In late February 2026, a prominent US educational institution agreed to pay $1.72m to the US Treasury to settle allegations that it processed tuition payments connected to individuals under sanctions.
According to Alessa, federal investigators concluded that funds accepted by the institution were linked to sanctioned parties associated with Mexican drug cartels, triggering enforcement action by the Office of Foreign Assets Control (OFAC).
The case stands as a clear warning that sanctions exposure is not confined to banks or FinTech firms. Any organisation that handles payments, processes data or maintains cross-border relationships can face financial crime risk. Even well-funded and reputable institutions can develop compliance blind spots, and when those gaps surface, the financial and reputational consequences can be significant.
According to enforcement announcements and media reports, OFAC determined that between 2018 and 2022 the institution enrolled two students whose parents were on the US sanctions list for providing material support to a sanctioned criminal organisation. During that period, tuition payments – many sent through third-party wire transfers originating in Mexico – were not properly screened against sanctions lists.
In total, regulators identified 89 apparent violations of counter-narcotics sanctions regulations. Although the institution cooperated with investigators and has since strengthened its sanctions compliance framework, the $1.72m settlement underscores the cost of operating without adequate controls. The enforcement action centred not on the students themselves, but on the processing of funds connected to sanctioned individuals and the absence of an effective screening regime.
At first glance, a prep school settlement may appear isolated. However, the underlying weaknesses are fundamental to enterprise risk management. Sanctions risk does not discriminate by industry. Whether an organisation is a bank, nonprofit, technology platform or marketplace, if it accepts payments or engages internationally, it is exposed.
Regulators were explicit in noting that the institution lacked a formal sanctions compliance programme during the relevant period. Without systematic screening of counterparties – including payors – organisations cannot reliably determine whether they are dealing with sanctioned individuals or entities. The consequences extend beyond regulatory fines to reputational damage, remediation costs and heightened supervisory scrutiny.
Proactive controls are therefore essential. Effective programmes typically include automated sanctions screening of payment parties, transaction monitoring aligned to geographic and counterparty risk, escalation protocols for flagged activity, and regular risk assessments with executive oversight. For non-financial institutions, these processes may seem more commonly associated with AML teams in banks, but the principles are transferable and increasingly expected across sectors.
This settlement also reflects a broader enforcement trajectory. As digital platforms expand, global supply chains grow more complex and cross-border payments become routine, regulators are widening their focus beyond traditional financial institutions. Gaps in sanctions compliance within non-banking sectors are drawing increasing scrutiny.
For compliance leaders and risk officers, two priorities emerge. First, compliance must be embedded throughout the organisation rather than confined to finance teams. Any function that touches payments or counterparties should be part of the sanctions risk map. Second, sanctions risk should be treated as a core business risk, elevated within enterprise risk frameworks alongside cybersecurity, data protection and operational resilience.
For AML and risk teams, the lessons are clear. Screening must take place at onboarding and at transaction level, particularly where third parties are involved. Governance must sit at executive level. Controls must evolve as risk profiles shift. Technology and automation can enhance detection, but policy, training and culture remain equally important.
Ultimately, the $1.72m settlement illustrates that regulators expect organisations to understand and manage sanctions risk regardless of sector. Compliance is no longer simply a defensive necessity; it is a prerequisite for trust, resilience and sustainable operations in an increasingly interconnected global economy.
Find more on RegTech Analyst.
Copyright © 2026 FinTech Global
