3 Ways to Maintain OFAC Compliance Beyond Vendor Setup


The Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list contains names of individuals, banks, businesses, etc. that have been blocked from doing business in the US. The US government prohibits US citizens, US-based entities and US branches of foreign companies from doing business with parties on the SDN list. Compliance with OFAC regulations is required, and failure to comply can result in both civil and criminal penalties.

During vendor setup, you are performing the OFAC SDN check to ensure the vendor does not appear on the list (if not, check out my blog post). That’s great, but compliance is just beginning.

Why is Monitoring of Existing Vendors Required?

OFAC regularly updates the SDN list, which means a new vendor you set up today may, as an existing vendor, be added to the list in the future. The excerpt below is a FAQ response on the US Department of the Treasury FAQ site showing that the civil and criminal penalties can exceed “several million dollars”:

[Image: FAQ response excerpt from the US Department of the Treasury FAQ site]

How Can I Monitor My Existing Active Vendors?

OFAC Site – OFAC maintains full SDN lists and also publishes updates to the sanctions list. Both the full list and the list of changes are available for download in PDF and Text formats. You may sign up for the email subscription service to be notified of changes. Sign up here. They also have an RSS feed that is updated whenever the OFAC site is updated. Manually verify that vendors on the SDN list (or change list) do not exist in your vendor master file. This is a great manual task to automate using Robotic Process Automation (RPA) or another automation solution that compares names on the report to vendor names in your vendor master file.

TINCheck.com – If you are already using TINCheck.com for your IRS TIN Matching, you already know that the service also checks the OFAC SDN list (in addition to other watch lists). Monthly (or more often) you can use the bulk option to revalidate against the OFAC SDN List. When you use the bulk option you don’t have to input the vendor’s Tax ID – just use 9 “0”s for the TIN and upload. There is a base cost for the upload, which increases for volumes over 875. You also have to contact TINCheck.com to have them turn that function on; otherwise you won’t see it as a tab option.

Continuous Monitoring Software – This can be via a vendor self-registration portal, your vendor risk screening process or a separate compliance service. Since the functions of self-registration portals and screening services can vary, verify with your 3rd party provider that this function is available and turned on. This is the most expensive route to take, but not when compared to the potential penalties for non-compliance.

Have another way you monitor your existing vendors for OFAC compliance? Comment and share.

Your existing active vendors need to be revalidated at least monthly. Check to make sure the Legal Name and Tax ID still match, whether their status should be changed to inactive if they have done business with your company in a designated number of months, and most importantly, whether they are now on the OFAC SDN list.

Haven’t revalidated lately? See my 5 Day Vendor Master File Clean-Up

Want a handy Cheat Sheet that includes the links to vendor validation resources?  Sign up for my mailing list to download the Vendor Validation Reference List and share with your entire team!

Protect the Vendor Master File from Fraud.  Keep it Clean. 



Debra R. Richardson,


Debra is an accounts payable speaker, consultant, and trainer with over 20 years of experience in AP, AR, general ledger, and financial reporting for Fortune 500 companies including Verizon, General Motors and Aramark.

For the past eight years, Debra has focused on Global Vendor Maintenance, and implemented a vendor self-registration portal for 140k+ global vendors across five Accounting Systems/ERPs. In her consultancy, she focuses on internal controls and authentication to prevent fraud in the vendor master file.