Facts and Penalties

Interactive Brokers LLC (IB) has agreed to pay $11,832,136 to settle its potential civil liability for 12,367 apparent violations of multiple sanctions programs, including those targeting Iran, Russia, Syria, and China. Between 2016 and 2024, the firm improperly provided services to persons in sanctioned jurisdictions, processed payments to blocked Russian banks, and facilitated trading in securities of sanctioned issuers. These violations stemmed primarily from deficiencies in the firm’s screening technology, such as technical bugs in IP geo-blocking software and a failure to update blocking lists to include Crimea. Although the statutory maximum penalty exceeded $5 billion, the significantly reduced settlement amount reflects that IB voluntarily self-disclosed the matters and cooperated substantially with OFAC. However, OFAC identified several aggravating factors, noting that IB failed to exercise due caution for over eight years despite being a highly sophisticated, technology-driven financial institution. Additionally, the agency emphasized that IB's conduct harmed U.S. policy objectives by providing sanctioned persons and entities with access to the U.S. financial system.

Compliance recommendations and lessons to learn

• This enforcement action serves as a critical reminder that firms must rigorously test and audit their automated compliance tools, such as IP geo-blocking and margin liquidation systems, to ensure they function as intended.
• Businesses cannot rely solely on customer-provided "Know Your Customer" (KYC) data; they must utilize all available location information, including IP addresses, to verify residency and screen against sanctioned jurisdictions.
• It is essential to modernize sanctions compliance infrastructure at the same pace as customer-facing technologies to prevent gaps where automated trading platforms might bypass screening filters.
• Companies should also exercise extreme caution when interpreting general licenses, as IB’s mistaken belief that "wind-down" licenses authorized certain payments to Russian banks led to significant violations.
• Furthermore, firms must ensure adequate resource allocation so that compliance teams can promptly review and escalate alerts without the delays that contributed to IB’s failures.
• Finally, conducting proactive, self-initiated internal reviews is highly recommended, as discovering and voluntarily disclosing issues can drastically reduce penalties compared to those discovered by regulators.

Due diligence checklist tailored for investment companies:

Based on the enforcement actions and guidance provided in the files, here is a due diligence checklist tailored for investment companies (broker-dealers, funds, investment advisers). This checklist focuses on mitigating sanctions risks by looking beyond just the direct customer.

• Assess Geographic Risk: Identify if the firm or its customers operate in high-risk jurisdictions or offshore financial centers
• Review Product Risks: Evaluate if specific products (e.g., foreign exchange, penny stocks, margin lending) pose higher sanctions risks
• Map Intermediary Relationships: Determine who holds the ultimate customer relationship (e.g., are you a custodian for another bank's omnibus account?) and assess the risk of "blind spots" where the beneficial owner is unknown
• Identify Beneficial Owners: Do not stop at the entity name; identify the natural persons who own or control the structure. FinCEN guidance suggests a rigorous approach to identifying beneficial owners
• Screen All Parties: Screen not just the account holder, but also beneficial owners, fund advisors, and principals against the SDN List and other relevant lists
• Apply the "50% Rule": Verify if a corporate customer is 50% or more owned, directly or indirectly, by blocked persons. If so, the customer itself is blocked
• Verify Location Data: Cross-reference customer-provided addresses with objective data like IP addresses. Do not rely solely on the customer's stated residency
• Screen Underlying Securities: Before executing trades or holding assets, screen the issuer of the security. Holding shares of a company that is 50% owned by a sanctioned person can be a violation
• Check Foreign Funds: If investing in foreign funds, ensure the fund does not invest in sanctioned jurisdictions (e.g., Iran) or blocked entities
• Monitor Margin & Collateral: Ensure that margin loans are not extended to blocked persons or secured by blocked collateral
• Request Sub-Account Data: For omnibus accounts held for foreign financial institutions, consider requesting information on the underlying sub-account holders if the jurisdiction is high-risk
• Vet the Intermediary's Compliance: If relying on a third party (like an introducing broker) to perform KYC, assess the quality of their sanctions compliance program
• Implement IP Geo-Blocking: Use software to block access from comprehensively sanctioned jurisdictions (e.g., Cuba, Iran, North Korea, Syria). Ensure this software is regularly tested for bugs
• Test Screening Filters: Regularly audit screening tools to ensure they catch variations of names, misspellings, and updated sanctions lists (e.g., ensure new regions like Crimea or Donetsk are added)
• Automate Issuer Restrictions: Configure trading systems to automatically reject trades in securities of sanctioned issuers (e.g., Chinese Military-Industrial Complex companies)
• Monitor for "Status Changes": Re-screen customers regularly, as a legitimate customer today could be designated as an SDN tomorrow
• Watch for Evasion Red Flags: Customers using obscure ownership structures or shell companies. Incomplete or confusing information about beneficial owners. Transactions that seem inconsistent with the customer's known business or history

What Happened

Fracht FWO Inc., a Houston-based freight forwarder, has agreed to pay $1,610,775 to settle civil liability for apparent violations of Venezuela and Iran sanctions programs. The case centered on a 2022 transaction where Fracht, rushing to meet an urgent client request, chartered a flight with "EMTRASUR," a blocked Venezuelan airline, which used an aircraft owned by the sanctioned Iranian entity Mahan Air. Senior executives bypassed the company's own internal screening protocols to expedite the deal, ignoring clear red flags like the aircraft’s Venezuelan tail number and the carrier’s known affiliation with the blocked entity CONVIASA. OFAC deemed the case "egregious" because senior managers had actual knowledge of the blocked counterparty yet proceeded anyway to satisfy commercial demands. The penalty was heavily influenced by aggravating factors, particularly the company's "reckless disregard" for sanctions laws and the fact that they did not voluntarily self-disclose the violation before the government discovered it. Ultimately, this case serves as a warning that providing economic benefits to sanctioned regimes—even inadvertently through intermediaries—carries severe financial and reputational costs.

Recommendations for Business: Lessons Learned

• Never trade compliance for speed: Commercial urgency is never a valid defense for skipping sanctions checks; OFAC views bypassing your own internal controls to "get the deal done" as reckless disregard.
• Screen asset identifiers, not just names: Your screening process must go beyond entity names to include specific identifiers like aircraft tail numbers (e.g., YV-3531) or vessel IMO numbers to catch blocked property that might otherwise slip through.
• Empower your compliance function: Compliance officers must have the autonomy to block transactions and override senior business executives when red flags are identified.
• Vet your intermediaries: Freight forwarders and logistics providers are liable for the actions of their subcontractors; you must conduct due diligence on brokers and carriers to ensure they aren't using blocked assets.
• Train staff on "Red Flags": Operational teams should be trained to spot warning signs, such as a flight originating from a sanctioned jurisdiction or a carrier using a crew from a high-risk country like Iran.
• Invest in immediate remediation: If a compliance failure occurs, taking swift action—such as hiring additional compliance staff or updating contract templates—can be a significant mitigating factor in reducing penalties.

Practical "Red Flags" checklist tailored for freight forwarders and logistics companies:

• Asset identifiers match blocked property: The aircraft tail number, vessel IMO number, or other unique identifier matches property on the SDN List (e.g., specific tail numbers like "EP-MND" or "YV-3531").
• Prefixes indicating sanctioned jurisdictions: The asset carries a registration prefix associated with a sanctioned country (e.g., a "YV" tail number indicating a Venezuelan aircraft).
• Ownership links to blocked Entities: The carrier or operator is a subsidiary or affiliate of a blocked entity, even if the subsidiary itself is not explicitly named on the SDN List (the "50% Rule").
• Crew nationality: The use of flight or vessel crews from high-risk or sanctioned jurisdictions (e.g., an Iranian flight crew operating a non-Iranian aircraft).
• Suspicious itineraries: Flight plans or shipping routes include unexplained layovers, stops, or origins in sanctioned countries (e.g., a flight arriving from or stopping in Venezuela before picking up cargo).
• Commercial urgency overriding compliance: The customer or internal stakeholders pressure staff to expedite a transaction, skip standard screening steps, or ignore "red flags" to meet tight deadlines.
• Opaque ownership structures: The counterparty uses complex ownership structures, shell companies, or intermediaries that obscure the ultimate beneficial owner.
• Incomplete or reluctant KYC: The customer refuses to provide updated Know Your Customer (KYC) information, beneficial ownership details, or specifics about the end-user.
• Location mismatches: The customer's IP address, phone number, or physical location data does not match their stated address (e.g., logging in from a sanctioned jurisdiction like Iran or Crimea).
• Payments to third parties: Requests to make payments to unrelated third parties or entities with no clear role in the transaction, particularly if located in high-risk jurisdictions.
• Transshipment concerns: Use of transshipment points in third countries (e.g., UAE or Turkey) known for diversion to sanctioned jurisdictions (like Iran or Russia) to bypass embargoes.
• Falsified documentation: Shipping documents (Bills of Lading, invoices) that list false end-users, obscure the ultimate destination, or omit reference to sanctioned parties.
• Inconsistent trade patterns: The transaction involves goods or values that are inconsistent with the customer's normal business history or known industry practices.
• "Late Fees" to unknown entities: Unexpected requests to pay additional fees (such as "late loading fees") to entities that have not been fully vetted.

Key facts

ShapeShift AG, a digital asset exchange incorporated in Switzerland but operating out of Denver, has agreed to pay a $750,000 settlement for apparent violations of U.S. sanctions against Cuba, Iran, Sudan, and Syria. Between 2016 and 2018, the company processed over $12 million in transactions for users in these jurisdictions because it had no sanctions compliance program in place. OFAC determined the case was non-egregious, but highlighted significant aggravating factors, including ShapeShift's failure to exercise a minimal degree of caution by ignoring the IP address data it collected. The agency noted that ShapeShift had "reason to know" its users were in sanctioned jurisdictions and that its actions harmed the integrity of U.S. sanctions programs by providing economic benefits to prohibited persons. The significantly reduced penalty reflects the company's cooperation, its financial constraints, and the fact that it is now a defunct entity.

Compliance recommendations

• Foreign incorporation is not a shield: Entities incorporated abroad are still subject to U.S. jurisdiction if their headquarters, senior management, or business operations are located within the United States.
• Utilize the data you have: It is insufficient to merely collect customer data; you must actively screen all available information, especially IP addresses and geolocation data, to block users from sanctioned jurisdictions.
• Build compliance early: Do not wait for a subpoena to start your program; compliance controls should be integrated during the development and beta testing stages of your product.
• Remediate immediately: If you discover compliance gaps, taking prompt remedial action—such as implementing mandatory screening or blocking high-risk IP addresses—can be a significant mitigating factor.

The Facts: willful violations in real estate

OFAC has imposed a significant penalty of $4,677,552 on an individual ("U.S. Person-1") for willfully violating Russia-related sanctions and failing to comply with an administrative subpoena. The individual, acting through King Holdings LLC, purchased a residential property at a foreclosure auction that was previously owned by a sanctioned Russian person and therefore remained "blocked" property. Despite receiving a direct notice from OFAC that the property was blocked, the individual proceeded to mortgage, renovate, and eventually sell the home to an unsuspecting third party for $1.4 million. Aggravating the situation, the individual concealed the impending sale by certifying a false response to an OFAC subpoena. OFAC deemed the case egregious because the individual acted willfully after actual notice, concealed their conduct, and caused significant economic harm to the third-party buyer and financial institutions involved.

Compliance lessons for business

This action serves as a critical reminder to the real estate sector that property rights do not override federal sanctions:

• a foreclosure does not automatically "cleanse" a property of its blocked status
• real estate professionals and investors must conduct thorough due diligence, including researching prior ownership history to identify any sanctioned interests
• if your business receives a warning or subpoena from OFAC, you must stop the prohibited activity immediately and provide completely truthful responses
• concealment or providing false certifications to regulators are severe aggravating factors that will dramatically increase penalties
• companies should ensure their compliance programs include screening for both direct and indirect property interests of blocked persons to avoid similar liabilities
• finally, this case proves that sanctions liability applies strictly to individuals as well as corporate entities

Practical due diligence checklist designed to help real estate professionals and investors flag potential blocked property risks:

Main facts of the case and penalty details

OFAC has imposed a statutory maximum penalty of $215,988,868 on GVA Capital Ltd., a San Francisco-based venture capital firm, for willfully violating Ukraine/Russia-related sanctions and reporting obligations. The firm knowingly managed investments for sanctioned Russian oligarch Suleiman Kerimov between 2018 and 2021, despite having actual knowledge of his blocked status. GVA Capital executives had previously met Kerimov in person to secure funding and continued to facilitate his interests post-designation by working through his nephew, a known proxy. The penalty was aggravated by the firm's reckless disregard for legal advice cautioning against such transfers and its attempt to conceal the sanctioned individual's involvement. Furthermore, the firm failed to fully respond to an OFAC administrative subpoena for over two years, which significantly compounded the severity of the enforcement action.

Recommendations and lessons for businesses

This case highlights critical compliance lessons for venture capital firms, investment advisers, and other financial "gatekeepers."

• Look beyond the paperwork: You cannot rely on formalistic ownership structures or nominees if you have actual knowledge that a sanctioned individual retains control or a property interest in an investment.
• Monitor existing investors: Compliance is not just for onboarding; you must have controls to identify and block assets if an existing investor is subsequently designated by OFAC.
• Gatekeepers bear responsibility: Investment professionals play a crucial role in the financial system and are expected to prevent illicit actors from accessing U.S. markets, regardless of the complexity of the investment vehicle.
• Take subpoenas seriously: Failing to respond timely and completely to an OFAC administrative subpoena is a separate violation that can lead to significant additional penalties.
• Implement risk-based controls: Non-bank financial institutions must maintain a sanctions compliance program tailored to their specific risks, particularly when dealing with high-net-worth individuals from high-risk jurisdictions.

Key Facts

Harman International Industries, Inc. has agreed to pay $1,454,145 to settle potential civil liability for 11 apparent violations of the Iranian Transactions and Sanctions Regulations. The violations occurred between 2018 and 2020 when 13 overseas employees of Harman's U.S. subsidiary facilitated the diversion of audio products to Iran through a distributor in the United Arab Emirates (UAE). These employees, who were middle-level managers, willfully obscured the destination of the goods in internal communications by using code words like "North Dubai" and "up north". OFAC determined this case was egregious due to several aggravating factors, including the willful nature of the employees' conduct and their actual knowledge of the prohibited sales. Furthermore, the lack of an adequate compliance program caused harm to U.S. sanctions objectives by allowing goods to reach Iranian end-users, including the Government of Iran. Finally, OFAC highlighted that as a large, commercially sophisticated company operating worldwide, Harman failed to implement compliance controls commensurate with its size and risk profile.

Compliance Recommendations

• Ensure independent oversight of foreign employees: Geographic distance does not insulate a U.S. parent company from liability; you must maintain robust oversight of overseas staff and subsidiaries.
• Do not rely on business units for compliance: Allowing sales-driven business units to "self-police" is risky because they often prioritize revenue generation over regulatory obligations.
• Empower your compliance function: Maintain a strong, independent compliance department with sufficient resources and authority to effectively monitor risks across the entire organization.
• Scrutinize distributors in high-risk hubs: Distributors located in transshipment hubs like the UAE require dedicated attention and enhanced monitoring to ensure they are not diverting goods to sanctioned jurisdictions.
• Watch for evasion techniques: Train staff to recognize potential evasion tactics, such as the use of coded language or euphemisms in sales communications.
• Extend controls globally: Ensure that your corporate sanctions policies and internal controls are effectively implemented throughout all foreign branches and subsidiaries, not just at headquarters.

Checklist of "Red Flags":

• Use of Euphemisms: Does the distributor or internal sales staff use vague geographic terms like "the northern region," "North Dubai," or "up north" instead of specific country names?
• Inconsistent Documentation: Do export declarations, shipping labels, or invoices list a destination that differs from the final end-user location discussed in emails?
• Obfuscation of End-Users: Is the distributor reluctant to provide specific details about the ultimate end-users, or do they claim the goods are for general "stock" in a region known for re-export?
• Mismatch in Business Focus: Does the distributor’s ordered volume significantly exceed the known domestic demand of the country where they are located?
• Ex Works Shipments: Does the distributor insist on "ex works" terms where they collect goods from your warehouse and handle all onward shipping and export filings themselves, limiting your visibility into the final destination?
• High-Risk Transshipment Hubs: Is the distributor located in a known transshipment hub (e.g., UAE, Hong Kong, Turkey) near a sanctioned jurisdiction?
• Sales Team Pressure: Are sales targets driving employees to overlook compliance checks or advocate for distributors despite known risks?
• Internal Suspicions: have any employees (finance, logistics, or sales support) raised informal concerns or "suspicions" about a specific distributor that were not formally investigated?
• Lack of Audit Rights: Does your contract with the distributor lack clauses that grant you the right to audit their sales records or demand end-user verification?

The Case

Key Holding, LLC, a U.S.-based logistics company, has agreed to pay a $608,825 settlement for apparent violations of the Cuban Assets Control Regulations committed by its Colombian subsidiary. The violations involved 36 freight shipments to Cuba, primarily foodstuffs and some machinery, which occurred because the U.S. parent failed to implement a compliance program after acquiring the subsidiary in 2021. OFAC highlighted several aggravating factors, specifically that the company failed to exercise due caution regarding the acquisition and that the subsidiary's staff were fully aware of the Cuba shipments. Furthermore, regulators emphasized that as an international freight forwarder, the company warranted a higher standard of care regarding sanctions compliance. The penalty was reduced from the statutory maximum because the company voluntarily self-disclosed the violations and cooperated with the investigation.

Compliance recommendations for business

• Prioritize post-acquisition integration: You must ensure that newly acquired foreign subsidiaries are immediately made aware of and integrated into your sanctions compliance program, as they may become subject to U.S. jurisdiction upon acquisition.
• Understand foreign subsidiary liability: It is critical to remember that under the Cuban Assets Control Regulations, foreign entities owned or controlled by U.S. persons are directly prohibited from trading with Cuba.
• Implement document review protocols: Logistics companies should establish escalation systems to carefully review shipping documents, such as air waybills and bills of lading, to flag sanctioned destinations before processing.
• Train global staff on U.S. jurisdiction: You should provide targeted training to employees in foreign offices to ensure they understand how U.S. sanctions regulations apply to their specific daily operations.
• Adopt automated screening tools: Utilizing platforms that allow for automatic, continuous screening of shipments can help prevent human error and ensure compliance with complex export controls.