Export Compliance & Sanctions Screening: OFAC, BIS & EU Regulations
Part of our Compliance & Regulation series
In 2025, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed over $1.5 billion in penalties for sanctions violations. The Bureau of Industry and Security (BIS) denied export privileges to hundreds of entities. And the EU expanded its sanctions programs to cover new sectors and geographies. For any company engaged in international trade --- including digital services, software licensing, and cross-border eCommerce --- export compliance has become a critical operational requirement.
The consequences of non-compliance are severe: criminal penalties of up to $1 million and 20 years imprisonment per violation for willful export control violations, civil penalties of over $330,000 per violation for OFAC sanctions breaches (the statutory maximum is adjusted for inflation every year, so check the current figure), and the existential risk of being cut off from the US financial system.
Key Takeaways
- Sanctions screening must occur before every transaction, not just at customer onboarding
- Software and technology exports require classification (ECCN) even when no physical goods cross borders
- EU, US, and UK sanctions programs differ significantly --- compliance with one does not guarantee compliance with others
- Automated screening tools are essential at scale, but human review is required for potential matches
Understanding the Regulatory Landscape
Export compliance involves two distinct but related regimes: sanctions programs (which restrict transactions with specific countries, entities, and individuals) and export controls (which restrict the transfer of specific goods, software, and technology).
US Sanctions Programs (OFAC)
OFAC administers and enforces economic sanctions programs based on US foreign policy and national security goals. These sanctions are among the broadest and most aggressively enforced in the world.
Key OFAC lists:
| List | Full Name | Contains | Update cadence |
|------|-----------|----------|----------------|
| SDN | Specially Designated Nationals and Blocked Persons | Individuals and entities whose assets are blocked; US persons may not deal with them | Frequent and irregular: designations, delistings and amendments are published as they occur |
| SSI | Sectoral Sanctions Identifications | Entities subject to sectoral restrictions (specific prohibited dealings rather than full blocking) | As needed |
| CAPTA | Correspondent Account or Payable-Through Account Sanctions | Foreign financial institutions barred from, or restricted in, US correspondent or payable-through accounts | As needed |
| NS-PLC | Non-SDN Palestinian Legislative Council | Palestinian Legislative Council members who are not SDNs | As needed |
| FSE | Foreign Sanctions Evaders | Persons facilitating sanctions evasion | As needed |
| Consolidated | Consolidated Sanctions List | Combined non-SDN lists (SSI, FSE, NS-PLC, CAPTA and others) | Whenever a component list changes |

There is no fixed publication day for any of these lists, so a screening program must subscribe to OFAC's change notifications (or pull the list data automatically) rather than refresh on a calendar.
Comprehensive sanctions programs prohibit virtually all transactions with certain countries: Cuba, Iran, North Korea, Syria, and the Crimea/Donetsk/Luhansk regions of Ukraine.
Secondary sanctions extend US sanctions reach to non-US persons. A European company that facilitates significant transactions with Iranian entities can itself be sanctioned by the US, even though it is not subject to US jurisdiction directly.
US Export Controls (BIS)
The Bureau of Industry and Security within the Department of Commerce administers the Export Administration Regulations (EAR). These regulations control the export of "dual-use" items --- goods, software, and technology that have both commercial and military/intelligence applications.
Key BIS lists:
| List | Purpose | Impact |
|------|---------|--------|
| Entity List | Entities acting contrary to US national security or foreign policy interests | License required for items subject to the EAR as specified in the entity's entry (frequently all such items), with most license exceptions unavailable |
| Denied Persons List | Individuals and entities whose export privileges have been denied | No exports or re-exports of items subject to the EAR, and no participation in such transactions |
| Unverified List | Entities whose bona fides (legitimacy and reliability) could not be verified | License exceptions unavailable; a UVL statement from the party and enhanced due diligence required before shipping |
| Military End-User List | Military end users in certain countries | License required for the specified items under the military end-use/end-user rule |
EU Sanctions
The EU maintains its own sanctions programs, which are legally binding on all EU member states, EU nationals, and companies incorporated in the EU.
Key characteristics:
- EU sanctions are implemented through EU Regulations (directly applicable law in all member states)
- Sanctions targets may differ from US lists (a person sanctioned by the US is not necessarily sanctioned by the EU, and vice versa)
- The EU maintains the Consolidated Financial Sanctions List
- Sector-specific sanctions target specific industries (energy, finance, defense, technology) in sanctioned countries
- Enforcement is national: each member state designates its own competent authorities and sets its own penalties, so the same EU regulation is enforced differently across the bloc. The UK is no longer an EU member; its post-Brexit sanctions regime is enforced separately (financial sanctions by OFSI) and must be screened as a third regime alongside the US and EU programs
Classification: ECCN & HTS Codes
Before you can determine whether an export requires a license, you need to classify what you are exporting.
Export Control Classification Number (ECCN)
ECCNs are five-character alphanumeric codes that identify the level of export control applied to an item:
- First character (0-9): Category (e.g., 5 = Telecommunications and Information Security)
- Second character (A-E): Product group (A = Systems/Equipment, D = Software, E = Technology)
- Third character (0-9): Reason for control (0 = National Security, 1 = Missile Technology, 2 = Nuclear Nonproliferation, 3 = Chemical and Biological Weapons, 9 = Anti-terrorism, Crime Control, Regional Stability and other reasons)
- Last two characters: Identify the specific entry within the category and product group (so 5D002 is Category 5, Software, controlled for National Security reasons, entry 02)
Example classifications relevant to tech companies:
| ECCN | Description | License requirements |
|------|-------------|----------------------|
| 5D002 | Software for information security (encryption) | License required for certain destinations; many items qualify for License Exception ENC once classified |
| 5A002 | Information security systems and equipment | License required for certain destinations; many items qualify for License Exception ENC once classified |
| 5E002 | Technology for information security | License required for certain destinations |
| EAR99 | Items subject to the EAR but not listed on the Commerce Control List | Generally no license required, but end-user, end-use and sanctions restrictions still apply |
Software and Technology Considerations
Many tech companies are surprised to learn that software exports are controlled:
- Encryption software above certain threshold strengths requires classification and may need export licenses
- Open source encryption software has a specific exemption (publicly available) but requires notification to BIS
- Giving a foreign national access to controlled technology or source code, including through a shared repository or cloud environment and even on US soil, can be a "deemed export" to that person's country of nationality
- SaaS products with encryption capabilities require classification even though no physical product crosses a border
- Technology transfer includes technical data, training materials, and technical assistance
HTS Codes
Harmonized Tariff Schedule codes are used for customs purposes and determine applicable tariffs. While separate from ECCN classification, HTS codes must be accurate for customs declarations. Misclassification can result in underpaid duties, import delays, and penalties.
Building a Sanctions Screening Program
Transaction Screening Workflow
Effective sanctions screening requires checking multiple touchpoints in every transaction:
- Customer onboarding. Screen customer name, aliases, addresses, and beneficial owners against all applicable sanctions lists before establishing the business relationship.
- Transaction screening. Screen each transaction for sanctioned parties, countries, and end-use concerns. This includes the buyer, ship-to party, end user, and any intermediaries.
- Payment screening. Screen payment details for sanctioned banks, financial institutions, and beneficiaries.
- Ongoing monitoring. Re-screen existing customers whenever sanctions lists change. OFAC publishes SDN additions, removals and amendments frequently and without a fixed schedule, so drive re-screening from list-change notifications (or a frequent automated pull) rather than from a fixed calendar.
- Escalation and review. Potential matches must be reviewed by a trained compliance officer. False positives (common with name-based screening) must be documented and resolved.
Screening Tool Comparison
| Tool | Coverage | Automation | Price Range | Best For |
|------|----------|------------|-------------|----------|
| Dow Jones Risk & Compliance | OFAC, EU, UK, 200+ lists | Full API integration | $$$$ | Large enterprises |
| LexisNexis Bridger Insight | OFAC, EU, UK, PEP lists | API + batch screening | $$$ | Mid-market |
| Descartes Visual Compliance | OFAC, BIS, EU, 500+ lists | API + ERP integration | $$$ | Manufacturing/trade |
| Comply Advantage | 100+ sanctions + PEP lists | API-first, real-time | $$ | SaaS/fintech |
| OpenSanctions | OFAC, EU, UK, 80+ sources | Open source, API | $ (self-hosted) | Startups/custom |
| OFAC SDN Search (official) | OFAC lists only | Manual search only | Free | Basic screening |
Integrating Screening with ERP Systems
For companies using Odoo or similar ERP systems, sanctions screening should be integrated at key process points:
- Contact creation: Automatic screening when a new customer or vendor is added
- Sales order confirmation: Re-screen before order processing
- Purchase order approval: Screen vendors and ship-from countries
- Shipping/logistics: Screen delivery addresses and freight forwarders
- Payment processing: Screen bank details before disbursement
Screening should be non-blocking for clear passes and blocking (with mandatory compliance review) for potential matches. It should also fail closed: if the screening service is unavailable or its list data is stale, the transaction waits rather than proceeding unscreened.
Compliance Program Elements
OFAC, BIS, and EU regulators all emphasize that having a compliance program is a significant mitigating factor if a violation occurs. In fact, OFAC explicitly considers the adequacy of a compliance program when determining penalties.
OFAC's Five Essential Components
OFAC's Framework for Compliance Commitments identifies five essential components:
- Management commitment. Senior management supports and resources the compliance program. There is a designated compliance officer with adequate authority and independence.
- Risk assessment. The company identifies and assesses its sanctions risk based on customers, products, services, geographies, and channels. The risk assessment is updated at least annually.
- Internal controls. Policies, procedures, and processes that identify, interdict, escalate, and report transactions that may be prohibited. This includes screening tools, approval workflows, and record-keeping.
- Testing and auditing. Independent testing of the compliance program's effectiveness. This includes testing screening tools (seed them with known listed parties and deliberate spelling variants and confirm each is flagged), reviewing escalation procedures, and auditing training records.
- Training. Regular, role-specific training for all employees involved in transactions that could implicate sanctions. Training records must be maintained.
Record-Keeping Requirements
Maintain records of:
- All screening results (positive and negative)
- Match resolution documentation (how potential matches were investigated and cleared)
- License applications and determinations
- Blocked or rejected transactions
- Training records and materials
- Risk assessments and updates
- Compliance program policies and procedures
- Voluntary self-disclosures (if any violations are identified)
Retention period: OFAC extended its record-retention requirement from five to ten years (31 CFR 501.601, effective March 2025) after the statute of limitations for sanctions violations was lengthened to ten years. BIS requires records for five years from the date of export or other relevant transaction. Retain for the longer applicable period, and check the member-state rules that apply to any EU operations.
For detailed audit trail requirements across compliance frameworks, see our audit trail compliance guide.
Common Violations & How to Avoid Them
Violation 1: Failure to Screen
The most common violation is simply not screening at all, or screening at onboarding but not on an ongoing basis. Sanctions lists change daily --- a customer who was clean last month may be sanctioned today.
Prevention: Implement automated re-screening triggered by list updates.
Violation 2: Inadequate Name Matching
Name-based screening is inherently imperfect. Common issues include transliteration variations (Arabic, Chinese, Cyrillic names), common names generating excessive false positives, and alias/AKA matching failures.
Prevention: Normalize names before matching (case, diacritics, punctuation, token order, corporate suffixes such as LLC or GmbH), apply fuzzy matching with thresholds tuned on your own data, screen aliases and AKAs as well as primary names, and always route potential matches to a human reviewer. A match is never auto-cleared by the algorithm alone.
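The screening workflow described earlier, the name-matching prevention step above, and the false-positive handling described in the FAQ below come together in the following added example. It is written for this article and is not the page's, OFAC's, or any vendor's code. It normalizes names, scores them against primary names and aliases with a fuzzy ratio, holds anything at or above a review threshold for a compliance officer, honours a documented false-positive clearance only while the list entry it was cleared against is unchanged, and re-screens a customer base after a list release. The list entries, customer names, version tags and thresholds are constructed and hypothetical.

```python
"""Added example: tiered sanctions name screening with normalization, fuzzy
scoring, a reviewed-false-positive cache, and re-screening after a list release.
Not OFAC's or any vendor's engine; all data and thresholds are constructed."""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Corporate suffixes add little identifying signal and inflate false matches.
_SUFFIXES = {"ltd", "limited", "llc", "inc", "corp", "gmbh", "ooo", "sa", "co"}
STRONG = 0.95   # near-exact match: escalate with high priority (constructed threshold)
REVIEW = 0.80   # at or above this a compliance officer must look (constructed threshold)


@dataclass(frozen=True)
class ListEntry:
    uid: str        # identifier on the source list (constructed here)
    source: str     # e.g. "OFAC-SDN", "EU-CFSL"
    names: tuple    # primary name followed by aliases / AKAs
    version: str    # list release this entry was loaded from


@dataclass
class Hit:
    entry: ListEntry
    matched_alias: str
    score: float

    @property
    def priority(self) -> str:
        return "high" if self.score >= STRONG else "normal"


@dataclass
class Decision:
    outcome: str                 # "clear" (proceed) or "hold" (block pending review)
    hits: list = field(default_factory=list)


def normalize(name: str) -> str:
    """Fold case and diacritics, drop punctuation and suffixes, sort tokens, so
    "Ivanov, Ivan" and "IVAN IVANOV" compare equal. Script transliteration
    (Cyrillic/Arabic/Chinese to Latin) is NOT handled and needs its own step."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).casefold()
    s = re.sub(r"[^\w\s]", " ", s)
    tokens = [t for t in s.split() if t not in _SUFFIXES]
    return " ".join(sorted(tokens))


def score(a: str, b: str) -> float:
    """Similarity in [0, 1] between two already-normalized names."""
    return SequenceMatcher(None, a, b).ratio()


def screen(party: str, entries, cleared=None) -> Decision:
    """Screen one party name against all entries. `cleared` maps
    (normalized party, entry uid) -> the list version a compliance officer
    cleared that pair against; the clearance is honoured only for that version."""
    cleared = cleared or {}
    cand = normalize(party)
    hits = []
    for entry in entries:
        best_score, best_alias = max((score(cand, normalize(n)), n) for n in entry.names)
        if best_score < REVIEW:
            continue
        if cleared.get((cand, entry.uid)) == entry.version:
            continue   # documented false positive against an unchanged entry
        hits.append(Hit(entry, best_alias, best_score))
    if not hits:
        return Decision("clear")
    return Decision("hold", sorted(hits, key=lambda h: -h.score))


def rescreen(parties, entries, cleared=None) -> dict:
    """Re-screen an existing customer base after a list release; returns only
    the parties that are no longer clear (a changed entry voids its clearance)."""
    held = {}
    for party in parties:
        decision = screen(party, entries, cleared)
        if decision.outcome != "clear":
            held[party] = decision
    return held


# Constructed sample list: two entries with aliases, tagged with a release version.
SAMPLE_ENTRIES = (
    ListEntry("EX-0001", "OFAC-SDN", ("Ivan Petrovich Ivanov", "Ivanov, Ivan"), "2025-01-01"),
    ListEntry("EX-0002", "EU-CFSL", ("Global Trading LLC", "Global Trade Co."), "2025-01-01"),
)

if __name__ == "__main__":
    for name in ("Anna Schmidt", "IVANOV, Ivan P.", "Ivan Ivanov", "Global Trading LLC"):
        d = screen(name, SAMPLE_ENTRIES)
        print(f"{name!r:22} -> {d.outcome:5} "
              + ", ".join(f"{h.entry.uid}:{h.priority}:{h.score:.2f}" for h in d.hits))
```

The "hold" outcome is what the ERP gate should block on and the "clear" outcome is what it passes through. Note what this code does not do: no transliteration of non-Latin scripts, no corroboration against date of birth or address, and no phonetic matching. Production screening adds all three and tunes the thresholds on measured false-positive rates.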
Violation 3: Ignoring Beneficial Ownership
OFAC's 50 Percent Rule provides that any entity owned 50% or more, directly or indirectly and whether individually or in the aggregate, by one or more blocked persons is itself blocked, even if the entity never appears on the SDN list. The whole interest of an entity that is itself blocked counts as blocked ownership of whatever it owns, but an interest held only through a non-blocked intermediary does not.
Prevention: Conduct beneficial ownership screening for all significant business relationships. This is particularly important for B2B transactions.
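The rule is mechanical enough to compute, and the indirect and aggregate cases are where manual checks go wrong. The following is an added example written for this article (not OFAC's own tool) that propagates blocked status through an ownership graph to a fixed point. It follows the worked examples in OFAC's FAQ on the rule: the full interest of a blocked intermediate entity counts as blocked ownership of whatever it owns, stakes of several blocked persons are added together, and a stake held only through a non-blocked intermediary does not count. Entity names and percentages are constructed.

```python
"""Added example: OFAC 50 Percent Rule applied to an ownership graph.
Not OFAC's tool; entity names and percentages are constructed."""


def evaluate(listed, ownership, threshold=50, caution=25):
    """Return (blocked, near). `blocked` maps entity -> aggregate blocked
    ownership in percent; `near` lists non-blocked entities whose blocked
    ownership is at or above `caution` (OFAC urges caution on significant
    minority stakes, but that is not a legal threshold).

    ownership[entity] = {owner: percent}; `listed` holds the designated
    (SDN-listed) persons. Percentages for one entity must not exceed 100.
    """
    for entity, owners in ownership.items():
        if sum(owners.values()) > 100 or any(p < 0 for p in owners.values()):
            raise ValueError(f"invalid ownership data for {entity!r}: {owners}")

    def blocked_share(owners, blocked):
        # Whole interest of each blocked owner counts; non-blocked owners count 0.
        return sum(p for owner, p in owners.items() if owner in blocked)

    blocked = set(listed)
    derived = {}
    changed = True
    while changed:                  # fixed point: blocked set only grows, so this terminates
        changed = False
        for entity, owners in ownership.items():
            if entity in blocked:
                continue
            share = blocked_share(owners, blocked)
            if share >= threshold:
                blocked.add(entity)
                derived[entity] = share
                changed = True
    near = {}
    for entity, owners in ownership.items():
        if entity not in blocked:
            share = blocked_share(owners, blocked)
            if share >= caution:
                near[entity] = share
    return derived, near


# Constructed graph mirroring the cases the rule distinguishes.
SAMPLE_LISTED = {"Sanctioned Person X", "Sanctioned Person Y"}
SAMPLE_OWNERSHIP = {
    "Alpha Holding":   {"Sanctioned Person X": 50, "Unrelated Investor": 50},   # direct 50%
    "Beta Trading":    {"Alpha Holding": 50, "Unrelated Investor": 50},         # chain through blocked Alpha
    "Gamma Logistics": {"Alpha Holding": 25, "Sanctioned Person Y": 25,
                        "Unrelated Investor": 50},                              # aggregation to 50%
    "Delta Energy":    {"Sanctioned Person X": 49, "Unrelated Investor": 51},   # below threshold
    "Epsilon Ltd":     {"Delta Energy": 100},                                   # non-blocked intermediary
    "Zeta Shipping":   {"Sanctioned Person X": 10, "Alpha Holding": 40,
                        "Unrelated Investor": 50},                              # direct + indirect
}

if __name__ == "__main__":
    blocked, near = evaluate(SAMPLE_LISTED, SAMPLE_OWNERSHIP)
    for entity, share in blocked.items():
        print(f"BLOCKED  {entity:16} {share}% blocked ownership")
    for entity, share in near.items():
        print(f"CAUTION  {entity:16} {share}% blocked ownership (below threshold)")
```

Entities that come back blocked must be treated exactly like SDN-listed parties even though no list contains them, so the result should feed the same hold-for-review path as a list hit. EU sanctions apply an ownership-or-control test, so for EU screening a control analysis has to be layered on top of this ownership check.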
Violation 4: Unauthorized Re-Export
Goods, software, or technology exported from the US may be subject to re-export controls. If your European subsidiary receives US-origin software and distributes it to a third country, that re-export is subject to US export controls.
Prevention: Track the origin of goods and technology throughout your supply chain. Include re-export restriction clauses in distribution agreements.
For guidance on how export compliance fits within a broader compliance framework, see our enterprise compliance handbook.
Frequently Asked Questions
Do software companies need to worry about export controls?
Yes. Software is explicitly covered by US export controls (EAR), EU dual-use regulations, and the Wassenaar Arrangement. Encryption software, cybersecurity tools, AI/ML software for certain applications, and technology related to controlled items all require classification. Even SaaS products delivered via the cloud can constitute an "export" or "deemed export" under US regulations.
What is the difference between sanctions and export controls?
Sanctions restrict who you can do business with (specific countries, entities, and individuals). Export controls restrict what you can export (specific goods, software, and technology). A transaction can violate both simultaneously --- for example, exporting controlled encryption software to a sanctioned entity. You must comply with both regimes independently.
How do we handle false positives in screening?
False positives are inevitable, especially with common names. Establish a documented review process: when a potential match is flagged, a trained compliance officer investigates using additional identifiers (date of birth, address, nationality, business details). If the match is determined to be a false positive, document the reasoning and clear the transaction. Maintain a "cleared parties" list to reduce future false positives for the same entity, but re-screen periodically.
Are there export control implications for open source software?
Open source software is generally exempt from US export controls under the "publicly available" exception, but with important caveats. You must file a notification with BIS and the NSA when making encryption source code publicly available. And the exemption applies only to software that is truly publicly available --- proprietary modifications or custom builds may not qualify.
What should we do if we discover a past sanctions violation?
OFAC strongly encourages voluntary self-disclosure (VSD). Companies that voluntarily disclose violations typically receive significantly reduced penalties --- OFAC considers VSD a major mitigating factor. Engage legal counsel immediately, stop the prohibited activity, preserve all relevant records, and prepare a thorough disclosure to OFAC that includes the facts, the compliance failures that allowed it, and the remedial measures you have taken.
What Is Next
Export compliance and sanctions screening are not optional for businesses operating internationally --- the penalties for non-compliance are severe and enforcement is intensifying. Building a robust compliance program with automated screening, clear escalation procedures, and comprehensive training is an investment that protects your company from existential risk.
ECOSIRE helps international businesses build compliant trade operations. Our Odoo ERP implementations can integrate sanctions screening at every transaction touchpoint, from customer onboarding to shipment processing. For AI-powered compliance monitoring and risk assessment, explore our OpenClaw AI platform. Contact us to discuss your export compliance needs.
Published by ECOSIRE — helping businesses scale with AI-powered solutions across Odoo ERP, Shopify eCommerce, and OpenClaw AI.
Written by
ECOSIRE Research and Development Team
Building enterprise-grade digital products at ECOSIRE. Sharing insights on Odoo integrations, eCommerce automation and AI-powered business solutions.
Related articles
Audit Trail Requirements: Building Compliance-Ready ERP Systems
Complete guide to audit trail requirements for ERP systems covering what to log, immutable storage, retention by regulation, and Odoo implementation patterns.
Breach Notification & Incident Response: A Step-by-Step Playbook
Complete incident response playbook with breach notification timelines by regulation, communication templates, forensics fundamentals, and post-incident review.
Carbon Footprint Tracking for Manufacturers: Scope 1, 2 & 3 Emissions
How manufacturers can measure and reduce carbon emissions across Scope 1, 2, and 3 with practical tracking methods, emission factors, and reporting frameworks.
More from Compliance & Regulation
Contract Lifecycle Management: Renewals, Amendments & Compliance
Master contract lifecycle management with automated renewals, amendment tracking, compliance monitoring, and Odoo CLM integration for B2B operations.
Data Privacy Across Regions: CCPA, PDPA, LGPD & PIPEDA Compared
Side-by-side comparison of five major global privacy laws including GDPR, CCPA, PDPA, LGPD, and PIPEDA covering scope, consent, rights, and penalties.
Data Residency & Localization: Where Your Data Lives Matters
Complete guide to data residency and localization requirements covering country-specific rules, cloud region selection, data sovereignty, and transfer mechanisms.