
Do I need sanctions screening for my fintech?

A direct, honest answer for founders of payments, neobank, lending, and crypto startups: when sanctions screening is legally required, and what a lean program looks like at seed and Series A.

Kleerance Editorial

The short answer is almost certainly yes. If you touch money movement — cards, ACH, wires, stablecoins, remittance, on-chain payouts, custodial wallets, or any adjacent product — U.S. sanctions law applies to you, whether or not your banking partner has asked about it yet.

The longer answer is more useful, because a lot of fintech founders either overbuild (buy enterprise compliance software before product-market fit) or underbuild (assume Stripe or their sponsor bank "handles it").

Informational only, not legal advice.

What actually requires screening

Three broad triggers pull a fintech into sanctions screening obligations:

1. You are a "U.S. person" under OFAC. That covers U.S.-incorporated entities, U.S. citizens and residents wherever they are located, and the U.S. branches of any entity. Almost all U.S.-founded fintechs qualify.

2. Your transactions have a "U.S. nexus." You clear USD through a correspondent bank. You use a U.S.-based processor. You interact with U.S. dollar rails, U.S. custodians, or U.S. exchanges. This pulls in many non-U.S. fintechs.

3. Your regulator, sponsor bank, or partner requires it contractually. Nearly every card sponsor, payment processor, and BaaS provider has a sanctions-screening clause in the agreement. Failing to comply is a contract breach in addition to any regulatory issue.

If any of those apply — which for a real fintech is essentially always — you are in scope.

What FinCEN and OFAC actually expect

There is no single "sanctions program regulation" that spells out the exact controls. The expectation, roughly, is a risk-based program with:

  • Written policies and procedures
  • Screening at customer onboarding
  • Ongoing (typically real-time or near-real-time) transaction screening
  • Periodic re-screening of the customer base
  • Escalation and reporting procedures
  • Record retention (5 years is a defensible default)
  • Training for relevant staff

Enforcement over the past several years has emphasized that "we relied on our vendor" is not an acceptable defense. You cannot outsource the program itself; you can outsource the tooling.

A lean fintech sanctions program at seed / Series A

Here is what a minimum viable program looks like when you have three engineers and no compliance officer:

1. Written policy (2–4 pages). Who you screen, when you screen, which lists, review thresholds, escalation path, record retention. Have counsel review it once; then update it as the program evolves.

2. Onboarding screen. Every new customer (individual or business) is screened against OFAC SDN and OFAC Consolidated before they can transact. Businesses: screen the entity name, DBAs, and — for anything higher-risk — beneficial owners.

3. Transaction screening. Payment beneficiaries and originators are screened at the time of the transaction, not just at onboarding. For crypto-native fintechs, this includes wallet-address screening against OFAC's SDN crypto addresses.

4. Continuous re-screening. Existing customers are re-screened at least monthly (daily is better) so that new designations are caught without waiting for the customer to transact again.

5. Audit trail. Every screening event is logged with a timestamp, list version, score, and adjudication decision. This is non-negotiable — see the audit trail post.

6. Escalation. A single named person is responsible for adjudicating potential hits and, if a true match is confirmed, freezing the transaction and (in the U.S.) filing a blocking report with OFAC within 10 business days.
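
An added illustration (not Kleerance's code) of steps 2 and 5 together: an alias-aware onboarding screen that emits the audit record fields listed above. The list entries, the list version string and the 0.85 review threshold are constructed placeholders, and the fuzzy score is difflib's similarity ratio, used here only so the example runs with nothing but the standard library.

```python
"""Alias-aware name screening that records a per-event audit entry.

Added example, not Kleerance's implementation. SAMPLE_LIST holds constructed
placeholder entries, not real SDN records; LIST_VERSION is a constructed value
standing in for the publication date of the list you actually loaded.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from difflib import SequenceMatcher


@dataclass
class ListEntry:
    uid: str
    name: str
    aliases: list = field(default_factory=list)


SAMPLE_LIST = [  # constructed sample data
    ListEntry("SAMPLE-001", "Example Trading Company Ltd",
              ["EXMPL Trading", "Example Trading Co."]),
    ListEntry("SAMPLE-002", "Jane Q. Placeholder", ["J. Placeholder"]),
]
LIST_VERSION = "constructed-list-2024-01-01"


def normalize(name: str) -> str:
    """Upper-case, drop punctuation and common corporate suffixes so that
    'Example Trading Co.' and 'EXAMPLE TRADING LTD' compare as equal."""
    s = re.sub(r"[^\w\s]", " ", name.upper())
    s = re.sub(r"\b(LTD|LLC|INC|CO|COMPANY|LIMITED)\b", " ", s)
    return " ".join(s.split())


def best_match(query: str, entries=SAMPLE_LIST):
    """Return (uid, matched_string, score) for the best-scoring primary name
    OR alias; screening aliases is the point the 'Common mistakes' list makes."""
    q = normalize(query)
    best = (None, None, 0.0)
    for e in entries:
        for candidate in [e.name, *e.aliases]:
            score = SequenceMatcher(None, q, normalize(candidate)).ratio()
            if score > best[2]:
                best = (e.uid, candidate, score)
    return best


def screen(query: str, threshold: float = 0.85) -> dict:
    """Screen one name and return the audit record: timestamp, list version,
    score and decision. REVIEW means a human must adjudicate; it is not a block."""
    uid, matched, score = best_match(query)
    hit = score >= threshold
    return {
        "screened_at": datetime.now(timezone.utc).isoformat(),
        "list_version": LIST_VERSION,
        "query": query,
        "match_uid": uid if hit else None,
        "matched_string": matched if hit else None,
        "score": round(score, 3),
        "decision": "REVIEW" if hit else "CLEAR",
    }
```

Persist every returned record, including the CLEAR ones, since the audit trail has to show that a customer was screened even when nothing matched.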

What lists to screen against

For a U.S. fintech at minimum:

  • OFAC SDN
  • OFAC Consolidated (Sectoral Sanctions, Non-SDN Menu-Based Sanctions, etc.)
  • SAM.gov exclusions (if you have any government-facing exposure)

For a fintech with cross-border users, add:

  • UN Consolidated
  • EU CFSP
  • UK OFSI

Kleerance indexes all of the above. See the OFAC vs BIS vs SAM.gov comparison for the reasoning behind the coverage pick.

Common mistakes

  • Assuming your sponsor bank handles it. They handle their own screening. You still owe your own.
  • Screening only names, not aliases. SDN aliases are where a lot of misses happen.
  • Weekly manual CSV downloads. The list changes multiple times a week. Automate.
  • No audit trail. The single most common finding in enforcement actions.
  • Overbuilding. You do not need a six-figure enterprise platform at seed. A defensible, well-documented lean program is more credible than an unused expensive one.

When to level up

Move beyond a lean program when any of these become true:

  • You hit $1M+ ARR or your sponsor bank asks for a formal program review
  • You expand beyond the U.S. and pick up EU/UK obligations
  • You add higher-risk products (money remittance, crypto off-ramps, cross-border payouts)
  • You get your first bank exam or SOC 2 audit that touches sanctions

How Kleerance fits

Kleerance is built for the SMB fintech case: fast fuzzy screening across ten government watchlists, a per-account audit trail, monitoring for continuous re-screening, and pricing that starts at $100/month — not $60k/year. Start a free trial or browse the watchlists.

This article is for informational purposes only and is not legal advice. Consult a qualified sanctions or export-controls attorney for guidance on your specific obligations.
