OFAC compliance is often treated as a point-in-time obligation: screen the customer at account opening, check the SDN list, clear the hit, done. That framing misses the actual regulatory expectation. OFAC sanctions compliance is an ongoing obligation, and for neobanks processing high volumes of account opens and transactions, the frequency, methodology, and documentation of screening decisions matter as much as whether you screen at all.
What the SDN List Actually Is — and What It Isn't
The OFAC Specially Designated Nationals and Blocked Persons List (SDN List) is the primary sanctions list US financial institutions must screen against. It includes individuals and entities subject to US sanctions programs across dozens of country programs, narcotics-related designations, terrorism-related designations, and others. As of recent counts, the SDN List contains more than 12,000 entries.
But the SDN List is not the only thing OFAC requires you to consider. Sectoral sanctions under programs like the CAPTA and SSI lists impose asset-freeze and transaction-prohibition requirements on specific classes of transactions with named parties, even when those parties are not on the SDN List. The OFAC 50% Rule — not always well understood by digital bank compliance teams — provides that any entity owned 50% or more, directly or indirectly, by one or more SDN-listed parties is itself treated as blocked, regardless of whether that entity appears on the SDN List by name.
For consumer-facing neobanks, the 50% Rule is most relevant in business account onboarding, not individual consumer accounts. But it's worth understanding the scope because OFAC guidance has been explicit about it since the 2014 advisory on ownership determinations.
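The ownership test described above can be run over the beneficial-ownership data collected at business onboarding. The sketch below is an added example, not code from the original article; it assumes indirect ownership is resolved by treating any entity that meets the 50% test as a blocked owner of whatever it holds, and all party names and stakes are constructed.

```python
def blocked_by_ownership(listed, stakes, threshold=50.0):
    """Return entities treated as blocked through ownership, not by name.

    listed: set of parties that appear on the list by name.
    stakes: {entity: {owner: percent_held}} from onboarding ownership data.
    """
    blocked = set(listed)
    changed = True
    while changed:  # repeat until a full pass adds no new entity
        changed = False
        for entity, owners in stakes.items():
            if entity in blocked:
                continue
            # Aggregate the stakes of every owner already treated as blocked.
            held = sum(pct for owner, pct in owners.items() if owner in blocked)
            if held >= threshold:
                blocked.add(entity)
                changed = True
    return blocked - set(listed)


# Constructed ownership data; every name is fictional.
LISTED = {"Person X", "Person Y"}
STAKES = {
    "Holdco A": {"Person X": 50.0, "Founder F": 50.0},   # direct, exactly 50%
    "Opco B": {"Holdco A": 60.0, "Founder G": 40.0},     # indirect via Holdco A
    "Tradeco C": {"Person X": 30.0, "Person Y": 25.0, "Fund H": 45.0},  # aggregated
    "Shell D": {"Person X": 25.0, "Founder F": 75.0},    # below 50%
    "Opco E": {"Shell D": 100.0},                        # owner is not blocked
}

if __name__ == "__main__":
    print(sorted(blocked_by_ownership(LISTED, STAKES)))
```

None of the three entities it returns would be found by name-matching against the list, which is why ownership data has to be screened as well as the account holder's name.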
Screening Frequency: The Re-Screening Obligation
The most common gap we see in neobank OFAC programs isn't the initial screen — it's the ongoing re-screening obligation. OFAC updates its sanctions lists in real time. New designations appear without advance notice. A customer who cleared OFAC screening at account opening in February can be designated by March.
The industry practice — and what examiners will evaluate — is some form of ongoing screening cadence against your full customer database. The frequency question doesn't have a single regulatory answer; OFAC guidance doesn't prescribe a specific interval. What it does specify is that institutions are expected to have a reasonable program that would detect prohibited transactions, including transactions with parties designated after account opening.
In practice, digital banks operating at more than 100,000 active accounts typically run daily or weekly batch re-screens of the full customer base against current SDN and OFAC consolidated lists. Institutions with lower account counts and lower transaction velocity can often justify less frequent re-screening with appropriate documentation of the risk-based rationale. What you cannot document defensibly is "we don't re-screen after account opening." That is a program gap, not a risk-based decision.
Fuzzy Matching: The Threshold Problem
Name-matching against the SDN List is not an exact-match problem. Sanctions targets appear under multiple name variants, aliases, dates of birth, and identification numbers. A screening system that only matches exact strings will miss a designated individual operating under a slightly different name spelling. A screening system calibrated too loosely will generate false hits on every customer with a common Arabic or Persian surname who has no sanctions connection whatsoever.
The fuzzy-matching threshold is where neobanks make consequential tradeoffs. A matching threshold set at 85% similarity (using a standard edit-distance or token-matching algorithm) will catch more genuine hits than a threshold at 95%, but will also generate substantially more false hits requiring manual review. A threshold at 95% will produce a manageable false-hit queue but risks missing a genuine match where the name has been transliterated differently.
We're not saying there is a universally correct threshold — the right calibration depends on the institution's customer risk profile, geographic concentration, and analyst capacity. What we are saying is that the threshold is a decision that needs to be made deliberately, documented with a rationale, and reviewed periodically as the customer base evolves. The default settings of a third-party screening vendor are not the same as a risk-based methodology tailored to your institution.
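To make the threshold tradeoff concrete, the following added example (not from the original article or any screening vendor) scores constructed customer names against a constructed list using normalized Levenshtein similarity over order-insensitive, diacritic-stripped tokens, then screens at 85% and 95%. The names, the scoring formula and the function names are assumptions chosen for illustration.

```python
import unicodedata


def normalize(name: str) -> str:
    """Strip diacritics and punctuation, lowercase, and sort tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in base.lower())
    return " ".join(sorted(cleaned.split()))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """1.0 for identical normalized names, falling toward 0.0 as edits grow."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    return 1.0 - edit_distance(na, nb) / max(len(na), len(nb))


def screen(customers, list_names, threshold):
    """Return (customer_id, best list name, score) for scores >= threshold."""
    hits = []
    for cid, cname in customers:
        best = max(list_names, key=lambda n: similarity(cname, n))
        score = similarity(cname, best)
        if score >= threshold:
            hits.append((cid, best, round(score, 4)))
    return hits


# Constructed data: fictional names, not taken from any sanctions list.
LIST_NAMES = ["Yusef Khalderan", "Dmitar Volkanov"]
CUSTOMERS = [
    ("C1", "KHALDERAN, Yûsef"),  # same name, different order and diacritics
    ("C2", "Yousef Khaldaran"),  # transliteration variant, scores 0.875
    ("C3", "Yusef Khalderani"),  # different surname one character away, 0.9375
    ("C4", "Maria Lindqvist"),   # unrelated
]

if __name__ == "__main__":
    for t in (0.85, 0.95):
        print(t, screen(CUSTOMERS, LIST_NAMES, t))
```

At 0.85 the queue holds C1, C2 and C3; at 0.95 only C1 remains, so the transliteration variant C2 is never reviewed. Recording scores like these for a labelled sample is one way to support the documented rationale for the chosen threshold.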
Hit Review: The Documentation Gap
When a screening system generates a potential match, the required workflow is: review the hit, make a determination (clear or escalate), and document the basis for the determination. The documentation requirement is where programs get thin under examination.
A common pattern: an analyst reviews a potential match, sees that the customer's date of birth doesn't match the SDN entry, marks it cleared, and moves on. No written record of what was compared, why the clearing was appropriate, or who made the decision. Six months later during an exam, the institution cannot reconstruct whether the hit review was substantive or cursory for any given case.
Adequate hit review documentation includes: the date of the potential match, the list entry that generated the hit, the data elements compared (name, date of birth, address, identification number), the determination made, and the analyst who made it. This is not a bureaucratic nicety. It is the evidence chain that demonstrates the institution's screening program was operating as designed.
Blocking vs. Rejecting Transactions: A Distinction That Matters
OFAC distinguishes between transactions that must be blocked (funds held in a separate blocked account, reported to OFAC within 10 business days) and transactions that must be rejected (transaction refused, counterparty not an SDN but transaction otherwise prohibited). Neobank compliance teams sometimes conflate these two categories operationally, which creates reporting problems.
If a funds transfer involves property of a designated party, the institution is required to block the funds and file a blocking report with OFAC. Returning the funds to the sender is not compliant. The blocked funds must be held in an interest-bearing blocked account and reported. Getting this wrong — rejecting when you should have blocked, or blocking when you should have rejected — is itself an OFAC violation even if the underlying identification was correct.
Most neobanks will encounter far more rejection situations than blocking situations in consumer business. But the distinction needs to be in the written program, and the staff handling hit review needs to understand it.