OFAC Compliance Checklist for Fintechs: What You Need Before Launch
You are building a fintech product. You have the funding, the team, and the product roadmap. Before you process your first transaction, you need OFAC compliance in place. Not eventually. Before launch.
This is the checklist your compliance officer (or your lawyer, if you do not have a compliance officer yet) needs to see completed.
Who Must Screen
If your company does any of the following, OFAC screening is a legal requirement:
- Money Services Businesses (MSBs): payment processors, money transmitters, prepaid card issuers
- Neobanks and challenger banks: whether you hold a charter or partner with a sponsor bank
- Crypto exchanges and custodians: FinCEN treats virtual asset service providers as MSBs
- Lending platforms: marketplace lenders, BNPL providers, invoice factoring
- Cross-border payment providers: remittance, B2B payments, FX services
- Insurance companies: underwriting and claims
- Any US person or entity: if you are a US company, OFAC applies to all your transactions globally
The common mistake is thinking OFAC only applies to international transactions. It does not. A domestic ACH transfer between two US bank accounts must be screened if you are the facilitating institution.
The Penalties
OFAC violations carry civil penalties up to $356,413 per violation (adjusted annually for inflation). Criminal penalties can reach $20 million and 30 years imprisonment.
The critical legal detail: OFAC operates under strict liability. You do not need to know the person is sanctioned. You do not need intent to violate. If you process a transaction involving a sanctioned party, you are liable. Period.
This is why screening must be automated and comprehensive. Manual spot-checks are not a defense.
The Checklist
1. Screen All Customers at Onboarding
Every new customer, business entity, or beneficial owner must be screened against the SDN list before you open an account or process a transaction.
Implementation with the EasySolutions OFAC API:
```javascript
const screenNewCustomer = async (customer) => {
  const response = await fetch(
    'https://ofac-screening-production.up.railway.app/screen',
    {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'x-api-key': process.env.OFAC_API_KEY,
      },
      body: JSON.stringify({
        name: customer.fullName,
        type: 'Individual',
        dateOfBirth: customer.dob || null,
        country: customer.country || null,
        threshold: 0.85,
      }),
    },
  );
  // A failed call must never be recorded as a screening result
  if (!response.ok) {
    throw new Error(`OFAC screening failed: HTTP ${response.status}`);
  }
  const result = await response.json();
  // Store the screening result for audit purposes
  await saveScreeningRecord({
    customerId: customer.id,
    screenedName: customer.fullName,
    screenedAt: result.screenedAt,
    listVersion: result.listVersion,
    matchCount: result.matchCount,
    matches: result.matches,
    disposition: result.matchCount === 0 ? 'CLEAR' : 'PENDING_REVIEW',
  });
  return result;
};
```
Set the threshold at 0.85 for onboarding. This catches strong and exact matches while minimizing false positives. Your compliance team reviews anything that comes back with matches.
2. Re-Screen When the SDN List Updates
Treasury updates the SDN list frequently -- sometimes multiple times per week. Every time the list changes, your existing customer base must be re-screened.
Use batch screening to re-screen your entire customer database:
```javascript
const rescreenAllCustomers = async (customers) => {
  const BATCH_SIZE = 100;
  const results = [];
  for (let i = 0; i < customers.length; i += BATCH_SIZE) {
    const batch = customers.slice(i, i + BATCH_SIZE);
    // Same per-customer fields as the onboarding screen
    const names = batch.map((c) => ({
      name: c.fullName,
      type: 'Individual',
      dateOfBirth: c.dob || null,
      country: c.country || null,
    }));
    const response = await fetch(
      'https://ofac-screening-production.up.railway.app/screen/batch',
      {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
          'x-api-key': process.env.OFAC_API_KEY,
        },
        body: JSON.stringify({ names, threshold: 0.85 }),
      },
    );
    // Abort the job rather than silently skipping a batch
    if (!response.ok) {
      throw new Error(`Batch re-screen failed at offset ${i}: HTTP ${response.status}`);
    }
    const data = await response.json();
    results.push(...data.results);
  }
  return results;
};
```
Check the /data-info endpoint to see when the SDN list was last updated. Compare it to your last re-screening date.
3. Screen All Transactions Above Threshold
Beyond customer onboarding, screen transaction counterparties. For wire transfers, screen both the sender and receiver names. For ACH, screen the originator and beneficiary.
Your risk-based approach determines the threshold. Most compliance programs screen all transactions, but at minimum screen:
- All international transactions
- All transactions above $3,000 (the FinCEN recordkeeping threshold)
- All transactions to high-risk jurisdictions (Iran, North Korea, Cuba, Syria, Russia, etc.)
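The minimum rules above, turned into a screening decision plus one request body per counterparty. This is an added example, not code from the original post or from EasySolutions; the transaction shape, the country-code set, the `policy` mode and the `tx.id` field are assumptions for illustration.

```javascript
// Assumed list of high-risk jurisdictions from the post (ISO country codes).
const HIGH_RISK_JURISDICTIONS = new Set(['IR', 'KP', 'CU', 'SY', 'RU']);
const RECORDKEEPING_THRESHOLD_USD = 3000;

// Returns the rules a transaction triggers; empty means the minimum policy
// does not require screening. Policy 'all' screens every transaction.
const screeningReasons = (tx, policy = 'minimum') => {
  const reasons = [];
  if (policy === 'all') reasons.push('policy: screen all transactions');
  if (tx.originCountry !== tx.destinationCountry) reasons.push('international');
  // The post says "above $3,000"; >= is the conservative reading used here.
  if (tx.amountUsd >= RECORDKEEPING_THRESHOLD_USD) reasons.push('amount >= $3,000');
  if (HIGH_RISK_JURISDICTIONS.has(tx.originCountry) ||
      HIGH_RISK_JURISDICTIONS.has(tx.destinationCountry)) {
    reasons.push('high-risk jurisdiction');
  }
  return reasons;
};

// Wires screen sender and receiver; ACH screens originator and beneficiary.
// Each body mirrors the /screen request used in the onboarding example.
const counterpartyRequests = (tx, threshold = 0.85) => {
  const roles = tx.rail === 'WIRE' ? ['sender', 'receiver'] : ['originator', 'beneficiary'];
  return roles.map((role) => {
    const party = tx.parties[role];
    if (!party || !party.name) throw new Error(`missing ${role} on transaction ${tx.id}`);
    return {
      role,
      body: {
        name: party.name,
        type: party.type || 'Individual',
        dateOfBirth: party.dob || null,
        country: party.country || null,
        threshold,
      },
    };
  });
};

// Decision record: whether to screen, why, and the requests to send.
const screenTransactionPlan = (tx, policy = 'minimum') => {
  const reasons = screeningReasons(tx, policy);
  return {
    screen: reasons.length > 0,
    reasons,
    requests: reasons.length > 0 ? counterpartyRequests(tx) : [],
  };
};
```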
4. Document All Screenings with an Audit Trail
Every screening must be recorded with:
- Who was screened (the name and any identifying details submitted)
- When the screening occurred (timestamp)
- Which list version was used (the SDN publish date)
- What the result was (clear, match found, or false positive after review)
- Who reviewed it (if a match was found and dispositioned)
The EasySolutions API returns screenedAt and listVersion in every response. Store these fields alongside the customer or transaction record. When an examiner asks to see your screening history, you produce these records.
5. Have a Process for Reviewing Matches
Not every match is a true positive. The SDN list contains common names, and fuzzy matching will surface partial matches that are not actual sanctioned persons.
Build a review workflow:
- Automated clear: If matchCount is 0, the screening is clear. No human review needed.
- Automated escalation: If matchCount > 0, flag the record for compliance review.
- Human review: A compliance analyst compares the match details (name, date of birth, country, programs) against your customer's known information.
- Disposition: The analyst marks the match as either a true positive (block the transaction, file an SAR) or a false positive (document the reasoning, allow the transaction).
- Record the decision: Store the analyst's name, the decision, the reasoning, and the timestamp.
The match details from the API help analysts make faster decisions. A match score of 0.99 with matching date of birth and country is almost certainly a true positive. A score of 0.86 where only the last name matches is likely a false positive.
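The workflow above as code: automated clear, automated escalation with a review priority derived from the match score and corroborating identifiers, and a disposition record with the analyst's decision. This is an added example, not code from the original post or from EasySolutions; the per-match fields (`score`, `dateOfBirth`, `country`) and the 0.95 priority cut-off are assumptions and should be checked against the real response.

```javascript
// Assumed match shape: { name, score, dateOfBirth, country, programs }.
const triageScreening = (customer, result) => {
  // Automated clear: zero matches needs no human review.
  if (!result.matchCount) {
    return { disposition: 'CLEAR', priority: 'NONE', matches: [] };
  }
  // Automated escalation: note which identifiers corroborate each name
  // match so the analyst sees at a glance why the score is credible or not.
  const ranked = result.matches.map((m) => {
    const corroborating = [];
    if (m.dateOfBirth && customer.dob && m.dateOfBirth === customer.dob) {
      corroborating.push('dateOfBirth');
    }
    if (m.country && customer.country && m.country === customer.country) {
      corroborating.push('country');
    }
    return { ...m, corroborating };
  });
  const strongest = ranked.reduce((a, b) => (b.score > a.score ? b : a));
  // High score plus a corroborating identifier is the "almost certainly a
  // true positive" case; a bare name score near the threshold is likely noise.
  let priority = 'LOW';
  if (strongest.score >= 0.95 && strongest.corroborating.length > 0) {
    priority = 'HIGH';
  } else if (strongest.score >= 0.95 || strongest.corroborating.length > 0) {
    priority = 'MEDIUM';
  }
  return { disposition: 'PENDING_REVIEW', priority, matches: ranked };
};

// Disposition record: who decided, what, why and when. A true positive
// blocks the transaction and starts the SAR filing procedure.
const recordDisposition = (triage, analyst, decision, reasoning) => {
  if (triage.disposition !== 'PENDING_REVIEW') {
    throw new Error('only escalated screenings are dispositioned');
  }
  if (!['TRUE_POSITIVE', 'FALSE_POSITIVE'].includes(decision)) {
    throw new Error(`unknown decision ${decision}`);
  }
  if (!reasoning || !reasoning.trim()) {
    throw new Error('reasoning is required for the audit trail');
  }
  const truePositive = decision === 'TRUE_POSITIVE';
  return {
    analyst, decision, reasoning,
    decidedAt: new Date().toISOString(),
    blockTransaction: truePositive,
    fileSar: truePositive,
  };
};
```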
6. Train Staff on Escalation Procedures
Your compliance program must include:
- Written procedures for what happens when a match is found
- Training records showing staff completed OFAC training
- Escalation paths from front-line staff to compliance officer to legal counsel
- SAR filing procedures for confirmed matches (file within 30 days via FinCEN BSA E-Filing)
- OFAC reporting: if you identify a blocked transaction, report it to OFAC within 10 business days
Implementation Timeline
For a pre-launch fintech, here is a realistic timeline:
- Week 1: Integrate the screening API into your onboarding flow. Store screening results.
- Week 2: Build the review workflow for matches. Set up the re-screening job.
- Week 3: Write the compliance procedures document. Train the team.
- Week 4: Run a full test with sample data. Have legal review the procedures.
You do not need a $50,000 enterprise platform to launch with compliant OFAC screening. You need an API that screens reliably, returns audit-ready results, and costs what a startup can afford.
Get Started
Get an API key and start screening: ofac-screening-production.up.railway.app
Try the interactive screening tool: easysolutions906.github.io/screen.html
The SDN list does not wait for your launch date. Neither should your compliance program.