Sanctions Screening for Crypto: OFAC, EU, and Travel Rule Compliance
Crypto sanctions screening requires address-based, entity-based, and transaction-level checks. Here's how to build a screening system that passes OFAC examination.
Sanctions compliance in crypto is fundamentally different from sanctions compliance in traditional finance. In traditional finance, you screen names, addresses, and identification numbers against sanctions lists. In crypto, you must additionally screen blockchain addresses — and the transactions flowing through those addresses — against a growing universe of designated addresses.
OFAC added its first cryptocurrency addresses to the Specially Designated Nationals (SDN) list in 2018. Since then, the number of designated addresses has grown steadily, and the enforcement actions for sanctions violations in crypto have increased in both frequency and severity. Bittrex paid $24 million in 2022 for apparent sanctions violations. Tornado Cash was designated in 2022, and multiple individuals associated with it face criminal charges.
The stakes are clear. For any crypto firm with US touchpoints — US users, US-dollar denominated stablecoins, US-based counterparties — OFAC compliance is not optional. And with the GENIUS Act establishing full BSA compliance for stablecoin issuers and FinCEN proposing effectiveness-based AML assessments, the screening standard is rising.
The Three Layers of Crypto Sanctions Screening
Layer 1: Entity-Based Screening
Entity-based screening is the traditional layer — matching customer names, addresses, dates of birth, and identification numbers against sanctions lists. This is the same screening that banks, broker-dealers, and money service businesses have conducted for decades.
For crypto firms, entity-based screening occurs at onboarding (screening every new customer against all applicable lists before account activation), on a recurring basis (rescreening the entire customer base whenever lists are updated), and at trigger events (rescreening when customer information changes — name updates, address changes, new identification documents).
The lists that crypto firms must screen against include OFAC SDN List (US), OFAC Consolidated Sanctions List (US), EU Consolidated List, UN Consolidated List, and country-specific lists relevant to your operating jurisdictions (UK, Australia, Canada, etc.).
Layer 2: Address-Based Screening
Address-based screening is unique to crypto. It evaluates whether blockchain addresses involved in a transaction appear on sanctions lists or are associated with sanctioned entities.
OFAC has designated specific blockchain addresses on the SDN list. These designations make it illegal for US persons to transact with those addresses. But the challenge extends beyond listed addresses. Sanctioned entities can create new addresses at will — and often do, specifically to evade address-based screening.
Effective address-based screening therefore requires direct matching against designated addresses, indirect association analysis (evaluating whether an address has transacted with designated addresses within a specified number of hops), and cluster analysis (identifying groups of addresses controlled by the same entity, where any address in the cluster is designated).
Blockchain analytics providers — Chainalysis, Elliptic, TRM Labs, and others — maintain databases of attributed addresses that extend far beyond the OFAC list, covering addresses associated with sanctioned jurisdictions, darknet markets, ransomware operators, fraud operations, and other illicit actors.
Layer 3: Transaction-Level Screening
Transaction-level screening evaluates individual transactions for sanctions risk, considering not just the direct counterparty but the broader transaction context.
Transaction-level screening incorporates geographic risk assessment (is the transaction's origin or destination associated with a comprehensively sanctioned jurisdiction?), pattern analysis (does the transaction pattern suggest sanctions evasion — rapid movement through multiple addresses, use of mixers or privacy tools, conversion through decentralized exchanges?), and value assessment (is the transaction value consistent with the customer's profile, or does it suggest structured evasion?).
The Travel Rule Connection
The FATF Travel Rule requires VASPs to collect and transmit originator and beneficiary information for qualifying transfers. This creates a sanctions screening intersection: the information collected under the Travel Rule (originator name, account number, address) must be screened against sanctions lists before the transfer is completed.
The Travel Rule thresholds vary by jurisdiction. In the EU under MiCA and the Transfer of Funds Regulation, the threshold is €1,000 for transfers from hosted wallets. In the US, the BSA threshold is $3,000. The CLARITY Act implementing rules, once finalized, may modify these thresholds for crypto-specific transfers.
For sanctions screening, the Travel Rule creates both an obligation and an opportunity. The obligation is that you must screen the originator and beneficiary information collected under the Travel Rule before processing the transfer. The opportunity is that this information enables entity-based screening on the counterparty — something that was previously impossible for crypto transfers where you only knew the blockchain address, not the identity of the person behind it.
Building the Screening Architecture
List Management
Sanctions lists change frequently. OFAC updates the SDN list multiple times per month. The EU consolidated list is updated with each new sanctions program or designation round. Managing these updates requires automated list ingestion, version control, retroactive screening (when a new designation is added, rescreening your entire customer base and transaction history against the new entry), and multi-list consolidation.
Fuzzy Matching
Name-based screening requires fuzzy matching algorithms that account for transliteration variations, spelling differences, partial matches, reversed name order, and nickname/alias usage. A screening system that only catches exact matches will miss obvious variations — 'Mohammed' vs 'Muhammad' vs 'Mohamed,' for example, are all valid transliterations of the same name.
The challenge is calibrating fuzzy matching sensitivity. Too loose and you generate overwhelming false positives. Too tight and you miss legitimate matches. Most screening systems use a similarity threshold — typically 80-90% — and require human review for matches above the threshold.
Address Screening in Real Time
Blockchain address screening must occur in real time — before a transaction is processed, not after. This requires an address attribution database that is updated continuously, a screening API with sub-second response time, integration into the transaction processing pipeline at the pre-execution stage, and fallback procedures for cases where the screening system is unavailable.
The OFAC Examination: What Examiners Look For
An OFAC examination of a crypto firm evaluates whether the firm has a sanctions compliance program with the five essential components: management commitment, risk assessment, internal controls, testing and auditing, and training. The examiner specifically looks for evidence that the firm screens against all applicable lists, that screening occurs at the required trigger points, that matches are dispositioned by qualified personnel, that true matches result in appropriate action (blocking, rejecting, or reporting), and that the entire process is documented with an audit trail.
The most common examination findings include failure to screen at all required trigger points, inadequate fuzzy matching (exact match only), failure to update lists promptly after new designations, inadequate documentation of match disposition decisions, and lack of retroactive screening when new designations are published.
Crypto Sanctions Screening FAQ
- What sanctions lists must crypto firms screen against?
- At minimum: OFAC SDN list, OFAC Consolidated Sanctions List, EU Consolidated List, and UN Consolidated List. Additional country-specific lists apply based on your operating jurisdictions.
- What is address-based sanctions screening?
- Evaluating whether blockchain addresses involved in a transaction appear on sanctions lists or are associated with sanctioned entities. This extends beyond direct list matching to include indirect association analysis and cluster analysis.
- How does the Travel Rule interact with sanctions screening?
- The Travel Rule requires collecting originator and beneficiary information for qualifying transfers. This information must be screened against sanctions lists before processing the transfer — creating a sanctions checkpoint that did not exist before Travel Rule implementation.
- What is the penalty for sanctions violations in crypto?
- OFAC penalties can reach millions of dollars per violation. Criminal penalties for willful violations include imprisonment. Bittrex paid $24 million. The severity is increasing as enforcement precedent accumulates.
- How quickly must I screen against new designations?
- Best practice is to ingest and implement new designations within 24 hours of publication. Some firms implement same-day updates for OFAC designations. Retroactive screening of your customer base should occur immediately upon list update.
Relevant Articles
What is deepidv?
Not everyone loves compliance — but we do. deepidv is the AI-native verification engine and agentic compliance suite built from scratch. No third-party APIs, no legacy stack. We verify users across 211+ countries in under 150 milliseconds, catch deepfakes that liveness checks miss, and let honest users through while keeping bad actors out.
Learn More