Trade Compliance: What It Covers, Costs, and Where SMBs Burn

OFAC collected $262 million in sanctions penalties across 13 enforcement actions in 2025 (Lexology). One case alone accounted for $215 million. The pace hasn't slowed. In February 2026, OFAC settled with IMG Academy for $3.7 million over Syrian sanctions violations, and a separate individual action reached $3.77 million (Arnold & Porter). On the export controls side, BIS and DOJ settled with a technology company for $140 million over shipments to a restricted Chinese military university (Crowell & Moring). These weren't rogue operators. They were established businesses that fundamentally misunderstood what trade compliance actually requires. For detailed guidance on exporting to uk, see our guide to EU and UK trade compliance.

Key Takeaways:

• OFAC issued 13 enforcement actions totaling $262 million in 2025; early 2026 actions already include $3.7M+ settlements (Lexology)
• BIS maximum civil penalty per violation: $374,474 or twice the transaction value, effective January 15, 2025 (Mohawk Global)
• OFAC maximum civil penalty per IEEPA violation: $377,700, effective January 15, 2025 (Crowell &. Moring)
• Sanctions record-keeping requirements extended from 5 to 10 years as of March 2025 (Mohawk Global)
• EU sanctions list includes 5,410 individuals and entities across 36 regimes as of mid-2025 (EUR-Lex)

What Trade Compliance Actually Means for an Exporter

Every legal obligation attached to moving goods, technology, or services across a border falls under trade compliance. The definition sounds tidy. The operational reality for a 150-person manufacturer shipping to 8 countries looks nothing like tidy.

sanctions screening gets most of the attention. Running names against the OFAC SDN List, the EU Consolidated List, the UK Sanctions List. Dozens of other restricted party databases on top of those. But sanctions screening covers maybe 30% of the actual compliance workload for a mid-market exporter processing 100+ shipments monthly.

Everything else: export classification under the EAR or ITAR. Tariff classification using HS and HTS codes. Destination controls for country-level restrictions. End-use verification. Documentation requirements that shift depending on jurisdiction. Miss any single element, regulators treat it the same as a sanctions violation.

A pattern we see repeatedly: companies pour their entire trade compliance budget into denied party screening, then get blindsided during an audit because they've been misclassifying products for years. Your HS Code determines duty rates. It determines preferential treatment eligibility. It also controls whether export restrictions apply to your specific product. Get the code wrong and everything downstream breaks.

Not hypothetical. The US Harmonized Tariff Schedule website averaged 120,000 additional daily visits in 2025 (WCO). That spike tracks directly with tariff policy changes affecting thousands of product categories. Companies that hadn't touched their HS classifications in a while suddenly found themselves overpaying duties or, worse, underreporting.

Why Enforcement Penalties Keep Breaking Records

The $215 million OFAC penalty against GVA Capital, a San Francisco venture capital firm, came from managing assets tied to Suleiman Kerimov, a sanctioned Russian oligarch on the SDN list (Arnold &. Porter). The firm knew the client was designated. They kept operating through intermediaries to obscure the relationship. OFAC classified it as egregious, imposed the maximum penalty. Their refusal to comply with an OFAC subpoena compounded the damage.

Across those 13 enforcement actions, a pattern showed up that should give mid-market exporters pause. Regulators focused heavily on gatekeepers: investment advisers, real estate managers, attorneys, freight forwarders. Fracht FWO, a Texas freight forwarder, settled for $1.6 million after chartering a blocked aircraft linked to Iran's Mahan Air. Their failure wasn't intentional evasion. Inadequate screening controls missed red flags that should have killed the transaction before it started.

BIS coordinated with DOJ on a $140 million resolution against an electronic design automation company whose Chinese operations shipped controlled semiconductor technology to an entity list party over multiple years. BIS assessed $95 million. DOJ added $45 million in forfeiture. The company had a compliance program on paper. On the ground, it didn't function.

What does this mean for a 200-person industrial machinery manufacturer? You don't have a $10 million compliance budget. But OFAC doesn't care about your headcount. The $377,700 maximum civil penalty per IEEPA violation applies to a 50-person shop the same way it applies to Boeing. Penalties stack per violation, not per investigation - ten transactions involving one sanctioned entity could generate ten separate penalty calculations.

U.S. Commerce Secretary Howard Lutnick stated at the BIS Update Conference in 2025 that enforcement would see "dramatic" increases (Lexology). That wasn't aspirational language. It was a policy announcement.

Where HS Classification Creates Hidden Exposure

Over 98% of global merchandise moves under HS codes (WCO). Customs authorities worldwide use these six-digit numbers to set duty rates, determine quota eligibility, flag products for export control review.

Misclassify an HS code and you might be paying 12% duty when your product qualifies for 3% under a trade agreement. Or you've been shipping a dual-use item under a general goods classification, completely missing that your specific configuration requires a BIS license for certain destinations. For more context, see our guide on Lenzo vs SAP GTS: Why SMB Exporters Ditch Enterprise Trade.

We've watched companies get their classification kicked back three times on a single product line. First for missing a material composition threshold, then for incorrect technical specs, finally for not matching the end-use declaration format the destination country required. Each rejection meant shipment delays. At $500-$2,000 per day in demurrage and storage, three rounds of back-and-forth on one classification can cost more than the compliance software that would have caught it upfront.

Here's the non-obvious part. HS classification errors compound silently. A company shipping 200 SKUs might have 15-20 misclassified items generating incorrect duty payments for months before anyone catches it. Retroactive liability on underpaid duties, plus penalties for negligent misclassification, can hit six figures before a single enforcement letter shows up.

How Supply Chain Transparency Became a Trade Compliance Problem

Trade compliance used to stop at your direct transaction partners. Screen the buyer, classify the product, file the paperwork Done.

That model broke when forced labor regulations expanded. The US Uyghur Forced Labor Prevention Act (UFLPA) creates a rebuttable presumption that goods from China's Xinjiang region involve forced labor. The EU Deforestation Regulation (EUDR) requires proof that commodities entering the EU market are deforestation-free. Canada's Modern Slavery Act adds yet another reporting layer.

Now the compliance boundary extends past your direct suppliers into second-tier supply chains. If your raw material supplier sources from a sub-supplier in a restricted region, that's your compliance problem. Not theirs.

Consider a mid-size chemical manufacturer sourcing precursors from three countries. Mapping supply chains back to raw material origins requires data most SMBs simply don't have. We've seen compliance teams spend 20-30 hours on UFLPA audit trails for a single shipment Do that manually across 50 monthly shipments and you'll burn out your one-person compliance department by Q2.

What Breaks When Companies Rely on Manual Processes

Manual trade compliance screening doesn't scale past about 50 shipments per month. The math stops working.

Picture 100 monthly shipments, each requiring screening against OFAC SDN, EU Consolidated List, BIS Entity List, UN Sanctions List, plus country-specific restricted party lists, HS classification checks, end-use verification. that's 40+ hours of specialist time per week. Most companies at that volume have one compliance person. Maybe two.

Nobody wakes up and decides to ship to a sanctioned entity. The failure mode looks quieter than that. OFAC drops a Friday afternoon designation. Your last screening ran Thursday Monday morning, a shipment clears that should have been held. That 62-hour gap between the last screen and the next business day? That's where violations live.

We tried quarterly batch screening on a client engagement once. Not even close. It missed three designation changes in a single quarter, including one entity added on a Tuesday that the batch wouldn't have caught until the following month. Real-time monitoring isn't optional when OFAC publishes changes 200 times per year.

The March 2025 extension of record-keeping requirements from 5 to 10 years tells you exactly where enforcement is heading. Regulators will come asking for documentation on transactions going back a full decade. We've helped clients reconstruct audit trails from old spreadsheets and email archives. It costs 3-5x what maintaining those records in real time would have. Not a mistake you want to make twice.

Automated screening platforms consolidate restricted party lists with real-time monitoring for designation changes. Enterprise tools like SAP GTS require 6-month implementations with annual contracts above $15,000. Lenzo offers same-day onboarding at $99/month with no per-check fees, covering sanctions screening, ECCN classification, destination controls, ownership-level screening in a single platform. The honest trade-off: enterprise platforms provide deeper ERP integration, which matters if you're running SAP or Oracle across 1,000+ employees. For SMBs in the 30-500 employee range processing under 250 shipments monthly, that integration depth rarely justifies the 10-15x price gap.

This piece doesn't cover ITAR compliance for defense articles or anti-corruption frameworks like the UK Bribery Act. Those topics deserve separate treatment.

FAQ

What lists do exporters need to screen against for trade compliance?

US exporters must screen against the OFAC SDN List, the BIS Entity List, the BIS Denied Persons List, the BIS Unverified List, plus the Consolidated Screening List maintained by Commerce, State, Treasury. EU shipments require the EU Consolidated Financial Sanctions List. UK destinations need the UK Sanctions List (OFSI). Mid-market exporters shipping to 5+ destination countries typically end up screening against 15-20 separate lists once you factor in country-specific databases.

How often do sanctions lists update?

OFAC publishes changes roughly 200 times per year, averaging 3-4 updates weekly (Lexology). The EU Consolidated List sees fewer but larger batch updates following Council Decisions. BIS Entity List modifications come through Federal Register notices, usually quarterly but with emergency additions when national security requires it. Running weekly batch screens against lists that change multiple times per week creates gaps that regulators have specifically cited in enforcement actions.

What penalties apply to trade compliance violations?

OFAC maximum civil penalty under IEEPA: $377,700 per violation (effective January 15, 2025). BIS maximum administrative penalty: $374,474 per violation or twice the transaction value, whichever is greater (effective January 15, 2025). Criminal penalties under the Export Control Reform Act reach $1 million per violation with up to 20 years imprisonment. These figures apply per violation, not per case. That distinction catches a lot of companies off guard.

Do smaller exporters face the same enforcement risk as large corporations?

Maximum penalties don't adjust based on company size. The Enforcement Guidelines consider mitigating factors: voluntary self-disclosure, cooperation with investigators, whether a functioning compliance program existed at the time of the violation. But the statutory maximums remain the same. The 2025 enforcement docket included venture capital firms, freight forwarders, individual attorneys. Size didn't determine whether OFAC pursued the case. Whether a working compliance program existed did.

Enforcement pressure keeps building. OFAC's first actions of 2026 already include multi-million-dollar settlements. The 10-year record-keeping window means transactions happening right now will face regulatory scrutiny through 2036. BIS has announced "dramatic" enforcement increases. For SMB exporters running 90-250 shipments monthly, building a trade compliance program now costs a fraction of what defending a single violation will cost later. The platform publishes updated penalty data, screening list change logs, compliance benchmarks for mid-market exporters on an ongoing basis.