Most exporters assume that if they ship to a sanctioned party by mistake, a good-faith explanation will shield them from penalties. That assumption is wrong — and it is the most expensive mistake in U.S. trade compliance. U.S. sanctions enforcement operates on a strict liability standard, which means the government does not need to prove you knew the party was sanctioned. It only needs to prove the transaction happened. Intent is irrelevant. Knowledge is irrelevant. Whether your screening program failed or never existed in the first place is irrelevant to the question of liability — it only affects the size of the penalty.
This post explains exactly what happens when a U.S. exporter ships to a sanctioned party: the legal mechanism that triggers liability, what OFAC does next, how penalties are calculated, and what real enforcement settlements show about the actual cost of getting this wrong. It also explains what to do if you discover you already have.
Strict Liability: The Legal Framework That Eliminates Intent as a Defense
Under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), OFAC can impose civil penalties on any U.S. person who engages in a prohibited transaction — regardless of whether they knew the counterparty was sanctioned. Intent is not a required element of a civil sanctions violation.
This is structurally different from how most business regulation works. Environmental violations require negligence. Employment violations require discriminatory intent. For OFAC civil penalties, none of that applies. If you transacted with a party on the SDN List, you violated the law. Your defense does not begin with "I didn't know" — it begins with "here is why the penalty should be lower."
The legal basis for this standard is well-established. In Holy Land Foundation for Relief and Development v. Ashcroft, the D.C. Circuit affirmed OFAC's authority to impose strict liability penalties for civil sanctions violations. Courts have repeatedly declined to import a knowledge requirement into IEEPA's civil enforcement framework. This is not an obscure technicality — it is the foundation of how OFAC enforcement functions.
Criminal liability is different. Criminal prosecution under IEEPA does require proof of willfulness — meaning the government must show you knew the conduct was illegal and proceeded anyway. The maximum criminal penalty is $1 million per violation and 20 years imprisonment for individuals. But most exporters face civil enforcement, not criminal. The civil track is where the volume of OFAC enforcement action occurs, and it requires no proof of knowledge.
Who OFAC Can Reach: Jurisdictional Scope
A common misconception is that OFAC sanctions only apply to U.S. companies operating inside the United States. This is incorrect. OFAC's jurisdiction extends to:
- U.S. persons wherever they are located in the world
- Any transaction that transits the U.S. financial system — including U.S. dollar wire transfers processed through U.S. correspondent banks
- Any transaction involving U.S.-origin goods or technology, regardless of where the seller is located
- Non-U.S. subsidiaries of U.S. parent companies in many sanctions programs
- Non-U.S. persons who cause U.S. persons to violate sanctions through facilitation or conspiracy
The practical effect is that a non-U.S. company that pays in U.S. dollars, uses U.S.-made components, or routes transactions through a U.S. bank can be subject to OFAC jurisdiction. Nordgas S.r.l., an Italian company, learned this in 2023 when it settled with OFAC for $950,000 for transactions involving Iran — despite being incorporated and operating entirely outside the United States. The connecting link was U.S. dollar payments routed through U.S. banks.
This jurisdictional reach is intentional. It is one of the primary mechanisms by which the U.S. government uses its economic leverage to enforce foreign policy objectives globally.
The Immediate Consequences After a Violation Is Identified
The moment a prohibited transaction is identified — whether by your own compliance program, a bank's screening, or OFAC — several things happen simultaneously:
Funds and property are blocked. If money or goods are in transit, banks are required to freeze them. Funds already received by you from the sanctioned party become blocked property. You cannot return these funds to the counterparty (that would be a separate violation), transfer them, or apply them to any business purpose without an OFAC license. They sit in a segregated account, potentially indefinitely.
Reporting obligations attach. Under 31 C.F.R. § 501.603 and § 501.604, you are required to report blocked property to OFAC within 10 business days and to file annual reports on blocked property held as of June 30 each year. A rejected transaction involving certain types of sanctioned parties must also be reported. Failure to meet these reporting deadlines is an independent violation — you can compound your exposure simply by mishandling the aftermath.
OFAC may open an investigation. OFAC's Civil Penalties and Enforcement Division can issue administrative subpoenas for records, transaction logs, counterparty files, screening documentation, and internal communications. These investigations are not quick — they can run for two to four years from discovery to settlement. During that period, your compliance program will be under sustained scrutiny, and every weakness in your historical practices will be documented.
Your banking relationships may be affected. Banks that process your transactions have their own OFAC compliance obligations. If a violation involving your company comes to their attention, they may exit the relationship or impose enhanced due diligence requirements. Several OFAC enforcement cases have involved banks separately fined for processing transactions on behalf of companies that were violating sanctions — banks have strong incentives to distance themselves from any client in enforcement proceedings.
How OFAC Calculates Civil Penalties
OFAC's penalty calculation methodology is published in Appendix A to 31 C.F.R. Part 501. The statutory maximum per violation under IEEPA is the greater of $377,700 (adjusted annually for inflation) or twice the transaction value. Each prohibited transaction is a separate violation — a company that shipped monthly to a sanctioned party for 18 months faces 18 stacked violations.
The actual settlement penalty is determined by a factors matrix:
| Factor | Penalty Direction |
|---|---|
| Willful or reckless conduct | Aggravating — higher penalty |
| Voluntary self-disclosure | Mitigating — up to 50% reduction |
| Egregious harm to U.S. foreign policy | Aggravating |
| Robust pre-existing compliance program | Mitigating |
| Cooperation with investigation | Mitigating |
| Remediation steps taken | Mitigating |
| Prior OFAC violations | Aggravating |
| Management awareness of conduct | Aggravating |
| De minimis transaction value | Mitigating |
For non-egregious violations with voluntary self-disclosure, the base penalty is typically 50% of the statutory maximum. For egregious violations without self-disclosure — meaning OFAC found it before you reported it — the base penalty is the full statutory maximum, applied to every transaction in the violation set.
The practical effect of voluntary self-disclosure is significant enough to dominate the settlement calculation in large cases. The difference between a company that discloses and a company that doesn't can easily exceed $10 million for multi-transaction enforcement actions.
Real Enforcement Cases: What Actually Gets Paid
Public OFAC settlement records show what the penalty math looks like in practice. Every case below is a matter of public record on the Treasury Department's website.
British American Tobacco — $635 Million (2023)
BAT's settlement — the largest OFAC civil penalty on record at the time — involved a subsidiary selling tobacco products to North Korea through intermediaries in Singapore. The parent company received profits from these transactions and did not disclose them to U.S. regulators. The conduct spanned multiple years and included deliberate steps to obscure the North Korea nexus. Key lesson: Parent companies bear liability for subsidiary conduct, and using non-U.S. intermediaries does not insulate U.S.-connected transactions from OFAC jurisdiction.
Binance — $4.3 Billion (2023)
Binance settled simultaneously with OFAC, FinCEN, and DOJ for allowing users in sanctioned jurisdictions — Iran, North Korea, Syria, Cuba — to transact on its platform. Binance had implemented some geographic controls, but they were easily circumvented. OFAC's finding was that implementing a control you know to be ineffective is functionally equivalent to having no control at all. Key lesson: Knowing about circumvention and not closing the gap counts as facilitation, not due diligence.
Toll Global Forwarding — $6.1 Million (2022)
Toll, a logistics provider, facilitated shipments to Iran, Sudan, North Korea, and Syria over six years. The case was significant because Toll did not own or originate the goods — it was acting as a freight forwarder. OFAC's position was clear: freight forwarders, logistics providers, and shipping intermediaries are subject to OFAC liability regardless of whether they have a direct customer relationship with the sanctioned party. If you move the goods, you have exposure.
Apple Inc. — $466,912 (2019)
Apple settled for apparent violations involving apps distributed through its App Store that were connected to a Slovenian company on OFAC's SDN list. The company's screening missed the designation because it was operating from a list that was not updated daily. The penalty was relatively modest — Apple cooperated, disclosed, and had a compliance program — but the case established clearly that platform companies are responsible for their counterparties' sanctions status. Key lesson: Stale list data is not a defense.
Nordgas S.r.l. — $950,000 (2023)
Nordgas, an Italian company with no U.S. operations, settled with OFAC for selling industrial equipment to an Iranian company. The U.S. nexus was U.S. dollar payments routed through U.S. correspondent banks. This case is regularly cited as evidence that the "we're a foreign company" argument provides no protection if there is any U.S. financial touchpoint. Key lesson: Dollar-denominated transactions are enough to establish OFAC jurisdiction over non-U.S. entities.
Herbalife — $370,992 (2023)
Herbalife settled for processing payments from Cuban distributors through its U.S. payment platform — a category of violation that would be easily preventable with geographic screening. The settlement was relatively small because Herbalife voluntarily disclosed and cooperated, demonstrating again that self-disclosure and program remediation have a measurable effect on outcome. Key lesson: The mitigation framework works if you use it correctly.
The Secondary Consequences Beyond the Fine
The civil penalty is the most visible consequence of a sanctions violation, but it is often not the most damaging one.
Reputational exposure. OFAC publishes enforcement actions publicly on the Treasury website. Every settlement — including the company name, the violation description, the penalty amount, and the findings — is a permanent public record. Potential customers, banking partners, and investors conduct OFAC enforcement searches as part of due diligence. A public finding can damage relationships that took years to build.
Banking relationship risk. Correspondent banks that process your dollar transactions have their own OFAC compliance requirements. Clients with known sanctions violations are compliance liabilities for banks. Following an OFAC settlement, companies frequently face enhanced due diligence requirements from their existing banking relationships, and some lose accounts entirely. De-risking by banks is a well-documented secondary consequence of sanctions enforcement.
Export privilege loss. For violations that overlap with BIS jurisdiction — particularly where goods on the Commerce Control List were involved in the transaction — BIS may seek to suspend or revoke export privileges in addition to OFAC's civil penalty. A denial order from BIS effectively ends a company's ability to export.
Individual liability. OFAC can and does bring enforcement actions against individual officers and employees in cases involving willful or egregious conduct. Individual officers can be personally fined, and in criminal referrals, personally prosecuted. Company indemnification agreements do not shield individuals from OFAC's direct enforcement authority.
What to Do If You Discover a Potential Violation
If your compliance program or an external event surfaces a transaction that may have involved a sanctioned party, the sequence matters:
- Stop all further activity with the counterparty immediately. Do not attempt to complete, close out, or reverse the transaction — additional activity compounds the violation set.
- Preserve all records — emails, contracts, invoices, shipping documents, wire instructions, and screening results. Destruction of records during an active or anticipated OFAC investigation is a criminal obstruction offense separate from the underlying violation.
- Engage OFAC-specialized counsel within 72 hours. The decisions made in the first few days — particularly about voluntary self-disclosure — have an outsized effect on the eventual outcome. This is not a general commercial attorney situation.
- Assess the scope carefully. Is this a single inadvertent transaction, or a pattern of conduct? Does it involve multiple OFAC sanctions programs? Are there third-party intermediaries who may have separate exposure? The scope assessment drives the disclosure strategy.
- Evaluate voluntary self-disclosure with counsel. In most cases involving meaningful violations, VSD is the right decision — the 50% penalty reduction plus the benefit-of-the-doubt treatment by OFAC in subsequent dealings is significant. But timing and presentation of the disclosure matter, and they should be handled by experienced counsel.
How to Prevent This in the First Place
The entire liability chain described above is preventable with a functioning restricted party screening program. The screening requirements are not complex, but they must be consistent and documented.
At minimum, every exporter should:
- Screen every new counterparty against the OFAC SDN List, BIS Entity List, Denied Persons List, and AECA Debarred List before the first transaction
- Re-screen existing counterparties regularly — lists update daily and a party with a clean record today can be added tomorrow
- Screen beneficial owners, not just the legal entity — the OFAC 50% Rule deems any entity 50% or more owned by an SDN-listed party to itself be sanctioned, even if it does not appear on the list by name
- Use fuzzy matching — exact-name search misses transliterations, aliases, and minor name variations that sanctioned parties routinely use
- Document every screen — a screening you cannot produce records of is, for OFAC enforcement purposes, a screening that did not happen
The companies in the enforcement cases above — BAT, Binance, Toll, Apple — all had compliance resources. The violations happened because their programs had gaps: stale data, ineffective controls, incomplete counterparty coverage. A functioning screening program does not guarantee zero violations, but it is the primary evidence that any violation was not willful, which is the single most important factor in penalty calculation.
Frequently Asked Questions
Is ignorance of sanctions a defense? No. OFAC applies strict liability for civil violations — the government does not need to prove you knew the party was sanctioned. Ignorance does not eliminate liability; it may reduce the penalty compared to a willful violation, but only if your compliance program shows genuine good-faith effort, not merely the absence of knowledge.
What is the maximum OFAC civil penalty per violation? Under IEEPA, the statutory maximum is the greater of approximately $377,700 (indexed annually for inflation) or twice the transaction value. Each prohibited transaction is a separate violation, so penalties stack. A company with 20 transactions to a sanctioned party over two years can face 20 stacked violations, each subject to the statutory maximum.
Can I be criminally prosecuted for a sanctions violation? Criminal prosecution requires proof of willfulness — you knew the conduct was illegal and did it anyway. Most enforcement actions resolve civilly. But egregious or deliberate violations can result in criminal referrals, including for individual officers and executives, with penalties up to $1 million per violation and 20 years imprisonment.
Does voluntary self-disclosure really reduce the penalty? Yes, substantially. OFAC's guidelines provide for up to a 50% reduction in the base penalty for timely voluntary self-disclosure. Beyond the numerical reduction, VSD affects OFAC's overall posture in the investigation — companies that disclose promptly and cooperate fully consistently receive better treatment than those OFAC discovers through its own investigation.
My company is outside the U.S. — does OFAC still apply? Yes, if there is a U.S. nexus. Any transaction involving U.S. dollar payments (which route through U.S. correspondent banks), U.S.-origin goods, U.S. persons, or U.S.-based infrastructure can create OFAC jurisdiction regardless of where the company is incorporated. Nordgas, an Italian company, paid nearly $1 million in 2023 solely on the basis of U.S. dollar payment routing.
What happens to funds that have already been received from a sanctioned party? They become blocked property. You are required to hold them in a segregated interest-bearing account, report them to OFAC within 10 business days, and cannot return or transfer them without an OFAC license. Returning blocked funds to the sanctioned party is a separate violation.
How long does an OFAC investigation take? OFAC investigations typically run two to four years from the initial inquiry to final settlement. During that period your compliance program, transaction records, and internal communications are under scrutiny. The statute of limitations for civil violations under IEEPA is five years from the date of the violation.
Can a freight forwarder or logistics provider be liable even if they don't own the goods? Yes. As the Toll Global Forwarding case demonstrates, OFAC holds intermediaries liable for transactions they facilitate, even without ownership of the goods. If you move, arrange, or finance a shipment involving a sanctioned party, you have potential exposure regardless of your role in the transaction chain.
How does TradeLasso help prevent sanctions violations? TradeLasso screens every counterparty against all 13 U.S. government sanctions and export control watchlists, updated daily, with fuzzy matching to catch name variations and aliases. Every screening action is automatically logged with timestamps for audit documentation — the exact trail OFAC expects to see when evaluating whether a violation was isolated or systemic. Learn more about TradeLasso's data sources.