Category: Ukraine/Crimea-related

  • FINMA Notice:

    Updated sanction report: Ukraine

    The Federal Department of Economic Affairs, Education and Research WBF has amended the ordinance of 4 March 2022 on measures in connection with the situation in Ukraine (SR 946.231.176.72).

    On 19 March 2026, the Federal Department of Economic Affairs, Education and Research WBF amended Annex 8 of the ordinance. Seven natural persons were deleted from Annex 8. The WBF has updated the SESAM (SECO Sanctions Management) database, which is relevant for Switzerland, and has urgently published the adjustment on its website. The change enters into force on 20 March 2026 at 11:00 p.m.

    The update:

    Links:

    Files of updates: PDF, XML

    Consolidated program list

  • This report summarizes the enforcement release regarding TradeStation Securities, Inc., a Florida-headquartered brokerage firm that operates online securities trading platforms.

    What Happened

    Between June 21, 2021, and June 15, 2022, TradeStation provided investment services—specifically allowing 481 securities trades—to customers who were physically located in Iran, Syria, and the Crimea region of Ukraine.

    The problem originated from a failure in the company’s “geo-blocking” systems, which are designed to identify where a customer is located and block them if they are in a sanctioned country. While TradeStation had two layers of this technology, the second layer contained a critical technical blind spot: instead of checking the customer’s location, the system mistakenly checked the location of TradeStation’s own U.S.-based servers. This error meant that customers using the company’s mobile app were not restricted from trading for nearly a year, even though those attempting to use the web platform were successfully blocked.

    The issue persisted because TradeStation’s compliance team failed to properly test and validate that these tools were working as intended. Specifically, in November 2021, the company stopped using an automated tool that was meant to test its servers for exactly these types of vulnerabilities.
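
    One common way this class of bug arises, shown as an added example that is not taken from the enforcement release or from TradeStation's code: behind a reverse proxy the TCP peer address is the company's own server, so geolocating it always returns the home country. The proxy layout, the `X-Forwarded-For` handling, all function names and the RFC 5737 sample ranges are assumptions made for illustration.

```python
import ipaddress

# Constructed geo table on RFC 5737 documentation ranges; a real system
# would query a GeoIP database. "XX" stands in for a blocked jurisdiction.
GEO = {"203.0.113.0/24": "XX", "198.51.100.0/24": "US", "10.0.0.0/8": "US"}
TRUSTED_PROXIES = ["10.0.0.0/8"]   # assumed: the firm's own proxy tier
BLOCKED = {"XX"}

def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def country_of(ip):
    return next((cc for cidr, cc in GEO.items() if _in(ip, cidr)), None)

def is_trusted(ip):
    return any(_in(ip, cidr) for cidr in TRUSTED_PROXIES)

def client_ip(peer_ip, xff):
    """Return the first address that is not one of our own proxies."""
    if not is_trusted(peer_ip):
        return peer_ip            # direct connection: ignore the header
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        # Walk right to left: only entries appended by our proxies count.
        return next((h for h in reversed(hops) if not is_trusted(h)), None)
    except ValueError:            # malformed entry: location undeterminable
        return None

def allow_flawed(peer_ip, xff):
    # Geolocates the TCP peer, which behind a proxy is our own server.
    return country_of(peer_ip) not in BLOCKED

def allow_fixed(peer_ip, xff):
    ip = client_ip(peer_ip, xff)
    cc = country_of(ip) if ip else None
    # Fail closed (a policy choice of this example): unknown location is denied.
    return cc is not None and cc not in BLOCKED

# Constructed canary requests: (TCP peer, X-Forwarded-For, expected decision)
CANARIES = [
    ("10.0.0.5", "203.0.113.7", False),                # blocked region via proxy
    ("10.0.0.5", "198.51.100.9", True),                # permitted client via proxy
    ("10.0.0.5", "198.51.100.9, 203.0.113.7", False),  # client-supplied left entry ignored
    ("203.0.113.7", "198.51.100.9", False),            # direct, header not trusted
]

def canary_results(check):
    """True per canary when the check returns the expected decision."""
    return [check(peer, xff) == want for peer, xff, want in CANARIES]
```

    Running `canary_results` against the deployed check after every release turns the blind spot into a failing test: the flawed check misses both proxied blocked-region canaries while still passing the direct-connection one.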

    The Penalty

    TradeStation agreed to pay $1,110,661 to settle its potential civil liability for the 481 apparent violations.

    • Violation Type and Status: All 481 violations were determined by OFAC to be non-egregious and were voluntarily self-disclosed by TradeStation.
    • Base Penalty Breakdown: The total value of the illegal trades was $4,442,645. Under OFAC’s guidelines for self-disclosed, non-egregious cases, the base penalty is calculated as one-half of the transaction value.
      • Base Penalty Total: $2,221,322.
    • Final Settlement: The final penalty of $1,110,661 reflects a 50% reduction from the base penalty due to the company’s cooperation and remedial efforts.

    Aggravating Factors

    • Failure to Exercise Minimal Caution
      • General Factor involved: Degree of Care.
      • Applicability: TradeStation allowed significant compliance weaknesses to remain unaddressed for a full year. Crucially, the company had received a “Cautionary Letter” from OFAC earlier in 2021 regarding similar geo-blocking failures, meaning they were already aware of the risks but failed to ensure their systems were properly tested.
    • Discontinuing Necessary Testing Tools
      • General Factor involved: Management of Compliance Program.
      • Applicability: In November 2021, TradeStation intentionally stopped using an automated testing tool for its on-premises servers, which directly contributed to the failure to detect the system error that allowed sanctioned users to trade.

    Mitigating Factors

    • Prompt and Comprehensive Correction
      • General Factor involved: Remedial Response.
      • Applicability: After discovering the error, TradeStation quickly implemented new technical controls and solutions to ensure that future failures in its geo-blocking or alert systems would be identified immediately.
    • Limited Scope and Low Financial Benefit
      • General Factor involved: Nature and Complexity of Operations / Economic Benefit.
      • Applicability: The illegal trades represented a very small percentage of TradeStation’s total transaction volume during that year, and the company earned less than $2,000 in total revenue from these specific trades.
    • Substantial Cooperation
      • General Factor involved: Cooperation with OFAC.
      • Applicability: The company filed a detailed self-disclosure report, was highly cooperative throughout the investigation, and agreed to “toll” the statute of limitations (giving OFAC more time to complete the case).
    • Clean Five-Year History
      • General Factor involved: Prior Record.
      • Applicability: TradeStation had not received a formal Penalty Notice or Finding of Violation from OFAC in the five years leading up to these events.

    To find more details on this case, please see the full Enforcement Release provided by OFAC.

    What are the Takeaways?

    • Test and Audit Regularly: This case shows that even if you have “two tiers” of defense, they only work if they are correctly implemented. Companies must regularly test their compliance tools to ensure they are actually blocking what they are supposed to block.
    • Don’t Ignore Warning Signs: If a regulator sends a cautionary letter or points out a flaw, treat it as a high-priority alert. TradeStation’s failure to act on a previous warning was a major factor in the size of the penalty.
    • Verify After Every Update: Technical changes—such as migrating to new servers or updating software—can accidentally break your compliance filters. Testing should be a standard part of any system maintenance.
    • Use Diverse Indicators: Effective geo-blocking should look at more than just a single IP address; it should include tools like VPN detection and location-based alerts to prevent users from bypassing restrictions.

    and the full enforcement release: