
OFAC Settlement Highlights Importance of Testing and Auditing Sanctions Compliance Controls

April 17, 2026

By Megan Y. Lew and Talya Hutchison

On March 17, 2026, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a settlement with U.S.-headquartered brokerage firm TradeStation Securities (TradeStation), which offers desktop, web and mobile securities trading platforms. TradeStation agreed to remit more than $1 million to settle claims that it “provided investment services to customers located in Iran, Syria, and the Crimea region of Ukraine (‘Crimea’) following a series of compliance control failures, enabling those customers to execute securities-related transactions.”[1]

Although TradeStation had a sanctions compliance program with technical systems, several technological aspects of these systems failed to function as designed. Coupled with lack of oversight from sanctions compliance personnel, these failures resulted in nearly 500 apparent violations.

The TradeStation settlement highlights the importance of actively managing the administration of sanctions compliance systems, as well as testing and validating these systems to ensure that they operate as intended.

  1. The Enforcement Action
    1. The Cause of the Apparent Violations

The apparent violations underlying TradeStation’s settlement stem from nearly 500 trades executed on TradeStation’s mobile securities trading platform by users in Iran, Syria and Crimea. OFAC identified two main causes of the apparent violations: (1) failures related to TradeStation’s geo-blocking controls; and (2) failures by TradeStation’s sanctions compliance personnel to test or validate the geo-blocking controls.

TradeStation’s sanctions compliance systems include sanctions screening during the customer onboarding process and daily screening thereafter. TradeStation also screened a prospective customer’s primary residence for sanctioned jurisdictions. In addition, the TradeStation compliance program was designed to utilize two tiers of geo-blocking controls to prevent customers located in sanctioned jurisdictions from accessing its trading platforms: (1) a firewall that blocked users with an IP address associated with a sanctioned jurisdiction and (2) a tool that blocked users at the login stage based on their location as determined by authenticating the user’s IP address. TradeStation received daily alerts generated by a third-party provider that identified users who had been blocked by the geo-blocking controls.

OFAC identified two issues with the geo-blocking controls that resulted in the apparent violations. First, when TradeStation upgraded the software supporting its mobile trading platform in 2018, the second-tier geo-blocking control inadvertently became ineffective. Instead of identifying a user’s IP address, the control identified the IP address associated with TradeStation’s U.S.-located server that supported the mobile trading platform. As a result, any user located in a sanctioned jurisdiction was not blocked by the second-tier geo-blocking control. Second, when the first-tier geo-blocking control was temporarily disabled for a software update in 2021, a TradeStation employee did not reenable the control until approximately a year later. These two failures combined resulted in an approximately one-year period when users in sanctioned jurisdictions accessed TradeStation’s mobile platforms and executed nearly 500 trades, totaling approximately $4.4 million.

OFAC also attributed the apparent violations to TradeStation’s failure to test or validate the geo-blocking controls. First, beginning in late 2021, TradeStation stopped testing the geo-blocking controls. TradeStation previously had a testing protocol for its on-premises servers but encountered issues when it realized that the test attempts were not proceeding to TradeStation’s systems because its internet service and cloud providers were blocking the attempts. Instead of altering the testing protocol to make it more effective, TradeStation ceased testing altogether. In addition, TradeStation lacked a testing protocol for its mobile platform. Second, TradeStation took no action when it received an expiration notification for its subscription to daily alerts identifying users that had been blocked by the geo-blocking controls. The employee who received the expiration notification failed to inform colleagues in the sanctions compliance department, and TradeStation did not receive daily alerts for over eight months.
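The second-tier failure and the missing validation described above can be illustrated with a short sketch. This is an added example, not TradeStation's code or anything from the OFAC release; it assumes the mobile backend relays the device address in an `X-Forwarded-For` header, and every address, range and function name is constructed for illustration.

```python
import ipaddress

# Assumptions, not from the settlement: documentation ranges stand in for a geo-IP
# database, and the firm's mobile backend relays the device address in a header.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed blocked range
MOBILE_BACKEND = ipaddress.ip_address("198.51.100.10")    # constructed own U.S. server
TRUSTED_RELAYS = {MOBILE_BACKEND}

def is_blocked(ip):
    return any(ip in net for net in BLOCKED_NETS)

def login_check_broken(peer_ip, headers):
    """Evaluates only the connecting peer; headers are ignored. For mobile
    traffic the peer is the firm's own server, so every login is allowed."""
    return not is_blocked(ipaddress.ip_address(peer_ip))

def effective_client_ip(peer_ip, headers):
    """Return the address the decision should be made on, or None if unknown."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_RELAYS:
        return peer                      # direct connection: never trust the header
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):           # nearest hop first, skipping our own relays
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                  # malformed entry: treat as unknown
        if addr not in TRUSTED_RELAYS:
            return addr
    return None                          # relay supplied no device address

def login_check_fixed(peer_ip, headers):
    client = effective_client_ip(peer_ip, headers)
    return client is not None and not is_blocked(client)   # unknown origin fails closed

def validate_control(check):
    """Replay constructed logins for each channel; return the names of failing cases."""
    xff = "X-Forwarded-For"
    cases = [  # (name, connecting peer, headers, expected "allowed")
        ("web-blocked", "203.0.113.7", {}, False),
        ("mobile-blocked", "198.51.100.10", {xff: "203.0.113.7"}, False),
        ("mobile-allowed", "198.51.100.10", {xff: "192.0.2.44"}, True),
        ("mobile-no-header", "198.51.100.10", {}, False),
        ("web-spoofed-header", "203.0.113.7", {xff: "192.0.2.44"}, False),
    ]
    return [name for name, peer, hdrs, want in cases if check(peer, hdrs) != want]
```

Because `validate_control` exercises the decision function directly rather than sending traffic from a blocked region, it can run after every software upgrade without depending on what upstream internet or cloud providers filter.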

    2. The Penalty

TradeStation self-disclosed the apparent violations to OFAC, which determined that they were not egregious. The base civil monetary penalty was approximately $2.2 million, which reflected 50% of the transaction value for each apparent violation. The penalty amount was further reduced due to the presence of several mitigating factors, including that TradeStation promptly remediated by instituting new controls and solutions that would quickly identify failures related to its sanctions compliance controls. However, OFAC noted that TradeStation’s receipt of a Cautionary Letter from OFAC in 2021 concerning apparent violations related to other issues with its geo-blocking controls was an aggravating factor. The penalty reduction resulted in a final penalty amount of $1,110,661.

  2. Compliance Takeaways

TradeStation’s OFAC settlement provides practical takeaways for sanctions compliance professionals. Most importantly, this settlement shows that sanctions compliance programs must be actively managed and routinely tested and audited. Compliance departments run the risk of overlooking compliance gaps — which could very well result in sanctions violations — if the sanctions compliance program is running on autopilot.

Below are key lessons learned from the TradeStation settlement:

  • Testing and Auditing: Thorough tests and audits of the compliance system should uncover any deficiencies in the company’s compliance controls. Company management should emphasize the importance of developing and adhering to a testing and auditing schedule. Indeed, OFAC’s Framework for Compliance Commitments states that testing and auditing constitute an “essential component” of an effective sanctions compliance program.[2] OFAC expects that company management “commits to ensuring that the testing or audit function is accountable to senior management.”[3] To further incentivize personnel to complete these tasks and instill accountability, company management may consider including testing and auditing activities in the annual performance review of relevant personnel.
  • Coordination Between IT and Compliance Departments: IT departments should take care to keep compliance departments informed of software upgrades, bug fixes and other similar actions so that the compliance department can run tests to ensure full functionality of its controls following the IT department’s work. Even if the IT department’s work does not directly impact compliance controls, testing nonetheless should be undertaken in case any inadvertent changes are made to compliance controls.
  • Checklists of Compliance-Related Alerts: Compliance departments should maintain a checklist of alerts, including those generated by internal systems and external providers, that they expect to receive. Regardless of whether these alerts are programmed on a daily, weekly or monthly schedule, maintaining a checklist will allow compliance departments to quickly realize if an alert was not received. From there, compliance departments can check if any subscriptions to alerts need to be renewed.
  • Compliance Controls for All Customer Channels: Companies should ensure that they have compliance controls for all channels available for customer purchases. For example, if a company offers its products or services through web and mobile channels, each of those channels should have sufficient compliance controls to prevent sanctions violations even if the software supporting each channel differs.
  • Implementation of Prior Enforcement Considerations: When a company is in receipt of an enforcement action alleging deficiencies in a compliance function, it is well served by paying special attention to the underlying root causes of any such enforcement action going forward. A compliance policy that considers when to affirmatively disclose violations voluntarily in light of past enforcement activity may serve a company’s economic interests well.

The TradeStation settlement shows us that an effective sanctions compliance program is more than just well-written policies and procedures. A robust compliance program may nonetheless fail if it is not implemented with continued care and proper oversight. While some degree of human or technical error in implementing a sanctions compliance program may be unavoidable, applying the lessons learned from the TradeStation settlement could mitigate any consequences of such errors.


[1] Enforcement Release: TradeStation Securities, Inc. Settles with OFAC for $1,110,661 Related to Apparent Violations of Multiple Sanctions Regulations, U.S. Dep’t of Treasury (Mar. 17, 2026), https://ofac.treasury.gov/media/935351/download?inline.

[2] OFAC, A Framework for OFAC Compliance Commitments (May 2, 2019), https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.

[3] Id.
