OFAC Civil Penalties: The Federal Database Behind Sanctions Violations and Treasury Enforcement
The Treasury Department Office of Foreign Assets Control publishes every civil penalty settlement for sanctions violations—the banks, corporations, and individuals who conducted transactions with sanctioned countries or entities—with penalties ranging from thousands to over $1 billion, creating the most comprehensive public record of US sanctions enforcement against financial institutions and multinational corporations.
This article covers the legal authorities behind OFAC's civil and criminal enforcement powers, the Specially Designated Nationals (SDN) List as a public data asset, the historical civil penalty settlement record including landmark cases against major global banks, compliance program design requirements for financial institutions, the extraterritorial reach of US secondary sanctions, how to access OFAC's enforcement data and SDN List downloads, and Python code to parse and analyze the SDN List XML.
What OFAC is
The Office of Foreign Assets Control is an agency of the United States Department of the Treasury, operating under the authority of the Under Secretary of the Treasury for Terrorism and Financial Intelligence. OFAC administers and enforces economic and trade sanctions based on US foreign policy and national security goals, targeting foreign countries, regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy, or economy of the United States.
OFAC traces its institutional history to the Office of Foreign Funds Control, established in 1940 to block Axis power assets following Germany's invasion of Norway. The office was reconstituted as OFAC in 1950 in the context of the Korean War. Today OFAC administers more than thirty distinct sanctions programs targeting specific countries, regions, and categories of actors. Country-based programs cover Iran, North Korea, Cuba, Syria, Russia, Belarus, Venezuela, Burma (Myanmar), Sudan, Zimbabwe, and others. List-based programs target transnational threats regardless of nationality: al-Qaeda and the Islamic State under the Global Terrorism sanctions program; the Medellin and Cali cartels under the Narcotics Trafficking program; human rights abusers under the Global Magnitsky program; state-sponsored cyber actors; and foreign adversary intelligence services.
Legal authorities
OFAC derives its authority from a layered set of statutory grants and executive orders. The primary peacetime authority is the International Emergency Economic Powers Act (IEEPA), 50 U.S.C. §§ 1701–1708, enacted in 1977, which authorizes the President to declare a national emergency with respect to any unusual and extraordinary threat to national security, foreign policy, or the economy of the United States, and to block the property of, and prohibit transactions with, those contributing to the threat. Every major OFAC sanctions program since 1977 is grounded in an IEEPA executive order, often supplemented by program-specific legislation: the Iran Sanctions Act, the North Korea Sanctions and Policy Enhancement Act, the Global Magnitsky Human Rights Accountability Act, and the Countering America's Adversaries Through Sanctions Act (CAATSA) of 2017.
The Trading With the Enemy Act (TWEA), 50 U.S.C. §§ 4301–4341, enacted in 1917 and substantially amended in 1977, now applies only during congressionally declared war and serves as the legal basis for the Cuba sanctions program, which predates IEEPA. Cuba's sanctions framework—established under TWEA in the early 1960s and codified by the Cuban Assets Control Regulations (31 C.F.R. Part 515)—is therefore structurally older and in some respects more restrictive than IEEPA-based programs. The United Nations Participation Act provides authority to implement certain UN Security Council sanctions resolutions as a matter of US domestic law, supplementing the executive order framework for programs involving Security Council-mandated sanctions regimes.
The SDN List
The Specially Designated Nationals and Blocked Persons List (SDN List) is OFAC's primary designations database and the most consequential regulatory list in international commerce. As of 2026, the SDN List contains more than 10,000 entries spanning individuals, entities, vessels, and aircraft. US persons are broadly prohibited from transacting with any SDN-listed party, and the property of SDN-listed parties that comes within US jurisdiction must be blocked.
Each SDN List entry contains a name (in the original script where applicable, plus transliterated Latin-script version), the entry type (individual, entity, vessel, or aircraft), address information, alias names (also-known-as, or AKA, fields that can include dozens of alternative transliterations and informal names), identification numbers (passport numbers, national identification numbers, company registration numbers, IMO vessel numbers, and D-U-N-S numbers for commercial entities), and one or more sanctions program designations (such as IRAN, DPRK, SDGT, SDNTK, or CAATSA). The program field is critical for compliance purposes because the applicable regulatory prohibitions and license exceptions differ by program.
Beyond the SDN List, OFAC publishes four additional lists that together constitute the Consolidated Sanctions List: the Foreign Sanctions Evaders (FSE) List, the Sectoral Sanctions Identifications (SSI) List, the Non-SDN Palestinian Legislative Council (NS-PLC) List, and the Non-SDN Menu-Based Sanctions (NS-MBS) List. The SSI List is particularly significant for financial institutions with Russia exposure: it does not impose the outright prohibitions of SDN designation, but instead restricts certain categories of transactions (new debt with greater than 14-day maturity, new equity) with listed Russian financial institutions and energy companies. The Chinese Military-Industrial Complex Companies (CMIC) List, a separate program, restricts US persons from purchasing or selling publicly traded securities of listed Chinese companies linked to the PLA.
Civil penalties enforcement
OFAC has both civil and criminal enforcement authority for sanctions violations. Civil penalty authority derives from the underlying statutes (IEEPA, TWEA, and program-specific acts) and is codified in OFAC's Economic Sanctions Enforcement Guidelines at 31 C.F.R. Part 501, Appendix A. Criminal authority under IEEPA provides for up to $1 million in fines and 20 years of imprisonment per violation; criminal cases are referred to the Department of Justice, with OFAC serving in an advisory and fact-gathering capacity. The civil and criminal tracks can run simultaneously, as they did in most of the major bank enforcement actions of the 2010s.
Civil penalty structure
Civil penalties under IEEPA may not exceed the greater of $250,000 per violation or twice the amount of the transaction that is the basis of the violation. Under TWEA (Cuba), the statutory maximum is $65,000 per violation. Program-specific statutes sometimes impose higher limits: the Iran Threat Reduction and Syria Human Rights Act of 2012 raised the maximum IEEPA penalty to $1 million per violation for Iran-related violations, where the greater-of formula would exceed that floor. In practice, multi-year institutional violations involve hundreds or thousands of individual transactions, and the statutory maximum exposure quickly reaches figures in the hundreds of millions of dollars before any penalty negotiation.
OFAC's enforcement guidelines establish a structured penalty calculation methodology. The starting point is a base penalty, which for most violations is 50 percent of the applicable statutory maximum per transaction. OFAC then applies upward and downward adjustments based on general factors enumerated in the guidelines: the existence of a formal compliance program, the degree of willfulness or recklessness in the conduct, the harm caused to US foreign policy objectives, whether the conduct was isolated or systemic, the size and sophistication of the institution, whether the violation was voluntarily self-disclosed, and cooperation with the investigation.
Voluntary self-disclosure (VSD) is the single most significant penalty mitigant in the OFAC framework. An institution that discovers a potential violation and discloses it to OFAC before the agency independently learns of it qualifies for VSD credit, which reduces the base penalty by up to 50 percent. OFAC defines a “cautionary letter”—an outcome short of a formal civil penalty—as a disposition for non-egregious violations with voluntary self-disclosure, and a “no-action letter” for violations that, while technical, had no sanctions nexus and caused no harm to US foreign policy goals. The substantial difference in outcomes between VSDs and independently discovered violations drives the compliance incentive: institutions that identify potential violations through their own screening programs face materially better penalty exposure than those discovered through third-party reporting or US government intelligence.
Deferred prosecution agreements and monitors
In major institutional enforcement actions, OFAC frequently coordinates with the Department of Justice, which pursues parallel criminal charges. The standard resolution structure for large bank cases involves a deferred prosecution agreement (DPA) with DOJ under which the bank agrees to the facts, pays a criminal fine, and accepts a compliance monitor, with the criminal charges held in abeyance for a specified period (typically two to three years) and dismissed if the bank satisfies its compliance obligations. OFAC simultaneously settles the civil sanctions violations through a consent agreement or settlement agreement that addresses the specific OFAC violations and imposes compliance commitments separate from the DOJ monitor. The total penalty in such cases is the sum of the DOJ criminal fine and the OFAC civil settlement amount, which may be allocated differently for reporting purposes.
OFAC also has independent authority to block assets: property of SDN-listed parties or property in which an SDN-listed party has an interest must be blocked upon coming within US jurisdiction, regardless of whether a formal penalty action is pending. Financial institutions that receive wire transfers involving SDN-listed counterparties are required to block the funds and report the blocking to OFAC within 10 business days. Blocked assets earn interest at the applicable rate and are returned to the owner if the sanctions program ends or the designation is revoked, but cannot be released or transferred without an OFAC license.
Major enforcement actions
OFAC's civil penalty settlement record contains some of the largest financial regulatory penalties in US history. The pattern across major cases is consistent: a global financial institution with operations in multiple currencies and correspondent banking relationships processes transactions for Iranian, Cuban, Sudanese, or other sanctioned country counterparties through its US operations, frequently by stripping identifying information from SWIFT payment messages to prevent detection by US correspondent banks. The conduct typically spans years and involves hundreds of millions or billions of dollars in transaction value.
BNP Paribas (2015): $963 million in OFAC civil penalties, the largest OFAC-only civil settlement at the time of announcement, and part of a coordinated resolution with DOJ, NYDFS, and the Federal Reserve totaling approximately $8.9 billion. BNP Paribas processed approximately $30 billion in transactions through its US operations for clients in Sudan, Iran, and Cuba between 2004 and 2012, using payment message stripping—removing identifying information about the sanctioned counterparties from wire transfers before routing them through US correspondent banks—to conceal the sanctions nexus. The conduct was willful and systematic, involved senior management approval, and spanned multiple geographic units. BNP Paribas pleaded guilty to a criminal violation of the Trading With the Enemy Act as part of the DOJ resolution, a criminal conviction that is extraordinary for a major global bank.
Standard Chartered (2019): $639 million in combined OFAC and DOJ penalties, resolving a second enforcement action against the UK-based bank following its 2012 settlement. OFAC's portion of the 2019 settlement was $639 million, covering Iranian transactions processed through the bank's New York branch. Standard Chartered had processed approximately $240 billion in transactions for Iranian clients between 2009 and 2014, after the bank's 2012 settlement imposed compliance obligations that the bank failed to honor in full. The 2019 settlement included findings that Standard Chartered had not remediated the root causes of its compliance failures after the first action.
UniCredit (2019): $611 million in combined US penalties, with the OFAC portion approximately $100 million. UniCredit's Italian and German banking units processed transactions for Iranian, Libyan, and Russian clients through US correspondent banking relationships, stripping payment message fields to remove sanctions identifiers before transactions reached US processing points. The DOJ criminal component involved charges against UniCredit Bank AG (the German subsidiary) for criminal violations under IEEPA. The case illustrated that OFAC's enforcement reach extends to the European and Asian banking units of global groups, not only to US chartered subsidiaries.
Société Générale (2018): $53.9 million in OFAC civil penalties, part of a broader $1.3 billion coordinated settlement with DOJ, NYDFS, and the Commodity Futures Trading Commission covering both sanctions violations and LIBOR manipulation. The OFAC-specific violations involved transactions processed through the bank's US operations for Cuban clients, including the Cuban central bank and Cuban state-owned entities, during the period when the comprehensive Cuba embargo was in full force. The case was notable for illustrating that even relatively smaller sanctions violation components of a coordinated action carry significant penalties when the underlying program (Cuba) carries TWEA authority rather than IEEPA.
Nordea Bank (2019): $35.3 million in OFAC civil penalties for processing transactions for clients in Cuba, Sudan, and Iran through US correspondent banks without adequate sanctions screening. Nordea, a Nordic financial institution headquartered in Helsinki, processed the transactions through its correspondent banking relationships with major US institutions. The case illustrated the compliance risk that sanctions screening gaps at non-US banks create for US correspondent banks, who face both blocking obligations and potential secondary liability for facilitating sanctions evasion by foreign correspondents.
Berkshire Hathaway (2018): $4.1 million in OFAC civil penalties, an unusual enforcement action against a non-financial institution. Berkshire Hathaway's subsidiary Berkshire Hathaway Specialty Insurance Company underwrote reinsurance contracts with European companies that had Cuban exposures without obtaining the required OFAC specific license for Cuba-related insurance transactions. The case was resolved as a non-egregious violation with no finding of willfulness; Berkshire cooperated and self-disclosed.
Amazon (2020): $134,523 in OFAC civil penalties for selling to prohibited persons. Amazon's e-commerce platforms processed orders from individuals in the Crimea region of Ukraine (subject to OFAC geographic sanctions), orders for accounts associated with SDN-listed individuals, and orders from buyers using shipping addresses in Iran and Cuba. The relatively small penalty reflected that the transactions were individually low-value and non-willful, and that Amazon had a compliance program in place that identified and self-disclosed the violations. The case was widely cited in compliance communities as a reminder that OFAC sanctions apply to all US persons in all industries, not only financial institutions.
Apple (2021): $467,500 in OFAC civil penalties for sales to SDN-listed individuals and to buyers in sanctioned jurisdictions. Apple processed Apple Store purchases from accounts whose billing addresses were in Cuba, Iran, Sudan, Syria, and the Crimea region, and fulfilled orders placed by individuals the company had information linking to SDN-listed parties. Like Amazon, the Apple case reinforced that OFAC's coverage encompasses technology companies, software vendors, and app stores, not only the banking sector. Apple self-disclosed and received VSD credit.
Deutsche Bank (2023): Deutsche Bank's 2023 OFAC-related settlement was subsumed within a broader consent order addressing Russia-related exposure in the bank's wealth management and correspondent banking businesses. The total penalty across OFAC, FinCEN, and NYDFS components was approximately $629 million. Deutsche Bank had maintained correspondent banking relationships with Russian financial institutions after Russian entities were added to the SSI Sectoral Sanctions list following the 2014 Crimea annexation, and had conducted transactions that fell within the restricted categories (new debt with maturity over 14 days) for SSI-listed parties.
The SDN List as a data asset
OFAC publishes the SDN List as a free, public download in multiple formats: fixed-width text, CSV, XML, and JSON. The primary programmatic access point is the XML file at https://www.treasury.gov/ofac/downloads/sdn.xml, updated daily. The XML schema defines a root sdnList element containing individual sdnEntry elements, each of which encodes a single designated party. Each entry includes a uid (the OFAC internal identifier, which is stable across updates and serves as the primary key for change tracking), lastName (or entity name), firstName (for individuals), sdnType (Individual, Entity, Vessel, or Aircraft), programs (a list of sanctions program designations), akaList (alias names and alternative spellings), and idList (identification documents including passports, national ID numbers, D-U-N-S numbers, vessel IMO numbers, and registration numbers for legal entities).
The full Consolidated Sanctions List, which includes the SDN List plus the FSE, SSI, and other OFAC sublists, is available at the Sanctions List Service API at https://sanctions.ofac.treas.gov. The API supports REST queries by name, UID, or program, and returns results in JSON format. Treasury also publishes a separate XML for the SSI List, the CMIC List, and each other supplemental list. The SDN XML is approximately 10–15 MB uncompressed; the Consolidated Sanctions List XML is larger given the additional entries across all sublists.
For compliance applications, the SDN List is tracked as a delta: each published version carries a publication date, and changes—additions, removals, and modifications—are also published as update notices through the OFAC Recent Actions page and the sanctions API. Financial institutions typically run a daily comparison between the current SDN List and the prior version, extracting the set of newly designated parties and initiating screening of all existing customer relationships against the delta. The stable uid field is the correct join key for this workflow; names alone are unreliable because of transliteration changes, spelling corrections, and the intentional use of many aliases.
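The daily comparison described above, as an added example that is not part of the original article: two list versions are diffed on uid, and the same data is joined on name for contrast. The two XML snippets are constructed samples with invented parties, and the programList and aka element names are assumptions of the sample.

```python
import xml.etree.ElementTree as ET

# Namespace of the legacy SDN XML, as given in the article.
NS = {"o": "http://tempuri.org/sdnList.xsd"}

# Constructed sample data: two tiny list versions with invented parties.
# programList and aka are assumed element names for this sample.
PRIOR_XML = """<sdnList xmlns="http://tempuri.org/sdnList.xsd">
  <sdnEntry><uid>1001</uid><lastName>EXAMPLE SHIPPING CO</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>IRAN</program></programList></sdnEntry>
  <sdnEntry><uid>1002</uid><lastName>EXAMPLOV</lastName><firstName>Aleksandr</firstName>
    <sdnType>Individual</sdnType>
    <programList><program>SDGT</program></programList></sdnEntry>
  <sdnEntry><uid>1003</uid><lastName>SAMPLE STAR</lastName>
    <sdnType>Vessel</sdnType>
    <programList><program>DPRK</program></programList></sdnEntry>
</sdnList>"""

CURRENT_XML = """<sdnList xmlns="http://tempuri.org/sdnList.xsd">
  <sdnEntry><uid>1001</uid><lastName>EXAMPLE SHIPPING CO</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>IRAN</program></programList></sdnEntry>
  <sdnEntry><uid>1002</uid><lastName>EXAMPLOV</lastName><firstName>Alexander</firstName>
    <sdnType>Individual</sdnType>
    <programList><program>SDGT</program></programList>
    <akaList><aka><lastName>EXAMPLOV</lastName><firstName>Sasha</firstName></aka></akaList>
  </sdnEntry>
  <sdnEntry><uid>1004</uid><lastName>SAMPLE TRADING LLC</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>DPRK</program></programList></sdnEntry>
</sdnList>"""


def full_name(elem):
    """Join the firstName and lastName children of an sdnEntry or aka element."""
    parts = [elem.findtext("o:firstName", default="", namespaces=NS),
             elem.findtext("o:lastName", default="", namespaces=NS)]
    return " ".join(p.strip() for p in parts if p and p.strip())


def load_entries(xml_text):
    """Return {uid: record} for every sdnEntry in one list version."""
    root = ET.fromstring(xml_text)
    entries = {}
    for e in root.findall("o:sdnEntry", NS):
        uid = e.findtext("o:uid", namespaces=NS)
        if uid is None:
            continue  # an entry without a uid cannot be tracked across versions
        entries[uid.strip()] = {
            "name": full_name(e),
            "type": e.findtext("o:sdnType", default="Unknown", namespaces=NS),
            "programs": tuple(sorted(p.text for p in e.findall(".//o:program", NS) if p.text)),
            "akas": tuple(sorted(full_name(a) for a in e.findall(".//o:aka", NS))),
        }
    return entries


def diff_by_uid(prior, current):
    """Classify changes using uid as the join key."""
    modified = {}
    for uid in sorted(set(prior) & set(current)):
        changed = [f for f in prior[uid] if prior[uid][f] != current[uid][f]]
        if changed:
            modified[uid] = changed
    return {
        "added": sorted(set(current) - set(prior)),      # screen customers against these
        "removed": sorted(set(prior) - set(current)),    # delisted parties
        "modified": modified,                            # re-screen on new names and aliases
    }


def diff_by_name(prior, current):
    """Naive join on the primary name, shown only for contrast."""
    before = {r["name"] for r in prior.values()}
    after = {r["name"] for r in current.values()}
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    prior, current = load_entries(PRIOR_XML), load_entries(CURRENT_XML)
    print("uid join :", diff_by_uid(prior, current))
    print("name join:", diff_by_name(prior, current))
```

The name join reports the respelled individual as one removal plus one addition, while the uid join reports a single modified entry with the changed fields.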
Compliance program design
Financial institutions subject to OFAC jurisdiction—which includes any US person and any foreign financial institution that maintains US dollar correspondent banking relationships or processes US dollar transactions—are expected to maintain risk-based OFAC compliance programs. OFAC does not publish detailed prescriptive program requirements equivalent to FinCEN's four-pillar AML framework, but the enforcement guidelines describe the compliance program attributes OFAC considers in evaluating violations, and OFAC's Framework for OFAC Compliance Commitments (published 2019) identifies five essential components: management commitment, risk assessment, internal controls, testing and auditing, and training.
Payment screening and name matching
The core technical requirement for most financial institution OFAC compliance programs is payment screening: every outgoing and incoming wire transfer, ACH transaction, trade finance instrument, and new customer onboarding must be screened against the SDN List and applicable supplemental lists before the transaction is processed or the relationship is established. Screening against a list of more than 10,000 entries sounds straightforward, but in practice it is one of the most technically demanding problems in financial compliance. The fundamental challenge is name matching under uncertainty.
SDN entries frequently include names of common occurrence in certain geographies. An SDN-designated Iranian individual named Mohammad Ali Hassan will match algorithmically against hundreds of legitimate customers in a large bank's book of Iranian expatriate account holders. The false positive rate—the fraction of screening alerts that turn out to involve legitimate customers rather than true SDN matches—is typically 99 percent or higher at major financial institutions. A US bank with 50 million customers processing millions of transactions daily may generate tens of thousands of screening alerts per day that require human review. The cost of that review—the RegTech industry estimates it at over $2 billion annually across US financial institutions—is one of the primary drivers of investment in more sophisticated fuzzy-matching and entity resolution technology.
Fuzzy matching algorithms for SDN screening typically combine multiple approaches: exact string matching (highest precision, lowest recall for transliterated names), edit-distance algorithms (Levenshtein distance, Jaro-Winkler), phonetic encoding (Soundex, Double Metaphone, Beider-Morse for Slavic names), and transliteration normalization (converting Arabic, Persian, Cyrillic, and Chinese scripts to a canonical Latin-script form before comparison). Machine learning approaches using trained entity matching models have entered production at larger institutions, offering better calibration of the precision-recall tradeoff than rule-based systems at the cost of interpretability.
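A minimal screening pass combining two of the approaches listed above, normalization and Jaro-Winkler, as an added example that is not part of the original article. The list entries are constructed (invented parties built around the article's illustrative name), and the 0.90 alert threshold and the token-pairing score are assumptions chosen for the illustration.

```python
import re
import unicodedata

# Constructed sample entries (invented parties, not taken from the real SDN List).
SDN_SAMPLE = [
    {"uid": "9001", "name": "HASSAN, Mohammad Ali", "akas": ["HASAN, Mohamed Ali"]},
    {"uid": "9002", "name": "EXAMPLE MARITIME TRADING LLC", "akas": ["EXAMPLE MARINE TRADING"]},
]


def normalize(name):
    """Casefold, strip diacritics and punctuation. Latin script only: Arabic,
    Cyrillic and other scripts need a transliteration step before this one."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    joined = re.sub(r"[.']", "", no_marks.casefold())   # "L.L.C." -> "llc"
    return re.sub(r"[^a-z0-9]+", " ", joined).strip()


def jaro(s1, s2):
    """Jaro similarity in [0, 1]."""
    if s1 == s2:
        return 1.0
    len1, len2 = len(s1), len(s2)
    if not len1 or not len2:
        return 0.0
    window = max(max(len1, len2) // 2 - 1, 0)
    m1, m2 = [False] * len1, [False] * len2
    matches = 0
    for i, ch in enumerate(s1):
        for j in range(max(0, i - window), min(len2, i + window + 1)):
            if not m2[j] and s2[j] == ch:
                m1[i] = m2[j] = True
                matches += 1
                break
    if matches == 0:
        return 0.0
    k = out_of_order = 0
    for i in range(len1):          # count matched characters that are out of order
        if m1[i]:
            while not m2[k]:
                k += 1
            if s1[i] != s2[k]:
                out_of_order += 1
            k += 1
    t = out_of_order // 2
    return (matches / len1 + matches / len2 + (matches - t) / matches) / 3


def jaro_winkler(s1, s2, p=0.1):
    """Jaro score boosted for a shared prefix of up to four characters."""
    j = jaro(s1, s2)
    prefix = 0
    for a, b in zip(s1[:4], s2[:4]):
        if a != b:
            break
        prefix += 1
    return j + prefix * p * (1 - j)


def name_score(a, b):
    """Order-insensitive score: each token of the shorter name is paired with
    its best match in the longer one; unmatched extra tokens lower the score."""
    ta, tb = normalize(a).split(), normalize(b).split()
    if not ta or not tb:
        return 0.0
    short, long_ = (ta, tb) if len(ta) <= len(tb) else (tb, ta)
    return sum(max(jaro_winkler(s, l) for l in long_) for s in short) / len(long_)


def screen(candidate, entries=SDN_SAMPLE, threshold=0.90):
    """Return (uid, matched_name, score) alerts at or above threshold, best first."""
    hits = []
    for entry in entries:
        score, matched = max((name_score(candidate, n), n)
                             for n in [entry["name"], *entry["akas"]])
        if score >= threshold:
            hits.append((entry["uid"], matched, round(score, 3)))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for customer in ["Muhammad Ali Hassan", "Mohamed Ali Hasan",
                     "Example Maritime Trading L.L.C.", "Maria Alvarez"]:
        print(f"{customer!r:40} -> {screen(customer)}")
```

Every alert here is a name-only match, so a different person who shares the name raises the same alert; resolving it takes the secondary identifiers in the entry (the idList fields), which is the human-review load the preceding paragraphs describe.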
Geographic screening adds a second dimension: OFAC country-based programs (Cuba, Iran, North Korea, Syria, Crimea) prohibit transactions with persons in those geographies regardless of whether those persons are individually listed on the SDN List. Payments to accounts with addresses in sanctioned countries, trade finance transactions for goods destined for sanctioned jurisdictions, and insurance policies covering property in sanctioned locations all trigger review requirements. IP geolocation (for digital services), shipping destination screening (for e-commerce and logistics), and invoice address screening (for trade finance) are all components of a comprehensive geographic compliance program.
OFAC licenses
OFAC can authorize otherwise-prohibited transactions through two types of licenses. General licenses are published regulations that permit specified categories of transactions without requiring an individual application—for example, 31 C.F.R. Part 515.582, which authorizes certain telecommunications services to Cuba, or the general licenses that permit humanitarian food and medicine exports to sanctioned countries. Compliance personnel must track applicable general licenses for each sanctions program to correctly identify which transactions are permissible without further authorization.
Specific licenses are individual authorizations granted by OFAC upon application, permitting a named applicant to conduct a described transaction or category of transactions. Specific license applications are submitted through OFAC's online licensing portal and may take weeks to months to process depending on the complexity of the proposed transaction and the applicable sanctions program. Specific licenses are appropriate for transactions with bona fide sanctions exceptions—legal support for SDN-designated individuals in criminal proceedings, medical care for persons in sanctioned countries, or authorized journalism in sanctioned jurisdictions.
Secondary sanctions
US sanctions have a primary and a secondary dimension. Primary sanctions prohibit US persons from transacting with sanctioned parties; they apply to US citizens, US permanent residents, US entities, and persons present in the United States, as well as US-dollar transactions flowing through US correspondent banking relationships. Secondary sanctions extend US enforcement reach to non-US persons who engage in covered transactions with sanctioned parties.
The Iran secondary sanctions framework established under CAATSA 2017 and its predecessor statutes provides the clearest example. Section 1245 of the National Defense Authorization Act for Fiscal Year 2012 required the President to impose sanctions on any foreign financial institution that conducts significant financial transactions with the Central Bank of Iran, cutting off that institution's access to the US correspondent banking system. This provision forced European, Asian, and Middle Eastern banks to choose between their Iranian business and their US dollar clearing access. The result was a near-total withdrawal of non-US financial institutions from Iranian correspondent banking, demonstrating the coercive power of the threat to revoke US market access even where the primary sanctions do not technically apply.
Russia's CAATSA secondary sanctions provisions (Sections 231 and 232, covering the defense and intelligence sector and the energy export pipeline sector respectively) operate similarly. Section 231 requires the President to impose sanctions on persons who knowingly engage in a significant transaction with the Russian defense or intelligence sector, applying to both US and non-US persons. The 2017 imposition of CAATSA Section 231 sanctions on China's Equipment Development Department, in response to China's purchase of Russian S-400 air defense systems and Su-35 fighter aircraft, demonstrated that the US was willing to use secondary sanctions against allied and partner countries' defense establishments, creating significant diplomatic friction with European allies who were independently considering S-400 purchases.
The extraterritorial reach of secondary sanctions has been a persistent source of tension between the United States and its European allies. The European Union has enacted blocking statutes—most notably the EC Blocking Statute (Council Regulation 2271/96, updated in 2018)—that prohibit EU persons from complying with certain US secondary sanctions and entitle EU companies to sue for damages caused by compliance with those sanctions in EU courts. In practice, European financial institutions and corporations largely comply with US secondary sanctions because their US market access, US dollar funding, and correspondent banking relationships are more valuable than the sanctioned-country business they forfeit. The asymmetry of the US dollar's role in global trade finance is the mechanism that gives US secondary sanctions their coercive power.
OFAC enforcement data
OFAC publishes civil penalties and enforcement information on its Recent Actions page at home.treasury.gov/policy-issues/financial-sanctions/recent-actions. Each enforcement action is announced through a press release describing the respondent, the penalty amount, the violation period, the specific sanctions programs violated, and a summary of the underlying conduct. Settlement agreement documents are typically published as PDFs containing the full factual record, the specific violations cited by program and regulatory citation, the base penalty calculation, the applicable mitigating and aggravating factors, and the compliance commitments required of the respondent going forward.
OFAC brings between 50 and 100 enforcement actions per year, spanning a wide range of penalty magnitudes. The majority of actions by count are relatively small—cautionary letters, no-action letters, and penalties in the range of tens of thousands to hundreds of thousands of dollars for non-financial institution respondents (e-commerce companies, software vendors, exporters) with isolated compliance failures. The distribution is heavily right-skewed: a handful of major financial institution settlements account for the overwhelming majority of total penalty dollars in any given year. The 2010s were defined by a wave of major bank settlements averaging over $100 million per resolved action.
By industry sector, financial services accounts for roughly 40 percent of OFAC enforcement actions by count and a much higher share by penalty value. Technology and software companies (typically for sales to sanctioned-country users or SDN-listed persons through digital platforms) are the fastest-growing enforcement category by count. Insurance, reinsurance, and shipping/logistics companies each generate consistent enforcement action volumes, often for underwriting or transportation of goods with sanctioned-country nexus. The settlement documents for shipping cases frequently involve flag-of-convenience vessel operators or shipping intermediaries who obscure the ultimate cargo destination or beneficial owner of the vessel.
There is no bulk structured download of the civil penalty database comparable to the SDN List XML. The enforcement record exists as a collection of HTML press releases and PDF settlement documents. For structured analysis, the press release text contains sufficient information—respondent name, penalty amount, violation period, applicable programs—to build a machine-readable dataset through web scraping and regex parsing. The PDF settlement documents contain the complete factual record including the specific transaction details and compliance program failure analysis, and are parseable with standard PDF extraction libraries.
Python: parsing the OFAC SDN List XML
The following script downloads the OFAC SDN List XML using the legacy Treasury download URL, parses the XML tree using Python's standard library xml.etree.ElementTree, counts entries by SDN type (Individual, Entity, Vessel, Aircraft), and tallies all sanctions program designations across the list to identify the 15 most populated programs. The XML namespace used in the legacy SDN XML schema is http://tempuri.org/sdnList.xsd; the newer Sanctions List Service API uses a different schema. Requirements: requests and pandas.
```python
import requests
import xml.etree.ElementTree as ET
import pandas as pd

# OFAC SDN List -- XML download (updated daily)
sdn_url = "https://www.treasury.gov/ofac/downloads/sdn.xml"
resp = requests.get(sdn_url, timeout=60)
resp.raise_for_status()  # stop on an HTTP error instead of parsing an error page
root = ET.fromstring(resp.content)

# Count entries by type
ns = {"o": "http://tempuri.org/sdnList.xsd"}
entries = root.findall(".//o:sdnEntry", ns)
print(f"OFAC SDN List total entries: {len(entries):,}")

# Count by sdn_type
type_counts = {}
for e in entries:
    t = e.findtext("o:sdnType", namespaces=ns, default="Unknown")
    type_counts[t] = type_counts.get(t, 0) + 1

print("SDN entries by type:")
for t, c in sorted(type_counts.items(), key=lambda x: -x[1]):
    print(f" {t:<20} {c:>5,}")

# Count by sanctions program (one entry can carry several programs)
program_counts = {}
for e in entries:
    for prog in e.findall(".//o:program", ns):
        p = prog.text or "Unknown"
        program_counts[p] = program_counts.get(p, 0) + 1

top_programs = sorted(program_counts.items(), key=lambda x: -x[1])[:15]
print("\nTop 15 sanctions programs by entry count:")
for p, c in top_programs:
    print(f" {p:<20} {c:>5,}")
```
The output illustrates the composition of the SDN List across program types. The IRAN and SDGT (Specially Designated Global Terrorist) programs typically account for the largest shares of individual designations. Vessel and aircraft entries are concentrated in programs involving maritime sanctions evasion (Iran, North Korea) and aviation sanctions (Venezuela). The DPRK (North Korea) program has seen substantial growth in entity designations as OFAC has expanded its targeting of front companies and financial institutions used to support the North Korean economy and weapons program in circumvention of UN Security Council resolutions.
For production compliance applications, the recommended approach is to use the Sanctions List Service API at sanctions.ofac.treas.gov rather than the legacy XML download. The API supports incremental delta queries by publication date, returning only the entries that were added, modified, or removed since a specified date. This eliminates the need to re-parse the full list daily and reduces the data processing burden for compliance systems. The API's stable fixedRef identifier (equivalent to the uid in the legacy XML) is the correct primary key for tracking entity identity across list revisions.
Limitations and research notes
The OFAC civil penalty database has several structural features that affect quantitative analysis. Penalty announcements do not always correspond to the year in which the violations occurred; a settlement announced in 2019 may cover conduct from 2009 through 2014. Comparing penalty totals by announcement year therefore captures the rhythm of enforcement resolutions rather than the underlying violation incidence. Total penalty dollars are also a function of the number of transactions and the applicable statutory maximum per transaction, not solely the severity of the compliance failure; an institution that processed a large volume of small transactions can accumulate a higher raw statutory maximum than one that processed fewer but larger transactions.
The settlement amounts disclosed in OFAC press releases for coordinated multi-agency actions require careful attribution. In major bank cases, the total headline figure in press releases and news coverage is the sum across all agencies—OFAC, DOJ, NYDFS, OCC, Federal Reserve, CFTC, and others. The OFAC-specific component is often substantially smaller than the headline number. BNP Paribas's often-cited $8.9 billion total included approximately $963 million attributable to OFAC, with the remainder comprising the DOJ criminal fine, the NYDFS penalty, and Fed and OCC components. For research purposes, cross-referencing the OFAC press release against the DOJ press release and the NYDFS consent order is necessary to isolate the OFAC-specific penalty figure.
SDN designations are administrative actions subject to judicial review under the Administrative Procedure Act. Designated parties may challenge their designation in the D.C. Circuit Court of Appeals. The standard of review is deferential to OFAC, but successful challenges have occurred, typically where OFAC relied on classified evidence that the court found insufficient under the applicable procedural standard or where the designating executive order was challenged on constitutional grounds. The Office of Foreign Assets Control Procedures and Guidelines provide a formal reconsideration request process for designated parties, and OFAC maintains a dedicated licensing and reconsideration process for parties who believe their designation was made in error or whose circumstances have changed.