Mr. Sanctions

Category: Settlement Agreements

  • OFSI teaches us lessons about the Bank of Scotland enforcement action

    From OFSI’s blog:

    Sanctions compliance in practice: lessons from OFSI’s £160,000 Bank of Scotland penalty

    OFSI, 23 February 2026 – OFSI Blog

    In January 2026, OFSI published the details of an £160,000 monetary penalty imposed on Bank of Scotland Plc, a subsidiary of the Lloyds Banking Group, for breaching the Russia financial sanctions regime. 

    The lessons in this case go beyond one bank and one customer. OFSI’s published outcomes demonstrate how OFSI assesses breaches, the circumstances surrounding them, and how weaknesses in screening, escalation and training are taken into account when breaches have occurred. These lessons can help firms better understand how to run sanctions controls in practice, and how weaknesses in screening, escalation and training can expose firms to the risk of breaching.

    UK financial sanctions apply to any conduct in the UK and to all UK persons (including UK legal entities) anywhere in the world.

    Lesson 1: Screening data and configuration really matter

    OFSI strongly encourages firms to utilise all information available to them to optimise sanctions controls relative to their risk. Firms are advised to assess and employ appropriate resources to enhance the effectiveness of such systems.

    In this case, Lloyds Banking Group had taken measures to implement sanctions screening. However, its automated sanctions systems failed to detect a spelling variation of a designated individual’s name.

    What this means for you:

    • Ask whether your screening can cope with spelling and transliteration variants.
    • Where your risk justifies it, consider enriched screening and commercial list providers alongside the new UK Sanctions List.

    Lesson 2: Automation is not a safety net

    This case illustrates that there are inherent risks associated with automated sanctions screening. It is essential that firms establish robust and explicit contingency procedures.

    Internal policies should provide robust and explicit guidance to staff regarding the escalation of potential sanctions concerns. This is particularly pertinent for areas of business that are more exposed to sanctions risk, such as those involving Politically Exposed Persons (PEPs).

    What this means for you:

    • Make sure front‑line teams know when to escalate, who to contact and how – not just that they “should escalate”.

    Lesson 3: Training must match today’s sanctions landscape

    The sanctions landscape has evolved significantly since the Russian invasion of Ukraine in February 2022, and continues to develop with ever-shifting geopolitical events. It is imperative that all training and associated materials relating to sanctions are regularly reviewed and updated.

    What this means for you:

    • Training content must be regularly reviewed and updated to accurately reflect relevant regulatory and geographical developments to ensure continued compliance.

    Lesson 4: Voluntary disclosure can shape the outcome

    This case is an example of prompt, voluntary disclosure of a potential breach. Lloyds Banking Group, on behalf of Bank of Scotland, made an initial notification within two weeks of identifying a potential breach. OFSI seeks to reward prompt and complete voluntary disclosures through penalty discounts, which alongside co-operation can result in a discount of up to 30% under new guidance.

    What this means for you:

    • You should report suspected breaches to OFSI as soon as practicable.
    • Where full disclosure is not possible, a person should make an early disclosure with partial information on the basis that they are still working out the facts and will make a further and full disclosure as soon as possible.
    • Reporting breaches protects the integrity of financial sanctions and assists government and law enforcement agencies in tackling serious crime.

    What firms should do next

    This case shows that OFSI is focused not only on whether firms have sanctions controls, but on how effectively those controls operate in practice. From the way screening data is configured, to how concerns are escalated, how often training is refreshed, and how quickly potential breaches are reported.

    Firms with UK touchpoints, including those operating internationally, should:

    • review their sanctions screening, escalation procedures and training considering these lessons
    • ensure they understand and comply with their reporting obligations, including reporting “as soon as practicable” where required.

    You can read the full penalty notice here: https://www.gov.uk/government/publications/imposition-of-monetary-penalty-bank-of-scotland-plc

    Further information and guidance on reporting information to OFSI is available here: https://www.gov.uk/government/organisations/office-of-financial-sanctions-implementation

    , , ,

  • February 12, 2026: OFAC Settles for $1.7MM from IMG Academy

    Settlement Agreement between the U.S. Department of the Treasury’s Office of Foreign Assets Control and IMG Academy, LLC

    The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) today announced a $1,720,000 settlement with IMG Academy, LLC to settle its potential civil liability for 89 apparent violations of OFAC counternarcotics sanctions. Between 2019 and 2025, IMG Academy dealt in the property or interests in property of two Specially Designated Nationals (SDNs) sanctioned for their ties to a sanctioned Mexico-based drug cartel. Specifically, IMG Academy entered into yearly tuition agreements with the SDNs and received and processed payments pursuant to those agreements. The settlement amount reflects OFAC’s determination that IMG Academy’s conduct was non-egregious and not voluntarily disclosed.

    Here’s Gemini’s take:

    Based on the OFAC Enforcement Release regarding IMG Academy, LLC (the document referenced by the URL provided), here is the reformatted and simplified breakdown as requested.

    What Happened

    The Core Issue

    IMG Academy, a Florida-based sports prep school, agreed to settle its legal liability after it was discovered they had been doing business with two people on the U.S. sanctions list. These individuals were sanctioned due to their ties to a major Mexican drug cartel.

    The Two Sets of Violations

    The school entered into two separate tracks of business dealings:

    • Customer 1 (SDN 1): Between 2018 and 2022, the school signed three separate yearly tuition contracts with this individual.
    • Customer 2 (SDN 2): During that same period, the school signed another three yearly tuition contracts with this second individual.

    In both cases, the school provided “elite academic and athletic training” for the children of these individuals. Even though the parents’ names were clearly listed on the U.S. government’s “No-Business” list (the SDN List), the school continued to invoice them, communicate with them about payments, and process their money.

    How the Money Moved

    The school didn’t just take one-off payments. They processed 89 total transactions over several years. This included:

    1. Direct Charges: Using credit cards the sanctioned parents had left on file.
    2. Third-Party Wires: Accepting wire transfers from other people and companies in Mexico intended to cover the students’ costs.

    Description of the Apparent Violations

    IMG Academy appears to have violated § 598.202 of the Foreign Narcotics Kingpin Sanctions Regulations. Essentially, the school “dealt in the property” of sanctioned persons by providing services in exchange for their money, which is a violation of federal law.

    The Bottom Line

    While the school eventually reported the issue, they only did so after the government had already started an investigation, meaning they did not get credit for a “voluntary” disclosure.

    The Penalty

    The final settlement amount is $1,720,000.

    Violation Breakdown

    OFAC categorized all 89 violations as non-egregious (meaning they weren’t considered a “worst-case scenario” of intentional defiance), but because the school didn’t self-report before the investigation began, the penalty was still substantial.

    • Total Violations: 89
    • Total Egregious Violations: 0
    • Total Non-Egregious Violations: 89
    • Base Penalty: $1,720,000 (The “schedule” amount for non-disclosed, non-egregious violations).

    Mitigating and Aggravating Factors

    Aggravating Factors (Why the penalty remained high)

    • Failure to Perform Basic Checks
      • General Factor: Reckless Disregard. The school failed to run the parents’ names through any sanctions screening software, even though the parents provided their real names which matched the SDN list exactly.
    • Management Awareness of the Relationship
      • General Factor: Awareness of Conduct. While the school might not have realized the parents were “sanctioned,” they had actual knowledge of the transactions. They sent invoices directly to the parents and spoke with them regularly about their accounts.
    • Providing a “Safety Valve” for Cartel Money
      • General Factor: Harm to Sanctions Program. By accepting this money, the school allowed people tied to a drug cartel to use the U.S. financial system and obtain high-end services in the U.S.

    Mitigating Factors (Why the penalty wasn’t higher)

    • A Clean Recent Record
      • General Factor: Compliance Record. IMG Academy had not been flagged for a sanctions violation in the five years before this happened.
    • Coming Clean and Cooperating
      • General Factor: Cooperation. Once they realized the government was looking into them, the school cooperated fully, shared information quickly, and agreed to extend the legal deadlines to help the investigation.
    • A Total Compliance Overhaul
      • General Factor: Remediation. After a change in ownership in 2023, the school hired a new Chief Legal Officer, conducted a deep audit of their past mistakes, and built a professional sanctions screening system.

    What are the Takeaways?

    • Screen the Payors: It is not enough to screen the student; you must screen the person signing the contract and the person sending the wire transfer.
    • Names are Enough: If a customer gives you their real name and it matches a sanctioned person, “I didn’t know” is not a valid excuse if you never bothered to check the list.
    • Non-Bank Businesses are at Risk: This case shows that OFAC is looking closely at “non-traditional” sectors like private schools, luxury goods, and specialized training centers.
    • Ownership Changes are an Opportunity: If you buy a company, conduct a “compliance lookback” immediately. IMG’s new management helped limit the damage by fixing the system as soon as they took over.

    Other Resources

    • OFAC Civil Penalties & Enforcement: Visit the official Treasury website to see a list of recent actions and understand how OFAC applies these rules to different industries.
    • Compliance Framework: Review the “Framework for OFAC Compliance Commitments” to see the five pillars of a strong legal safety net.
    • Contacting OFAC: If you find a potential violation, you can contact the OFAC Compliance Hotline or use their online reporting portal.

    Here’s the actual Enforcement Release:

    20260212_img_academyDownload

    Note: Gemini originally didn’t catch that there were 2 sets of violations with SDN 1 and SDN 2. What flagged this for me was that the date range of the violations was wrong.

    Fixing it was pretty simple – I just told Gemini to recheck its work and why I thought it had missed something.

    Probably a good thing to do with enforcement actions that have “multiple’ something – whether its sets of actions, sanctioned parties or affected sanctions programs. It’s generally good practice to have an AI tool check its work – since I asked for a simplified recap, I expected it to omit certain detail. But, this was not that…

    , , ,

  • What did Exodus Movement agree to do with its compliance program?

    Based on the OFAC enforcement release and settlement agreement regarding Exodus Movement, Inc., here is a summary of the Compliance Commitments (often found in Section 2 or labeled as a specific point in the agreement terms):

    • Sanctions Compliance Program: Exodus agrees to maintain a comprehensive sanctions compliance program for at least five years.
    • Management Commitment: The company will ensure senior management support and the provision of adequate resources to the compliance function.
    • Risk Assessment: Exodus will conduct periodic risk assessments to identify and mitigate sanctions risks specific to its business.
    • Internal Controls: The company must implement and maintain written policies and procedures, including effective sanctions screening (such as IP blocking/geoblocking) and escalation protocols for potential matches.
    • Testing and Audit: Exodus is required to perform independent testing and audits to ensure the effectiveness of its compliance program.
    • Training: The company commits to providing regular (at least annual) sanctions compliance training to relevant employees.
    • Compliance Investment: Exodus has specifically agreed to invest $630,000 in additional sanctions compliance controls and measures.
    • Reporting: A senior executive must submit annual certifications to OFAC for a period of five years, confirming that the company is meeting these compliance obligations.

    ,