OFAC hits State Street with $7.5m penalty for Russian sanctions gaps

OFAC has imposed a $7.5 million penalty on State Street for sanctions violations connected to Russia. The fine reflects gaps in transaction monitoring and sanctions screening controls that permitted activity inconsistent with US restrictions on Russian entities and individuals. The enforcement action signals tightened expectations for custodian banks operating across multiple jurisdictions.

• Regulator's line: OFAC cited State Street for inadequate controls that failed to detect and block transactions linked to sanctioned Russian persons and entities within required timeframes.
• The number: $7.5 million penalty reflects the scale and duration of compliance gaps, though OFAC reduced the fine after State Street demonstrated remediation and cooperation.
• What changed: State Street must now deploy enhanced transaction monitoring systems and real-time sanctions screening protocols across all Russian-connected customer activity and correspondent banking flows.
• For compliance teams: Custodian banks must audit OFAC list matching logic, sanctions screening placement in transaction workflows, and threshold settings for delayed transaction settlement flagging.

This enforcement closes a 2020s gap in custodian bank oversight. OFAC has signalled that filtering at the SWIFT instruction layer alone is insufficient. Compliance teams should review whether sanctions screening occurs before settlement instruction and whether customer on-boarding screens include beneficial ownership verification tied to OFAC lists. Expect similar actions against peers with similar control weaknesses. Immediate action: test your current sanctions screening latency in high-risk jurisdictions and document remediation completion dates for your audit file.

FinCEN has issued an $80 million civil money penalty against Canaccord Genuity LLC for violations of the Bank Secrecy Act and federal anti-money laundering requirements. The enforcement action was coordinated with the SEC and FINRA, which separately assessed a $20 million fine against the broker-dealer, bringing total regulatory sanctions to $100 million.

• Regulator's line: FinCEN cited failures in AML compliance infrastructure, including inadequate transaction monitoring and customer due diligence procedures across the firm's operations.
• The number: Combined penalties totalled $100 million across three regulators, with FinCEN's $80 million penalty representing 80 percent of total enforcement action.
• For compliance teams: Multi-regulator coordination on a single firm signals heightened scrutiny of broker-dealer AML programmes, particularly transaction monitoring and KYC gaps.

Canaccord's case demonstrates the compliance risk when broker-dealers rely on legacy monitoring systems or outsourced AML functions without adequate oversight. Compliance teams should audit their transaction monitoring thresholds, alert calibration, and escalation procedures. Expect similar enforcement actions against mid-market brokers with comparable control gaps.

The Office of Foreign Assets Control has imposed a $7.5 million penalty on State Street for violations of Russian sanctions regulations. The fine reflects the custodian's failure to prevent sanctioned transactions flowing through its systems, marking a significant enforcement action against one of the sector's largest compliance operators.

• The violation: State Street processed transactions connected to Russian sanctions targets without proper screening or blocking, breaching OFAC programme requirements.
• The number: $7.5 million fine reflects systemic rather than isolated lapses in transaction monitoring and OFAC list matching controls.
• For compliance teams: Review transaction-layer screening protocols, particularly for legacy systems handling high-volume custodial flows where sanctions checks can fall through.

This enforcement highlights a persistent vulnerability: even large institutions with substantial compliance budgets struggle with real-time OFAC screening at scale. For custodians and settlement operators, the message is direct. Sanctions violations require both initial screening and secondary controls. Review your transaction flow architecture now. Test coverage on legacy connectivity points, not just new platforms.

Keysight Technologies has released SBOM Manager, a software compliance platform targeting three regulatory frameworks: the EU Cyber Resilience Act, US Executive Order 14028, and FDA software guidance. The tool generates and manages software bills of materials, a core requirement for demonstrating supply chain transparency in connected devices and critical systems.

• Regulatory trigger: The CRA requires manufacturers to document all software components and known vulnerabilities before market entry by September 2025.
• The scope: SBOM Manager covers component tracking, vulnerability mapping, and compliance reporting across hardware and software supply chains.
• For compliance teams: Early adoption signals that device manufacturers face immediate pressure to operationalise SBOM workflows before enforcement deadlines.

This release reflects accelerating convergence between hardware compliance and software transparency mandates. Manufacturers in medical devices, automotive, and industrial control systems face overlapping SBOM obligations across jurisdictions. Compliance teams should audit whether current systems can generate standardised SBOM formats (SPDX, CycloneDX) at scale and integrate vulnerability intelligence feeds. Expect similar tools to proliferate as the CRA implementation clock ticks.