29 July 2025

Beyond The Fine: What Financial Gatekeepers Must Learn From Interactive Brokers' OFAC Settlement

Baker Botts LLP


The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has significantly increased its focus on sanctions compliance for "financial gatekeepers," including financial institutions and other firms managing access to the U.S. financial system. This shift is underscored by OFAC's recent settlement with Interactive Brokers (IB) LLC, which highlights the need for such firms to deploy dynamic compliance programs that go beyond superficial information to identify and mitigate sanctions risks, regardless of transaction or client complexity. The severity of the IB and related enforcement actions emphasizes the growing need for sanctions vigilance across all financial sectors.

The Issue: IB's Compliance Breakdowns

On July 15, 2025, OFAC announced an $11.8 million settlement with IB, addressing 12,367 apparent violations of multiple U.S. sanctions programs between July 2016 and January 2024. IB's failures primarily stemmed from its inability to look past initial client data and integrate its technology to prevent sanctions violations. As a direct result, IB provided brokerage and investment services to individuals in comprehensively sanctioned jurisdictions, including Cuba, Iran, Syria, and the Crimea region of Ukraine.

Although many customers provided "Know Your Customer" information indicating non-sanctioned residences, other data, including IP addresses, showed that they were within sanctioned jurisdictions, exposing a failure to integrate all available information for accurate customer location verification.

Other compliance breakdowns in IB's program included:

  • Geo-blocking Flaws: IB's IP geo-blocking controls had technical bugs and were not adequately audited or tested, allowing access from sanctioned jurisdictions. Crimea was initially omitted from blocking lists before May 2019, and from May 2019 to June 2021, IB did not include IP addresses linked to Sevastopol, the largest city on the peninsula.
  • Misinterpretation of Licensing Authority: IB processed 259 customer funds transfers to blocked Russian banks between February 25, 2022, and October 10, 2022, mistakenly believing that relevant wind-down general licenses authorized these transactions.
  • Automated System Blind Spots: IB's automated trading system lacked sanctions screening for margin-related automatic liquidation orders, which allowed 29 sale transactions on behalf of U.S. persons in issuers subject to Chinese Military-Industrial Complex sanctions. Additionally, a limited technical deficiency allowed two accounts held by persons in Russia to reactivate account permissions for new margin loans, resulting in 66 margin loans that violated OFAC's new investment ban.
  • Insufficient Due Diligence on Beneficial Ownership: Delays in obtaining relevant ownership information led IB to process 18 transactions related to customer trading in securities issued by Xinjiang Water, which is majority-owned by an OFAC-designated paramilitary organization.
  • Alert Review Deficiencies: Thirteen transactions with sanctioned Venezuelan and Syrian individuals proceeded because IB staff incorrectly dispositioned sanctions alerts as false positives, or due to delays in reviewing alerts resulting from a lack of resources and unclear procedures.

Key Strategic Takeaways for Your Business:

The IB case reinforces OFAC's message that financial gatekeepers must establish comprehensive compliance programs that delve deeper than mere surface-level data to accurately uncover and address potential sanctions exposures. To navigate the dynamic nature of OFAC's sanctions regimes, firms should consider these areas:

  • Risk-Based Calibration & Geo-blocking: Controls should be well-designed to address specific sanctions risks, including appropriate, risk-based calibration of sanctions screening protocols and geo-blocking controls.
  • Data Integrity & System Audits: Businesses should ensure the integrity of data and software for sanctions compliance and conduct timely audits, testing, and remediation of compliance-related systems. Post-remediation validation is critical to confirm that a fix has its designed impact, especially for tech-based solutions.
  • Comprehensive Data Integration: Firms should obtain and use all available information, including IP address and geolocation data, to verify a customer's location or residency and integrate that data into compliance protocols.
  • Accurate Risk Assessment: Firms should accurately assess the sanctions risk presented by each of their service offerings, business lines, and systems/technologies in their day-to-day operations, including the scope and application of relevant prohibitions and license authorities.
  • Investment in Human Capital/Strong Compliance Culture: Businesses should prioritize robust sanctions compliance by investing in adequate personnel and promoting ongoing compliance training. This ensures that all relevant staff understand applicable sanctions regulations, accurately handle alerts, and recognize the severe implications of non-compliance.
  • Proactive Reviews & Self-Disclosure: Conducting proactive, self-initiated sanctions reviews to identify compliance deficiencies and potential apparent violations offers significant value. IB reduced a potential $2 billion maximum fine to $11.83 million by identifying and reporting its own extensive sanctions violations. This demonstrates that taking initiative to uncover and address compliance deficiencies, along with substantial cooperation and remediation, can lead to a far more favorable outcome.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
