OFAC’s TradeStation Enforcement Action: A Case Study in “Set It and Forget It” Compliance Failures

OFAC’s recent enforcement action against TradeStation Securities is a powerful reminder of a basic but often overlooked truth: compliance controls are only as effective as the testing, monitoring, and accountability that support them. The case is not about the absence of a compliance program—it is about the failure to ensure that the program actually worked.

According to OFAC, TradeStation was fined approximately $1.1 million for processing 481 trades worth about $4.4 million for users located in Iran, Syria, and the Crimea region of Ukraine—all sanctioned jurisdictions. On its face, this is a relatively modest enforcement action. OFAC classified the violations as “non-egregious,” and the company received credit for voluntary self-disclosure, cooperation, and remediation. But the underlying compliance failures are far more instructive—and concerning.

What makes this case particularly important is that TradeStation did not lack controls. In fact, the company had what many would consider a reasonably sophisticated sanctions compliance framework. It screened customers against OFAC’s Specially Designated Nationals (SDN) list, conducted ongoing monitoring, and implemented a two-tier geo-blocking system designed to prevent access from sanctioned regions.

And yet, the system failed—badly.

The root problem was not design. It was execution.

First, a software change undermined a critical control. In 2018, TradeStation introduced a new mobile platform that inadvertently rendered its second-tier geo-blocking ineffective. Instead of detecting a user’s true IP address, the system identified the IP address of a U.S.-based server hosting the application. As a result, the control could no longer identify users in sanctioned jurisdictions.

Second, a basic operational error compounded the problem. In 2021, an employee disabled the first-tier geo-blocking control to install a software update—and failed to reenable it. This left the company’s primary blocking mechanism effectively offline for nearly a year.

Third—and perhaps most troubling—TradeStation stopped testing its controls. The company discontinued its automated testing tool in November 2021 after encountering interference from third-party service providers and failed to replace it. As a result, it had no effective mechanism to verify whether its geo-blocking controls were functioning.

Fourth, the company ignored a critical warning signal. A subscription service that provided daily alerts about blocked access attempts expired in September 2021. No one renewed it. No one escalated the issue. And for eight months, compliance personnel failed to question why those alerts had disappeared.
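The first, third and fourth failures above have a direct engineering counterpart: a geo-block that evaluates the hosting server's address rather than the user's, a control with no scheduled self-test, and an alert feed whose silence nobody notices. The following is an added illustration, not TradeStation's code and not a description of its actual systems; the trusted-proxy range, the "blocked" CIDRs, the header name and the function names are all constructed placeholders. It shows the failure mode (a proxied request seen only by its peer address is never blocked), the fix (honouring X-Forwarded-For only from a trusted proxy), a synthetic probe that fails when the control is off or misreading addresses, and a staleness check that turns a silent daily alert feed into an alert of its own.

```python
"""Added example (hypothetical, not TradeStation's code): client-IP resolution
behind a hosting proxy, a geo-block decision, a scheduled control self-test,
and a staleness check for the block-alert feed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed placeholder ranges standing in for sanctioned-jurisdiction
# allocations. Real deployments would load a maintained geo-IP dataset.
BLOCKED_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed: the U.S.-based servers that front the mobile API. Only these
# peers are allowed to assert a client address via X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("192.0.2.0/24")]


def _in_any(addr, networks):
    ip = ip_address(addr)
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr, headers):
    """Return the address the geo-block should evaluate.

    Naive code evaluates remote_addr directly. For an app served through a
    U.S. hosting server, that is the server's own IP, so no user is ever in a
    blocked range. Here X-Forwarded-For is honoured only when the direct peer
    is a trusted proxy, and the rightmost address that is not one of our own
    proxies is taken; a forged header from an untrusted peer is ignored.
    """
    if not _in_any(remote_addr, TRUSTED_PROXIES):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    for hop in reversed(hops):
        if not _in_any(hop, TRUSTED_PROXIES):
            return hop
    # Proxy forwarded nothing usable: fall back to the peer address. A caller
    # that sees a proxy address come back should treat it as a control fault.
    return remote_addr


def geo_block_decision(remote_addr, headers):
    """True when the request must be refused."""
    return _in_any(resolve_client_ip(remote_addr, headers), BLOCKED_RANGES)


def control_self_test(decision_fn, control_enabled):
    """Synthetic probe to run on a schedule. A request that a trusted proxy
    reports as coming from a blocked range must be refused; any other result
    (control switched off for maintenance, proxy not forwarding, wrong
    address evaluated) is a failed test that should page someone."""
    if not control_enabled:
        return False
    probe = {"X-Forwarded-For": "198.51.100.7"}  # constructed blocked address
    return bool(decision_fn("192.0.2.10", probe))


def alert_feed_stale(last_alert_iso, now_iso, max_silence_hours=24):
    """The daily block-alert feed going quiet is itself a finding: either the
    control blocks nothing or the feed (subscription, job, pipeline) died."""
    last = datetime.fromisoformat(last_alert_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last > timedelta(hours=max_silence_hours)


if __name__ == "__main__":
    # Proxied request evaluated naively: server IP, never blocked.
    print("naive, no XFF   ->", geo_block_decision("192.0.2.10", {}))
    # Same request with the proxy forwarding the real client: blocked.
    print("with XFF        ->", geo_block_decision(
        "192.0.2.10", {"X-Forwarded-For": "198.51.100.7"}))
    print("self-test (on)  ->", control_self_test(geo_block_decision, True))
    print("self-test (off) ->", control_self_test(geo_block_decision, False))
    print("feed stale      ->", alert_feed_stale("2021-09-01T00:00",
                                                 "2021-09-03T00:00"))
```

The two things a reviewer should check in code like this are that X-Forwarded-For is never trusted from an arbitrary peer (otherwise a client can simply assert a permitted address) and that the self-test and the feed staleness check are wired to a scheduler and an escalation path, since a probe that nobody runs reproduces exactly the gap described above.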

These failures are not exotic. They are not the result of cutting-edge cyber threats or sophisticated evasion techniques. They are basic breakdowns in governance, testing, and accountability.

OFAC’s message could not be clearer: a compliance program cannot operate on autopilot. As the agency emphasized, companies cannot take a “set it and forget it” approach or rely on a patchwork of technological solutions without ongoing validation.

There are several important lessons here.

First, technology is not a substitute for oversight. TradeStation had multiple layers of controls—screening, geo-blocking, third-party tools—but no effective mechanism to ensure they were functioning as intended. Controls must be continuously tested, validated, and monitored.

Second, change management is a critical compliance function. A software update disabled a key control. A system redesign undermined another. These are predictable risks in any technology-driven environment. Compliance must be embedded in change management processes to assess how system changes affect controls before and after deployment.

Third, testing is not optional. TradeStation’s decision to discontinue its testing tool without replacement was a fundamental failure. Testing is the only way to confirm that controls are working. Without it, companies are operating blind.

Fourth, warning signs must be taken seriously. The disappearance of daily alerts should have triggered immediate escalation and investigation. Instead, it went unnoticed—or ignored—for months. Effective compliance programs require not just tools, but disciplined attention to anomalies.

Fifth, prior regulatory engagement matters. OFAC noted that TradeStation had previously received a warning letter in 2021 related to deficiencies in its geo-blocking controls. The company’s failure to act on that warning was an aggravating factor. Regulators expect companies to learn from prior issues and strengthen controls—not repeat mistakes.

At the same time, the case also highlights what companies can do right. TradeStation received a reduced penalty because it voluntarily disclosed the violations, cooperated with the investigation, and implemented significant remedial measures. This reinforces a consistent theme across enforcement agencies: post-violation conduct matters.

The broader takeaway is straightforward. Compliance programs today are increasingly technology-dependent. But that dependency introduces new risks—system failures, integration issues, human error, and vendor complications. Managing those risks requires more than good intentions or sophisticated tools. It requires discipline.

Test your controls. Monitor your systems. Validate your assumptions. And most importantly, never assume that because a control exists, it is actually working.

That is the lesson OFAC is sending—and companies would be wise to listen.
