
OFAC Enforcement Cases: 5 Key Lessons

Six real OFAC enforcement settlements — including BAT's $635M and Binance's $4B — and the specific compliance lessons exporters should take from each one.

Published By TradeLasso Team

The best compliance education is not theoretical. It comes from reading what real companies actually did wrong and what it cost them. OFAC publishes every civil enforcement action with detailed factual findings — the violations, the timeline, the aggravating and mitigating factors, and the final penalty. These documents are not dry regulatory filings. They are detailed case studies in exactly how compliance programs fail, what the decision points were, and what a different choice at each point would have cost or saved.

OFAC typically publishes between 10 and 20 civil enforcement actions per year, with total penalties often exceeding $1 billion annually. The cases range from multinational banks paying hundreds of millions to small businesses paying $15,000. What they share is that each one is traceable to a specific, preventable compliance failure — a stale list, a gap between written policy and operational practice, a red flag that went uninvestigated.

Here are six recent settlements, the specific compliance failures behind each, the factors that drove penalties up or down, and the lessons that apply to every exporter regardless of size.

Case 1: British American Tobacco — $635 Million (2023)

What Happened

BAT's Singapore subsidiary sold tobacco products to a North Korean entity through a series of third-party intermediaries from 2007 to 2016. The subsidiary allegedly received approximately $418 million in revenue from these sales, and the parent company allegedly received profits derived from the prohibited transactions. The subsidiary also allegedly made false representations to U.S. and Singaporean authorities about the North Korea business during the investigation.

The Compliance Failures

  • Using non-U.S. intermediaries to facilitate transactions with a comprehensively sanctioned country
  • Parent-subsidiary structure did not create a legal shield — the parent's receipt of profits was treated as participation in the underlying violations
  • Alleged active concealment and false statements during investigation, which drove up the penalty substantially

The Lesson

Corporate structure does not insulate you from sanctions exposure. If a non-U.S. subsidiary engages in prohibited transactions and any U.S. nexus exists — U.S. dollar settlement, U.S. personnel involvement, or receipt of profits by a U.S.-connected parent — the U.S. parent faces liability. Group-wide sanctions compliance programs are not optional for multinational companies.

The BAT case also highlights that obstruction during investigation multiplies the penalty. OFAC's enforcement guidelines treat cooperation as a significant mitigating factor and obstruction — including providing false information to regulators — as a major aggravating factor. The difference between a company that cooperates fully and one that conceals can easily represent 50% or more of the final settlement figure.

What would have changed the outcome: A group-level compliance policy covering all subsidiaries, regardless of jurisdiction, combined with a prohibition on the use of third-party intermediaries for transactions that would be prohibited if conducted directly.

Case 2: Binance — $4.3 Billion (2023)

What Happened

Binance, the world's largest cryptocurrency exchange, settled with OFAC, FinCEN, and the Department of Justice simultaneously for a combined $4.3 billion. OFAC's share of the settlement was approximately $968 million. The conduct involved permitting users in comprehensively sanctioned jurisdictions — Iran, Cuba, Syria, North Korea, and Crimea — to use Binance's platform over a multi-year period.

Binance had formal policies against users in sanctioned jurisdictions but implemented them inadequately. Users could easily circumvent geo-blocking by using VPNs, and Binance allegedly knew about this circumvention but did not take meaningful steps to prevent it. Internal communications reviewed during the investigation showed that employees were aware of the circumvention issue and discussed it, without escalating to meaningful remediation.

The Compliance Failures

  • Policies existed on paper but were not enforced operationally
  • The company knew its geo-blocking was being circumvented and chose not to strengthen it
  • KYC processes were insufficient to identify users in sanctioned jurisdictions despite available IP and device data
  • Internal escalation channels failed — awareness of the problem did not produce corrective action

The Lesson

A compliance program that exists only on paper is worse than no program at all. OFAC treats the gap between stated policy and actual practice as an aggravating factor. Knowing that your controls are being circumvented and failing to fix them is not a defense — it is evidence of willfulness.

The internal communication record is especially instructive. When employees document awareness of a compliance gap without it prompting action, those communications become the most damaging evidence in any subsequent enforcement action. A compliance culture is not about policy documents — it is about what happens when someone flags a problem.

What would have changed the outcome: Treating the circumvention reports as material compliance events requiring escalation and remediation, not informal discussion. Real-time IP data and enhanced KYC to detect sanctioned-jurisdiction users beyond geographic blocking.

Case 3: Apple Inc. — $466,912 (2019)

What Happened

Apple settled with OFAC for apparent violations involving apps distributed on the App Store that were associated with a Slovenian software developer added to OFAC's SDN List. Over approximately 2.5 years, Apple hosted, sold, and paid royalties to the SDN-listed developer. Apple's compliance program did not catch the SDN designation because its internal screening was run against a copy of the SDN List that had not been updated to reflect the addition.

Apple's penalty was relatively modest despite the 2.5-year duration, primarily because OFAC credited Apple for its cooperation, remediation steps taken after discovery, and the fact that Apple voluntarily disclosed the apparent violations. The case was treated as non-egregious.

The Compliance Failures

  • Using a stale copy of the SDN List rather than current, daily-updated data
  • No automated re-screening of existing counterparties against list updates
  • The developer had been on the SDN List for years before Apple's screening detected the match

The Lesson

Data freshness is not optional. OFAC updates the SDN List multiple times per week. A screening program that uses list data more than a day or two old is structurally unable to catch new designations. In an era when list data is available via real-time APIs, running against stale data is treated as a control failure.

Apple's case also shows what mitigation looks like in practice. Despite a years-long violation, the penalty was under $500,000 — well below the statutory maximum for the transactions involved. Voluntary disclosure, cooperation, and demonstrated post-discovery remediation directly and substantially reduced the outcome. The same violation, handled without disclosure or cooperation, would have produced a substantially larger figure.

What would have changed the outcome: Daily API-based list sync instead of static snapshots. Automated re-screening of all active developer accounts triggered by each SDN List update, not just at onboarding.
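The two controls named above (a fresh list and re-screening on every update) are easy to state and easy to skip. The following is an added example, not code from the TradeLasso post or product: it keeps a version tag on each list snapshot, flags a snapshot older than a configurable age, and re-screens every active counterparty whenever a newer snapshot arrives. The names, dates, the two-day staleness threshold and the suffix list are all constructed for illustration; `normalize` only folds trivial formatting variants and stands in for whatever matching your screening tool actually does.

```python
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: a list snapshot older than this is treated as stale, in line with the
# post's "more than a day or two old" threshold.
MAX_LIST_AGE_DAYS = 2
CORPORATE_SUFFIXES = {"doo", "srl", "spa", "ltd", "llc", "inc", "gmbh", "sa", "co", "corp"}


def normalize(name: str) -> str:
    """Case-fold, strip accents and punctuation, and drop corporate suffixes so that
    formatting variants of one name compare equal ("S.r.l." vs "SRL", etc.)."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^\w\s]", "", ascii_name.lower())  # "d.o.o." -> "doo"
    return " ".join(t for t in cleaned.split() if t not in CORPORATE_SUFFIXES)


@dataclass
class SdnSnapshot:
    version: str              # identifier of the list file, here its publication date
    published: date
    names: frozenset[str]     # normalized names

    @classmethod
    def from_raw(cls, version: str, published: date, raw_names) -> "SdnSnapshot":
        return cls(version, published, frozenset(normalize(n) for n in raw_names))


@dataclass
class Counterparty:
    cp_id: str
    name: str
    active: bool = True
    screened_against: str | None = None   # version of the snapshot last used
    hit: bool = False


def list_is_stale(snapshot: SdnSnapshot, today: date) -> bool:
    """The failure mode in the Apple case: screening against a snapshot nobody refreshed."""
    return today - snapshot.published > timedelta(days=MAX_LIST_AGE_DAYS)


def screen(cp: Counterparty, snapshot: SdnSnapshot) -> bool:
    cp.hit = normalize(cp.name) in snapshot.names
    cp.screened_against = snapshot.version
    return cp.hit


def rescreen_on_update(book: list[Counterparty], new_snapshot: SdnSnapshot) -> list[str]:
    """Re-screen every active counterparty against the new snapshot and return the
    ids that newly match. An onboarding-only screen never runs this step."""
    new_hits = []
    for cp in book:
        if not cp.active:
            continue
        already_hit = cp.hit
        if screen(cp, new_snapshot) and not already_hit:
            new_hits.append(cp.cp_id)
    return new_hits


def run_example():
    # Constructed data: the list as of onboarding, and a later file with one new entry.
    onboarding_list = SdnSnapshot.from_raw(
        "2024-01-02", date(2024, 1, 2), ["Acme Trading d.o.o."])
    updated_list = SdnSnapshot.from_raw(
        "2024-01-16", date(2024, 1, 16),
        ["Acme Trading d.o.o.", "Northwind Components S.r.l."])
    book = [
        Counterparty("cp-1", "NORTHWIND COMPONENTS SRL"),                # designated later
        Counterparty("cp-2", "Blue Harbor Logistics Ltd"),
        Counterparty("cp-3", "Northwind Components SRL", active=False),  # closed account
    ]
    for cp in book:
        screen(cp, onboarding_list)
    hits_at_onboarding = [cp.cp_id for cp in book if cp.hit]

    # Still running the January 2 file on January 20 is a stale screen.
    stale = list_is_stale(onboarding_list, date(2024, 1, 20))
    new_hits = rescreen_on_update(book, updated_list)
    return hits_at_onboarding, stale, new_hits


if __name__ == "__main__":
    print(run_example())   # ([], True, ['cp-1'])
```

The point of the `screened_against` field is auditability: when a match surfaces later, you can show which list version each counterparty was last checked against, which is exactly the question an enforcement review asks. Inactive accounts are skipped here on the assumption that they can no longer transact; if closed accounts can still receive payments, they belong in the re-screen set too.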

Case 4: Toll Global Forwarding — $6,131,855 (2022)

What Happened

Toll, a logistics and freight forwarding company, processed approximately 2,800 shipments involving parties in Iran, North Korea, Sudan, and Syria over a six-year period. The shipments were not originated by Toll but were handled as part of Toll's forwarding services. Toll's subsidiary had some sanctions compliance processes in place, but they were inconsistently applied and did not systematically screen all parties to each shipment.

A key factor in the case was that Toll's compliance procedures varied significantly between offices. Some offices screened counterparties; others did not apply the same standard. OFAC's findings treated the inconsistency itself as a compliance failure — not merely the individual transactions that resulted from it.

The Compliance Failures

  • Inconsistent application of screening procedures across offices and regions
  • Reliance on customer representations of shipment details without independent verification
  • Incomplete screening of all transaction parties — consignees, consignors, and notify parties were not all screened

The Lesson

Logistics and intermediary roles do not shield you from OFAC jurisdiction. If your business is anywhere in the transaction chain — as a freight forwarder, a payment processor, a platform, or a broker — you face the same screening obligations as the originating party. "We were just handling logistics" has never succeeded as a defense in an OFAC enforcement action.

The process consistency lesson is equally important. A policy that one office follows and another ignores is not a compliance program — it is selective compliance, which OFAC treats as equivalent to no compliance in the offices where it is not followed. Uniformity of controls across all business units is a baseline requirement, not an aspiration.

What would have changed the outcome: A centralized screening function or a shared screening platform that all offices are required to use, with controls that prevent shipment processing without a completed screen. Regular audits comparing screening logs to shipment volumes across offices.

Case 5: Nordgas S.r.l. — $950,000 (2023)

What Happened

Nordgas, an Italian company that manufactures industrial equipment, sold components to another Italian firm that Nordgas allegedly knew or had reason to know would re-export them to Iran. The transactions had a U.S. nexus because the components contained U.S.-origin content, and Nordgas's settlement was based on U.S. jurisdiction over re-exports of U.S.-origin items.

The transaction pattern included specific red flags that OFAC's enforcement release identified: the buying company had no clear legitimate business purpose for the components, the shipping route was inconsistent with a direct Italy-to-Italy transaction, and the stated end-use did not align with the buyer's known operations. Nordgas proceeded without investigating these flags.

The Compliance Failures

  • Insufficient due diligence on the stated end-use and end-user
  • Red flags in the transaction pattern — unusual routing, atypical buyer profile — were not acted on
  • No screening against U.S. sanctions lists despite U.S.-origin content in the products

The Lesson

You do not need to be a U.S. company to be subject to OFAC enforcement. If your products contain U.S.-origin content — including components, software, or technology — re-exports to sanctioned destinations can trigger OFAC jurisdiction regardless of your nationality or location. Non-U.S. exporters of U.S.-origin goods must screen as rigorously as U.S. exporters.

The red flag lesson from this case is particularly operational. OFAC's enforcement releases consistently identify specific transaction characteristics that preceded the violation: buyers with no clear end-use for the product, shipping routes that add unnecessary steps, payments routed through unusual jurisdictions, and requests for documentation suppression. These patterns are not subtle. A compliance reviewer trained to identify them will catch most of them before the transaction closes.

What would have changed the outcome: A formal red flag checklist applied to all transactions involving U.S.-origin content. Any red flag triggering an automatic hold and escalation before the transaction proceeds.

Case 6: Herbalife International — $370,992 (2023)

What Happened

Herbalife, the global nutrition and direct sales company, settled with OFAC for processing payments from Cuban distributors through its U.S.-based payment platform. The payments were processed over several years as part of Herbalife's distributor compensation system. Cuba is subject to comprehensive U.S. sanctions under the Cuban Assets Control Regulations, and the payment processing constituted prohibited transactions.

Unlike the BAT and Binance cases, Herbalife's settlement is notable for what happened after discovery: the company voluntarily disclosed the apparent violations to OFAC, cooperated fully with the investigation, and took significant remediation steps including terminating the Cuban distribution relationships and enhancing its sanctions compliance program. OFAC cited these factors explicitly in the enforcement release.

The Compliance Failures

  • Geographic screening did not identify Cuban distributors within the payment system
  • The compliance program did not cover the full transaction footprint — distributor payments in the U.S. payment platform were a gap

The Lesson

The mitigation framework is real and it works — if you use it correctly. The potential statutory maximum for Herbalife's violations was substantially higher than the $370,992 settlement. OFAC's enforcement release explicitly credited voluntary self-disclosure, full cooperation, and substantive remediation as the primary reasons for the reduced penalty.

The case is a direct illustration of what good post-discovery response looks like: disclose promptly, cooperate fully, fix the root cause, and demonstrate that the program has changed. Companies that follow this sequence consistently receive materially better outcomes than those that do not. The gap between a cooperative settlement and a non-cooperative one, applied to the same underlying conduct, can be measured in multiples of the penalty amount.

What would have changed the outcome: Geographically aware screening in the distributor payment system that flagged Cuban-address distributors before payments were processed.

Patterns Across All Six Cases

Reading these cases together, the same failure modes recur regardless of industry, company size, or geography:

Corporate structure is not a shield. Subsidiaries, intermediaries, and non-U.S. entities in the transaction chain are all reachable when any U.S. nexus exists. Routing transactions through a non-U.S. entity to avoid sanctions liability is itself treated as facilitation.

Paper compliance is an aggravating factor, not a defense. Policies without operational enforcement invite larger penalties than the same conduct under an undeveloped program. OFAC views the gap between stated policy and actual practice as evidence that the company knew what it was supposed to do and chose not to do it.

Data freshness is a structural requirement. Every case involving missed matches had a component where the compliance program operated against stale data — stale list, stale counterparty records, stale assumptions about who was covered. Real-time data is not a competitive advantage in compliance; it is the baseline.

Cooperation dramatically reduces outcomes. The spread between the Apple and BAT cases, for violations of comparable duration, illustrates what cooperation produces. Apple disclosed, cooperated, and remediated — and paid under $500,000. BAT allegedly obstructed and paid $635 million. The conduct underlying both was years-long. The variable was what happened after discovery.

Red flags in the transaction precede the violation. In every case, warning signs were present before the prohibited transaction completed. Unusual routing, mismatched end-use, atypical counterparty profiles — these are identifiable. The failure is not the presence of red flags but the absence of trained reviewers instructed to act on them.

How to Operationalize These Lessons

Reading enforcement cases produces awareness. Operationalizing them requires translating each lesson into a specific control or process change. For each of the five patterns above:

On corporate structure: Map every entity in your group that touches a transaction — subsidiaries, agents, intermediaries — and confirm each one is covered by your sanctions screening program. A group compliance policy with explicit coverage and audit rights over all entities is the minimum standard.

On paper vs. practice: Pull three months of screening logs and compare them to transaction volume for the same period. If the numbers don't align — if there are transactions with no corresponding screen — you have a gap between policy and practice. Fix it before OFAC finds it.
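The reconciliation described here, and the cross-office screening audit suggested in the Toll case, amount to one join: every shipment against the screening log, asking whether every party was screened and whether the screen happened before the shipment was processed. The following is an added example, not code from the TradeLasso post or product. The shipments, parties, offices and timestamps are constructed; the `Shipment` and `ScreenEvent` shapes are assumptions about what an export system and a screening tool could each produce.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Shipment:
    txn_id: str
    office: str
    processed_at: datetime
    parties: frozenset[str]   # consignor, consignee, notify party, ...


@dataclass(frozen=True)
class ScreenEvent:
    txn_id: str
    party: str
    screened_at: datetime
    list_version: str


def reconcile(shipments, screen_log):
    """Return (coverage by office, gaps). A shipment counts as covered only when every
    party was screened before the shipment was processed."""
    events_by_txn = defaultdict(list)
    for ev in screen_log:
        events_by_txn[ev.txn_id].append(ev)

    totals = defaultdict(lambda: [0, 0])   # office -> [shipments, fully screened]
    gaps = []                              # (txn_id, office, reason)
    for s in shipments:
        totals[s.office][0] += 1
        events = events_by_txn.get(s.txn_id, [])
        on_time = {ev.party for ev in events if ev.screened_at <= s.processed_at}
        late = {ev.party for ev in events if ev.screened_at > s.processed_at} - on_time
        never = s.parties - on_time - late
        if not events:
            gaps.append((s.txn_id, s.office, "no screen on record"))
        elif never:
            gaps.append((s.txn_id, s.office, "parties never screened: " + ", ".join(sorted(never))))
        elif late:
            gaps.append((s.txn_id, s.office, "screened only after processing: " + ", ".join(sorted(late))))
        else:
            totals[s.office][1] += 1
    coverage = {office: done / total for office, (total, done) in totals.items()}
    return coverage, gaps


def run_example():
    # Constructed records for one day at two offices.
    def at(hour: int) -> datetime:
        return datetime(2024, 3, 5, hour, 0)

    shipments = [
        Shipment("S-1", "Milan", at(10), frozenset({"Consignor A", "Consignee B", "Notify C"})),
        Shipment("S-2", "Milan", at(11), frozenset({"Consignor A", "Consignee D"})),
        Shipment("S-3", "Rotterdam", at(9), frozenset({"Consignor E", "Consignee F"})),
        Shipment("S-4", "Rotterdam", at(12), frozenset({"Consignor E"})),
        Shipment("S-5", "Rotterdam", at(14), frozenset({"Consignee F"})),
    ]
    log = [
        ScreenEvent("S-1", "Consignor A", at(9), "2024-03-05"),
        ScreenEvent("S-1", "Consignee B", at(9), "2024-03-05"),
        ScreenEvent("S-1", "Notify C", at(9), "2024-03-05"),
        ScreenEvent("S-2", "Consignor A", at(9), "2024-03-05"),   # Consignee D never screened
        ScreenEvent("S-4", "Consignor E", at(13), "2024-03-05"),  # screened an hour after processing
        ScreenEvent("S-5", "Consignee F", at(13), "2024-03-05"),
    ]
    return reconcile(shipments, log)


if __name__ == "__main__":
    coverage, gaps = run_example()
    print(coverage)   # {'Milan': 0.5, 'Rotterdam': 0.333...}
    for gap in gaps:
        print(gap)
```

A coverage number by office is what makes the Toll-style inconsistency visible in one table; the gap list is what a reviewer actually works through. Counting a late screen as a gap, rather than as coverage, matters because a screen that ran after the shipment left cannot have blocked it.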

On data freshness: Confirm your screening tool updates against OFAC, BIS, and other relevant lists daily at minimum. If your provider updates weekly or monthly, that is an inadequate standard given how frequently lists change.

On cooperation culture: Build a clear internal escalation path for potential violations — from the reviewer who spots the issue to the compliance officer to counsel. The first 72 hours after a potential violation is discovered are the most consequential in determining how the eventual enforcement action resolves. That path needs to exist before you need it.

On red flags: Translate the red flag patterns from published enforcement cases into a checklist your reviewers use for elevated-risk transactions. The specific flags in the Nordgas, Toll, and BAT cases — unusual routing, atypical buyer profiles, end-use inconsistencies — are not unique to those industries. They appear across every category of sanctions violation.
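As an added example, not code from the TradeLasso post or product, the checklist below turns the flags cited in the Nordgas case and in the paragraph above (end use inconsistent with the buyer's known business, routing that adds unnecessary steps, payment from a third country, a request to suppress documentation) into individual checks over a transaction record, with the post's policy that any single flag produces a hold. The transaction fields, countries, sector strings and finding codes are constructed; a real program would compare sectors against a taxonomy rather than by string equality, and would run list screening on every transaction regardless of this checklist's scope.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    us_origin_content: bool
    buyer_country: str
    buyer_sector: str            # what the buyer is known to do
    stated_end_use: str          # what the buyer says the goods are for
    ship_from: str
    ship_to: str
    transit: tuple[str, ...] = ()
    payer_country: str | None = None
    docs_suppression_requested: bool = False


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def end_use_mismatch(t: Transaction) -> Finding | None:
    # Plain string equality stands in for a sector taxonomy lookup.
    if t.stated_end_use != t.buyer_sector:
        return Finding("END_USE_MISMATCH",
                       f"buyer operates in '{t.buyer_sector}' but states end use '{t.stated_end_use}'")
    return None


def unnecessary_routing(t: Transaction) -> Finding | None:
    # A shipment that starts and ends in the same country has no reason to transit a third one.
    if t.transit and t.ship_from == t.ship_to:
        return Finding("INDIRECT_ROUTING",
                       f"{t.ship_from}-to-{t.ship_to} shipment routed via {', '.join(t.transit)}")
    return None


def third_country_payment(t: Transaction) -> Finding | None:
    if t.payer_country and t.payer_country not in {t.buyer_country, t.ship_to}:
        return Finding("THIRD_COUNTRY_PAYMENT", f"payment originates from {t.payer_country}")
    return None


def documentation_suppression(t: Transaction) -> Finding | None:
    if t.docs_suppression_requested:
        return Finding("DOC_SUPPRESSION", "buyer asked to omit or alter shipping documents")
    return None


CHECKLIST = [end_use_mismatch, unnecessary_routing, third_country_payment, documentation_suppression]


@dataclass
class Decision:
    txn_id: str
    action: str                  # "PROCEED", "HOLD" or "OUT_OF_SCOPE"
    findings: list[Finding] = field(default_factory=list)

    @property
    def codes(self) -> list[str]:
        return [f.code for f in self.findings]


def review(t: Transaction, checklist=CHECKLIST) -> Decision:
    # Scope follows the post: the checklist applies to transactions with U.S.-origin content.
    # Sanctions-list screening of the parties is a separate control and runs for every transaction.
    if not t.us_origin_content:
        return Decision(t.txn_id, "OUT_OF_SCOPE")
    findings = [f for check in checklist if (f := check(t)) is not None]
    # Policy from the post: any single flag triggers an automatic hold and escalation.
    return Decision(t.txn_id, "HOLD" if findings else "PROCEED", findings)


def run_example() -> dict[str, Decision]:
    # Constructed transactions: one carrying several flags, one clean, one outside scope.
    flagged = Transaction("T-1001", True, "Italy", "consumer goods wholesale",
                          "gas turbine maintenance", "Italy", "Italy",
                          transit=("Austria",), payer_country="Malta")
    clean = Transaction("T-1002", True, "Italy", "gas turbine maintenance",
                        "gas turbine maintenance", "Italy", "Germany", payer_country="Italy")
    no_us_content = Transaction("T-1003", False, "Italy", "retail", "hospitality",
                                "Italy", "Italy", transit=("Austria",))
    return {t.txn_id: review(t) for t in (flagged, clean, no_us_content)}


if __name__ == "__main__":
    for decision in run_example().values():
        print(decision.txn_id, decision.action, decision.codes)
```

Keeping each flag as its own small function is deliberate: when a new enforcement release names a pattern, it becomes one more entry in `CHECKLIST`, and the decision record lists every code that fired, which is what the reviewer escalating the hold needs to write up.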


Frequently Asked Questions

Where can I find OFAC enforcement cases to read? OFAC publishes every civil settlement on the Treasury Department website at treasury.gov/ofac under "Civil Penalties and Enforcement Information." Each listing includes the full enforcement release document detailing the conduct, the penalty calculation, and the specific aggravating and mitigating factors OFAC applied.

Are these OFAC settlements public record? Yes. All OFAC civil settlements are published publicly, including the company name, the conduct, and the penalty amount. This is deliberate — public disclosure is part of OFAC's deterrence strategy. The reputational consequences of a documented settlement often exceed the monetary penalty for companies whose customers and partners conduct OFAC enforcement searches as part of their own due diligence.

How are OFAC penalties calculated? OFAC uses a penalty matrix published in Appendix A to 31 C.F.R. Part 501. The base penalty depends on whether the violation is egregious, whether voluntary self-disclosure occurred, and the degree of harm to U.S. foreign policy objectives. The base penalty is then adjusted by aggravating factors (willfulness, obstruction, prior violations, management awareness) and mitigating factors (compliance program quality, cooperation, remediation). Each factor is applied to every transaction in the violation set.

What is the largest OFAC penalty on record? BNP Paribas's $8.9 billion settlement in 2014 — involving transactions with Sudan, Cuba, and Iran processed through U.S. dollar clearing — remains the largest. Binance's $4.3 billion settlement in 2023 is the largest in recent years. Most OFAC settlements fall in the six- and seven-figure range; the multi-billion dollar cases involve systemic conduct over many years, often with aggravating factors including obstruction.

Are smaller companies actually enforced against? Yes. The Nordgas case involved a mid-sized Italian manufacturer. OFAC's enforcement history includes settlements with businesses in the tens of thousands of dollars. Company size does not determine exposure — the presence of a U.S.-nexus transaction with a sanctioned party does. Smaller companies tend to face smaller absolute penalties, but the penalties relative to company size are often more severe.

Does voluntary self-disclosure always reduce the penalty? Yes, in every published case where VSD was credited, it produced a material reduction. OFAC's guidelines provide for up to a 50% reduction in the base penalty for timely, complete voluntary self-disclosure. In practice, VSD also affects OFAC's characterization of the violation — egregious violations disclosed voluntarily are often treated more favorably than non-egregious violations discovered independently. The Herbalife case demonstrates what full cooperation produces; the BAT case demonstrates what obstruction costs.

What does "egregious" mean in OFAC's penalty framework? OFAC defines an egregious violation as one where the subject had actual knowledge of the conduct constituting the apparent violation, the conduct demonstrated reckless disregard for U.S. sanctions requirements, or the conduct involved senior management. Egregiousness determination is binary — violations are either egregious or non-egregious — and it directly affects the base penalty calculation. A non-egregious violation with VSD typically receives the lowest possible base penalty; an egregious violation without VSD receives the statutory maximum per transaction.

How does TradeLasso help avoid these enforcement patterns? TradeLasso addresses the specific control failures documented in these cases: daily-synced list data (Apple failure), automated re-screening of saved counterparties (Toll failure), fuzzy name matching for variants and aliases (common across all cases), and audit-ready logs of every screening action.
