OFAC Compliance: Legal Framework, Enforcement Risks, and 2024–2025 Enforcement Developments

When it comes to OFAC rules, compliance isn’t optional. Violations can lead to heavy fines and even criminal charges. In this article, we break down the legal framework, explain key compliance responsibilities, and highlight recent enforcement trends—all to help businesses and individuals understand the risks and stay ahead in today’s fast-changing sanctions landscape.

The Office of Foreign Assets Control (OFAC), part of the U.S. Department of the Treasury, is the agency responsible for enforcing U.S. economic and trade sanctions. Its activity covers U.S. citizens, green card holders, companies registered in the U.S., and in many cases, even their foreign subsidiaries. In fact, non-U.S. businesses and individuals can also face serious consequences if their actions cause a U.S. person or company to break sanctions.

Over the past two years (2024–2025), enforcement has intensified, with record-breaking penalties and rapid regulatory changes.

Statutory and Regulatory Framework

OFAC’s powers are derived from a series of federal statutes and executive authorities:

  • International Emergency Economic Powers Act (IEEPA), 50 U.S.C. §§ 1701–1707 – Provides the President authority to regulate commerce during national emergencies.
  • Trading with the Enemy Act (TWEA), 50 U.S.C. App. §§ 1–44 – Still applied in the Cuba program.
  • United Nations Participation Act (UNPA), 22 U.S.C. § 287c – Implements sanctions adopted by the UN Security Council. 
  • Foreign Narcotics Kingpin Designation Act, 21 U.S.C. §§ 1901–1908 – Targets transnational narcotics traffickers. 
  • Global Magnitsky Human Rights Accountability Act and CAATSA – Expand sanctions to human rights violators and foreign adversaries.

These sanctions rules are set out in the Code of Federal Regulations (31 C.F.R. Parts 500–599), with each section covering a specific sanctions program. To help businesses and individuals understand who is restricted, OFAC also publishes several sanctions lists—including the well-known Specially Designated Nationals and Blocked Persons List (SDN List) and the Sectoral Sanctions Identifications List (SSI List).

Enforcement and Penalties

Sanctions violations can result in:

  • Civil Penalties of up to $330,947 per violation under IEEPA (adjusted annually).
  • Criminal Penalties including fines of up to $1 million and imprisonment of up to 20 years for willful violations.

OFAC evaluates whether conduct is egregious or non-egregious, whether the violation was voluntarily disclosed, and whether the party cooperated in enforcement inquiries. The penalties imposed in 2024–2025 demonstrate OFAC’s willingness to punish both large institutions and smaller businesses.

2024–2025 Enforcement Actions

Recent enforcement cases illustrate the breadth of OFAC’s focus:

  • GVA Capital Ltd. (2025): $215.99 million penalty for managing U.S. investments linked to a sanctioned Russian oligarch and failing to comply with an OFAC subpoena. 
  • Unicat Catalyst Technologies, LLC (2025): $3.88 million penalty for violations of Iran and Venezuela sanctions. 
  • Key Holding, LLC (2025): $608,825 penalty for Cuban sanctions violations committed by a Colombian subsidiary.
  • Harman International Industries, Inc. (2025): $1.45 million penalty for Iran sanctions violations. 
  • Haas Automation, Inc. (2025): $1.04 million penalty. 
  • Family International Realty LLC (2025): $1.08 million penalty. 
  • Interactive Brokers LLC (2025): $11.83 million penalty for servicing clients in multiple sanctioned jurisdictions. 
  • Fracht FWO Inc. (2025): $1.61 million penalty for logistics violations. 
  • SkyGeek Logistics, Inc. (2024): $22,172 penalty for aviation parts shipments linked to sanctioned parties.

Recent Sanctions Developments (2024–2025)

Key developments:

  • Russia: Sanctions on Russia’s energy exports, targeting shadow fleet vessels and oil trades with China and India. 
  • Iran: Sanctions on global networks disguising Iranian oil as Iraqi exports to China; designation of senior energy officials. 
  • Venezuela: Sanctions against Tren de Aragua gang leaders. 
  • Yemen: Sanctions on maritime companies supplying oil to Houthi rebels.
  • Cyber: Sanctions on Chinese hackers linked to the Ministry of State Security.
  • Regulatory: Removal of the Syria Sanctions Regulations; new general licenses and FAQs for Russia-related sanctions.

Compliance Obligations

OFAC requires that all U.S. persons, companies, and—often—their foreign affiliates comply with sanctions. Compliance isn’t just about running names through a screening list. It’s about building a culture of sanctions awareness and risk management throughout the organization.

The five pillars of an effective program:

  1. Management Commitment
    Compliance starts at the top. Senior leadership must show visible, documented commitment—appointing compliance officers, allocating resources, and ensuring board-level oversight. Regulators regularly flag weak leadership engagement as a major red flag in enforcement cases.

  2. Risk Assessment
    Companies need to carry out thorough and ongoing assessments of risks tied to geography, customers, products, and transactions. This means reviewing beneficial ownership structures, screening politically exposed persons, and monitoring dual-use goods. Importantly, these assessments must be documented and updated on a recurring basis.

  3. Internal Controls
    Strong compliance requires more than policies on paper. Written manuals, automated screening tools, escalation channels, clear segregation of duties, and at least five years of recordkeeping are all essential to demonstrating a serious program.

  4. Testing and Auditing
    Regular, independent audits and testing allow organizations to spot weaknesses before regulators do. Audit findings should be elevated to management and followed by measurable remediation steps.

  5. Training
    Training must be practical and role-specific. Shipping and logistics staff need to understand vessel sanctions, finance teams must know how to flag risky payments, and executives should be trained on both compliance and reputational risks.

Strategic Compliance Considerations

Beyond the basics, today’s sanctions compliance demands that organizations stay agile and responsive to fast-changing enforcement priorities and geopolitical realities. Here are the areas that matter most:

  1. Enhanced Screening and Due Diligence
    Sanctions evasion techniques are increasingly sophisticated. Screening systems can’t just check names—they must account for ownership and control (the 50 Percent Rule), indirect transactions, and maritime red flags such as ship-to-ship transfers, vessel renaming, or AIS manipulation.
  2. Cross-Border Coordination
    Global businesses face the challenge of overlapping and sometimes conflicting regimes. U.S. sanctions may diverge from EU, U.K., Canadian, or UN measures. In such cases, companies must balance compliance with avoiding violations of “blocking statutes”—a task that often requires careful legal input.
  3. Sectoral Expansion
    Sanctions now extend far beyond traditional finance and trade. Technology, cybersecurity, logistics, real estate, investment, and even cryptocurrency platforms are squarely in scope. Freight forwarders, venture funds, and digital asset companies are learning that they, too, are part of the compliance landscape.
  4. Agility and Adaptability
    Sanctions programs can shift overnight. Policies and systems need to be flexible enough for immediate updates—illustrated by OFAC’s 2025 decision to remove the Syria Sanctions Regulations, which forced businesses to adjust in real time.
  5. Responding to Enforcement Inquiries
    The stakes are high. Record penalties, such as GVA Capital’s $215.99M settlement, show what happens when companies ignore subpoenas or delay responses. Every organization should have a clear playbook for enforcement inquiries, with legal counsel brought in from the start.
  6. Integration with Enterprise Risk Management
    Sanctions compliance should never sit in isolation. It must connect with AML/CTF programs, export controls (ITAR/EAR), and broader corporate governance. When integrated into enterprise risk management, sanctions compliance becomes a shield—reducing exposure, strengthening resilience, and protecting reputation.

Best Practices

  1. Regular Risk Assessments – Risk reviews must keep pace with global events. Geopolitical changes can instantly reshape exposure, so assessments should be updated continuously, not just once a year.

  2. Comprehensive Screening Systems – Screening should extend beyond direct customers to cover subsidiaries, affiliates, and beneficial ownership structures. Hidden connections are often where violations surface.

  3. Clear Escalation Procedures – When potential matches arise, staff should know exactly how to escalate the issue, who is responsible for review, and what timelines apply.

  4. Detailed Recordkeeping – Every compliance decision, including how subpoenas and enforcement requests were handled, must be documented thoroughly. Records are often the difference between demonstrating good faith and facing penalties.

  5. Sector-Specific Training – High-risk industries—such as shipping, fintech, and energy—require tailored training that addresses their unique risks rather than generic compliance refreshers.

  6. Early Legal Counsel Engagement – For licenses, complex transactions, or potential enforcement actions, involving counsel early ensures that businesses act quickly, confidently, and defensibly.

OFAC compliance is not static—it is dynamic, complex, and high-stakes. The enforcement trends of 2024 and 2025 confirm three realities: penalties are escalating, industries in scope are broadening, and regulatory change is accelerating. The cost of underinvesting in compliance far exceeds the investment required to build a strong program. In this environment, robust compliance is not just a legal necessity—it is a strategic advantage.