What the $1.7m OFAC case means for compliance

In late February 2026, a prominent US educational institution agreed to pay $1.72m to the US Treasury to settle allegations that it had processed tuition payments connected to sanctioned individuals with links to Mexican drug cartels.

According to Alessa, the enforcement action, led by the Office of Foreign Assets Control (OFAC), underlines a critical reality for compliance professionals: sanctions risk is not confined to banks or FinTech firms. Any organisation that handles payments, customer data, or cross-border transactions is potentially exposed.

According to enforcement announcements and media coverage, OFAC determined that between 2018 and 2022 the school enrolled two students whose parents were designated on the US sanctions list for providing material support to a sanctioned criminal organisation.

Tuition payments, often routed via third-party wire transfers from Mexico, were not subject to adequate sanctions screening. In total, regulators identified 89 apparent breaches of counter-narcotics sanctions regulations. While the institution cooperated with investigators and has since strengthened its sanctions compliance framework, the case demonstrates how easily control gaps can accumulate into significant regulatory exposure.

Importantly, the violations did not centre on the students themselves, but on how funds linked to sanctioned individuals were processed without sufficient oversight. The absence of a formal sanctions compliance programme during the relevant period proved decisive. Without systematic screening of payors and related parties, organisations cannot reliably determine whether they are engaging with designated individuals or entities. The financial penalty, alongside reputational damage and remediation costs, illustrates how compliance blind spots can become expensive liabilities.

At first glance, a school paying a $1.72m fine may appear to be an isolated compliance failure. In reality, it reflects broader enterprise risk management weaknesses that can affect any sector. Sanctions risk is now embedded in global commerce. Whether an organisation operates in education, technology, non-profit services, marketplaces, or digital platforms, the moment it touches payments or cross-border relationships, it enters the sanctions perimeter.

The fundamentals remain consistent across industries. Effective controls should include automated sanctions screening of counterparties, transaction monitoring linked to country and source-of-funds risk, structured escalation protocols, and clear executive ownership.

These measures are standard practice in banking and increasingly embedded within RegTech solutions, but they are just as relevant for non-financial institutions. Embedding controls directly into operational processes, rather than bolting them on as an afterthought, is essential.

The settlement also aligns with a wider enforcement trend. Regulators are demonstrating a growing willingness to hold non-banking entities accountable when compliance gaps are uncovered.

As digital payments, international supply chains, and online enrolment models expand, the regulatory lens follows. Sanctions compliance is therefore no longer a specialist concern; it is a core business risk requiring board-level visibility.

For AML and risk teams, several clear lessons emerge. Sanctions screening must occur both at onboarding and at every payment touchpoint, particularly where third-party intermediaries are involved. Governance structures must assign explicit responsibility at senior management level. Controls must evolve alongside risk, combining technology, policy, staff training, and regular risk assessments.

Ultimately, this case reinforces a simple message: regulators expect organisations to understand and actively manage their exposure, regardless of sector. Sanctions compliance is not merely a defensive necessity. When embedded effectively, it strengthens resilience, protects institutional reputation, and supports sustainable operations in an increasingly complex global environment.

Copyright © 2026 RegTech Analyst
