OFAC vs EU Sanctions: Update Frequency Differences

Lenzo Compliance Team

OFAC Screening

Sanctions Screening

Sanctions Compliance

Watchlist Screening

Export Compliance

OFAC published sanctions list updates on December 23, 19, 18, 17, and 11 in the final weeks of 2025 (Treasury.gov). The EU Consolidated List operates on a different calendar entirely—Council Decisions bundle designations into packages that drop every few weeks rather than every few days. When your screening cadence is built around one authority's publication patterns and you ship to both jurisdictions, that mismatch creates compliance gaps. And regulators on both sides of the Atlantic have started asking uncomfortable questions about those gaps.

Key Takeaways

OFAC updates the SDN list 3-4 times weekly with no fixed schedule; the EU Consolidated List updates after Council Decisions with 24-72 hour Official Journal publication windows (Treasury.gov, EUR-Lex)
The EU Directive 2024/1226 transposition deadline passed on May 20, 2025; the Commission opened infringement procedures against 18 member states on July 24, 2025 for incomplete implementation (European Commission)
Maximum OFAC civil penalties under IEEPA reach $377,700 per violation or twice the transaction value as of January 15, 2025; EU member states must now implement fines up to 5% of global turnover or €40 million for companies (Federal Register, EU Official Journal)
Synchronization lag between OFAC designations and EU mirror listings can stretch from 48 hours to three weeks, creating screening windows where entities appear on one list but not the other (OpenSanctions analysis)

How Often Does OFAC Update the SDN List?

OFAC operates without a published update schedule. The list changes when it changes—sometimes multiple times in a single week, occasionally going quiet for ten days. In December 2025, Treasury posted designation updates targeting Venezuela, Iran, Russia, Syria, and transnational criminal organizations across seven separate publication dates within three weeks (Treasury.gov Recent Actions).

The Friday afternoon pattern persists. OFAC drops significant Russia-related or Iran-related designations late Friday with documented regularity. For companies running screening batches Friday morning, that creates a 62+ hour exposure window until Monday's check picks up the update.

We saw this exact scenario burn a client twice in Q4 2025. Shipment cleared Friday at 11am EST. Entity designated Friday at 4pm EST. By the time Monday's screening ran, the goods were in transit to Dubai. The shipment wasn't blocked—it was a service provider on the Entity List addition, not an SDN—but the scramble to verify consignee relationships and document the timeline consumed most of that week. Not a violation, but not a position anyone wants to explain in an audit.

The SDN list now exceeds 15,000 entries when counting all aliases, with Russia-related designations adding several hundred entities since February 2022. Each entry can have multiple aliases, and OFAC creates separate entries for each variant spelling. That inflates screening workload compared to the raw entity count—and it generates more false positive hits than equivalent EU entries.

OFAC also maintains non-SDN lists requiring separate attention: the Sectoral Sanctions Identifications List, the Foreign Sanctions Evaders List, and the Non-SDN Menu-Based Sanctions List. Each carries different prohibitions. Combining them into unified screening is where most mid-market compliance programs fall short.

How Often Does the EU Update Its Consolidated List?

The EU Consolidated Financial Sanctions List follows Council Decisions, which require unanimous agreement among 27 member states. The EU adopted its 19th Russia sanctions package on October 23, 2025, followed by additional shadow fleet designations on December 15 and December 18 (Council of the EU press releases).

Unlike OFAC's rolling updates, EU sanctions arrive in large batches. The October 2025 package targeted LNG imports, crypto providers, third-country banks, and dozens of vessels in a single action. This bundled approach means compliance teams face periodic surges of screening activity rather than OFAC's constant drip.

Here's the gap that trips people up: a significant lag exists between Official Journal publication and Consolidated List database updates. OpenSanctions documented delays exceeding 20 days in one case—sanctions taking legal effect via the Official Journal while the downloadable Consolidated List file remained unchanged. For SMB exporters running names against that database, the exposure is real. Sanctions bind the moment they hit the Official Journal, not when the database refresh happens.

The EU currently maintains over 40 distinct sanctions regimes. The Russia program alone accounts for roughly 2,500 designated individuals and entities as of December 2025 (European Commission sanctions overview).

Where OFAC and EU Lists Don't Align

The assumption that OFAC and EU sanctions lists mirror each other is operationally wrong.

Designation criteria differ between authorities. OFAC designates under U.S. national security and foreign policy objectives; the EU designates under Common Foreign and Security Policy frameworks. An oligarch threatening U.S. interests may not meet EU thresholds. The overlap between lists runs roughly 60-70% for Russia-related entries, leaving substantial gaps.

Timing creates screening windows. When OFAC designates a vessel on Tuesday and the EU adds it to the next Council package two weeks later, any EU-only screening during that window misses the U.S. prohibition entirely. Dual-jurisdiction exporters relying on a single list get caught.

The alias problem compounds mismatches. OFAC includes extensive alias information—transliterations, known pseudonyms, spelling variants. EU entries tend toward sparse identification data. A Cyrillic-to-Latin transliteration captured by OFAC might be absent from the EU record, causing screening hits on one list but not the other for the same individual.

Enforcement Divergence After May 2025

The EU Sanctions Directive (2024/1226) required member state transposition by May 20, 2025. That deadline passed with 18 member states—including Germany, France, Italy, and Spain—facing infringement procedures by July 24, 2025 for failing to fully implement the required criminal penalty framework (European Commission, July 2025 infringement package).

Under the new regime, EU member states must provide maximum corporate fines of at least 5% of worldwide annual turnover or €40 million for the most serious violations. Individuals face up to five years imprisonment for intentional breaches, with serious negligence involving military or dual-use goods also triggering criminal liability. This represents a dramatic escalation from the patchwork of administrative penalties that previously existed.

Italy provides a cautionary example of implementation complexity. The Italian Parliament passed delegation legislation in June 2025—but gave the government 18 months to issue implementing decrees. Italy could remain functionally behind schedule until late 2026.

OFAC enforcement operates differently but hits similarly hard. The maximum civil penalty under IEEPA reached $377,700 per violation in January 2025, or twice the transaction value—whichever is greater (Federal Register, January 15, 2025). GVA Capital paid $215,988,868 in June 2025 for managing assets of a designated Russian oligarch after OFAC found willful violations. Interactive Brokers settled for $11,832,136 in July 2025 for 12,367 apparent violations across multiple programs—down from a statutory maximum exceeding $5 billion, but still a figure that would bankrupt most mid-market exporters.

The enforcement philosophy differs too. OFAC emphasizes voluntary self-disclosure, with penalty reductions reaching 50% or more for companies that proactively report. EU enforcement traditionally resided with member states, producing uneven outcomes. The new directive aims to change that, though implementation will take years to mature.

What Screening Cadence Actually Works

Daily screening against consolidated data sources is the minimum defensible position for dual-jurisdiction exporters. Weekly batch screening missed designations in multiple documented OFAC cases. Monthly screening is essentially indefensible if regulators come asking.

The math for a 150-person exporter running 200+ partners through screening: manual list downloads and spreadsheet checks consume 15-20 hours weekly for basic coverage. That figure doesn't include false positive resolution, which typically generates three times more hits from OFAC's alias-heavy entries than EU equivalents.

Quarterly batch screening doesn't work. We tried it with a client in 2023—ran names monthly against OFAC but only quarterly against EU lists due to "lower perceived risk." The March 2024 EU designations following a Council Decision caught a Turkish intermediary they'd been using for Black Sea shipments. The intermediary wasn't on OFAC's radar. By the time quarterly screening picked it up, three shipments had cleared.

Real-time monitoring for designation changes requires either internal infrastructure polling Treasury.gov and EUR-Lex, or subscription to a consolidated data provider. Building internal polling demands developer resources most SMB exporters don't have. Enterprise platforms like Dow Jones or Refinitiv carry pricing north of $50K annually—sensible for banks, prohibitive for a $25M machinery distributor.

Platforms like Lenzo have emerged specifically for this mid-market gap, consolidating OFAC, EU, UN, and UK lists with same-day update integration at price points below $12K annually.

The 72-Hour Problem

Assuming your screening database updates instantly when authorities publish doesn't work.

Commercial data providers operate on their own schedules. Major platforms typically process OFAC updates within 24-48 hours. EU updates take longer due to multi-language publication requirements and quality assurance workflows. Some providers batch updates before pushing to customers, introducing additional lag.

For an SMB exporter shipping to Dubai on Thursday morning, a Wednesday OFAC designation of a UAE-based front company might not appear in your screening tool until Friday or Saturday. If the shipment clears before the database updates, that "screened clean" documentation becomes a liability rather than a defense.

The fix is boring but necessary: retain timestamped screening logs documenting which database version was in force at screening time. This establishes reasonableness of your due diligence even when designations post-date your screening. It won't prevent a violation, but it demonstrates the good-faith compliance effort that influences OFAC penalty calculations and can move you from "egregious" to "non-egregious" categorization.

FAQ

What is the difference between the OFAC SDN list and the EU Consolidated List?

The SDN list is maintained by the U.S. Treasury's Office of Foreign Assets Control and contains individuals, entities, and vessels whose assets are blocked and with whom U.S. persons cannot transact. The EU Consolidated Financial Sanctions List is published by the European Commission and implements Council Decisions under the Common Foreign and Security Policy. They serve parallel purposes but operate under different legal frameworks, designation criteria, and update cycles. Compliance with one does not satisfy obligations under the other.

How quickly do I need to update my sanctions screening after a new designation?

Designations take legal effect immediately upon publication—not when your screening database updates. OFAC entries become binding the moment they post to Treasury.gov. EU sanctions bind upon Official Journal publication, which can precede Consolidated List database updates by days or weeks. The practical answer: screening data should refresh at least daily, and you need audit trails showing the database version used for each screening event.

Can I use a single sanctions list for both U.S. and EU compliance?

No. Screening only against OFAC lists leaves EU regulatory exposure. Screening only against EU lists misses U.S.-specific designations. The lists overlap substantially but not completely, and new designations rarely synchronize between authorities. Dual-jurisdiction exporters must screen against both authorities' lists, plus any relevant UN or UK sanctions for specific trade lanes.

What triggers an OFAC enforcement investigation?

Common triggers include voluntary self-disclosure, suspicious activity reports from financial institutions, referrals from other agencies like BIS or CBP, transaction pattern analysis, whistleblower tips, and correspondent banking alerts. OFAC explicitly considers whether a company had a functioning compliance program at the time of violation—both the existence of policies and evidence of their actual implementation factor into penalty calculations.

How long should I retain sanctions screening records?

OFAC's statute of limitations for civil violations runs five years from the transaction date. The EU Directive 2024/1226 establishes similar limitation periods for member state enforcement. Retaining screening records for seven years provides buffer against delayed investigations and aligns with standard export compliance document retention practices. Records should include screening date, database version identifier, entities screened, and disposition of any hits including resolution documentation.