OFAC, COAF and FATF: why a serious OTC rejects certain clients — and how this protects you
Rica Morais, Chief Operating Officer · SuitCoin · March 13, 2026 · 7 min read
We sometimes reject clients. It's not an easy decision — no company likes to say no to revenue. But there is a set of situations where the only possible answer is not to operate, and where operating would be worse than losing the business.
OFAC, COAF and FATF are the three pillars of the global financial crime prevention system that any serious SPSAV needs to know — and operate within.
"An OTC that rejects clients for compliance reasons is protecting those who remain. It's not exclusion — it's curation."
What each one is
OFAC
Office of Foreign Assets Control
US Treasury agency that administers economic and trade sanctions. Its SDN (Specially Designated Nationals) list contains sanctioned individuals, companies and countries. Any financial transaction with a listed entity is prohibited — regardless of where the transaction occurs. A Brazilian company that uses dollars is subject to OFAC's reach.
COAF
Financial Activities Control Council (Brazil)
Brazil's Financial Intelligence Unit. Receives suspicious operation reports from financial institutions and obligated entities — including SPSAVs. Analyzes money laundering and terrorism financing patterns and, when necessary, forwards them to the Public Prosecutor.
FATF
Financial Action Task Force (GAFI)
Intergovernmental organization that sets global standards for combating money laundering and terrorism financing. Its recommendations are adopted by more than 200 jurisdictions — including Brazil. FATF maintains lists of non-cooperative countries — operations with clients from these jurisdictions have automatic restrictions for compliant SPSAVs.
The global financial crime prevention system exists to ensure the financial system is not used to finance violence, terrorism or serious crime. SPSAVs are part of this system.
Why SPSAVs are required to verify these lists
Joint Resolution 13/2024 and Law 9,613/98 (the Money Laundering Law) require SPSAVs to verify all clients before granting access and to monitor operations continuously. Failing to comply has consequences ranging from significant fines to cancellation of the operating authorization.
Which situations generate automatic rejection
Situations that result in rejection
✗ Entity or partner on OFAC's SDN list
✗ Client domiciled in a FATF non-cooperative jurisdiction
✗ PEP (Politically Exposed Person) without additional documentation justifying the risk profile
✗ Declared activity inconsistent with the company's actual profile
✗ Operations with money laundering characteristics (structuring, layering)
How these verifications protect you as a client
When you operate with an SPSAV that performs these verifications correctly, you are in a curated environment — with other clients who have passed the same qualification process:
No other clients with incompatible risk profiles on the same platform
Documentary trail that supports your own compliance audit
Within the regulated perimeter — which reduces regulatory risk for your company
Reduced risk of having an operation blocked or questioned by your own bank's compliance
What continuous monitoring means
Verification doesn't happen only at onboarding. SuitCoin monitors operations and clients continuously — new list updates, changes in risk profile, unusual operation patterns. This protects the environment that all active clients share.
Rica Morais, Chief Operating Officer · SuitCoin
Economist from Unicamp, Rica has been COO of SuitCoin since its founding — including the SPSAV licensing process with the Central Bank. Lecturer at FIA and startup mentor. Writes about what actually matters for those making financial decisions using crypto.