Sanctions Screening Explained for Finance Apps with Onchain Digital Assets

Author: Sankrit K.

Takeaways

  • Sanctions screening checks customers, wallets and transactions against government watchlists such as the OFAC SDN List.
  • It runs at onboarding and then continuously, because lists change often, sometimes daily.
  • Crypto added a second screening surface. Firms now screen wallet addresses, not only names.
  • Liability is strict. A business can be fined without intent, up to the greater of $377,700 per violation or twice the transaction value under US law.
  • Many fintech and crypto apps meet the obligation by embedding a regulated on-ramp that screens by default.

The moment an app lets someone buy crypto or stablecoins with a card or a bank transfer, it takes on a duty that used to sit with banks alone: keeping sanctioned people, companies and wallets out of the financial system. Sanctions screening is how that duty is met.

Sanctions screening compares every customer, counterparty and transaction against official lists of parties the law forbids you from dealing with, and determines what to do when something matches.

This guide explains how screening works, why crypto made it harder, and what regulated platforms do to stay on the right side of it.

What is sanctions screening?

Sanctions screening is the process of checking customers, counterparties, wallet addresses and transactions against government lists of sanctioned people, companies and countries. When a match is confirmed, the business must block or reject the transaction, freeze any related assets, and report it to the relevant authority. The aim is to keep prohibited parties out of the financial system.

Screening sits inside a wider anti-money laundering programme, next to KYC checks. The two answer different questions.

  • KYC asks who a customer is.
  • Sanctions screening asks whether that customer, or the destination of their money, is someone you are barred from serving.

A platform can verify an identity perfectly and still be obliged to turn the person away if they appear on a list.

It also reaches beyond the customer in front of you. Payment firms screen both sides of a transfer and the institutions in between, and in the case of onchain digital assets, that includes the wallet on the other end.

[Figure: Where sanctions screening happens]

Who decides who is sanctioned?

In the United States, the Office of Foreign Assets Control (OFAC), part of the Treasury, administers most sanctions. Its central tool is the Specially Designated Nationals and Blocked Persons List, known as the SDN List, which names parties US persons are generally prohibited from dealing with. The UK, the EU and the UN maintain their own lists, and most of them run in parallel.

OFAC operates more than 30 sanctions programmes and updates the SDN List frequently, sometimes several times a week. Two features make its reach wider than a single list suggests.

  1. The first is the 50 Percent Rule, under which any company owned 50 percent or more by sanctioned parties is itself blocked, even if its name never appears on the list.
  2. The second is strict liability. A firm can breach US sanctions without knowing or intending to, and the obligation can extend to non-US businesses whenever a transaction touches US dollars or US persons.

Authority              Jurisdiction        Primary list
OFAC (US Treasury)     United States       SDN List
OFSI (HM Treasury)     United Kingdom      UK Sanctions List
European Union         EU member states    EU Consolidated List
UN Security Council    UN member states    UN Consolidated List

How does sanctions screening work?

Screening runs at two moments.

The first is at onboarding, when a new customer's details are matched against the lists. The second is continuous: transactions and counterparties are checked, and existing customers are re-screened whenever a list changes. Matching is rarely a clean one-to-one comparison. Systems use fuzzy logic to catch aliases and spelling variants, which can produce false alerts that a compliance team has to review.

Name and identity screening

At onboarding, a platform collects identifiers such as full name, date of birth, nationality and a government ID, then compares them against watchlist entries.

The hard part is that names are messy. The same person can appear under aliases, nicknames and different transliterations from another alphabet, so screening tools match approximately rather than exactly. That tuning is a balance. Set the threshold too loose and real matches slip through. Set it too tight and the system flags thousands of innocent customers who happen to share a name.

Transaction and ongoing monitoring

Transactions are checked in real time, and customers are re-screened as designations are added or removed. Behaviour matters too, because patterns of activity feed a risk rating that decides how closely an account is watched.

In crypto, this is also where the Travel Rule applies, the requirement to pass identifying information between firms on transfers above a set threshold.

The false positive problem

Large institutions screen millions of transactions a day, and most alerts are false positives. Each one still has to be reviewed and documented, which is slow and costly, and it is where many programmes struggle.

Clearing a true match by mistake is a violation. Holding up a false one delays a legitimate customer and adds cost. Neither error is free, and getting the balance right is most of the day-to-day work.
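The trade-off described under name screening and the false positive problem can be seen on a small scale. The following is an added example, not code from Transak or any screening vendor: the watchlist entries, customer names and cut-off values are constructed, and Python's difflib.SequenceMatcher stands in for whatever matcher a production system uses.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist: fictional names and IDs, each entry a primary name plus aliases.
WATCHLIST = {
    "WL-0001": ["Aleksandr Volkonsky", "Sasha Volkonsky"],
    "WL-0002": ["Darya Petrenko-Lind"],
}

def normalize(name):
    """Fold case, strip diacritics and punctuation, and ignore token order."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(sorted(re.findall(r"[a-z0-9]+", stripped.casefold())))

def screen(customer_name, cutoff):
    """Return {entry_id: best similarity} for entries scoring at or above cutoff."""
    query = normalize(customer_name)
    hits = {}
    for entry_id, names in WATCHLIST.items():
        best = max(SequenceMatcher(None, query, normalize(n)).ratio() for n in names)
        if best >= cutoff:
            hits[entry_id] = round(best, 3)
    return hits

def alerts_by_cutoff(customers, cutoffs):
    """Map each cut-off to the customers it would send to manual review."""
    return {c: {n: screen(n, c) for n in customers if screen(n, c)} for c in cutoffs}

if __name__ == "__main__":
    customers = [                # constructed onboarding names
        "VOLKONSKY Aleksándr",   # listed name, different case, order and accent
        "Volkonskiy, Alexandr",  # transliteration variant of the listed name
        "Aleksandra Volkova",    # different person with a similar name
        "Maria Okonkwo-Hale",    # unrelated customer
    ]
    for cutoff, alerts in alerts_by_cutoff(customers, [0.95, 0.85, 0.75]).items():
        print(cutoff, alerts)
```

With this data, a cut-off of 0.95 catches only the normalized exact name and misses the transliteration variant, 0.85 catches the variant, and 0.75 also sends the similarly named but different customer to review.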

Why did crypto change the screening problem?

Crypto added a second screening surface. Beyond names, firms now have to screen wallet addresses.

OFAC began publishing cryptocurrency addresses in its SDN designations on 28 November 2018, and more than 600 individual addresses now sit on the list. Checking an address against those entries, and tracing whether it has dealt with sanctioned ones, needs blockchain analytics that name-screening never required.

OFAC has also sanctioned entire services, not just individuals. For example, it designated the mixer Blender.io in May 2022, the first crypto mixer to be sanctioned, and then Tornado Cash in August 2022 for laundering more than $455 million stolen from the Ronin Bridge by the North Korea-linked Lazarus Group. Exchanges such as Garantex and Suex have been designated for processing criminal funds.

The problem is that wallet addresses are pseudonymous, funds move across blockchains and through mixers, and an address that looks clean today can receive tainted funds tomorrow. To trace these flows, OFAC works with blockchain analytics firms including Chainalysis and Elliptic.
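The two address checks described above, a direct list match and tracing whether an address has dealt with a listed one, can be sketched as a hop count over observed transfers. This is an added example, not code from OFAC, Transak or an analytics vendor: the addresses and transfers are constructed placeholders, and counting hops is a simplifying assumption rather than how commercial blockchain analytics scores exposure.

```python
from collections import deque

# Constructed placeholder addresses; real entries come from the published lists.
SANCTIONED = {"0xLISTED01"}

def norm(address):
    # Assumption: hex-style addresses, where letter case does not change the address.
    return address.strip().lower()

def exposure_hops(address, transfers, sanctioned=SANCTIONED, max_hops=2):
    """Fewest transfers linking address to a listed one (0 = listed itself), else None."""
    graph = {}
    for sender, receiver in transfers:
        s, r = norm(sender), norm(receiver)
        graph.setdefault(s, set()).add(r)  # "dealt with" in either direction
        graph.setdefault(r, set()).add(s)
    listed = {norm(a) for a in sanctioned}
    start = norm(address)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if node in listed:
            return hops
        if hops < max_hops:
            for nxt in graph.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, hops + 1))
    return None

# Constructed (sender, receiver) transfers observed on two consecutive days.
DAY1 = [("0xCUST01", "0xEXCH01"), ("0xcust02", "0xlisted01")]
DAY2 = [("0xLISTED01", "0xHOP01"), ("0xHOP01", "0xCUST01")]

if __name__ == "__main__":
    print(exposure_hops("0xCUST01", DAY1))          # no link on day 1
    print(exposure_hops("0xCUST01", DAY1 + DAY2))   # linked after day 2
    print(exposure_hops("0xCUST02", DAY1 + DAY2))   # direct counterparty
```

The same customer address returns no exposure on the first day and an indirect link on the second, which is why address screening has to be repeated as new transfers arrive.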

The rules here are still being argued.

A federal appeals court found in late 2024 that OFAC had overstepped by sanctioning Tornado Cash's immutable smart contracts, since code that no one controls is hard to treat as property, and the Treasury removed Tornado Cash from the list in March 2025. The episode is a reminder that sanctions law for decentralized software is unsettled, and that compliance teams have to track not only new designations but the court decisions that reshape them.

The same pressure is now reaching stablecoins, where issuers freeze wallets tied to sanctioned addresses on-chain.

What does getting it wrong cost?

Sanctions violations carry strict liability, so a firm can be penalised even with no intent. Under the International Emergency Economic Powers Act, civil penalties reach the greater of $377,700 per violation or twice the value of the transaction, and willful breaches can bring criminal fines of up to $1 million and 20 years in prison. Because each transaction counts as a separate violation, totals add up quickly.

Enforcement is active and increasingly aimed at digital assets. In 2025, OFAC announced more than $266 million in penalties across 14 public actions. Crypto firms are squarely in scope. In December 2025 the agency settled with a non-custodial wallet provider for $3.1 million over more than 250 violations of Iran sanctions, even though the company never processed the transactions itself and only acted as a front end to third-party exchanges. OFAC pointed to its support staff recommending VPNs to get around geo-blocking as part of the conduct. Months earlier, a digital asset exchange settled more than 17,000 apparent violations for $750,000.

The lesson for anyone building an app is that you do not have to hold the funds or run the matching engine to carry the obligation. If your product is the front door to buying or moving crypto, the duty is yours.

The five parts of a sanctions compliance programme

OFAC's Framework for OFAC Compliance Commitments sets out five components every programme should have:

  1. Management commitment
  2. Risk assessment
  3. Internal controls
  4. Testing and auditing
  5. Training

Its 2021 guidance for the virtual currency industry applies the same five to crypto firms and adds one point. Build screening in before launch rather than bolting it on later.

OFAC has noted that crypto companies often add sanctions controls months or years after they start operating, and that gap is exactly where exposure builds. Screening designed into a product from the first release is cheaper, and far less risky, than screening retrofitted after the first enforcement letter arrives.

What this means for apps that move money

For most fintech and crypto apps, building sanctions screening in-house means licensing, watchlist data feeds, blockchain analytics, a team to review alerts and audited controls, all kept current as lists change daily. Rather than assemble that themselves, many embed a regulated on-ramp and off-ramp that already carries the screening obligation.

As a regulated on-ramp and off-ramp used across more than 600 apps, our infrastructure screens every customer against OFAC, the UK's OFSI and other government watchlists as part of our customer checks, runs risk-based transaction monitoring, and holds the registrations the work requires, including authorisation by the FCA in the UK and money services business registration in the US.

Through KYC Reliance, a partner app can let Transak verify and screen a user once instead of asking that person to verify twice. The app keeps its own interface and brand. The screening and the regulatory responsibility sit with infrastructure built for them.

Sanctions Screening FAQs

What is the difference between sanctions screening and KYC?

KYC verifies who a customer is. Sanctions screening checks whether that customer, or the destination of their funds, appears on a government list of parties you are barred from dealing with. KYC can pass while screening still requires you to reject the customer. Both belong to the same anti-money laundering programme.

Does sanctions screening apply to crypto wallets?

Yes. Since 28 November 2018, OFAC has published cryptocurrency addresses in its sanctions designations, and more than 600 now appear on the SDN List. Regulated crypto firms screen wallet addresses, using blockchain analytics to check whether an address is sanctioned or has dealt with sanctioned ones.

What happens when a sanctions match is confirmed?

The business must stop the transaction, block or freeze any related assets, and report the match to the relevant authority, such as OFAC in the US or OFSI in the UK. It must also keep records of the decision. Acting on a confirmed match is mandatory.

Can a company be liable for an accidental sanctions violation?

Yes. US sanctions operate on strict liability, so a firm can be penalised even without intent or knowledge. A strong compliance programme and prompt voluntary disclosure are treated as mitigating factors and usually reduce the penalty, but they do not remove the underlying liability.

How often are sanctions lists updated?

Frequently, sometimes several times a week and occasionally daily. New designations are added and existing ones removed, as the Tornado Cash delisting in March 2025 showed. This is why screening has to run continuously and why customers are re-screened whenever a list changes.

Where to start

If your product touches crypto, start with a simple exercise. Write down every point where money enters or leaves, and name who screens at each one. Where the answer is "no one" or "we are not sure," that is the first gap to close. Teams that would rather not build and maintain the full apparatus can reach the same standard by embedding a regulated on-ramp that screens by default, and spend their own effort on the product instead.

This material is for general information only and is not legal, financial or compliance advice.

Written by Sankrit K., content writer at Transak
