Last updated: March 7, 2026

OFAC Compliance: Requirements Non-US Companies Get Wrong

OFAC collected over $265 million in sanctions penalties and settlements during 2025 alone (Treasury.gov). A Thai plastics company paid $20 million for routing USD wire transfers through American correspondent banks. A German industrial supplier got caught shipping restricted goods via a U.S.-nexus transaction. Non-U.S. companies keep making the same mistake: assuming OFAC compliance only applies to American firms. It doesn't. And the enforcement data proves it.

Key Takeaways:

  • OFAC penalties in 2025 exceeded $265 million across 14 enforcement actions, with non-U.S. companies representing a growing share of targets (Treasury.gov, 2025)
  • Any transaction touching U.S. dollar clearing, U.S.-based servers, or U.S. financial institutions creates OFAC jurisdiction over non-U.S. entities (31 CFR Part 501)
  • The 50 Percent Rule blocks entities owned 50% or more by sanctioned persons even if the entity itself never appears in an OFAC SDN list search (OFAC FAQ 401, Treasury.gov)
  • OFAC extended sanctions-related record-keeping requirements from 5 to 10 years effective March 2025 (Treasury.gov)
  • SCG Plastics (Thailand) settled for $20 million after causing U.S. banks to process $291 million in Iranian-origin transactions (OFAC Enforcement Release, April 2025)

Why non-U.S. companies fall under OFAC jurisdiction

OFAC jurisdiction reaches any transaction with a U.S. touchpoint. Period. That touchpoint might look obvious: a wire transfer denominated in U.S. dollars clearing through American correspondent banks. Or it might be subtle: a server physically located in the United States, a contract co-signed by a U.S. person on behalf of a foreign subsidiary.

SCG Plastics learned this the expensive way. The company operated out of Bangkok with zero U.S. presence, selling polyethylene resin manufactured at an Iranian joint venture. Their customers paid in U.S. dollars to Thai bank accounts. Those dollar payments transited through U.S. correspondent banks, and that single fact gave OFAC jurisdiction over 467 transactions worth $291 million (Treasury.gov, April 2025).

The "causation" standard matters here. Non-U.S. persons who "cause" a U.S. person to violate sanctions face the same liability as if they'd violated the sanctions directly. A British manufacturer instructing its bank to send a USD payment to a sanctioned entity triggers OFAC enforcement regardless of where the manufacturer sits. The wire clears New York, and that's enough.

Most non-U.S. exporters we talk to underestimate how many of their routine transactions touch the U.S. financial system. Invoicing in dollars? You probably have a U.S. nexus. Cloud infrastructure running on AWS or Azure with U.S.-region instances? Same story. The safe assumption for any company doing cross-border trade: you're exposed.

The 50 percent rule and why basic SDN screening fails

Running names against the SDN list catches designated individuals and entities. That's the floor, not the ceiling. OFAC's 50 Percent Rule means an entity owned 50% or more by one or more blocked persons becomes blocked itself, even if that entity has never been designated and never appears on any published list (OFAC FAQ 401, Treasury.gov).

Here's where non-U.S. companies consistently get tripped up. Ownership gets aggregated. If Blocked Person A owns 25% and Blocked Person B owns another 25%, the entity crosses the threshold. The two blocked persons don't need to be related to each other or even designated under the same sanctions program.

And the ownership calculation goes indirect. Blocked Person X owns 50% of Entity A, Entity A owns 50% of Entity B. Entity B gets blocked even though no sanctioned individual directly holds shares in it.

For a compliance team at a mid-size exporter, this creates a screening problem that name matching alone can't solve. You need ownership data, which means tracing beneficial ownership chains across multiple jurisdictions. Sometimes that trail runs through holding companies in places with minimal disclosure requirements. We've seen companies screen a trading partner in Dubai, get zero hits on the SDN, and miss the fact that a Russian oligarch held a 55% stake through a BVI holding company.

The operational gap between "we screen the SDN list" and "we verify beneficial ownership" costs real money when OFAC comes calling. The Haas Automation enforcement action made this explicit: OFAC penalized a company for failing to identify entities blocked by virtue of ownership, not direct listing (Treasury.gov, 2025).
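The aggregation and indirect-ownership cases above can be checked mechanically once ownership data is available. The sketch below is an added example, not code from any screening product or from OFAC: the function name, entity names and the holding company's 100% ownership are constructed for illustration, and indirect ownership is treated the way the Entity A / Entity B case describes it (a blocked owner passes blocked status down the chain, percentages are not multiplied).

```python
from collections import defaultdict

THRESHOLD = 50  # percent; "50% or more" as the rule is described above


def blocked_by_ownership(designated, stakes):
    """Return {entity: (aggregate_pct, blocked_owners)} for entities that are
    blocked through ownership even though they are not designated themselves.

    designated: set of listed names; stakes: (owner, entity, percent) tuples
    of direct holdings. Both are constructed inputs for this example.
    """
    holders = defaultdict(list)
    for owner, entity, pct in stakes:
        holders[entity].append((owner, pct))

    blocked = set(designated)
    reasons = {}
    changed = True
    while changed:  # repeat until stable so blocked status cascades down chains
        changed = False
        for entity, owners in holders.items():
            if entity in blocked:
                continue
            # Aggregate only the stakes held by parties that are already blocked.
            contributing = [(o, p) for o, p in owners if o in blocked]
            total = sum(p for _, p in contributing)
            if total >= THRESHOLD:
                blocked.add(entity)
                reasons[entity] = (total, sorted(o for o, _ in contributing))
                changed = True
    return reasons


# Constructed sample data mirroring the cases in the text.
DESIGNATED = {"Person A", "Person B", "Person X", "Person Y"}
STAKES = [
    ("Person A", "JointCo", 25), ("Person B", "JointCo", 25),     # aggregation
    ("Person X", "Entity A", 50), ("Entity A", "Entity B", 50),   # indirect
    ("Person Y", "BVI Holding", 100),        # assumed 100% for illustration
    ("BVI Holding", "Dubai Trader", 55),     # stake held through the holding
    ("Person A", "MinorityCo", 30), ("Clean Fund", "MinorityCo", 70),
]

if __name__ == "__main__":
    for name, (pct, owners) in blocked_by_ownership(DESIGNATED, STAKES).items():
        print(f"{name}: blocked, {pct}% held by {', '.join(owners)}")
```

None of the entities it reports appear in the designated set, which is exactly what a name-only SDN match would miss.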

OFAC screening requirements most non-U.S. companies ignore

Three OFAC screening requirements trip up foreign companies more than any others.

Screening frequency catches most people off guard. OFAC updates its lists roughly 3-4 times per week (Treasury.gov designation archives). A quarterly batch screen that looked clean in January can miss a February designation. Running an OFAC check at point-of-transaction plus ongoing monitoring of existing relationships should be the standard for non-U.S. companies with regular U.S.-nexus transactions. Anything less creates exposure windows.

Then there's screening scope. Most non-U.S. companies screen the SDN list and stop there. OFAC administers over 30 distinct sanctions programs, and several lists beyond the SDN carry compliance obligations: the Sectoral Sanctions Identifications List (SSI), the Non-SDN Menu-Based Sanctions List, and the Foreign Sanctions Evaders List. Each carries different restrictions that matter depending on your transaction type and the countries involved. For more context, see our guide, Trade Compliance FAQ: 25 Questions SMB Exporters Get Wrong.

Record-keeping has also gotten harder. OFAC extended its retention requirement from 5 years to 10 years in March 2025 (Treasury.gov). Non-U.S. companies that maintained records for 5 years under their local compliance policies now face a gap. If OFAC opens an investigation in 2030 about a transaction from 2025, they expect documentation. Not having it counts as an aggravating factor in penalty calculations.

The biggest blind spot we encounter: companies that screen counterparties but not the transaction itself. A wire transfer to a non-sanctioned party that references a sanctioned vessel name, or routes through a sanctioned jurisdiction's banking system, can trigger a violation. The OFAC screening process has to cover parties and vessels, but also geography, end use, and payment routing. Name-matching against one list doesn't cut it.

What a sanctions compliance program actually needs

OFAC's Framework for Compliance Commitments spells out exactly what the agency expects from a sanctions compliance program. Every enforcement action since the framework was published references it. The framework outlines five pillars: management commitment, risk assessment, internal controls, testing/auditing, and training (Treasury.gov). Non-U.S. companies that want to claim they took OFAC compliance seriously need evidence across all five.

Start with management commitment. That means a named individual with authority and budget. Not a line item in the CFO's job description, but a dedicated compliance function with board-level visibility. In the GVA Capital enforcement action ($215 million, 2025), OFAC specifically cited the firm's failure to implement compliance controls as an aggravating factor (Treasury.gov).

A Singapore electronics exporter shipping to the Middle East has different risk exposure than a Canadian agricultural equipment manufacturer selling to Latin America. Your risk assessment needs to reflect that. Generic risk templates that could apply to any industry don't demonstrate the risk-based approach OFAC expects.

What about testing? Actually run your sanctions screening software against known positives. Does your system catch transliterated names? Partial matches? Aliases? We tracked false negative rates across multiple screening platforms and found variance ranging from 2% to 15% depending on name complexity and the screening engine's fuzzy matching algorithm. That 15% gap at the wrong moment becomes an enforcement action.

And training for non-U.S. companies has an extra layer: employees need to understand that OFAC rules apply to them even though they're not American. The "we're not a U.S. company" mindset kills sanctions compliance programs before they start.

How OFAC enforcement against non-U.S. companies has changed

OFAC's enforcement posture toward foreign companies shifted noticeably over the past two years. The 2025 enforcement docket included more non-U.S. targets with bigger penalties. OFAC also applied a broader definition of what constitutes a U.S. nexus.

Three patterns stand out. OFAC now treats professional intermediaries and advisors as enforcement targets in their own right. The GVA Capital action ($215 million penalty) went after an investment advisory firm, signaling that gatekeepers who facilitate transactions connected to sanctioned persons face direct liability. On top of that, OFAC issued three penalty notices in 2025, up from just one per year in the two prior years. Penalty notices represent a harder enforcement posture than settlements. They mean OFAC isn't negotiating.

The shift that hits non-U.S. companies hardest: OFAC explicitly rejected what it called "over-reliance on corporate formalities." Structuring transactions through subsidiaries, using intermediary banks to distance the payment chain, relying on nominee shareholders to obscure ownership. None of these shields work anymore. If the substance of the transaction touches U.S. jurisdiction, corporate structure won't save you.

For non-U.S. exporters with 90-250 shipments monthly, this means the old approach of checking a few names before each shipment and hoping for the best carries measurably higher risk than it did even two years ago. The enforcement economics have changed. OFAC's maximum civil penalty under IEEPA sits at $377,700 per violation as of January 2025 (Treasury.gov). Multiply that by hundreds of transactions and the math gets ugly fast.

Sanctions compliance screening tools like trade compliance software, Descartes Visual Compliance, and SAP GTS offer automated monitoring that catches designation changes within hours rather than days. For companies processing high transaction volumes, the cost of OFAC compliance software runs far below the cost of a single missed designation.

FAQ

Can OFAC fine a company that has no U.S. employees or offices?

Yes. OFAC jurisdiction attaches to the transaction, not the company's domicile. If any element of the transaction touches the U.S. financial system, including dollar-denominated payments clearing through U.S. correspondent banks, OFAC can pursue enforcement. SCG Plastics (Thailand) paid $20 million despite having zero U.S. operations (Treasury.gov, April 2025).

How often should non-U.S. companies run OFAC screening?

At minimum, screen every counterparty at the point of transaction and re-screen existing relationships when OFAC publishes new designations (roughly 3-4 times weekly). Quarterly batch screening leaves gaps that enforcement actions have specifically cited as compliance failures.

Does the 50 percent rule apply outside the United States?

The 50 Percent Rule applies to any transaction subject to OFAC jurisdiction. If a non-U.S. company engages in a U.S.-nexus transaction with an entity that's blocked by virtue of the 50 Percent Rule, the non-U.S. company faces the same liability as a domestic one. The EU and UK have their own versions of ownership-based blocking rules, but the thresholds and triggers differ.

What records must non-U.S. companies keep for OFAC compliance?

OFAC requires retention of all records related to sanctions compliance (screening logs, transaction documentation, due diligence files, any correspondence related to blocked property) for 10 years as of March 2025 (Treasury.gov). This applies to any transaction within OFAC's jurisdiction, regardless of where the company conducting the transaction sits.


Enforcement against non-U.S. companies accelerated through 2025. Larger penalties. Broader jurisdictional claims. An explicit rejection of corporate-structure workarounds. The record-keeping extension to 10 years means today's screening gaps become tomorrow's enforcement exposure. For exporters running frequent cross-border transactions, building a sanctions compliance program that accounts for U.S.-nexus triggers isn't optional. It's the cost of doing business internationally. The platform provides real-time OFAC sanctions screening across all OFAC lists with same-day onboarding, purpose-built for mid-market exporters who can't afford the implementation timelines or per-check pricing of enterprise platforms.
