
OFAC Risk Assessment Template: Sanctions Exposure Scoring for Financial Institutions

May 5, 2026 Rebecca Leung

TL;DR

  • OFAC sanctions liability is strict — intent doesn’t matter, and a single missed sanctioned counterparty can trigger civil penalties up to $330,947 per violation under IEEPA (adjusted annually).
  • OFAC’s Framework for Compliance Commitments names risk assessment as one of five essential components, and Treasury has cited inadequate risk assessments in nearly every major enforcement action of the past five years — including Binance’s $968 million settlement in 2023.
  • The risk assessment must score four dimensions: customers, geographies, products/services, and channels. Each dimension feeds inherent risk, which combines with control effectiveness to produce residual risk.
  • The fintech and crypto enforcement wave (Payoneer, Poloniex, Kraken, BitPay) has made one thing clear: charter type doesn’t change the expectation. If you move money or hold customer funds, you need a documented OFAC risk assessment.

A bank that didn’t update its OFAC risk assessment after Russia invaded Ukraine got hit at exam — twice. The risk assessment didn’t reflect the new comprehensive Russia sanctions, didn’t address the 50% Rule expansion, and didn’t drive a list update for the bank’s screening tool. The findings weren’t about a missed hit. They were about the absence of governance — a stale assessment that didn’t connect to the controls. Examiners flagged it as a Matter Requiring Attention before they even tested a single transaction.

That’s the OFAC risk assessment in 2026. It’s not an academic exercise. It’s the document that ties your sanctions program to actual exposure — and it’s the first thing OFAC, the OCC, NYDFS, and your sponsor bank’s TPRM team want to see.

This walkthrough covers the OFAC Framework for Compliance Commitments, the four dimensions every assessment must score, a defensible scoring methodology, and where examiners and auditors look first.

Why Risk Assessment Sits at the Center of OFAC Compliance

OFAC’s 2019 Framework for Compliance Commitments named five essential components of an effective sanctions compliance program (SCP):

  1. Management commitment
  2. Risk assessment
  3. Internal controls
  4. Testing and auditing
  5. Training

Risk assessment isn’t just one of five — it’s the input that drives the other four. Management commitment is sized to risk. Internal controls are calibrated to risk. Testing scope follows risk. Training audience and frequency follow risk. A weak risk assessment makes everything downstream incoherent.

OFAC made this explicit in the Framework: the assessment should be a “holistic review of the organization from top-to-bottom,” covering external touchpoints where the organization may directly or indirectly violate sanctions. Customers, products, services, supply chain, intermediaries, counterparties, transactions, and geographies — all in scope.

What Recent Enforcement Tells Us

Treasury issued 12 public OFAC enforcement actions in 2024, assessing roughly $48.8 million in civil monetary penalties. The 2023 number was $1.5 billion — anchored by Binance’s $968,618,825 settlement for 1,667,153 apparent violations. The lessons across both years:

  • Geographies aren’t optional. Half of OFAC’s 2024 actions involved Iran sanctions. Iran, Russia/Ukraine, North Korea, Cuba, Syria, and the comprehensively-sanctioned regions of Ukraine continue to dominate. If your geography risk factor doesn’t address every comprehensive program, that’s a finding.
  • Charter type doesn’t matter. Poloniex ($7.6M), Kraken ($362K), BitPay ($507K), Payoneer ($1.5M), and ALICO ($178K) all ended up in OFAC enforcement releases. None of them looked like traditional banks. All of them had inadequate risk assessments at the time of the conduct.
  • Algorithmic excuses don’t work. OFAC’s Binance announcement made the point explicitly: “It is no defense that an algorithm or other ‘autonomous’ system or formula serves as the mechanism for the underlying transactions. Companies are responsible for the operation and consequences of the technologies they employ.” Your risk assessment must address how automated systems decide whom to onboard, screen, and transact with.
  • Remedial credit comes from the program. Under General Factor F of the Economic Sanctions Enforcement Guidelines, OFAC mitigates penalties when the subject person had an effective compliance program built around the five components. The risk assessment is the artifact OFAC examines first to evaluate that defense.

The Four Dimensions Every OFAC Risk Assessment Must Score

A defensible OFAC risk assessment scores inherent risk across four dimensions, layered with control effectiveness to produce residual risk. Examiners look for all four, scored separately, with documented reasoning.

1. Customer Risk

Score the customer base by sanctions-relevant attributes:

  • Customer type: Retail, commercial, correspondent, fintech-as-customer, money services businesses
  • Beneficial ownership complexity: Direct individuals vs. multi-tier corporate structures vs. trusts
  • PEP and adverse media exposure: Heightened diligence customers
  • Geographic footprint of customer activity: Where does the customer transact, not just where they’re domiciled
  • Industry sector: Energy, defense, dual-use technology, shipping, virtual asset services — all higher inherent risk

Document the population — number of accounts, percentage in each tier — so the assessment shows you measured rather than asserted.

2. Geographic Risk

This is the dimension regulators examine first. Score by:

  • Comprehensive sanctions programs: Cuba, Iran, North Korea, Syria, Crimea, Donetsk, Luhansk, Kherson, Zaporizhzhia
  • List-based sanctions programs: Russia, Belarus, Venezuela, Myanmar, Sudan, Zimbabwe, and the dozens of program-specific lists
  • High-risk financial crime jurisdictions: FATF gray-list and black-list jurisdictions
  • Bordering and transshipment risk: UAE, Türkiye, China, Hong Kong, and other jurisdictions where sanctions evasion typologies cluster
  • Customer location vs. transaction location: A US customer wiring through a UK correspondent to a Hong Kong beneficiary touches three jurisdictions, all of which need scoring

Your geographic risk factor should be updated whenever OFAC adds a comprehensive program or a major secondary sanctions expansion. The 2022 Russia program is the modern stress test for whether the assessment is alive or stale.

3. Product and Service Risk

Different products carry different inherent sanctions risk. Score by:

  • Cross-border vs. domestic-only products: Wire transfers, SWIFT messaging, correspondent banking, FX, trade finance
  • Cash equivalents and prepaid products: Stored value cards, money orders, prepaid debit
  • Virtual asset products: Crypto custody, exchange, on-ramp/off-ramp, stablecoin issuance
  • Trade finance and letters of credit: Dual-use goods exposure, vessel financing, oil and energy
  • Correspondent banking and nested relationships: Indirect risk through respondents
  • Lending products: Trade-based money laundering exposure, specially designated nationals as guarantors

The Binance enforcement action was effectively about a product — a global virtual currency exchange — operating without geographic controls. Your product risk needs to assess whether the product structure itself creates exposure.

4. Channel and Delivery Risk

How the customer interacts with the institution materially changes inherent risk.

  • Face-to-face vs. fully digital onboarding: Identity verification quality
  • Third-party introducers and partners: Banking-as-a-Service relationships, broker-dealer correspondents, agent networks
  • API and aggregator channels: Open banking, BaaS, embedded finance
  • Mobile-only access from sanctioned regions: VPN and IP geofencing failures
  • Self-onboarding and instant funding: Time pressure that compresses screening

Fintechs and crypto firms typically score highest here — and that’s where most recent OFAC enforcement has landed.

Scoring Methodology

A defensible scoring methodology has three layers and a transparent calculation.

Layer 1: Inherent Risk

Score each risk factor on a consistent scale. Most institutions use a 3-tier or 5-tier scale:

| Tier | Description | Example |
|---|---|---|
| Low | Limited exposure, well-understood, primarily domestic | Domestic retail deposits, US-citizen customers, no cross-border activity |
| Medium | Some exposure, manageable with standard controls | Domestic commercial customers with limited international wires |
| High | Significant exposure, requires enhanced controls | Cross-border wires to high-risk jurisdictions, MSB or crypto customers |
| Very High | Direct or near-direct exposure to comprehensive programs | Trade finance involving dual-use goods, correspondent banking with respondents in secondary-sanctions-risk jurisdictions |

Score each customer segment, geography, product, and channel separately. Document the rationale.

Layer 2: Control Effectiveness

For each inherent risk factor, score the effectiveness of mitigating controls. Common controls to evaluate:

  • Sanctions list screening: SDN, Consolidated Sanctions List, Sectoral Sanctions Identifications, Non-SDN Menu-Based Sanctions, jurisdiction-specific lists, internal watchlists
  • Screening fuzzy logic and tuning: False positive rate, hit-to-clear time, threshold testing
  • 50% Rule and beneficial ownership screening: Whether the screening tool resolves indirect ownership
  • Transaction monitoring for sanctions typologies: Vessel-based AIS data, dual-use goods red flags, trade-based money laundering
  • Geographic IP and VPN controls: Especially for digital-only channels
  • Pre-transaction controls: Pre-funding screening, beneficiary verification
  • Lookback and remediation processes: When a sanctions list update creates a backward-looking exposure

Score each control on effectiveness — typically Strong / Adequate / Weak / Inadequate — and document the testing or evidence supporting the score.

Layer 3: Residual Risk

Combine inherent risk and control effectiveness. A common matrix:

| Inherent Risk \ Control Effectiveness | Strong | Adequate | Weak | Inadequate |
|---|---|---|---|---|
| Very High | Medium | High | Very High | Very High |
| High | Low | Medium | High | Very High |
| Medium | Low | Low | Medium | High |
| Low | Low | Low | Low | Medium |

The output isn’t a single number. It’s a residual risk profile across customer, geography, product, and channel — each driving specific actions: more screening lists, tighter thresholds, enhanced training, additional testing.
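The three layers above worked through as code (an added example, not the template's own tooling): the residual matrix from the article, tier names that are validated rather than defaulted, a worst-factor roll-up per dimension, and a downgrade of any Strong or Adequate control rating that has no testing evidence behind it. The risk factors, ratings and evidence flags are constructed sample data.

```python
"""Residual sanctions-risk profile from the inherent tiers, control ratings and
residual matrix described above. Added example, not the template's own tooling;
the risk factors and control ratings below are constructed."""

INHERENT_TIERS = ["Low", "Medium", "High", "Very High"]
CONTROL_RATINGS = ["Strong", "Adequate", "Weak", "Inadequate"]

# Residual risk matrix from the article: row = inherent tier, column = control rating.
RESIDUAL_MATRIX = {
    "Very High": ["Medium", "High", "Very High", "Very High"],
    "High":      ["Low", "Medium", "High", "Very High"],
    "Medium":    ["Low", "Low", "Medium", "High"],
    "Low":       ["Low", "Low", "Low", "Medium"],
}


def residual_risk(inherent, control):
    """Matrix lookup that rejects undefined tiers, so an inconsistent scale
    (the 'no documented methodology' exam finding) fails instead of defaulting."""
    if inherent not in RESIDUAL_MATRIX:
        raise ValueError(f"undefined inherent tier: {inherent!r}")
    if control not in CONTROL_RATINGS:
        raise ValueError(f"undefined control rating: {control!r}")
    return RESIDUAL_MATRIX[inherent][CONTROL_RATINGS.index(control)]


def residual_profile(factors):
    """factors: (dimension, factor, inherent, control, has_test_evidence) tuples.
    Returns (worst residual per dimension, per-factor residuals). A Strong or
    Adequate control with no testing evidence is downgraded to Weak, because
    effectiveness scored on assertion rather than testing is an exam finding."""
    per_factor, worst = [], {}
    for dimension, factor, inherent, control, has_evidence in factors:
        effective = control
        if not has_evidence and CONTROL_RATINGS.index(control) < CONTROL_RATINGS.index("Weak"):
            effective = "Weak"
        residual = residual_risk(inherent, effective)
        per_factor.append((dimension, factor, residual))
        # Roll each dimension up to its worst residual factor.
        current = worst.setdefault(dimension, residual)
        if INHERENT_TIERS.index(residual) > INHERENT_TIERS.index(current):
            worst[dimension] = residual
    return worst, per_factor


# Constructed sample: five risk factors across the four dimensions.
SAMPLE_FACTORS = [
    ("customer", "crypto exchange respondents", "High", "Adequate", True),
    ("geography", "Russia list-based exposure", "Very High", "Strong", True),
    ("geography", "UAE transshipment corridor", "High", "Weak", True),
    ("product", "trade finance / letters of credit", "High", "Strong", False),
    ("channel", "digital-only onboarding", "Very High", "Adequate", True),
]

if __name__ == "__main__":
    worst_by_dimension, detail = residual_profile(SAMPLE_FACTORS)
    for dimension, factor, residual in detail:
        print(f"{dimension:10} {factor:36} {residual}")
    print("worst per dimension:", worst_by_dimension)
```

The trade finance factor lands at High residual despite its Strong rating because no testing evidence backs that rating; that is the downgrade an examiner would apply.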

Connecting the Risk Assessment to the Program

A risk assessment that doesn’t drive the program isn’t worth writing. Map the residual risk findings to specific actions:

| Residual Risk Finding | Program Implication |
|---|---|
| High residual on geographic risk | Add jurisdictional screening lists, expand transaction monitoring, increase training frequency |
| Medium residual on customer risk for crypto exchange respondents | Enhanced due diligence at onboarding, ongoing wallet screening, periodic reassessment cadence |
| High residual on channel risk for digital-only onboarding | Strengthen IP geofencing, VPN detection, identity verification quality controls |
| High residual on product risk for trade finance | Vessel and AIS screening, dual-use goods red flag training, escalation to trade compliance specialist |

Document this mapping in the risk assessment itself. Examiners and auditors will trace residual risk findings backward to the controls — if they don’t trace, the assessment reads as paper-only.

What Examiners Actually Look For

Across OCC, FDIC, NYDFS, FINRA, and Federal Reserve exams, the consistent findings on OFAC risk assessment:

  1. Stale assessment. Older than 12 months, or doesn’t reflect a major sanctions update (2022 Russia, 2023 secondary sanctions expansion, 2024 IRGC-related designations).
  2. Missing geographic depth. Treats Iran, North Korea, and Russia as a single bucket without distinguishing comprehensive vs. list-based programs.
  3. No documented methodology. Scoring scale isn’t defined; risk factors are scored inconsistently across business units.
  4. No connection to screening configuration. Risk assessment recommends list expansion that the screening tool doesn’t actually load.
  5. Customer segmentation too shallow. “Commercial customers” treated as one segment without distinguishing MSBs, crypto firms, foreign correspondents, or trade-finance customers.
  6. Channel risk ignored. Digital-only fintechs especially miss this — assessment focuses on customer risk and skips how the customer reaches the institution.
  7. Control effectiveness scored on assertion, not testing. The assessment claims controls are “Strong” without referencing recent independent testing or audit results.
  8. No board-level visibility. Assessment isn’t presented to the board or risk committee with documented action items.

The PayPal NYDFS settlement, the Binance OFAC settlement, and the recent crypto-firm enforcement actions all turned at least in part on weaknesses in the upstream risk assessment — not just the downstream control failure.

What Goes in the OFAC Risk Assessment Document

A defensible OFAC risk assessment document includes:

  1. Executive Summary: One page residual risk profile, key findings, action items, sign-off
  2. Methodology: Scoring scale, risk factor definitions, data sources
  3. Customer Risk: Population, segmentation, scoring by segment
  4. Geographic Risk: Comprehensive program inventory, list-based program inventory, FATF and high-risk jurisdiction overlay
  5. Product and Service Risk: Inventory of products, sanctions exposure analysis per product
  6. Channel Risk: Onboarding, transaction, and ongoing channel analysis
  7. Control Inventory and Effectiveness: Screening, transaction monitoring, training, governance — each with effectiveness rating and evidence
  8. Residual Risk Conclusions: Heat map or matrix output, with supporting narrative
  9. Action Plan: Specific remediation, ownership, deadlines
  10. Appendices: Sanctions list inventory, key thresholds, recent regulatory updates
  11. Approval Page: Senior management and board/committee sign-off with date

So What — Why This Document Decides Your Penalty Outcome

OFAC has been explicit: when assessing whether a violation warrants a penalty and at what amount, the existence and adequacy of a risk-based compliance program matters. Under General Factor E, OFAC may consider the existence, nature, and adequacy of an SCP and may mitigate a civil monetary penalty on that basis. Under General Factor F, remedial response — including upgrades to the risk assessment after the violation — provides further mitigation credit.

The institutions that come out of OFAC enforcement actions with mitigated penalties have one thing in common: a documented risk assessment that pre-dates the violation, that maps to controls, and that the institution can show was being maintained. The institutions that get hit hardest are the ones whose risk assessment was either missing, stale, or paper-only.

If your sanctions program is being built or rebuilt, the risk assessment is where to start. Everything else — list inventory, screening tuning, training, monitoring, governance — flows from it.

30/60/90-Day Implementation Roadmap

Days 1–30: Baseline and Scope

  • Pull the current OFAC risk assessment (if any) and identify the date and approval status
  • Inventory active sanctions programs and confirm all comprehensive and material list-based programs are addressed
  • Map the institution’s customer, geography, product, and channel population — pull data, don’t estimate
  • Confirm the BSA/AML risk assessment scope so OFAC scope is clearly delineated or integrated
  • Stand up the methodology document — scoring scale, risk factor definitions, data sources

Days 31–60: Scoring and Control Mapping

  • Score inherent risk across all four dimensions with documented rationale
  • Pull recent independent testing, internal audit, and screening tuning results to support control effectiveness scoring
  • Calculate residual risk for every combination
  • Identify gaps between residual risk and current program coverage (lists not loaded, training audience misaligned, monitoring scenarios missing)
  • Validate the scoring with business unit leaders, BSA Officer, and Sanctions Compliance Officer

Days 61–90: Approval and Operationalization

  • Build the action plan tied to specific residual risk findings — owners, deadlines, evidence requirements
  • Present to senior management and board risk committee
  • Document approval with date and committee minute reference
  • Push action items into the AML/sanctions remediation tracker
  • Update screening configuration, training plan, and monitoring scenarios per findings
  • Schedule the next annual refresh and triggering events that would require an interim update

Build the Surrounding Program Documents

A risk assessment is the start. Once you’ve documented residual risk, you need the AML risk assessment, the Customer Identification Program, and the new product approval gate to operationalize the controls the assessment recommends. Our New Product Risk Assessment Template builds in OFAC and BSA/AML risk factors as standard pre-launch evaluation criteria — so you’re not bolting sanctions analysis onto a product after launch.


Frequently Asked Questions

Is an OFAC risk assessment legally required?

Strict liability under the International Emergency Economic Powers Act (IEEPA) doesn't expressly require a written risk assessment — but every regulator that supervises sanctions compliance does. The OCC, Federal Reserve, FDIC, NYDFS, and FINRA all expect a documented OFAC risk assessment as part of an AML/sanctions program. OFAC's own Framework for Compliance Commitments names risk assessment as one of five essential components. In practice: if you're a financial institution, you need a written OFAC risk assessment. Period.

How is an OFAC risk assessment different from an AML/BSA risk assessment?

They overlap heavily but answer different questions. The BSA/AML risk assessment evaluates money laundering and terrorist financing risk across products, customers, geographies, and channels. The OFAC risk assessment evaluates sanctions exposure — whether the institution might transact with sanctioned persons, jurisdictions, or sectoral targets. Most institutions document them as separate sections of one combined financial crime risk assessment. Examiners are fine with either approach as long as both are addressed with sufficient depth.

How often should the OFAC risk assessment be updated?

At least annually, plus after material changes — new product, new geography, new sanctions program, M&A, significant sanctions list update like Russia-Ukraine in 2022 or expanded Iran secondary sanctions. OFAC's Framework calls out the importance of updating the assessment in response to changes in the sanctions environment. A risk assessment dated more than 12 months ago is almost always cited at exam.

What's the difference between OFAC's risk-based approach and a strict liability standard?

Sanctions liability is strict — meaning intent isn't required. You can violate sanctions without knowing it. But OFAC takes a risk-based approach to enforcement: under General Factor E of the Economic Sanctions Enforcement Guidelines, OFAC considers whether the violator had a reasonable, well-designed, risk-based compliance program when deciding whether and how to penalize. A documented risk assessment that drives your screening, training, and controls is the foundation of that mitigation argument.

Do fintechs and crypto firms need OFAC risk assessments?

Yes — and OFAC has been explicit about this. Enforcement actions against Binance, Poloniex, Kraken, BitPay, and Payoneer all cited inadequate sanctions risk assessments as part of the violation pattern. Crypto and fintech firms face higher inherent OFAC risk from cross-border activity, decentralized counterparties, and IP-based geofencing limitations. The risk assessment is non-negotiable, regardless of charter.

What scoring scale should I use?

There's no required scale. Most institutions use a 3-tier (Low/Medium/High) or 5-tier (Very Low through Very High) scale across inherent risk, control effectiveness, and residual risk. The scale matters less than the consistency. Document your methodology, apply it the same way across risk factors, and make sure the scoring leads to actionable conclusions about screening lists, transaction monitoring, training, and resourcing.
Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
