← Back to guides

Sanctions Screening for Crypto Transactions

2026-04-01 · Web3 Compliance AI

The Sanctions Compliance Obligation

Sanctions screening is a legal requirement, not optional risk management. In the US, OFAC regulations apply to all US persons and US-nexus transactions — strict liability means intent is irrelevant. The EU, UK, and other jurisdictions impose similar obligations. For crypto businesses, sanctions compliance has unique challenges: pseudonymous addresses, cross-border transactions, and rapidly evolving designations.

What Must Be Screened

Customer Screening

Screen all customers against sanctions lists at onboarding and on an ongoing basis. Lists include: OFAC SDN List and Consolidated Sanctions List, EU Consolidated Financial Sanctions List, UN Security Council Sanctions List, and HMT (UK) Financial Sanctions List. Screen names, aliases, dates of birth, nationalities, and identity document numbers. Use fuzzy matching to catch transliteration variations and aliases.

Transaction Screening

Screen wallet addresses involved in every transaction — both deposits and withdrawals. OFAC has designated specific cryptocurrency addresses on the SDN List (beginning with the Tornado Cash action in 2022 and continuing since). Screen against: OFAC's published crypto addresses, addresses identified by blockchain analytics providers as associated with sanctioned entities, and addresses with direct exposure to sanctioned jurisdictions (North Korea, Iran, Syria, etc.).

Blockchain Analytics Integration

Raw address matching against OFAC lists is necessary but not sufficient. Blockchain analytics tools (Chainalysis, Elliptic, TRM Labs) provide: indirect exposure analysis (e.g., funds that passed through a sanctioned mixer), cluster analysis linking addresses to sanctioned entities, risk scoring based on transaction history, and real-time alerts on newly designated addresses.

Implementation Architecture

Real-Time vs. Batch

Customer screening can be batch (daily re-screening of your entire customer base against updated lists) plus real-time (screening at onboarding and when lists are updated). Transaction screening must be real-time — block or flag transactions before they are processed.

Screening Workflow

  1. Pre-transaction check — Before processing a withdrawal, screen the destination address. Block if sanctioned.
  2. Deposit monitoring — When funds arrive, screen the source address. If sanctioned, freeze and report.
  3. Alert handling — When a potential match is found, escalate to compliance for investigation. Do not automatically clear false positives without human review.
  4. Blocking and rejection — If a true match is confirmed, block the transaction, freeze the account, and file a blocking report (OFAC requires this within 10 business days).

Jurisdictional Nuances

OFAC (US)

Strict liability regime. No intent required. Penalties can reach millions per violation. OFAC expects a risk-based sanctions compliance program with five elements: management commitment, risk assessment, internal controls, testing/auditing, and training. Voluntary self-disclosure significantly reduces penalties.

EU

EU sanctions prohibit making funds or economic resources available to designated persons. The 2024 updates to EU sanctions regulations explicitly address crypto-assets. Each member state has a competent authority for enforcement.

Secondary Sanctions

US secondary sanctions can apply to non-US persons who transact with sanctioned entities. Crypto businesses outside the US must still consider OFAC exposure, particularly if they process USD-denominated stablecoins or serve US customers.

Ongoing Maintenance

Sanctions lists are updated frequently — sometimes daily. Your screening system must ingest updates promptly. OFAC publishes updates via RSS feed and API. Maintain an audit trail of every screening event, including the list version used, the match results, and any investigation notes.

Common Failures

Enforcement actions in crypto have targeted: failure to screen wallet addresses (not just names), failure to update sanctions lists promptly, over-reliance on automated clearing without human review, and failure to file blocking reports within the required timeframe. Build your program to address all of these explicitly.