Many U.S. technology companies still treat compliance with Office of Foreign Assets Control (OFAC) as something that only applies to transactions. But a recent enforcement action against a U.S. FinTech highlights the risk of that assumption. The violation wasn’t tied to executing trades, holding customer assets, or payment processing—it stemmed from providing customer support.

In December 2025, U.S. regulators announced a $3.1 million settlement after determining that the FinTech company provided technical assistance to users located in Iran, a comprehensively sanctioned jurisdiction. Over more than a year, customer support staff responded to hundreds of inquiries from Iranian users and, in some cases, suggested workarounds that helped those users continue accessing services. Under OFAC regulations, that assistance qualified as a prohibited export of services.

The enforcement action sends a clear signal to FinTech, SaaS, and digital platform businesses: OFAC compliance extends beyond code, infrastructure, and payment flows. 

What employees say, recommend, and troubleshoot also matters. In a global, always-on support environment, sanctions risk now lives squarely inside everyday operational decisions.

Key Takeaways

  • OFAC compliance applies to services, not just transactions. Technical assistance, troubleshooting, and guidance provided to users in sanctioned jurisdictions can qualify as prohibited exports of services under OFAC regulations, even when no funds move.
  • Customer support teams are a real sanctions risk. Help desks, email support, FAQs, and escalation teams can create violations when guidance enables users to bypass geographic or sanctions-based controls.
  • U.S. FinTech and SaaS companies remain fully in scope. Acting as a platform, tool provider, or infrastructure layer does not limit enforcement exposure, and OFAC compliance must extend across the organization.
  • Terms of Use alone are not enough. Effective OFAC compliance requires training, escalation rules, and controls that prevent employees from facilitating sanctioned activity.
  • Ongoing screening and governance matter. Denied party screening, supported by OFAC screening software or sanctions screening software, enables organizations to perform an OFAC sanctions check, maintain audit history, and demonstrate defensible compliance.

What Happened: Unpacking the FinTech Company Case and Timeline

The enforcement action against the company did not stem from a single failure or isolated mistake. It developed over time as it expanded its user base, relied on third-party exchanges, and operated customer support across borders without a mature OFAC compliance framework in place.

The company was founded in 2015, offering non-custodial digital asset wallets. While it did not hold customer funds or execute transactions, it did rely on third-party exchanges integrated into the wallet to complete digital asset transactions. From a compliance perspective, this structure led to a critical assumption that sanctions risk primarily sat with the exchanges, not with the company itself.

Timeline of Events and OFAC Enforcement

The sequence below shows how routine support activity, left unchecked, escalated into a material OFAC compliance failure.

Oct 2017 – Jan 2019: The FinTech company’s customer support responded to 254 inquiries from users who identified themselves as being located in Iran, a comprehensively sanctioned jurisdiction, providing technical assistance that enabled continued platform use.
Early Reliance on ‘Terms of Use’: Access restrictions depended largely on user self-certification, with no practical enforcement mechanisms, training, or workflows to ensure customer support teams understood or applied OFAC regulations in real time.
April – May 2018: A third-party exchange partner began blocking Iranian users using IP-based controls to comply with U.S. sanctions, and the company’s leadership and support staff understood these restrictions were tied to sanctions requirements.
Mid-2018: Despite that awareness, customer support staff continued assisting Iranian users and, in at least 12 instances, recommended VPN use to bypass IP-based restrictions, actions OFAC later classified as egregious.
Dec 2018 – Jan 2019: The company sought external legal guidance and began reassessing its approach, but the absence of a structured OFAC compliance program, escalation rules, or denied party screening controls had already shaped the enforcement outcome.
Dec 16, 2025: OFAC announced a $3.1 million settlement with the company, including $2.47 million payable within 15 days upon signing the enforcement action, and $630,000 suspended contingent on investment in a formal sanctions compliance program, following repeated OFAC compliance failures tied to customer support services provided to users in Iran.

This compressed timeline makes clear where the risk materialized: not in the product design, but in how customer support decisions were made, documented, and governed.

Why This Matters for OFAC Compliance

The case shows how sanctions exposure can develop quietly inside everyday operations. Without integrated controls, audit history, and support-specific safeguards, even well-intentioned teams can create significant OFAC compliance risk. For regulators, the issue was not the technology itself, but how the service was supported, explained, and enabled over time.

This timeline underscores why modern sanctions programs must extend beyond transactions and into the people, processes, and systems that support global users.

OFAC Compliance Failures and Lessons Learned

OFAC’s enforcement rationale for the case was consistent throughout. Sanctions risk is created by how services are delivered and governed, not only by what a product does. The failures below show where that risk materialized and why regulators treated the conduct as sanctionable.

1. Treating Customer Support as Outside OFAC Compliance

OFAC determined that customer support interactions qualified as a regulated service. Technical assistance, troubleshooting, and guidance provided to users in Iran constituted a prohibited export of services under OFAC regulations, even though no transactions were executed or assets were held.

Companies must extend OFAC compliance expectations to support desks, help chats, and escalation teams, not just payments or platform access.

2. Relying on Terms of Use Without Enforcement Controls

OFAC found that contractual restrictions alone were insufficient when employees were not trained, monitored, or prevented from assisting users in sanctioned jurisdictions. Self-certification did not offset the absence of operational controls. Effective OFAC compliance requires enforceable processes, not static legal language.

3. Enabling Sanctions Evasion Through Support Guidance

In at least 12 instances, OFAC classified the conduct as egregious because support staff acknowledged sanctions restrictions and still recommended VPN use, enabling users to bypass sanctions controls.

Providing advice that helps users circumvent restrictions escalates routine support into willful sanctions exposure and undermines OFAC regulations.

4. Failing to Screen and Escalate Sanctions-Related Interactions

OFAC cited the absence of screening, escalation, and review workflows as a core weakness. Support staff were left to make sanctions-sensitive decisions without guardrails, documentation, or oversight.

Denied party screening enabled by OFAC screening software, sanctions screening software, or OFAC search tools must extend into organization-wide operational workflows to ensure consistent decisions and defensible audit trails.

5. Underestimating Post-Enforcement Obligations

The settlement imposed multi-year compliance obligations because OFAC did not view the violations as isolated. The lack of a structured program increased the risk of recurrence.

OFAC compliance failures often result in long-term governance, training, audit, and certification requirements that extend well beyond the initial penalty.

Turn OFAC Compliance into an Operational Control

The case shows exactly where sanctions risk lives today. OFAC compliance failures did not come from payments or custody, but from customer support teams making unsupervised compliance decisions, without screening, escalation, or audit trails. That is now a clear enforcement priority.

For U.S. FinTech, SaaS, and platform businesses, the takeaway is simple: sanctions compliance must be built into daily operations, not handled as a legal checkbox. Teams need tools that screen consistently, enforce workflows, and document how decisions are made when regulators ask.

Descartes supports enforceable OFAC compliance by embedding sanctions controls directly into daily operations, so teams can screen, escalate, and document decisions consistently with our robust portfolio of OFAC compliance solutions.

  • Denied Party Screening: Perform accurate screening and rescreening as watchlists change to help prevent sanctioned parties from entering workflows.
  • Screening and Audit History: Maintain defensible records that show how sanctions decisions were made when regulators ask.
  • Compliance Manager Workflow: Ensure sanctions issues are escalated, reviewed, and resolved through consistent, documented processes.
