a formality completed elsewhere in the organization and inherited as a cleared result. The screening obligation is intrinsic to the disbursement control function. Vendor authentication — the subject of the prior article in this resource — establishes that the vendor is who it claims to be. Sanctions screening establishes that the vendor is someone with whom payment is legally permitted. Both conditions must be satisfied before a disbursement is authorized. Neither is a prerequisite to the other; both are conditions of the same authorization act.
The architecture of that screening — which lists, at what frequency, to what scope of the counterparty profile, with what documentation and under what adjudication protocol — is the substance of a defensible AP sanctions compliance program. The strict liability standard demands that the architecture be built before a violation occurs, not assembled in response to one.