OFAC vs BIS vs SAM.gov: which lists do you actually need to check?
A direct comparison of the three U.S. government restricted-party lists most companies encounter — OFAC SDN, BIS Entity List, and SAM.gov exclusions — and which combinations make sense for different businesses.

Every founder who has ever set up a compliance program has asked some version of the same question: "which lists do I actually need to check?" The answer depends on what you do, but the confusion usually comes from lumping together three lists that live at three different agencies and enforce three different things.
Informational only, not legal advice.
The three lists
OFAC SDN — Treasury Department. Sanctioned individuals and companies. Assets blocked; U.S. persons prohibited from dealing. This is the "sanctions" list people usually mean when they say "sanctions."
BIS Entity List — Commerce Department. Foreign parties subject to specific license requirements for exports of items subject to the Export Administration Regulations. Not asset-blocking — this is about controlling what you can ship, not who you can pay.
SAM.gov Exclusions — General Services Administration. Persons and entities excluded from U.S. federal contracting, subcontracting, and certain federal assistance and benefit programs. Managed as the "System for Award Management" exclusion records.
Comparison
| OFAC SDN | BIS Entity List | SAM.gov Exclusions | |
|---|---|---|---|
| Agency | Treasury (OFAC) | Commerce (BIS) | GSA |
| Primary purpose | Sanctions | Export controls | Federal-contract debarment |
| What it does | Blocks U.S. dealings and freezes assets | Requires license for EAR-controlled exports | Excludes from federal contracting/assistance |
| Who has to check | All U.S. persons | Any exporter of EAR items | Federal contractors, grantees, and awarding agencies |
| Update cadence | Rolling (multiple times/week) | Rolling | Rolling |
Which lists match which businesses
A U.S. fintech with no federal customers Minimum: OFAC SDN + OFAC Consolidated. Consider adding UN/EU/UK Consolidated if you have international users.
A U.S. exporter of hardware, semiconductors, or dual-use tech Minimum: OFAC SDN + BIS Entity List + BIS Denied Persons List. Consider adding OFAC Consolidated and (for defense-adjacent items) State Department lists.
A U.S. federal contractor or grantee Minimum: SAM.gov Exclusions + OFAC SDN. Contract-specific requirements will likely dictate more.
A marketplace or platform with mixed U.S. and international counterparties Minimum: OFAC SDN + OFAC Consolidated + BIS Entity List + UN Consolidated + EU CFSP + UK OFSI.
An importer Minimum: OFAC SDN + BIS Entity List (for supplier due diligence and forced-labor risk under UFLPA-adjacent lists). Add trade-specific lists (e.g., DHS UFLPA Entity List) if you source from higher-risk regions.
Why "check all of them" is a reasonable default
Screening additional lists at ingestion time is cheap. The operational cost is in reviewing potential hits, not in loading more lists. For most businesses, screening against all ten of these government sources is the pragmatic default, and then tuning your review threshold so lower-priority lists only surface high-confidence matches.
Kleerance covers all ten:
- OFAC SDN
- OFAC Consolidated
- BIS Denied Persons List
- BIS Entity List
- State Department DTC Debarred
- State Department ISN Nonproliferation
- SAM.gov Exclusions
- UN Consolidated
- EU CFSP
- UK OFSI
See the full watchlist catalog for the underlying primary sources.
Common mistakes
- Treating OFAC SDN as the whole program. It is one of ten government sources you probably need.
- Assuming SAM.gov is only for federal contractors. Anyone with grant or benefit exposure may need it.
- Skipping the Entity List because "we're not an exporter." SaaS, cloud services, and even some technical support qualify as exports.
- Screening once at onboarding. The lists change every week — sometimes every day.
Where to go next
- How to screen vendors against the OFAC SDN list
- What is the BIS Entity List
- Restricted-party audit trails, and why they matter
Or start a free trial of Kleerance and run a real screening against all ten lists in one query.
This article is for informational purposes only and is not legal advice. Consult a qualified sanctions or export-controls attorney for guidance on your specific obligations.
Related articles
- What is a restricted-party screening audit trail, and why it mattersAn audit trail is what turns a screening tool into a compliance program. Here is what a defensible audit trail looks like, what regulators and banks expect to see, and how to keep one without slowing your team down.
- What is the BIS Entity List (and who needs to check it)The BIS Entity List restricts exports to specific foreign parties for national-security reasons. Here is what it covers, how it differs from OFAC SDN, and who needs to screen against it.
- Do I need sanctions screening for my fintech?A direct, honest answer for founders of payments, neobank, lending, and crypto startups: when sanctions screening is legally required, and what a lean program looks like at seed and Series A.
- How to screen vendors against the OFAC SDN listA practical walkthrough of screening vendors and counterparties against the U.S. Treasury OFAC SDN list — what to check, how often, and how to keep a defensible audit trail.