Office of Foreign Assets Control (OFAC) sanctions enforcement does not always begin with a blocked transaction. In one recent case involving a U.S. FinTech company offering non-custodial digital asset wallets globally, regulators focused instead on how customer questions were answered, how technical guidance was delivered, and how frontline teams responded when users connected from a comprehensively sanctioned country. 

The $3 million settlement tied to Iran-related activity shows how OFAC compliance expectations now extend deep into customer-facing operations. Over time, routine support interactions with users located in Iran led regulators to conclude that the company had exported prohibited services under OFAC regulations, despite not holding customer funds or executing transactions itself. 

For FinTech, SaaS, and digital platform businesses operating at global scale, this case underscores a critical shift. OFAC compliance is no longer confined to transaction screening or onboarding checks. It applies to the people, processes, and systems that support users every day. Without structured controls, training, and oversight, customer support can become a hidden sanctions risk. 

Key Takeaways 

  • U.S. FinTech platforms remain fully accountable under OFAC compliance rules. Operating as a non-custodial platform or infrastructure provider does not reduce sanctions obligations when services reach sanctioned jurisdictions. 
  • Customer support is now a primary sanctions risk area. Guidance that enables users to bypass controls, including VPN-related advice, can trigger enforcement exposure just as directly as facilitating a transaction. 
  • OFAC compliance governs how services are delivered. Technical assistance provided to users in Iran was treated as a prohibited export under OFAC regulations, even where no transaction processing occurred. 
  • Written policies do not substitute for controls. Without training, escalation paths, and enforcement mechanisms, Terms of Use provide limited protection during an investigation. 
  • Continuous screening and governance are expected. Denied party screening that uses OFAC screening software or sanctions screening software helps ensure each OFAC sanctions check is consistent, documented, and defensible as risk profiles evolve. 

A Timeline of the Violations and Enforcement Action 

The enforcement record shows how repeated support activity, rather than a single event, led to sustained OFAC compliance exposure. 

  • October 17, 2017 – January 4, 2019: The FinTech company’s customer support teams provided technical assistance on 254 occasions to users who identified themselves as being located in Iran, a comprehensively sanctioned jurisdiction under OFAC regulations. 
  • Early 2018: Access restrictions relied largely on user self-certification through Terms of Use, with no effective operational controls, training, or escalation processes to prevent support interactions with sanctioned users. 
  • April 2018: A third-party exchange integrated into the wallet began blocking Iranian users using IP-based controls to comply with U.S. sanctions requirements. 
  • May 2018 – late 2018: Despite internal awareness that the exchange restrictions were sanctions-related, customer support staff continued assisting Iranian users and, in at least 12 documented cases, recommended VPN use to bypass IP-based blocks. OFAC later classified these interactions as egregious. 
  • December 16, 2025: OFAC announced a $3.1 million settlement, requiring $2.47 million paid within 15 days of execution and $630,000 suspended pending investment in a formal sanctions compliance program, citing repeated OFAC compliance failures tied to Iran-related customer support. 

This timeline reflects OFAC’s core enforcement position that sanctions risk accumulated through routine operational decisions that were neither screened, escalated, nor documented. 

Where OFAC Compliance Fell Short (And What Regulators Expect Instead) 

The enforcement action shows that the violations were not isolated errors, but the result of structural gaps in how OFAC compliance was implemented, monitored, and enforced across daily operations. 

  • Customer support was incorrectly scoped as operational, not regulated: OFAC’s enforcement made clear that customer-facing technical assistance falls within the scope of regulated services. By treating customer support as an operational function rather than a sanctions-sensitive activity, the company allowed frontline teams to engage with users in Iran without appropriate safeguards, creating sustained OFAC compliance exposure. 
  • Contractual restrictions were not backed by execution: OFAC rejected the idea that Terms of Use alone could prevent violations when employees were neither trained nor prevented from assisting users in sanctioned jurisdictions. Without enforcement mechanisms, self-certification did not mitigate risk under OFAC regulations. 
  • Sanctions awareness failed to change frontline behavior: The investigation showed that internal understanding of sanctions-related access restrictions did not translate into compliant outcomes. In multiple cases, support staff acknowledged sanctions limitations while still offering guidance that enabled continued access, a factor OFAC cited in classifying the conduct as egregious. 
  • Screening and escalation were absent from support workflows: OFAC identified the lack of screening, escalation, and documented review as a systemic weakness. Without denied party screening, structured escalation paths, or a reliable OFAC search tool, sanctions-related decisions were handled inconsistently and without audit-ready records. 
  • Weak controls led to extended regulatory oversight: Because the compliance gaps reflected structural issues rather than isolated errors, OFAC imposed multi-year governance, training, audit, and certification requirements. The outcome underscores how OFAC compliance failures often result in long-term operational obligations beyond the initial penalty. 

Build OFAC Compliance into Operations Before Enforcement Does It for You 

The FinTech enforcement action is a wake-up call for technology companies operating at a global scale. The failure was operational rather than technical. Customer support teams were left to make sanctions-sensitive decisions without screening, escalation, or documentation, and those routine interactions became violations of OFAC compliance requirements. The result was a $3 million penalty and years of mandatory compliance oversight.

For U.S. FinTech, SaaS, and platform businesses, the message is clear: OFAC compliance must extend beyond onboarding checks and transaction controls into the workflows that support users every day. Without structured processes, audit-ready records, and consistent enforcement, sanctions risk accumulates quietly until regulators step in. 

Descartes supports operational, defensible OFAC compliance through OFAC sanctions check tools designed for real-world enforcement expectations: 

  • OFAC Compliance Solutions: Apply sanctions controls across users, services, and operational touchpoints, not just transactions. 
  • Denied Party Screening: Enable accurate screening and rescreening as lists change to reduce exposure to sanctioned parties. 
