Calder & Vance International Sanctions & Compliance Counsel

Sanctions Risk & Compliance · OFAC

Sanctions risk assessment under OFAC: compliance counsel

A cross-border trading business has grown quickly. New counterparties in three continents, a supply chain that crosses six jurisdictions, and a compliance programme built for a smaller operation. One morning, the treasury team flags a payment instruction. The beneficiary's ultimate parent may have a blocked shareholder. Does the business have a sanctions problem? And, more pressingly, does it know the full extent of its exposure across the rest of the portfolio?

A sanctions risk assessment (a structured review of a business's exposure to OFAC-administered prohibitions, conducted against its counterparty relationships, transaction flows, product lines, and geographic footprint) is the foundational step in a defensible compliance programme. Under OFAC's published enforcement framework, the quality and timeliness of a firm's risk assessment directly influences how a potential violation is characterised and penalised. As of August 2026, OFAC's five-element compliance programme standard – which treats the risk assessment as the first and most critical element – remains the governing benchmark for evaluating whether a business has exercised reasonable care.

This page sets out what a professional sanctions risk assessment under OFAC involves, how it differs from equivalent exercises under OFSI and the EU, where businesses most commonly underestimate their exposure, and how Calder & Vance approaches this work for cross-border clients.

What does an OFAC sanctions risk assessment actually cover?

An OFAC sanctions risk assessment maps a business's potential touchpoints with OFAC-administered programmes against its commercial activities – its customers, suppliers, counterparties, products, services, geographic presence, and transaction channels. The output is a prioritised risk register, not a pass/fail certificate.

OFAC's five-element compliance programme framework – tone from the top, risk assessment, internal controls, testing and audit, and training – places the risk assessment at the centre. Without it, a business cannot calibrate its controls, cannot defend a potential violation as the product of reasonable care, and cannot demonstrate to OFAC that it understood what it was managing. In our experience, businesses that have never conducted a structured assessment frequently discover that their informal screening practices cover only first-tier direct counterparties, leaving supplier chains, distributor networks, and correspondent banking relationships entirely unexamined.

The scope of a thorough assessment typically spans five dimensions. First, counterparty exposure: who does the business transact with, and what is the ownership and control chain behind each relationship? Second, geographic exposure: where do funds move, where do goods ship, and which of those routes pass through or involve persons or territories subject to OFAC programmes? Third, product and service exposure: are any goods, technology, or services subject to category-specific restrictions under OFAC programmes or the EAR (the Export Administration Regulations administered by the US Bureau of Industry and Security)? Fourth, channel exposure: does the business use US-dollar clearing, US financial intermediaries, or US-person involvement at any point? Fifth, structural exposure: does the business have US-person employees, directors, or shareholders whose own activities are subject to OFAC jurisdiction even when operating outside the United States?

Each dimension requires a different analytical lens. The counterparty analysis turns on the 50 percent rule (OFAC's rule treating entities owned 50 percent or more in the aggregate by blocked persons as themselves blocked, regardless of whether those entities appear on a sanctions list). The channel analysis turns on the breadth of primary sanctions jurisdiction. The structural analysis often produces surprises for European and Asian businesses that have brought in US-person capital or leadership without fully considering the compliance implications.

How does OFAC's risk assessment standard compare to OFSI and the EU?

The OFAC five-element standard is the most explicitly documented risk-assessment methodology among the major Western sanctions regimes, but OFSI and the EU impose their own expectations that diverge in important technical respects. Understanding those differences is essential for any business that operates across more than one jurisdiction – and in our cross-border practice, nearly every client does.

OFAC's ownership test, as noted, is mechanical: 50 percent or more, in the aggregate, triggers blocked-person status for the entity. The question of control is largely irrelevant to that calculation. OFSI and the EU apply both an ownership test and a control test. An entity can be caught by either limb under OFSI's guidance and under the relevant EU Council regulations, even where the ownership percentage falls below fifty percent. That broader reach means that a business relying solely on OFAC-calibrated screening – designed around the fifty-percent ownership threshold – may be compliant under US rules but exposed under UK or EU rules, or vice versa.

There is also a structural difference in the nature of the prohibitions. OFAC's primary sanctions apply to US persons and to US-nexus activity (US dollars, US territory, US persons in the chain). Secondary sanctions extend potential consequences to non-US persons in defined circumstances. OFSI and the EU impose asset-freeze and dealing prohibitions that apply to persons within their jurisdiction – typically UK or EU-incorporated entities, persons located in the UK or EU, and conduct that takes place in whole or in part within those territories. A single cross-border transaction may therefore engage multiple regimes simultaneously, each with its own designated list, its own ownership and control test, and its own reporting and licence pathway. Does your existing risk assessment reflect all of the regimes in play, or only the one your screening vendor defaults to?

For businesses with Singapore, Japanese, or UAE counterparties, an additional layer applies. Singapore's MAS-administered regime, Japan's METI-administered controls, and the UAE's sanctions framework each impose obligations on entities operating in or through those jurisdictions. A global risk assessment that omits these regimes produces a false picture of the business's actual exposure.

The position above covers the standard case. Your facts – the counterparty structure, the goods category, the dollar-clearing route, and the mix of regimes in play – change the analysis materially. For a preliminary assessment of your cross-regime exposure, contact Calder & Vance at info@caldervance.com.

What are the most common gaps that a professional assessment uncovers?

The most common and consequential gap in business sanctions compliance is treating the SDN List (OFAC's list of Specially Designated Nationals and blocked persons) as the only relevant screening target, and treating a clean screen result as the end of the inquiry. It is not.

In practice, the gaps we identify most frequently fall into six categories. First, incomplete ownership tracing: businesses screen the direct counterparty but do not map the ownership chain to ultimate beneficial owners, missing aggregation scenarios where two or more blocked persons together breach the fifty-percent threshold without either doing so alone. Second, stale data: screening databases are not updated in real time, and a counterparty that was clean at onboarding may have acquired a blocked shareholder since. Third, US-nexus blindness: businesses transacting in non-US goods, between non-US parties, in non-US currencies still route US-dollar clearing through correspondent banks, creating OFAC exposure they have not assessed. Fourth, employee and director exposure: US-person employees or board members create a personal compliance obligation under OFAC rules that the business entity has not addressed in its programme. Fifth, product misclassification: goods that should be assessed under both OFAC programme restrictions and the EAR are assessed under only one. Sixth, geographic overconfidence: businesses with no direct presence in a sensitive jurisdiction assume they have no exposure there, without examining whether their goods, software, or services reach end-users in that territory through intermediaries.

Each of these gaps is potentially material. OFAC's enforcement data – discussed qualitatively, since penalty amounts vary widely by programme, nature of the violation, and aggravating or mitigating factors – shows that voluntary self-disclosure, a well-documented compliance programme, and prompt remediation consistently produce more favourable outcomes than reactive engagement after a regulator's inquiry. The moment to address gaps is before they become apparent violations.

What is the procedure for conducting a formal sanctions risk assessment?

A formal OFAC sanctions risk assessment follows a defined sequence. The business and its counsel first establish scope: which legal entities, which transaction categories, which time period, and which regimes are to be assessed. Scope decisions are themselves a risk management exercise – a narrowly scoped assessment may miss the exposure that sits just outside its boundary.

The assessment then proceeds through five stages. Stage one is data gathering: transaction records, counterparty lists, ownership documentation, account structures, product classifications, and geographic footprint data. Stage two is the legal mapping: each data category is assessed against the applicable OFAC programme prohibitions, the SDN List and other relevant OFAC lists, the ownership and control rules, and the secondary-sanctions perimeter. Stage three is gap analysis: the existing compliance controls are compared against the risk exposures identified, producing a prioritised list of control deficiencies. Stage four is the remediation plan: for each deficiency, the assessment specifies a recommended control, a responsible owner within the business, and a timeline for implementation. Stage five is documentation: the assessment, its methodology, its findings, and the remediation plan are recorded in a form that can be presented to OFAC, a board, a regulator, or an acquirer as evidence of the business's good faith.

Timelines depend on complexity. A single-entity, single-jurisdiction assessment for a business with a defined product range and well-organised records can be completed in a matter of weeks. A group-level assessment spanning multiple legal entities, several regimes, and complex ownership structures in the counterparty base is a more substantial undertaking. In our experience, underestimating the time needed for data gathering – particularly for counterparty ownership documentation from non-cooperative third parties – is the most common cause of delay.

One procedural point matters for businesses that discover a potential violation during the assessment. The assessment exercise itself does not automatically trigger a reporting obligation. However, if the assessment reveals conduct that may constitute an apparent violation, the question of VSD (voluntary self-disclosure to OFAC) arises immediately. OFAC's enforcement framework treats a timely, complete VSD as a significant mitigating factor. The decision whether to file, and how to frame the disclosure, requires specialist counsel. We regularly advise clients who have reached this decision point mid-assessment.

If a transaction has already been flagged, or an internal review has surfaced a potential violation, early engagement with counsel can preserve options that narrow quickly. Write to info@caldervance.com to discuss your position in confidence.

When should a business treat the OFAC risk assessment as urgent?

Several circumstances make a sanctions risk assessment time-sensitive rather than merely prudent. The most common is a pending or recently closed transaction – an acquisition, a joint venture, a new distribution arrangement – that brings in counterparty relationships the business has not previously assessed. A second trigger is a change in the regulatory environment: the addition of new designations, the expansion of an existing OFAC programme, or the introduction of secondary-sanctions measures that now reach activity the business has been conducting without restriction.

A third – and in our experience increasingly frequent – trigger is regulatory pressure from a financial institution. Banks and payment firms subject to their own OFAC compliance obligations increasingly require their corporate clients to demonstrate a conducted risk assessment, particularly for clients operating in higher-risk sectors or jurisdictions. A client that cannot produce evidence of a current assessment may find that its banking relationships are at risk through no fault of its own compliance history.

A fourth trigger is a corporate transaction: M&A due diligence now routinely includes a sanctions risk component, and a target that has not maintained a current risk assessment faces a material diligence discount or a deal condition requiring remediation before closing. We assist both acquirers – mapping the target's sanctions exposure before closing – and targets – preparing a clean risk picture that supports the transaction.

A fifth trigger is a screening alert that the internal team cannot resolve. When a business's screening system flags a counterparty and the compliance team is uncertain whether the flag is a true positive, a false positive, or a matter requiring escalation to counsel, the appropriate response is a focused risk assessment of that relationship – not a unilateral decision to clear the alert and proceed.

How does Calder & Vance conduct OFAC sanctions risk assessments?

Calder & Vance approaches each risk assessment as a matter of legal analysis, not a box-checking exercise. Our starting point is your specific commercial footprint – the actual entities, relationships, and transaction flows – not a generic template applied uniformly to every client in every sector.

For an OFAC risk assessment engagement, we assess eligibility for the approach, gather the relevant data and ownership documentation, map each exposure category against the applicable OFAC programme rules and list obligations, test the existing controls against the identified risks, and produce a written assessment with a prioritised remediation plan. Where the assessment identifies a potential apparent violation, we advise immediately on the voluntary self-disclosure question and manage the engagement with OFAC if disclosure is required.

Our practice covers the full range of OFAC programmes – not only the most widely screened programmes but also the sector-specific and thematic programmes that catch businesses whose primary activity does not obviously engage US sanctions at first reading. We also address the interaction between OFAC requirements and BIS/EAR classification obligations, which frequently arise in the same assessment for businesses dealing in goods with both sanctions and export-control dimensions.

Cross-regime coverage is a structural feature of how we work, not an optional add-on. Where a client's risk picture requires analysis under OFSI, the EU Council regulations, or the Singapore or UAE regime, we address those regimes within the same engagement. For matters requiring local counsel in a jurisdiction outside our direct coverage, we identify and coordinate that input transparently.

In a recent matter, a technology distribution business with US-dollar invoicing and a network of sub-distributors in multiple regions engaged us after its bank raised concerns about the compliance documentation for a counterparty. We conducted a targeted risk assessment of the relevant distributor relationships, mapped the ownership chains to identify SDN-adjacent shareholders, assessed the US-nexus created by the dollar-clearing route, and produced a remediation plan that addressed the bank's specific questions. The matter was resolved without escalation to OFAC.

Related practices

A common misconception: does a clean screen mean no OFAC risk?

A persistent misconception among in-house teams is that a clean result from a screening tool against the SDN List constitutes an OFAC compliance sign-off. It does not, and acting on that assumption is one of the most reliable paths to an OFAC enforcement matter.

Screening is necessary but not sufficient. The SDN List is one of several OFAC lists; the full set includes the Sectoral Sanctions Identifications List, the Foreign Sanctions Evaders List, the Non-SDN Menu-Based Sanctions List, and others. A counterparty that does not appear on the SDN List may still be subject to restrictions under a sectoral programme – which prohibit defined transaction types rather than all dealings with the listed person. A business that screens for SDN List hits only, and approves a transaction with a sectoral-programme-listed entity without checking the sectoral restrictions, has committed a potential violation regardless of the clean screen result.

Beyond the list landscape, the fifty-percent rule means that a counterparty that does not appear on any list may still be a blocked person through its ownership structure. A screening tool that checks only direct hits, without mapping ownership, misses this category entirely. And secondary-sanctions exposure does not depend on list membership at all – it depends on the nature of the transaction, the sector, and the degree of involvement with designated persons or programmes. None of that is captured by a screening query.

We regularly advise clients who have operated a clean-screen-equals-compliance approach for years without incident, and who have reached out only when a bank, a new counterparty, or an internal audit has questioned whether their controls are genuinely adequate. The earlier that question is asked and answered, the more options the business retains.

Frequently asked questions

How long does carrying out a sanctions risk assessment take under OFAC?
The timeline depends on the scope and complexity of the business. A focused assessment for a single legal entity with a defined counterparty set and well-organised records can be completed within a few weeks. A group-level assessment involving multiple entities, layered ownership structures in the counterparty base, and multiple sanctions regimes in scope is a more substantial exercise. In our experience, the primary variable is the time required to obtain complete and current ownership documentation from counterparties – particularly those in jurisdictions where beneficial ownership registers are limited. We set out a realistic scope and timeline at the outset of each engagement so the business can plan accordingly. Verify current regulatory timelines before relying on any general estimate.
What are the main risks in a sanctions risk assessment under OFAC?
The principal risks fall into three categories. First, discovery risk: the assessment may surface an existing apparent violation – conduct that has already occurred and that may require voluntary self-disclosure to OFAC. A well-managed assessment anticipates this possibility and has a response protocol in place before the assessment begins. Second, scope risk: an assessment that is too narrowly scoped provides false assurance; gaps in the scope become the source of the next compliance failure. Third, remediation risk: identifying deficiencies without a credible plan to address them leaves the business with a documented risk map but no improved control environment. A properly conducted assessment produces a prioritised remediation plan, not merely a list of problems.
Do we need specialist counsel for a sanctions risk assessment?
A business can conduct an internal risk assessment, and many large compliance teams do so for routine review cycles. Specialist counsel adds distinct value in three circumstances: where the assessment may surface a potential violation requiring careful management of the disclosure decision; where the assessment must satisfy a regulator, a bank, or a counterparty as evidence of adequate compliance; and where the business's exposure spans multiple sanctions regimes and the analysis requires regime-by-regime legal mapping rather than a single-list screening exercise. In our experience, the cost of specialist counsel at the assessment stage is routinely lower than the cost of managing a voluntary self-disclosure or an enforcement response that a thorough, properly documented assessment might have avoided.

Talk to Caldervance

For a scoped view of your exposure, contact info@caldervance.com.

Discuss your matter

This publication is general information and does not constitute legal advice. For advice on your situation, contact info@caldervance.com.