Calder & Vance International Sanctions & Compliance Counsel

Sanctions Risk & Compliance · OFAC

Payment-processing controls under OFAC: a practical guide

A payment-operations team at a mid-sized financial institution receives a wire transfer. The originator name looks clean. The beneficiary passes the automated screen. The transaction settles. Three weeks later, compliance discovers that the correspondent bank in the chain had been processing for a company owned by a blocked person – and the institution's controls never looked at the intermediary. That single gap is how OFAC exposure materialises in payments.

Payment-processing controls under OFAC (the US Treasury's Office of Foreign Assets Control, which administers US economic sanctions) require firms to screen all parties to a transaction, block or reject prohibited payments, and report to OFAC within defined timeframes. As of mid-2026, OFAC's enforcement posture treats inadequate payment controls as an aggravating factor in any penalty calculation. The controls apply regardless of where the processing entity is incorporated, provided a US nexus exists.

This guide walks through the five practical steps for building and maintaining effective OFAC payment controls, compares the position under OFSI and the EU, and identifies the risk flags that most commonly produce enforcement action.

Step 1: Understand who and what OFAC payment controls cover

OFAC payment controls apply to any US person, any person within the United States, and any transaction processed through the US financial system – regardless of where the processing firm sits geographically. That extraterritorial reach is the foundation of OFAC's authority under IEEPA and the relevant executive orders.

The scope catches more parties than most compliance teams assume. A non-US bank that routes a wire through a US correspondent account is within scope for that payment. A non-US payment aggregator that settles in US dollars through a New York clearing arrangement is subject to OFAC rules on every settlement it touches. In our experience, the extraterritorial point is where mid-tier payment firms – those with no physical US presence – most frequently underestimate their exposure.

The obligation is binary for prohibited transactions: block the payment and report it, or reject it and (in many cases) report it. Partial screening that catches only the account holder and ignores the originating or correspondent bank is not adequate. OFAC expects controls to reach every party the firm can identify in the transaction chain.

What parties must be screened? At minimum: the originator, the originator's bank, the beneficiary, the beneficiary's bank, any named intermediary institution, and any reference party whose name appears in the payment message. The message fields that contain this data – SWIFT MT or MX formats in cross-border payments – must all feed the screening engine.

Step 2: Configure and test the screening engine

An OFAC-compliant screening system must check every named party in a payment against the SDN List (OFAC's list of Specially Designated Nationals and blocked persons), the relevant sectoral or programme-specific lists, and any consolidated UN Security Council list the firm is required to apply. The system must also apply the 50 percent rule (OFAC's rule treating entities owned 50 percent or more by blocked persons as themselves blocked, even if they do not appear by name on any list).

Configuration errors are endemic. The most consequential: allowing the fuzzy-match threshold to be set so high that name variants and transliterations pass undetected, and failing to include the ownership-aggregation logic required by the 50 percent rule. Screening tools that flag only direct list hits miss the bulk of the real risk.

Testing matters as much as configuration. Firms should run a representative sample of true-match and near-miss test payments through the engine at least quarterly, and after any significant update to the lists or the engine itself. We regularly advise clients to keep records of each test cycle – the inputs, the results, and any tuning decisions – because OFAC's examination process will ask to see this documentation.

A second dimension of testing is latency. If the screening engine runs on an overnight batch rather than in real time, the firm is exposed during the settlement window. OFAC expects real-time or near-real-time screening for payment flows above a material volume threshold. Batch-only screening is a documented risk factor.

How does the 50 percent rule affect payment screening?

The 50 percent rule requires firms to treat any entity owned in the aggregate at 50 percent or more by one or more blocked persons as itself blocked, even if that entity's name does not appear on any OFAC list. This is one of the most technically demanding aspects of OFAC payment controls because no list tells you the entity is caught – the firm must work it out from ownership data.

In a payment context, this means that a corporate beneficiary that is not on the SDN List may still be a blocked person if its ultimate ownership chain includes one or more listed persons holding the threshold in aggregate. Screening the beneficiary name alone gives a false negative. Have you mapped the beneficial-ownership structure of your highest-volume corporate counterparties?

The aggregation calculation must capture indirect as well as direct holdings. Two blocked persons each holding twenty-six percent of a target entity together satisfy the threshold even if neither does so individually. Automated tools handle this only if they are fed current ownership data – and ownership data for privately held companies in high-risk jurisdictions is frequently incomplete.

Where ownership data is unavailable or unreliable, the firm should apply a risk-based escalation. That means enhanced due diligence on the counterparty, referral to a sanctions specialist before settlement, and documented reasoning for any decision to proceed. The record of that reasoning is what OFAC will examine if the payment is later challenged.

Step 3: Establish a clear blocking, rejection, and reporting procedure

When a payment matches a prohibited party or is associated with a prohibited transaction, the firm must choose the correct response: block or reject. The distinction is consequential.

A blocking obligation arises when property or an interest in property belonging to a blocked person is involved. The funds must be placed into an interest-bearing blocked account and cannot be returned to the sender without an OFAC licence. Reporting to OFAC is required within a defined statutory window. OFAC's regulations specify the reporting deadline; verify the current period before building your procedure, as it has been updated in recent cycles.

A rejection obligation applies where the transaction is not itself blocked-property but is a transaction the firm is prohibited from processing – for example, a payment that would constitute a prohibited service to a sanctioned country's financial sector. Rejected funds are returned to the originator. A separate annual reporting obligation applies to rejected transactions above a threshold volume; the precise requirements are set out in OFAC's regulations and should be confirmed against the current text.

The internal procedure must be written. It must specify: who receives the alert, who makes the block-or-reject decision, within what time, with what documentation, and who files the OFAC report. An undocumented procedure – even one that functions correctly in practice – is treated by OFAC as an internal-controls deficiency. In a recent matter, a payment firm had operationally correct blocking practices but no written procedure; that gap was cited in the resulting compliance commitment.

Record-keeping is a parallel obligation. OFAC requires that records of blocked property and of transactions involving blocked or rejected payments be kept for five years from the date of the transaction, or for the duration of the blocking, whichever is longer. Build this retention requirement into the case-management system from the outset; retrofitting it is expensive.

The position above covers the standard blocking and rejection case. Your specific facts – the type of payment, the parties involved, the routing, and the programme in scope – change the analysis materially. For an initial assessment of your controls, contact Calder & Vance at info@caldervance.com.

Step 4: Map and manage the cross-regime picture

OFAC is not the only regime that bites on a cross-border payment. A firm with operations in both the United States and the United Kingdom must simultaneously satisfy OFSI's requirements under SAMLA and the relevant UK thematic regulations, and those requirements diverge from OFAC's in ways that create operational complexity.

The ownership and control test illustrates the divergence most clearly. Under OFAC, the 50 percent rule is purely mechanical – ownership of 50 percent or more, direct or aggregated, triggers blocked status. Under OFSI (the UK's Office of Financial Sanctions Implementation) and EU sanctions, the test also captures ownership and control – a broader concept under which a non-listed entity may be caught even where ownership falls below 50 percent, if a listed person controls it in fact. That means a payment that passes OFAC's ownership screen may still be prohibited under UK or EU rules.

The EU position adds a further layer. EU persons are prohibited from making funds available to designated persons or for their benefit. That "benefit" test can reach a payment routed through a non-listed entity if the economic benefit ultimately accrues to a listed party. Screening for direct ownership only, without a benefit analysis, does not satisfy the EU standard.

Where both OFAC and EU or UK rules apply to the same payment, the stricter prohibition governs. A compliance function that manages each regime independently, with separate procedures and separate alert queues, typically produces operational gaps at exactly the point where the two regimes interact. Our practice addresses this by building a single escalation path that surfaces the most restrictive position across applicable regimes before settlement.

For payments touching Canada, Australia, or Switzerland, additional national regimes apply. These do not replicate OFAC exactly. Canada's SEMA programme, Australia's autonomous sanctions regime, and SECO's ordinances each carry their own list, their own ownership test, and their own reporting rules. A payment processor operating in these markets must maintain controls calibrated to the domestic rules, not merely a transposition of OFAC logic.

If a transaction has already been flagged, or a filing has been refused, an early review can preserve options that narrow with time. Contact us at info@caldervance.com for a confidential review.

Step 5: Build governance, training, and the escalation path

Technical controls alone do not constitute an adequate OFAC compliance programme. OFAC's published guidance identifies five components of an effective programme: management commitment, risk assessment, internal controls, testing and auditing, and training. Payment-processing controls address the third component; the other four must be in place and documented for the overall programme to be defensible.

Management commitment means that the sanctions compliance function has a direct reporting line to senior management and the board, a defined mandate, and adequate resources. An under-resourced compliance function that escalates payment alerts to a business line rather than an independent reviewer is a structural weakness. OFAC looks at governance architecture when it assesses whether a compliance failure was systemic or isolated.

Risk assessment for payment operations should be specific to the payment types the firm processes, the corridors it services, and the counterparty types it onboards. A generic enterprise risk assessment that treats all payments identically is not adequate. We advise conducting a payments-specific sanctions risk assessment annually, and after any material change to the product range, the counterparty population, or the applicable lists.

Training must reach the operations teams that process payments, not only the compliance function. Alert-review staff must understand the difference between a block and a rejection, the reporting obligation, and the documentation standard. In our experience, alert-handling errors – accepting an override without sufficient documentation, or closing an alert without escalating a near-miss – account for a disproportionate share of control failures identified in OFAC examinations.

The escalation path must be tested, not only written. Firms should run tabletop exercises in which a realistic alert is fed into the system and teams are asked to handle it from first alert to OFAC report. The exercise identifies procedural gaps before an examiner does.

Common risk flags and the myth of the "clean correspondent"

Several recurring patterns produce OFAC exposure in payment operations, and awareness of them is the first step toward designing controls that catch them.

The most common risk flag is correspondent-bank reliance. A firm that routes payments through a correspondent without independently screening the underlying parties assumes that the correspondent has already run adequate controls. OFAC does not accept this as a defence. You are responsible for the controls you apply; you cannot delegate that responsibility to an upstream counterparty. The "clean correspondent" assumption – that because a well-known bank processed the payment without objection, the payment must have been lawful – is one of the most persistent myths in payment compliance.

A related risk flag is de-risking (a financial institution exiting a relationship to avoid sanctions exposure) without a structured off-boarding review. Firms that terminate correspondent relationships under sanctions pressure sometimes do so without checking whether any blocked property was already held in accounts maintained under that relationship. Those funds must be blocked and reported; simply closing the account does not discharge the obligation.

A third flag is rapid structural change in a counterparty's ownership. A payment counterparty that was clean at onboarding may become a blocked entity mid-relationship if its ownership changes to give a listed person a controlling interest. Periodic re-screening of the active counterparty population – not only at onboarding – is a required element of an adequate programme. How frequently does your firm re-screen its existing counterparty book?

A fourth flag is the use of nested accounts. In correspondent banking, a nested account is one in which a respondent bank's customers access correspondent services indirectly, through the respondent's account. The correspondent may not know the identity of the nested customer. OFAC expects correspondents to conduct due diligence on the respondent's sanctions controls rather than treating the nested population as invisible.

Finally, cryptocurrency and virtual-asset payment flows present a distinct screening challenge. The VASP (virtual-asset service provider) sector operates under OFAC authority, and the obligations – to screen wallet addresses and transaction parties against the SDN List and the 50 percent rule – apply in full. Wallet-address screening is a technical process distinct from name screening, and many VASPs operate controls designed for name screening only. That is a documented gap in current industry practice.

Related practices

Frequently asked questions

What are the steps to control sanctions risk in payments under OFAC?
Effective OFAC payment controls require five steps: understanding the full scope of who is covered (including the extraterritorial reach to non-US processors handling US-dollar transactions); configuring and testing a screening engine that applies the 50 percent rule and covers all message fields; establishing a written block-or-reject-and-report procedure with defined timeframes; mapping and managing the cross-regime picture where OFSI or EU rules also apply; and building governance, training, and a tested escalation path that meets OFAC's five-component standard. Documentation throughout is not optional – it is the evidence base OFAC examines first.
What is the most common mistake in payment-processing controls?
The most common mistake is screening only the direct counterparty – the account holder – and ignoring the originating bank, the correspondent bank, and the ownership chain behind the counterparty. This leaves the 50 percent rule unapplied and misses the most frequent pattern of actual exposure: a clean-named entity that is blocked because of who owns it. A second, closely related mistake is relying on the correspondent bank's controls as a substitute for the firm's own screening obligations. OFAC treats both as internal-controls deficiencies.
How does OFAC differ from other regimes here?
OFAC's ownership test is mechanical: a 50 percent aggregate ownership threshold triggers blocked status automatically. The UK OFSI and EU regimes also apply a control test, catching entities a listed person controls even below 50 percent. The EU "benefit" test can reach payments where the economic benefit of a transaction ultimately accrues to a listed party, even if the direct counterparty is not designated. Where both OFAC and UK or EU rules apply to the same payment, the stricter prohibition governs. A payment that clears OFAC's screen may still be prohibited under OFSI or EU rules – and a firm subject to both must apply both.

Talk to Caldervance

For a scoped view of your exposure, contact info@caldervance.com.

Discuss your matter

This publication is general information and does not constitute legal advice. For advice on your situation, contact info@caldervance.com.