Sanctions risks are growing: OFAC’s 10-year rule meets Iran / Russia volatility

Nearly a year since OFAC doubled the statute of limitations for sanctions violations, global businesses face a drastically extended compliance horizon, just as tensions with Iran and Russia escalate and US policy veers toward unpredictability. With new secondary sanctions on the table and a widening enforcement net, the risk of past transactions becoming tomorrow’s violations has never been more real.

Last year, the US Treasury’s Office of Foreign Assets Control (OFAC) doubled the statute of limitations for sanctions violations from 5 to 10 years. The change comes with a 10-year record retention requirement, which includes maintaining transaction records, screening documentation and compliance communications. That’s a decade of exposure, scrutiny, and potential enforcement for every deal, transaction, or due diligence file with a US nexus.

This means every sanctions-related transaction — even seemingly innocuous ones — must be documented, retained, and audit-ready for a full decade. This new 10-year window applies retroactively to any potential violation where the previous five-year limit had not yet expired as of 24 April 2024. This effectively pulls transactions from as far back as April 2019 into scope.

This change gives OFAC a much longer reach to investigate and prosecute violations, potentially years after the employees involved may have moved on, IT systems may have changed, and memory of the transaction has faded.

Key implications include:

  • 10-year liability window: Covers every IEEPA- or TWEA-triggered sanction, including all OFAC-related regimes.
  • Retroactive exposure: Deals closed in 2019 could now face enforcement.
  • Increased risk of whistleblowing: Former employees and counterparties could trigger investigations with years-old information.
  • Ballooning compliance costs: Data storage, staff training, and due diligence reviews must now stretch a full 10 years.
  • Longer corporate memory required: Internal audits must cover an extended compliance horizon.

How the Trump Administration’s Ukraine and Iran deals could impact sanctions

The doubling of the statute of limitations period was introduced in 2024 under the 21st Century Peace Through Strength Act. This includes the periods for sanctions violations under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA).

The same law that extended OFAC’s reach also delivered a major escalation in Iran-related secondary sanctions. These now reach:

  • Refining and shipping activity involving Iranian petroleum
  • Transactions related to Iranian drones and missiles
  • Chinese banks or any foreign financial institution involved in even a single significant transaction for Iranian UAVs or oil


The recent resumption of nuclear talks between the US and Iran in Oman highlights the administration’s attempt to renegotiate terms that would limit Iran’s uranium enrichment activities. However, Iran’s insistence on retaining its enrichment capabilities has led to a stalemate, raising the possibility of the US reimposing stringent sanctions if negotiations fail. Such a move would have profound implications for companies engaged in sectors like energy, shipping, and finance, especially those with ties to Iranian markets.

Simultaneously, the administration’s approach to the Russia-Ukraine conflict is marked by a complex mix of proposed ceasefires and potential sanctions. European leaders, with U.S. support, have threatened intensified sanctions against Russia, including permanent blocks on projects like the Nord Stream 2 pipeline, unless a ceasefire is achieved. Companies operating in or with Russian entities must prepare for rapid policy shifts that could affect energy exports, banking operations, and broader economic engagements. These geopolitical dynamics require compliance officers to remain agile, continuously monitor policy changes, and reassess risk exposures in real time.

Recent examples show OFAC means business

This is no theoretical risk. In just the past few years, OFAC has stepped up enforcement against international companies:

British American Tobacco (BAT) paid over $629 million in April 2023 for violating North Korea sanctions, including schemes dating back more than a decade. BAT used intermediaries and shell companies to hide transactions involving sanctioned jurisdictions.

BNP Paribas was fined a staggering $8.9 billion for sanctions violations involving Sudan, Cuba, and Iran. The offences stretched over ten years, with investigators using emails and documents long assumed forgotten.

Commerzbank AG of Germany agreed to pay $1.45 billion in 2015 for facilitating prohibited transactions involving sanctioned entities in Iran and Sudan — again, spanning more than half a decade.

Société Générale paid $1.34 billion in 2018 for violating U.S. sanctions against Cuba and Iran, with many infractions dating back more than ten years.

OFAC’s powers, backed by this new 10-year timeframe, give the agency ample ammunition to revisit these types of cases or dig into new ones.

What compliance teams must do now

Compliance isn’t just about ticking boxes; it’s about surviving the next decade of regulatory risk. OFAC’s announcement, coming amid geopolitical risks, changes the game for every compliance programme, especially for multinational firms with even the smallest US exposure.

Immediate action items:

  • Update your sanctions record retention policies to 10 years — no exceptions.
  • Audit past transactions for possible legacy risk exposure.
  • Enhance transaction screening tools to handle long-term data integrity.
  • Train staff to understand the expanded liabilities and responsibilities.
  • Review third-party relationships going back 10 years, especially in high-risk jurisdictions.