OFAC Recordkeeping Requirement (31 CFR 501.601)

The OFAC Recordkeeping Requirement is codified at 31 CFR 501.601, a provision of the Reporting, Procedures and Penalties Regulations administered by the Office of Foreign Assets Control within the U.S. Department of the Treasury. Its statutory foundation rests on the International Emergency Economic Powers Act (IEEPA, 50 U.S.C. §§ 1701–1708), the Trading with the Enemy Act (50 U.S.C. §§ 4301 et seq.), and program-specific authorities such as the Cuban Liberty and Democratic Solidarity Act of 1996 and the Iran Threat Reduction and Syria Human Rights Act of 2012. Section 501.601 sits within Part 501, the cross-cutting procedural chapter that applies uniformly to every OFAC sanctions program — Russia, Iran, Cuba, Venezuela, counter-narcotics, counter-terrorism, and the Specially Designated Nationals regime — unless a program-specific regulation expressly modifies it.

Mechanically, Section 501.601 obligates every person engaging in a transaction subject to the provisions of Chapter V of Title 31 to keep a full and accurate record of each such transaction, and to retain that record for at least five years after the date of the transaction. For blocked property and funds, the five-year clock does not begin to run until the property is unblocked. The record must be available for examination by OFAC for the entire retention period. The rule applies to U.S. persons, U.S.-incorporated entities and their foreign branches, foreign subsidiaries of U.S. persons where program-specific extraterritoriality attaches (notably the Cuban Assets Control Regulations and the Iranian Transactions and Sanctions Regulations), and any person within the United States.

The records contemplated are broad in scope: wire transfer messages and SWIFT MT103/MT202 traffic, letters of credit, bills of lading, customer due-diligence files, screening logs, license applications and the licenses themselves, voluntary self-disclosure correspondence, rejected and blocked transaction reports filed under 31 CFR 501.603 and 501.604, and internal compliance committee minutes documenting the rationale for proceeding with or declining a transaction. Section 501.602 separately empowers OFAC to demand the production of any such records, and a failure to maintain or furnish them is independently sanctionable under 50 U.S.C. § 1705 — currently carrying civil penalties of up to the greater of $368,136 (as adjusted annually for inflation) or twice the value of the underlying transaction, and criminal penalties of up to $1 million and 20 years' imprisonment for willful violations.

Contemporary enforcement illustrates the rule's reach. In the 2019 Standard Chartered Bank settlement of approximately $639 million with OFAC, deficient transaction records concerning Iranian-nexus payments figured prominently in the agreed statement of facts. The 2023 British American Tobacco settlement of $508 million for North Korea-related conduct cited recordkeeping failures alongside the substantive violations. OFAC's Framework for Compliance Commitments, published 2 May 2019 by the Treasury under Director Andrea Gacki, identifies recordkeeping as a foundational component of the five essential elements of a sanctions compliance program, alongside management commitment, risk assessment, internal controls, and testing and auditing. Examination teams from the New York Department of Financial Services and the Federal Reserve Bank of New York routinely cross-reference 501.601 retention when assessing institutional compliance.

The OFAC recordkeeping obligation must be distinguished from the Bank Secrecy Act recordkeeping rules administered by FinCEN under 31 CFR Chapter X, which govern currency transaction reports, suspicious activity reports, and the Travel Rule. BSA records generally require five-year retention as well, but the triggering events, custodial standards, and examining authorities differ. It is also distinct from the Export Administration Regulations recordkeeping requirement at 15 CFR Part 762, administered by the Commerce Department's Bureau of Industry and Security, which governs dual-use export documentation. A single cross-border transaction may simultaneously trigger all three regimes, and prudent compliance officers maintain integrated but separately tagged record sets to satisfy each regulator without confusion during examination.

Edge cases recur in practice. Cloud storage and offshore data hosting raise questions about whether records held by a foreign processor remain "available" to OFAC within the meaning of 501.601; OFAC's 2019 guidance treats accessibility, not physical location, as controlling. Mergers and acquisitions transfer the recordkeeping obligation to the surviving entity, a point emphasized in the 2017 ZAG-S&W and 2021 SAP SE settlements. Rejected transactions — those not executed because a counterparty matched a sanctions list — must still be documented and reported within 10 business days under 501.604, and the underlying screening hit detail must be preserved. The COVID-19 period also generated controversy over whether pandemic-era remote work arrangements satisfied custody standards; OFAC declined to relax 501.601 deadlines, in contrast to certain SEC accommodations.

For the working practitioner — whether a sanctions counsel at a global bank, a trade compliance officer at an industrial exporter, or a desk officer at the State Department's Bureau of Economic and Business Affairs coordinating with Treasury — Section 501.601 is the evidentiary spine of every OFAC matter. License applications submitted to OFAC's Licensing Division, voluntary self-disclosures seeking mitigation credit under the Economic Sanctions Enforcement Guidelines at 31 CFR Part 501 Appendix A, and defenses against pre-penalty notices all depend on contemporaneous records. Absent the underlying documentation, the regulated party cannot demonstrate good-faith reliance, cannot reconstruct the transaction chain, and cannot rebut OFAC's reconstruction. Recordkeeping is thus not a clerical afterthought but the operational predicate for every subsequent compliance, enforcement, and diplomatic engagement.