The OFAC Trap Most Companies Will Fail: The 10-Year Record Rule Is Now Law
- Viktoria Soltesz PSP Angels Ltd - CY10406204F
- Mar 31

If you are only hearing about OFAC’s new 10-year recordkeeping rule today, it’s already too late and you are at risk.
Starting 21 March 2025, the rule applies to anyone subject to U.S. sanctions laws, including non-U.S. firms. If your business touches U.S. dollars, U.S. infrastructure, U.S.-owned entities, or sanctioned jurisdictions in any way, this rule applies to you. This includes companies using U.S. correspondent banks, international payment processors, or outsourced compliance providers, too.
The implications go far beyond compliance. Payment structures, data retention policies, vendor agreements, and internal documentation systems must all adapt—immediately.
EU companies face an added risk.
Under GDPR and AML regulations, personal data collected for AML purposes generally must be deleted after five years unless there’s a specific legal obligation to keep it longer. That’s where the problem starts. OFAC has acknowledged this tension but won’t accept it as an excuse for non-compliance.
There is no transition period. No exemptions. No grace window.
Is your business ready?