OFAC Screening Requirements for Crypto ATM Operators

If you operate Bitcoin ATMs or crypto kiosks in the United States, you’re subject to the same OFAC sanctions compliance requirements as any other financial services business. The Office of Foreign Assets Control (OFAC) administers economic sanctions programs, and every U.S. person — including businesses — is prohibited from transacting with sanctioned individuals, entities, and jurisdictions.

For crypto ATM operators, this isn’t theoretical. FinCEN has specifically called out cryptocurrency kiosks as a high-risk area for money laundering, and OFAC has settled enforcement actions against crypto businesses that failed to screen transactions against sanctions lists. Here’s what you need to know.

What OFAC Requires

OFAC’s requirements apply to all U.S. persons and businesses, regardless of size. There is no minimum transaction threshold and no exemption for small operators. The core obligation is straightforward: do not process transactions involving sanctioned parties.

In practice, this means you need to:

1. Screen customers against the SDN list — The Specially Designated Nationals and Blocked Persons List is OFAC’s primary sanctions list. It includes individuals, companies, and organizations that U.S. persons are prohibited from doing business with.

2. Screen wallet addresses — OFAC has added cryptocurrency wallet addresses to the SDN list since 2018. If a customer sends funds to or receives funds from a sanctioned wallet, that transaction violates sanctions.

3. Screen against other OFAC programs — Beyond the SDN list, OFAC maintains several sanctions programs covering specific countries and regions (Iran, North Korea, Cuba, Crimea, etc.). Transactions involving these jurisdictions may be prohibited or require a license.

4. Maintain records — Document your screening process, the tools you use, and the results. If you identify a potential match, you need a process for blocking the transaction and filing a report with OFAC.

Why Crypto ATMs Are High-Risk

FinCEN and state regulators have flagged crypto ATMs as a particularly high-risk channel for several reasons:

• Cash transactions: Crypto ATMs often involve cash-to-crypto conversions, which carry inherent money laundering risk.
• Limited identity verification: Some kiosks operating at lower transaction tiers collect minimal customer information, making it harder to verify who you’re transacting with.
• Speed of transactions: Crypto transactions settle quickly, making it difficult to recover funds after the fact.
• Geographic distribution: Kiosks in convenience stores, gas stations, and shopping centers can be harder to monitor than a centralized exchange.

In August 2025, FinCEN specifically highlighted cryptocurrency kiosks in guidance on financial crime risks, noting that they are “increasingly being used by bad actors to facilitate fraud, drug trafficking, and money laundering.”

This increased scrutiny means your OFAC compliance program needs to be airtight.

Building an OFAC Screening Program for Your ATM Network

Customer Screening

Every customer who uses your ATM should be screened against the SDN list. How you do this depends on your KYC process:

• At onboarding: When a customer creates an account or verifies their identity, screen their name, date of birth, and any other identifying information against the SDN list and other OFAC sanctions lists.
• On an ongoing basis: Re-screen your customer base when OFAC updates the SDN list (typically several times per month). A customer who was clear last week could be designated today.
• At the point of transaction: For kiosks that allow transactions without full account creation, screen at the transaction level using whatever identifying information is available.

Wallet Screening

This is where crypto-specific compliance diverges from traditional financial services. You need to screen blockchain addresses involved in transactions:

• Destination addresses: Before processing an outbound transaction, check whether the destination wallet appears on the SDN list or is associated with sanctioned activity.
• Source addresses: For inbound transactions (customers depositing crypto), check whether the source wallet is flagged.
• Indirect exposure: Consider whether a wallet has transacted with sanctioned addresses, even if the wallet itself isn’t listed. This is where blockchain analytics tools become relevant.

What to Do When You Get a Hit

If your screening produces a potential match:

1. Block the transaction. Do not process it.
2. Document the match. Record the customer information, the transaction details, and the specific SDN entry or sanctions program involved.
3. File a blocking report with OFAC within 10 business days if funds are blocked.
4. Do not tip off the customer. Informing a customer that they’ve been flagged for sanctions screening can itself be a violation.
5. Review false positives carefully. Not every name match is a true match. Your process should include a review step where an analyst evaluates the match against additional identifying information (date of birth, country, address).

Common Compliance Gaps

Based on OFAC enforcement actions against crypto businesses, here are the most common failures:

• No screening at all. Some operators assume that because transactions are below a certain dollar threshold, OFAC doesn’t apply. It does. There is no de minimis exemption for sanctions compliance.
• Screening only at onboarding. The SDN list changes frequently. If you only screen customers once, you’ll miss new designations.
• Ignoring wallet addresses. Entity screening alone isn’t sufficient. OFAC has listed specific crypto wallet addresses on the SDN list, and transacting with those addresses — even unknowingly — can result in enforcement action.
• No documentation. Even if you’re screening properly, you need to be able to prove it. Maintain records of your screening process, the tools you use, match results, and disposition decisions.
• Manual processes that don’t scale. A small ATM network might get by checking names manually, but as you add kiosks and customers, manual screening becomes error-prone and inconsistent.

The Cost of Getting It Wrong

OFAC enforcement actions carry strict liability — meaning intent doesn’t matter. Even if you didn’t know a customer was sanctioned, you can be held liable for processing the transaction.

Penalties for OFAC violations can reach up to $356,579 per violation for non-egregious cases and up to $1,000,000 or more for willful violations. For a crypto ATM operator processing thousands of transactions per month, the exposure adds up quickly.

Beyond fines, an OFAC enforcement action can result in loss of banking relationships, state license revocation, and reputational damage that’s difficult to recover from.

Automating OFAC Screening

For any crypto ATM network beyond a handful of kiosks, automated screening is a practical necessity. Your screening solution should:

• Screen against the full SDN list, plus other OFAC sanctions lists
• Support wallet address screening, not just entity names
• Update automatically when OFAC publishes list changes
• Provide fuzzy matching to catch name variations and transliterations
• Generate audit logs for every screening decision
• Integrate with your existing transaction processing workflow via API

Decern provides OFAC and sanctions screening purpose-built for crypto MSBs — including wallet screening, fuzzy matching, and continuous re-screening when lists update. One API call covers entity and wallet checks across OFAC, EU, UN, and PEP lists.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified compliance attorney or OFAC counsel for guidance specific to your business.