March 25, 2026 · 10 min read

Sanctions Screening for Crypto Exchanges — OFAC Compliance Guide 2026

Crypto exchanges operate in a regulatory grey zone, but sanctions compliance is not grey at all. OFAC rules apply to any platform with a U.S. nexus, and enforcement actions against crypto companies have made it clear that the Treasury Department treats virtual asset service providers the same as traditional financial institutions. If your exchange allows users to buy, sell, or transfer crypto, you need sanctions screening.

This guide covers the regulatory landscape for crypto sanctions compliance in 2026, the specific enforcement cases that shaped current expectations, and a practical implementation guide for adding screening to your exchange or DeFi platform.

Why crypto needs sanctions screening

The crypto industry has a sanctions problem, and regulators worldwide have responded with increasingly aggressive enforcement. Three forces are driving this:

  • OFAC enforcement expansion. The U.S. Treasury has been steadily expanding its crypto-related sanctions since 2018, when it first added Bitcoin and Ethereum wallet addresses to the SDN list. Since then, OFAC has sanctioned entire protocols, mixer services, and individual wallet addresses tied to ransomware, state-sponsored hacking, and sanctions evasion.
  • MiCA regulation in the EU. The Markets in Crypto-Assets regulation, fully in force since 2024, requires all crypto-asset service providers operating in the EU to implement comprehensive AML and sanctions screening programs. MiCA treats exchanges and wallet providers as obliged entities under the EU Anti-Money Laundering framework, meaning the same screening requirements that apply to banks now apply to crypto.
  • Travel Rule enforcement. Both FATF and FinCEN require virtual asset service providers to share originator and beneficiary information for transfers above certain thresholds. This means you need to know who your users are and screen them against sanctions lists before facilitating transfers.

The bottom line: operating a crypto exchange without sanctions screening is no longer a calculated risk. It is an invitation for enforcement action.

OFAC enforcement actions against crypto

Understanding the enforcement history helps you understand what regulators expect. Here are the cases that defined the current compliance landscape for crypto:

Tornado Cash (2022)

In August 2022, OFAC took the unprecedented step of sanctioning Tornado Cash, an Ethereum-based mixing protocol. OFAC added 45 Ethereum smart contract addresses associated with Tornado Cash to the SDN list. This was the first time OFAC sanctioned a decentralized protocol rather than a specific person or company.

The implications were massive. Every U.S. person and business was immediately prohibited from interacting with those smart contracts. Major exchanges and DeFi protocols scrambled to block addresses that had interacted with Tornado Cash. The case established that OFAC is willing to sanction code, not just people, and that compliance obligations extend to the protocol level.

BitPay ($507,375 fine, 2021)

BitPay, a crypto payment processor, was fined $507,375 for processing transactions where the buyer or seller was located in a sanctioned region (Crimea, Cuba, North Korea, Iran, Sudan, and Syria). BitPay had collected IP address and location data but failed to screen it against OFAC's sanctions programs.

The key takeaway: collecting KYC data is not enough. You must actually screen that data against sanctions lists and act on the results. OFAC specifically noted that BitPay had the information needed to identify the sanctioned-region transactions but did not use it.

Blender.io (2022)

OFAC sanctioned Blender.io, a Bitcoin mixer, after it was used by North Korea's Lazarus Group to launder $20.5 million stolen in the Axie Infinity hack. This reinforced OFAC's willingness to sanction mixing services and established that facilitating the movement of illicit crypto funds is a sanctionable offense.

Which lists you must screen against

Because crypto is inherently global, screening against a single country's sanctions list is insufficient. Your users can access your platform from any jurisdiction, and the borderless nature of cryptocurrency means sanctions violations can occur across multiple regulatory regimes simultaneously.

At minimum, every crypto exchange should screen against these lists:

  • OFAC SDN List + Sectoral Sanctions. The primary U.S. sanctions list with 18,700+ entries. Includes individuals, entities, and since 2018, cryptocurrency wallet addresses. The Sectoral Sanctions Identifications (SSI) list adds entities subject to narrower restrictions. Read more about OFAC screening requirements.
  • UN Security Council Consolidated List. Binding on all 193 UN member states. Focuses on terrorism financing, nuclear proliferation, and specific conflict zones. Smaller than OFAC but universally applicable.
  • EU Consolidated Financial Sanctions List. Required for any exchange serving EU customers or operating under MiCA. Has grown significantly since 2022 with Russia-related sanctions.
  • UK HM Treasury OFSI List. Relevant for any exchange with UK users. Post-Brexit, the UK list has diverged from the EU list in some areas.

With Verifex, all four lists are checked in a single API call. You do not need to manage separate integrations or worry about list update schedules. See how Verifex compares to ComplyAdvantage for a detailed feature breakdown.

PEP screening for crypto — why it matters

Beyond sanctions lists, crypto exchanges should also screen for Politically Exposed Persons (PEPs). PEPs are individuals who hold prominent public positions — heads of state, senior politicians, military leaders, judges, and their family members. While being a PEP is not illegal, PEPs are considered high-risk for money laundering and corruption because of their access to public funds and influence.

MiCA explicitly requires crypto-asset service providers to perform enhanced due diligence on PEPs. Even outside the EU, screening for PEPs is considered a best practice by FATF and most national regulators. Several high-profile cases have involved PEPs using crypto to move illicit funds, and exchanges that failed to identify them faced enforcement actions.

Verifex includes PEP screening in all API plans, checking against a database of 300,000+ politically exposed persons extracted from Wikidata with country-by-country coverage. This runs alongside sanctions screening in the same API call, so there is no additional integration work.

Real-time vs batch screening

Crypto exchanges need both real-time and batch screening, but the balance depends on your platform's architecture and risk profile.

Real-time screening

Real-time screening happens synchronously during user actions. You should screen in real time at these points:

  • Account registration. Screen the user's name before activating their account. If the screen returns a critical or high risk level, place the account in a pending state for manual review.
  • Withdrawal requests. Screen the beneficiary name and, if applicable, the destination wallet address before processing an outbound transfer.
  • Fiat on-ramp and off-ramp. Screen the sender or recipient whenever fiat currency enters or leaves your platform.

Batch screening

Batch screening runs asynchronously against your entire user base. This catches users who were not sanctioned when they registered but have since been added to a list. Run batch screening:

  • Weekly at minimum, daily if your user base is large or your risk profile is high
  • Immediately after a major sanctions list update (OFAC updates can happen multiple times per week)
  • After any geopolitical event that triggers new sanctions designations

Code example: screening with the Verifex API

Here is how to integrate sanctions screening into your crypto exchange. We will show both a curl example for testing and a Python implementation for production use.

Quick test with curl

curl -X POST https://api.verifex.dev/v1/screen \
  -H "Authorization: Bearer vfx_sk_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Lazarus Group",
    "type": "organization"
  }'

Python implementation

import os
from typing import Optional

from verifex import Verifex

# Read the API key from the environment so it never lands in source control
client = Verifex(api_key=os.environ["VERIFEX_API_KEY"])

def screen_user_on_signup(name: str, user_type: str = "person") -> dict:
    """Screen a user during account registration."""
    result = client.screen(name=name, type=user_type)

    if result["risk_level"] in ("critical", "high"):
        # Block account creation and flag for review
        return {
            "approved": False,
            "reason": "sanctions_match",
            "risk_level": result["risk_level"],
            "matches": result["matches"],
            "request_id": result["request_id"],
        }

    return {"approved": True, "risk_level": result["risk_level"]}


def screen_withdrawal(beneficiary_name: str, wallet_address: Optional[str] = None) -> dict:
    """Screen before processing a withdrawal."""
    # Screen the beneficiary name
    name_result = client.screen(name=beneficiary_name, type="person")

    if name_result["risk_level"] in ("critical", "high"):
        return {"approved": False, "reason": "beneficiary_sanctioned"}

    # Optionally screen the wallet address
    if wallet_address:
        addr_result = client.screen(name=wallet_address, type="crypto_address")
        if addr_result["risk_level"] in ("critical", "high"):
            return {"approved": False, "reason": "wallet_sanctioned"}

    return {"approved": True}


def batch_rescreen_all_users(users: list[dict]) -> list[dict]:
    """Weekly re-screening of entire user base."""
    flagged = []

    # Process in batches of 100
    for i in range(0, len(users), 100):
        batch = users[i:i + 100]
        results = client.screen_batch(
            entities=[{"name": u["name"], "type": "person"} for u in batch]
        )

        for j, result in enumerate(results):
            if result["risk_level"] in ("critical", "high"):
                flagged.append({
                    "user_id": batch[j]["id"],
                    "name": batch[j]["name"],
                    "risk_level": result["risk_level"],
                    "matches": result["matches"],
                })

    return flagged

You can try screening names manually using the free OFAC search tool before writing any code. This is useful for understanding the response format and testing specific names against the sanctions lists.

Ongoing monitoring with webhooks

Batch re-screening catches newly sanctioned users, but there is a delay between when the list is updated and when your next batch job runs. For exchanges that need tighter compliance, webhook-based monitoring eliminates that gap.

With webhook monitoring, you register your existing user names with the screening provider. When a sanctions list is updated, the provider automatically checks your registered names against the new entries and sends you a webhook notification if any of your users now match.

This is how the flow works:

  1. Register names. When a user signs up and passes initial screening, register their name for ongoing monitoring.
  2. Receive webhooks. When a sanctions list update causes a new match against one of your registered names, you receive a webhook with the match details.
  3. Take action. Your webhook handler freezes the account, blocks pending withdrawals, and alerts your compliance team for review.

This approach means you are notified within minutes of a sanctions list update, rather than waiting for your next batch job to run. For high-volume exchanges processing millions in daily volume, this near-real-time alerting is essential.
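The page does not say how the provider authenticates its webhooks, so this added example (not Verifex's code or documented scheme) assumes an HMAC-SHA256 signature over `<timestamp>.<body>` with a shared secret; the payload fields `event_id`, `user_id` and `matches` are hypothetical too. It shows the step 3 handler rejecting forged, stale or replayed deliveries before it freezes an account.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # assumed replay window, not a provider value


def sign_payload(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>" (assumed scheme)."""
    message = timestamp.encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp: str, body: bytes,
                   signature: str, now: Optional[float] = None) -> bool:
    """Accept only a fresh timestamp with a matching signature."""
    now = time.time() if now is None else now
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False
    expected = sign_payload(secret, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


class MonitoringWebhook:
    """Step 3 of the flow: freeze, block withdrawals, queue for review."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_events = set()   # idempotency: deliveries may be retried
        self.frozen_users = set()  # stand-in for the account store
        self.review_queue = []     # stand-in for the compliance alert

    def handle(self, timestamp: str, body: bytes, signature: str,
               now: Optional[float] = None) -> str:
        # Verify the raw bytes before parsing; never act on unsigned JSON.
        if not verify_webhook(self.secret, timestamp, body, signature, now):
            return "rejected"
        event = json.loads(body)
        if event["event_id"] in self.seen_events:
            return "duplicate"
        self.seen_events.add(event["event_id"])
        self.frozen_users.add(event["user_id"])
        self.review_queue.append((event["user_id"], event["matches"]))
        return "frozen"
```

In production the seen-event set and the frozen-account state belong in durable storage, so that a restart does not reopen the replay window.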

Compliance checklist for crypto startups

If you are launching a crypto exchange or wallet service, use this checklist to ensure your sanctions screening program meets regulatory expectations:

  • Screen at onboarding. Every new user must be screened before account activation. No exceptions.
  • Screen before withdrawals. Screen beneficiary names and wallet addresses before processing outbound transfers.
  • Check all four major lists. OFAC SDN, UN Security Council, EU Consolidated, and UK HM Treasury. A single API call with Verifex covers all four.
  • Include PEP screening. Politically Exposed Persons require enhanced due diligence under MiCA and FATF recommendations.
  • Re-screen periodically. Run batch screening at least weekly. Daily is better for higher-risk platforms.
  • Implement ongoing monitoring. Use webhooks or automated alerts when sanctions lists are updated to catch newly sanctioned users between batch runs.
  • Screen wallet addresses. OFAC has added specific crypto wallet addresses to the SDN list. Screen destination addresses before processing withdrawals.
  • Maintain an audit trail. Log every screening request with the timestamp, name screened, risk level, lists checked, and the action your team took. This is what regulators will ask for during an examination.
  • Document your compliance program. Write down your screening policies, thresholds for escalation, and procedures for handling matches. Regulators want to see that you have a defined program, not just an API integration.
  • Train your team. Your compliance officer and customer support staff need to understand what a sanctions match means and how to handle flagged accounts. Document escalation procedures clearly.
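For the audit-trail item above, one way to make the log tamper-evident is to chain each record to the previous one by hash. This is an added example, not code from the page or from Verifex; the record fields follow the checklist (timestamp, name screened, risk level, lists checked, action taken), and the function names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def entry_digest(fields: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_entry(log: list, *, name: str, risk_level: str, lists_checked: list,
                 action: str, timestamp: Optional[str] = None) -> dict:
    """Append one screening record, chained to the previous entry's hash."""
    entry = {
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "name": name,
        "risk_level": risk_level,
        "lists_checked": list(lists_checked),
        "action": action,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = entry_digest(entry)  # computed before "hash" is set
    log.append(entry)
    return entry


def first_broken_entry(log: list) -> int:
    """Return the index of the first altered or out-of-place entry, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev or entry_digest(fields) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1
```

The chain exposes edits and removals inside the log, but not truncation of the newest entries; to catch that, copy the latest hash to a separate system on a schedule.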

The cost of compliance vs the cost of non-compliance

One of the most common objections from crypto startups is that compliance is expensive. But consider the alternative. BitPay's $507,375 fine was for a relatively small number of violations. Binance agreed to a $4.3 billion settlement with the DOJ and FinCEN in 2023, with sanctions violations as a key component. The cost of a sanctions screening API is trivial compared to even one enforcement action.

With Verifex, sanctions and PEP screening starts with a free tier of 100 screens per month. The paid plans start at $29 per month with per-screen pricing of $0.006. For a crypto startup processing 10,000 screens per month, that is $60. For a larger exchange processing 100,000 screens per month, it is $600. Compare that to the $330,000 minimum fine for a single OFAC violation, and the math is straightforward.

Getting started

If you are building or operating a crypto exchange and have not implemented sanctions screening yet, start today. The regulatory environment is only getting stricter, and the enforcement actions are only getting larger. Here is the fastest path to compliance:

  1. Sign up for a free Verifex API key at verifex.dev
  2. Test a few names with the free OFAC search tool
  3. Integrate the screening API into your signup and withdrawal flows
  4. Set up a batch re-screening cron job
  5. Document your compliance program and train your team

The entire technical integration can be completed in an afternoon. The hardest part is making the decision to start.

Frequently asked questions

Do decentralized exchanges need to comply with OFAC sanctions?

It depends on the level of centralization. If there is a company, foundation, or identifiable team operating the protocol and it has any U.S. nexus — U.S. users, U.S.-based team members, or U.S. dollar on-ramps — OFAC rules can apply. The Tornado Cash enforcement action demonstrated that OFAC is willing to sanction smart contract addresses directly, regardless of whether a traditional company operates them.

Which sanctions lists should a crypto exchange screen against?

At minimum, you should screen against the OFAC SDN list, the UN Security Council Consolidated List, the EU Consolidated Financial Sanctions List, and the UK HM Treasury list. Because crypto is inherently global and users can access your platform from any jurisdiction, screening all four major lists is the standard practice. Verifex checks all four lists in a single API call.

How do I screen crypto wallet addresses for sanctions?

OFAC has added specific cryptocurrency wallet addresses to the SDN list since 2018. You can screen wallet addresses the same way you screen names — submit the address string to a screening API and check for matches. Verifex supports wallet address screening against the SDN list as part of entity screening.
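Because an address is matched as a string, its casing matters: the same Ethereum address can be written in several casings, while legacy Bitcoin addresses are case-sensitive. The following added example (not Verifex code; the function names and sample addresses are constructed, and the scope is limited to Ethereum-style hex and Bitcoin addresses) canonicalises an address before it is submitted or compared.

```python
import re

ETH_HEX = re.compile(r"0x[0-9a-fA-F]{40}")

# Constructed sample entries; none is a real listed address.
SAMPLE_LIST = {
    "0x" + "ab" * 20,                           # Ethereum-style hex
    "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7l",  # Bitcoin bech32
    "1" + "Ab3" * 11,                            # Bitcoin base58 (legacy)
}


def canonical_address(raw: str) -> str:
    """Return a form of the address that is safe to compare exactly."""
    addr = raw.strip()
    if ETH_HEX.fullmatch(addr):
        # Hex addresses are case-insensitive; mixed case is only an
        # EIP-55 checksum, so every casing names the same account.
        return addr.lower()
    if addr.lower().startswith("bc1") and addr in (addr.lower(), addr.upper()):
        # Bech32 is valid in all-lower or all-upper case; store lowercase.
        return addr.lower()
    # Base58 is case-sensitive: changing case yields a different address.
    return addr


def is_listed(raw: str, listed: set) -> bool:
    """Compare canonical forms on both sides of the match."""
    return canonical_address(raw) in {canonical_address(a) for a in listed}
```

Lowercasing every input would be wrong for the base58 case, and exact comparison without canonicalising would miss a checksum-cased Ethereum address.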

What is the penalty for a crypto exchange that fails to screen for sanctions?

OFAC penalties start at $330,000 per negligent violation and can reach $20 million per willful violation. BitPay was fined $507,375 for processing crypto transactions involving sanctioned regions. Beyond fines, non-compliance can result in loss of banking partnerships, delisting from fiat on-ramp providers, and reputational damage that drives users to competitors.
