Sanctions Compliance Program
A formal framework of policies and procedures an organization establishes to ensure compliance with OFAC sanctions — OFAC's counterpart to the broader Export Compliance Program.
Definition
A Sanctions Compliance Program (SCP) is a formal, written framework of policies, procedures, and internal controls that an organization establishes to ensure it does not conduct transactions prohibited by OFAC's sanctions programs. OFAC published its Framework for OFAC Compliance Commitments in 2019, identifying five essential components that an effective SCP must include. While the term is most commonly used in the financial services context, any company engaged in international trade — including manufacturers and distributors — is expected by OFAC to have an SCP or equivalent controls in place.
OFAC's Five Essential Components
OFAC's 2019 Framework for OFAC Compliance Commitments identifies five components that an effective Sanctions Compliance Program must include:
- Management commitment — senior leadership must actively support and resource the compliance function; a "tone from the top" that treats sanctions compliance as a genuine priority
- Risk assessment — a documented evaluation of the organization's specific sanctions exposure, covering customers, counterparties, transactions, products, and geographies
- Internal controls — written policies and procedures governing sanctions screening, transaction review, license management, and escalation of potential violations
- Testing and auditing — regular internal reviews and independent audits to verify that the program is functioning as designed and controls are operating effectively
- Training — regular, role-appropriate training for all employees who interact with transactions, customers, or counterparties
Sanctions Compliance vs. Export Compliance
A Sanctions Compliance Program and an Export Compliance Program (ECP) are related but distinct frameworks. An SCP focuses specifically on OFAC's sanctions programs — ensuring transactions do not involve sanctioned parties, countries, or activities. An ECP is broader, covering party screening plus export licensing, product classification under the EAR and ITAR, end-use controls, and deemed export obligations.
For many U.S. exporters, particularly those in regulated industries, both frameworks apply simultaneously. The restricted party screening element — checking counterparties against OFAC's SDN List and other sanctions lists — is an obligation under both the SCP and the ECP. Maintaining a single, documented screening process that satisfies both frameworks is more efficient than running separate programs.
How OFAC Uses the SCP in Enforcement
The existence, quality, and actual operation of a Sanctions Compliance Program is the single most important factor in how OFAC treats a potential violation. OFAC explicitly considers the adequacy of the SCP as both a mitigating factor (for companies with strong programs that self-disclose) and an aggravating factor (for companies with no program, or a program that exists on paper but is not followed in practice).
OFAC's published enforcement actions frequently cite the absence of a compliance program or specific failures within a program — inadequate screening, failure to train staff, lack of management oversight — as factors justifying larger penalties. A company with a genuine, operational SCP that discovers and voluntarily discloses a potential violation will almost always face significantly lower penalties than one that did not screen at all.
Restricted Party Screening Within a Sanctions Compliance Program
Sanctions screening — checking counterparties against the OFAC SDN List and other OFAC-maintained lists — is the most operationally critical element of any SCP. OFAC expects companies to screen at every transaction, not just at onboarding, because the SDN List is updated multiple times per week. A party that was clean at account opening may be newly designated before the next transaction.
The screening element of an SCP must document which lists are checked, using what tool or process, with what frequency, and how potential matches are reviewed and resolved. Without this documentation, a company cannot demonstrate to OFAC that its screening program is operational.
How TradeLasso Helps
TradeLasso supports the sanctions screening pillar of your Sanctions Compliance Program by querying the OFAC SDN List and all other OFAC-maintained lists — alongside BIS and State Department lists — in every search, generating a timestamped PDF report that documents the database version used.
Frequently Asked Questions
Is a Sanctions Compliance Program legally required?
OFAC does not mandate a specific written program by regulation. However, OFAC's Framework for OFAC Compliance Commitments makes clear that the existence and quality of a compliance program is evaluated in every enforcement matter. The practical effect is that companies without a program face higher penalties when violations occur — and OFAC treats the absence of a program as an aggravating factor that justifies larger penalties.
What is the difference between a Sanctions Compliance Program and an Export Compliance Program?
A Sanctions Compliance Program (SCP) is specifically focused on OFAC's sanctions obligations — ensuring transactions don't involve prohibited parties, countries, or activities. An Export Compliance Program (ECP) is broader, encompassing party screening plus licensing, product classification under EAR and ITAR, end-use monitoring, and deemed export controls. For exporters, both apply simultaneously. The restricted party screening component satisfies obligations under both frameworks.
How does OFAC evaluate whether a compliance program is adequate?
OFAC evaluates compliance programs against its five-component Framework: management commitment, risk assessment, internal controls, testing and auditing, and training. OFAC looks not just at whether a program exists on paper, but whether it is genuinely operational — whether staff are actually trained, whether screening is actually happening at every transaction, and whether potential violations are actually escalated and reviewed.
Do non-financial companies need a Sanctions Compliance Program?
Yes. OFAC sanctions apply to all U.S. persons and companies — not just financial institutions. Manufacturers, distributors, software companies, and service providers that engage in international transactions are all subject to OFAC jurisdiction and are expected to have appropriate compliance controls. The sophistication of the program should be proportionate to the company's level of sanctions exposure, but the underlying obligation to screen and avoid prohibited transactions applies regardless of industry.