Do I need sanctions screening for my fintech?
A direct, honest answer for founders of payments, neobank, lending, and crypto startups: when sanctions screening is legally required, and what a lean program looks like at seed and Series A.

The short answer is almost certainly yes. If you touch money movement — cards, ACH, wires, stablecoins, remittance, on-chain payouts, custodial wallets, or any adjacent product — U.S. sanctions law applies to you, whether or not your banking partner has asked about it yet.
The longer answer is more useful, because a lot of fintech founders either overbuild (buy enterprise compliance software before product-market fit) or underbuild (assume Stripe or their sponsor bank "handles it").
Informational only, not legal advice.
What actually requires screening
Three broad triggers pull a fintech into sanctions screening obligations:
1. You are a "U.S. person" under OFAC. U.S.-incorporated entities, U.S. citizens and residents anywhere in the world, and any entity's U.S. branches. Almost all U.S.-founded fintechs qualify.
2. Your transactions have a "U.S. nexus." You clear USD through a correspondent bank. You use a U.S.-based processor. You interact with U.S. dollar rails, U.S. custodians, or U.S. exchanges. This pulls in many non-U.S. fintechs.
3. Your regulator, sponsor bank, or partner requires it contractually. Nearly every card sponsor, payment processor, and BaaS provider has a sanctions-screening clause in the agreement. Failing to comply is a contract breach in addition to any regulatory issue.
If any of those apply — which for a real fintech is essentially always — you are in scope.
What FinCEN and OFAC actually expect
There is no single "sanctions program regulation" that spells out the exact controls. The expectation, roughly, is a risk-based program with:
- Written policies and procedures
- Screening at customer onboarding
- Ongoing (typically real-time or near-real-time) transaction screening
- Periodic re-screening of the customer base
- Escalation and reporting procedures
- Record retention (5 years is a defensible default)
- Training for relevant staff
Enforcement over the past several years has emphasized that "we relied on our vendor" is not an acceptable defense. You cannot outsource the program itself; you can outsource the tooling.
A lean fintech sanctions program at seed / Series A
Here is what a minimum viable program looks like when you have three engineers and no compliance officer:
1. Written policy (2–4 pages). Who you screen, when you screen, which lists, review thresholds, escalation path, record retention. Have counsel review it once; then update it as the program evolves.
2. Onboarding screen. Every new customer (individual or business) is screened against OFAC SDN and OFAC Consolidated before they can transact. Businesses: screen the entity name, DBAs, and — for anything higher-risk — beneficial owners.
3. Transaction screening. Payment beneficiaries and originators are screened at the time of the transaction, not just at onboarding. For crypto-native fintechs, this includes wallet-address screening against OFAC's SDN crypto addresses.
4. Continuous re-screening. Existing customers are re-screened at least monthly (daily is better) so that new designations are caught without waiting for the customer to transact again.
5. Audit trail. Every screening event is logged with a timestamp, list version, score, and adjudication decision. This is non-negotiable — see the audit trail post.
6. Escalation. A single named person is responsible for adjudicating potential hits and, if a true match is confirmed, freezing the transaction and (in the U.S.) filing a blocking report with OFAC within 10 business days.
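The name-screening and audit-trail steps above, as an added example that is not Kleerance code or part of the original article: each name is compared against primary names and aliases, and every screening event is logged with timestamp, list version, score, and decision. The list entries, uids, version string, and the 0.85 review threshold are constructed assumptions, and Python's `difflib` stands in for a production fuzzy matcher.

```python
import json
import unicodedata
from datetime import datetime, timezone
from difflib import SequenceMatcher

# Constructed sample list: entries, uids and version string are invented.
LIST_VERSION = "sample-list-2024-01-01"
SAMPLE_LIST = [
    {"uid": "X-0001", "name": "Ivan Petrovich Example",
     "aliases": ["I. P. Exampel", "Vanya Example"]},
    {"uid": "X-0002", "name": "Northwind Shipping LLC",
     "aliases": ["Nordwind Shipping"]},
]
REVIEW_THRESHOLD = 0.85  # assumed value; the written policy sets the real one


def normalize(name):
    """Lowercase, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = "".join(c if c.isalnum() else " " for c in text.lower())
    return " ".join(text.split())


def best_match(name, entries=SAMPLE_LIST):
    """Return (score, uid, matched_name) for the closest name or alias."""
    query = normalize(name)
    best = (0.0, None, None)
    for entry in entries:
        for candidate in [entry["name"], *entry["aliases"]]:
            score = SequenceMatcher(None, query, normalize(candidate)).ratio()
            if score > best[0]:
                best = (round(score, 3), entry["uid"], candidate)
    return best


def screen(subject, event, audit_log):
    """Screen one name, append an audit record, and return that record."""
    score, uid, matched = best_match(subject)
    hit = score >= REVIEW_THRESHOLD
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event": event,  # "onboarding", "transaction" or "rescreen"
        "subject": subject,
        "list_version": LIST_VERSION,
        "score": score,
        "matched_uid": uid if hit else None,
        "matched_name": matched if hit else None,
        "decision": "pending_review" if hit else "clear",
    }
    audit_log.append(json.dumps(record, sort_keys=True))
    return record
```

A `pending_review` record is what the named adjudicator in step 6 works from; clear results are logged too, so the trail shows that a screen happened and against which list version.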
What lists to screen against
For a U.S. fintech at minimum:
- OFAC SDN
- OFAC Consolidated (Sectoral Sanctions, Non-SDN Menu-Based Sanctions, etc.)
- SAM.gov exclusions (if you have any government-facing exposure)
For a fintech with cross-border users, add:
- UN Consolidated
- EU CFSP
- UK OFSI
Kleerance indexes all of the above. See the OFAC vs BIS vs SAM.gov comparison for the reasoning behind the coverage pick.
Common mistakes
- Assuming your sponsor bank handles it. They handle their own screening. You still owe your own.
- Screening only names, not aliases. SDN aliases are where a lot of misses happen.
- Weekly manual CSV downloads. The list changes multiple times a week. Automate.
- No audit trail. The single most common finding in enforcement actions.
- Overbuilding. You do not need a six-figure enterprise platform at seed. A defensible, well-documented lean program is more credible than an unused expensive one.
When to level up
Move beyond a lean program when any of these become true:
- You hit $1M+ ARR or your sponsor bank asks for a formal program review
- You expand beyond the U.S. and pick up EU/UK obligations
- You add higher-risk products (money remittance, crypto off-ramps, cross-border payouts)
- You get your first bank exam or SOC 2 audit that touches sanctions
How Kleerance fits
Kleerance is built for the SMB fintech case: fast fuzzy screening across ten government watchlists, a per-account audit trail, monitoring for continuous re-screening, and pricing that starts at $100/month — not $60k/year. Start a free trial or browse the watchlists.
This article is for informational purposes only and is not legal advice. Consult a qualified sanctions or export-controls attorney for guidance on your specific obligations.
Related articles
- What is a restricted-party screening audit trail, and why it matters. An audit trail is what turns a screening tool into a compliance program. Here is what a defensible audit trail looks like, what regulators and banks expect to see, and how to keep one without slowing your team down.
- OFAC vs BIS vs SAM.gov: which lists do you actually need to check? A direct comparison of the three U.S. government restricted-party lists most companies encounter — OFAC SDN, BIS Entity List, and SAM.gov exclusions — and which combinations make sense for different businesses.
- What is the BIS Entity List (and who needs to check it). The BIS Entity List restricts exports to specific foreign parties for national-security reasons. Here is what it covers, how it differs from OFAC SDN, and who needs to screen against it.
- How to screen vendors against the OFAC SDN list. A practical walkthrough of screening vendors and counterparties against the U.S. Treasury OFAC SDN list — what to check, how often, and how to keep a defensible audit trail.