OFAC vs BIS: Which Agency Applies to Your Export Transaction

Lenzo Compliance Team

OFAC Screening

BIS Entity List

Export Compliance

Sanctions Screening

Export Violations

A semiconductor distributor shipped $50,000 worth of ICs to a Dubai trading company in January 2025. Two weeks later, enforcement letters arrived from both Treasury and Commerce. Same shipment. Two agencies. Two separate violations. The customer appeared on OFAC's SDN List and the BIS Entity List—something the compliance manager hadn't even known was possible.

Our team sees this scenario at least once a month from companies reaching out after the fact. Roughly four in ten mid-market exporters discover the dual-agency problem only during their first enforcement encounter. Their screening covered OFAC or BIS. Rarely both.

Key Takeaways

OFAC (Treasury) controls who you can transact with; BIS (Commerce) controls what items you can export and to whom—both agencies can apply to a single shipment
OFAC's SDN List contains over 15,000 blocked persons; BIS Entity List includes 3,163 entries as of September 2025 (Treasury.gov, BIS.gov)
BIS adopted OFAC-style 50% ownership rules in September 2025, automatically extending restrictions to unlisted subsidiaries of designated entities
Joint enforcement actions increased 50% in 2025 through the Disruptive Technology Strike Force (DOJ)
Maximum civil penalties: OFAC at $377,700 per violation; BIS at twice transaction value or $364,992 per violation (2025 adjusted rates)

What Does Each Agency Actually Control?

OFAC blocks transactions with specific people, entities, and sometimes entire countries. BIS restricts exports of specific items based on technical specs and end-use concerns. They answer completely different questions about your shipment, and they operate under separate statutory authorities.

OFAC's question: "Who is involved?" The agency runs the SDN List—a roster of blocked individuals and entities. Getting caught sending a payment to an SDN means strict liability kicks in. Your intent doesn't matter. The screen failed, the penalty follows.

BIS asks something else entirely: "What's in the box, where's it going, and who's using it?" The Export Administration Regulations classify items by ECCN and impose licensing requirements based on destination, end-user, and end-use. A 4A003 advanced computer headed to a Chinese chip fab gets different treatment than EAR99 consumer goods going to the same address.

Most teams get tripped up assuming these regimes are mutually exclusive. They're not.

A technology shipment to a Russian entity could trigger BIS licensing under Part 746 of the EAR and OFAC blocking prohibitions if that company or its beneficial owners sit on the SDN List. You'd need authorization from both. A BIS license won't cure an OFAC violation. OFAC authorization won't satisfy BIS requirements.

When Do Both Agencies Apply to the Same Shipment?

The overlap happens in three main scenarios. Recognizing them before goods leave your facility separates a working compliance program from an expensive settlement.

Scenario 1: Embargoed Destinations

Cuba, Iran, North Korea, Syria—the Group E countries under both regimes. OFAC maintains country-level embargoes prohibiting virtually all transactions involving these places. BIS separately requires licenses for any EAR-controlled items going there, typically with denial as the default policy. Ship anything to Iran without authorizations from both agencies, and you've created two parallel violations from one transaction.

Scenario 2: Parties Listed by Both Agencies

An entity can land on OFAC's SDN List and BIS's Entity List at the same time. BIS's March 2025 SDN Crossover Rule extended EAR licensing requirements to parties designated under 11 OFAC programs. If your counterparty shows up as an SDN under Russia sanctions and has a matching Entity List entry, you've got dual exposure. BIS has said its export controls "act as a backstop for activities over which OFAC does not exercise jurisdiction"—they're explicitly filling gaps.

Scenario 3: Items With Both Financial and Technical Restrictions

Some transactions implicate export controls and create blocked property interests simultaneously. Picture this: you're providing technology services to a Russian energy firm. The company itself isn't blocked. But the ultimate beneficial owner is an SDN oligarch. Under OFAC's 50% rule, that company's property is constructively blocked. Meanwhile, BIS's Russia rules may require a license for the tech transfer regardless of the end-user's sanctions status.

How Did the September 2025 Affiliates Rule Change Everything?

BIS finally adopted OFAC's 50% ownership standard on September 29, 2025. Before that date, BIS restrictions applied only to named entities and their legally indistinct branches. Subsidiaries walked away clean.

Not anymore.

The Affiliates Rule extends Entity List and Military End-User List restrictions to any foreign entity owned 50% or more—directly, indirectly, individually, or in aggregate—by listed parties. An unlisted joint venture in Singapore majority-owned by a Chinese Entity List company now needs the same BIS license as the parent would.

The operational headache is real. BIS explicitly warned that the Consolidated Screening List no longer covers these ownership-derived restrictions. CSL is a starting point, not the finish line. Your screening protocol must now pull beneficial ownership data—the same due diligence you presumably already run for OFAC compliance. BIS aligned the standard deliberately so teams wouldn't need duplicate workflows. But that only helps if you'd actually built the OFAC ownership screening in the first place.

We've watched the agencies move closer together on enforcement too. The Disruptive Technology Strike Force—a joint DOJ, Commerce, and FBI unit—ramped up prosecutions for export control evasion tied to sanctions violations throughout 2025. BIS reviewed over 1,200 Suspicious Activity Reports from Treasury's FinCEN network, acting on more than 150 of them. They're sharing intelligence. They're coordinating cases. Microsoft got hit by both OFAC and BIS in the same settlement.

What Questions Should Every Shipment Answer?

The decision tree isn't complicated. Most mid-market exporters just don't run through it systematically.

First: Is any party to this transaction blocked?

Screen everyone—buyer, intermediate consignee, ultimate consignee, freight forwarder, financing bank—against OFAC's SDN List. Don't skip the 50% check. If any party is majority-owned by SDNs, their property is blocked even without a specific listing.

Second: Does the item need a BIS license?

Classify your product. Find the ECCN. Check the Commerce Control List against destination and end-use restrictions. If your counterparty or their majority owners appear on the Entity List or MEU List, you need a license regardless of what's in the box.

Third: Is there country-level overlap?

Russia, Belarus, Iran, Cuba, North Korea, Syria, plus several others carry restrictions from both agencies. Confirm you have proper authorization from each before anything ships.

Fourth: Have you verified who actually owns your counterparty?

This became non-negotiable after September 2025. Request shareholding disclosures from foreign buyers. Verify beneficial ownership using commercial intelligence tools. Document everything. BIS added a new Red Flag (number 29) requiring you to resolve ownership questions or get a license before proceeding. "I didn't know" stopped being a defense.

Teams that handle this well treat OFAC and BIS as complementary, not alternative. Run both screens. Document both analyses. Train people on when each applies—and when both apply together.

FAQ

Can an OFAC general license authorize a transaction that also requires a BIS license?

No. The authorizations run on separate tracks. If OFAC issues a general license permitting wind-down activities with a newly designated SDN, that only addresses the OFAC blocking prohibition. If the same transaction involves EAR-controlled items and the SDN sits on the Entity List, you still need separate BIS authorization. Same works in reverse—a BIS license exception won't waive OFAC blocking requirements.

How do penalty calculations differ between the two agencies?

OFAC civil penalties under IEEPA reach $377,700 per violation as of 2025 inflation adjustments, or twice the transaction value if that's greater. Criminal penalties for willful violations hit $1 million and 20 years. BIS civil penalties under ECRA reach $364,992 per violation or twice transaction value. Criminal penalties max out at $1 million and 20 years per violation. Get caught violating both, and you face cumulative exposure from each agency plus potential DOJ prosecution.

If a company is on the BIS Entity List but not OFAC's SDN List, can I still pay them?

Technically, yes—for certain things. The Entity List creates export licensing requirements, not automatic transaction blocks. You can pay an Entity List company for services that don't involve controlled items. That payment alone doesn't violate the EAR. But many Entity List parties also appear on OFAC lists, or their beneficial owners do. And banks increasingly refuse Entity List counterparties regardless of what the law strictly requires. The practical restrictions often outrun the legal ones.

The regulatory gap between OFAC and BIS has been shrinking for years, and September 2025 accelerated that trend. Platforms aggregating both frameworks—Descartes, SAP GTS, Lenzo—handle the data consolidation piece, but the underlying requirement remains: understanding which agency's rules apply to which piece of your transaction. Running a screen isn't the same as running an analysis. The screen tells you what matched. The analysis tells you what to do about it.