This week brought a study in the cost of looking the other way. OFAC reached a $275 million settlement with Adani Enterprises over 32 apparent violations of its Iran sanctions, the largest non-bank Iran-related enforcement action on record. The OCC issued a consent order against Community Federal Savings Bank for fundamental Bank Secrecy Act and suspicious activity reporting failures. The Financial Conduct Authority finalised its Carillion enforcement, concluding that the former chief executive and finance directors had acted recklessly and that the company’s breach of the Market Abuse Regulation could be directly attributed to the state of mind of its directors. The Department of Justice unsealed charges against 15 defendants in a $90 million Minnesota Medicaid fraud, including what officials described as the largest autism fraud scheme it has ever charged. And the UK Home Office’s new Fraud Strategy 2026 to 2029, now beginning operational implementation, repositions fraud as a critical-national-infrastructure issue. The structural thread is gatekeeper failure: corporate boards, banks, professional advisors and state-programme administrators are the chokepoints at which financial crime is best detected and most reliably ignored. This week’s enforcement is, in different ways, the bill arriving.

1. OFAC’s $275 million Adani Iran sanctions settlement

OFAC announced a $275 million settlement with Adani Enterprises Limited on 18 May, resolving 32 apparent violations of Iran sanctions related to the company’s purchase of approximately $14 million in petroleum gas that originated in Iran but was misrepresented in shipping documentation as Emirati. Analysis by Global Sanctions Daily notes that the action sits among the largest non-bank Iran-related settlements and exposes the limits of relying on counterparty representations and bills of lading to satisfy sanctions diligence.

This is a textbook trust exploitation case. The fraud against the sanctions regime is not committed by Adani; it is committed by the upstream sellers who falsified the documentation. Adani’s exposure arises from its decision to rely on those representations without independent verification — a decision that, under rational choice analysis, is rationally taken so long as the expected cost of detection is low. The size of the settlement is what shifts that calculation. From a situational crime prevention standpoint, secondary enforcement against the buyer of misrepresented sanctioned commodities is the most effective intervention point: it forces the importer to absorb the diligence cost the misrepresentation was designed to externalise. Expect downstream commodity trading houses to revisit their certificate-of-origin verification practices, particularly on liquefied petroleum and LNG flows from Gulf transhipment hubs.

2. OCC consent order against Community Federal Savings Bank for BSA/AML failures

The OCC issued a consent order on 21 May against Community Federal Savings Bank, of Woodhaven, New York, for deficiencies in its Bank Secrecy Act and anti-money laundering compliance programme. The order cites violations of 12 CFR 21.21 (the BSA/AML programme rule), 12 CFR 163.180(d) (suspicious activity reporting), and 31 CFR 1010.520(b)(3) (USA PATRIOT Act information sharing). The same release notes an Order of Prohibition against a former JP Morgan Chase associate for assisting unauthorised customer withdrawals causing at least $38,500 in losses.

The interesting feature here is the bank’s profile. Community Federal Savings Bank acts as the chartered bank-as-a-service partner for a number of fintechs and money-movement firms. BSA/AML failures at the small chartered-bank-with-large-platform-exposure node are the modern version of the capable guardian gap – the institution sits at the regulatory perimeter for a much larger flow of activity than its supervisory footprint suggests. From a displacement perspective, fintech-enabled money movement that cannot find a compliant sponsor bank will gravitate to the least supervised one. This OCC action signals that the OCC is no longer willing to treat that arrangement as low risk. Sponsor-bank diligence by non-bank fintechs should be tightening rapidly in response.

3. FCA finalises Carillion Market Abuse Regulation case against directors

The FCA’s Carillion enforcement programme has reached its conclusion, with Final Notices against the former chief executive Richard Howson and the former finance directors Adam and Khan. The Authority fined Howson £237,700 for misleading announcements made between July 2016 and July 2017, and concluded that each of Mr Adam, Mr Howson and Mr Khan had acted recklessly. That finding allowed the FCA to attribute the directors’ state of mind to Carillion itself, and to determine that Carillion’s breach of Article 15 of the Market Abuse Regulation was therefore reckless. The Financial Reporting Council has imposed parallel sanctions on the finance directors as accountants.

This is the most analytically important UK enforcement moment in months. The FCA has, for the first time at this scale, used the attributed state of mind doctrine to hold a listed issuer reckless under MAR through the conduct of its directors, and it has done so in a case where the company is in liquidation and cannot be punished, meaning the substantive purpose of the finding is precedent. Under Sutherland’s differential association, the value of the precedent is in the boardroom: directors of listed issuers now operate in a regulatory environment in which their individual recklessness can be aggregated and attributed to the company, with the consequence that the firm’s MAR posture is only as robust as the most cavalier disclosure decision around the table. Combined with the FRC’s parallel route against the same individuals as accountants, this is the closest the UK has come to operationalising senior-manager accountability for issuer-level misconduct without primary legislation.

4. DOJ Minnesota Medicaid takedown: 15 defendants, $90 million, largest autism fraud case on record

The Department of Justice unsealed charges on 22 May against 15 defendants accused of defrauding Minnesota Medicaid and other state-managed programmes of more than $90 million, including what officials described as the largest autism-related fraud case ever charged. Two autism therapy providers were charged in a $46.6 million scheme, and the DOJ announced the expansion of the Health Care Fraud Midwest Strike Force to Minnesota with 15 additional dedicated prosecutors. The action sits alongside FinCEN’s January geographic targeting order over Hennepin and Ramsey counties.

Health care fraud is the canonical illustration of routine activity theory‘s production constraint: motivated offenders, large suitable targets in the form of federal and state programmes with predictable disbursement patterns, and structurally weak capable guardians embedded in claims-adjudication systems built for throughput rather than detection. Minnesota’s exposure is now better mapped than any other state, in part because of the political profile of its alleged exploitation and in part because FinCEN’s geographic targeting order generates anomaly-spotting infrastructure that did not previously exist. The autism-therapy specificity matters: the diagnostic and billing landscape for paediatric behavioural therapy is opaque, fragmented, and reimbursed at high per-session rates, which makes it precisely the kind of programme that rational choice offenders identify and exploit. Expect this enforcement geography to broaden.

5. DOJ Scam Center Strike Force passes $700 million in restrained crypto

The DOJ’s Scam Center Strike Force has confirmed it has now restrained more than $701.9 million in cryptocurrency tied to Southeast Asian pig butchering schemes. Analysis from Chainalysis confirms charges against two Chinese nationals managing the Shunda compound in Burma, the seizure of 503 fake cryptocurrency investment websites, and the takedown of a Telegram channel with 6,000 followers used to recruit trafficking victims. The Strike Force’s work continues to operate in parallel with the OFAC designations earlier in the spring against Cambodian Senator Kok An’s network.

The notable structural feature of the Strike Force is its targeting vertically across the production chain: trafficking recruitment infrastructure, compound operators, lure-site infrastructure, and proceeds-laundering. That is closer to a crime script model of intervention than the more familiar targeting of money flow at the exit point. Read through situational crime prevention, the restraining of $700 million in crypto matters less as a recovery figure than as a signalling intervention to crypto service providers, who can read this as a clear public-private cooperation expectation. The next test is whether the Strike Force can convert restrained funds into victim restitution at scale – historically the bottleneck in transnational fraud cases.

6. UK Home Office launches Fraud Strategy 2026 to 2029

The Home Office’s Fraud Strategy 2026 to 2029 has now entered its early operational phase, with implementation guidance and commentary including analysis from K&L Gates and techUK. The strategy positions fraud as a critical-national-infrastructure issue, expands the remit of the National Economic Crime Centre, and signals a more explicit duty-of-care obligation on technology platforms, banks and telecommunications providers.

The strategic significance is the framing. The 2023 Fraud Strategy was structured around the victim journey; the 2026 Strategy is structured around infrastructure. That is a meaningful conceptual upgrade: it treats banks, platforms, telcos and payments rails not as service providers that occasionally enable fraud but as the load-bearing structure of the fraud economy. Under routine activity theory, this is the right level of intervention — capable guardianship is most effective where motivated offenders converge with suitable targets, which is at the infrastructure layer rather than the consumer education layer. The implementation question is whether the supervisory and resourcing architecture can keep pace; the Strategy will only be as effective as the National Crime Agency, FCA, Ofcom and ICO’s joint operational capacity to act on it.

7. OFAC removes ICC officials from sanctions list

OFAC issued a notice on 15 May and a related designation removal on 20 May reversing the designations of certain International Criminal Court officials under the 2025 ICC-related Executive Order. The action narrows the application of the ICC sanctions programme without rescinding the underlying executive order.

The interesting point is taxonomic. A sanctions programme aimed at officials of an international criminal tribunal is structurally different from any other OFAC programme: it targets persons acting in their official enforcement capacity rather than offenders, sanctions evaders, or facilitators. The selective removals signal that the practical workability of using OFAC’s financial-system architecture as a foreign policy instrument against accountability institutions has limits, particularly where financial institutions and counsel face overlapping primary and secondary exposure. From a wider trust exploitation perspective, this is a reminder that the sanctions framework’s legitimacy rests on the perception that designations track conduct – when designations become reversible on diplomatic rather than evidentiary grounds, the deterrent value across all programmes is diluted.

8. Iran sanctions enforcement continues: OFAC May 19 and May 11 designations

OFAC’s counter-terrorism and Iran-related designations on 19 May added further individuals and entities to the Iran sanctions architecture, building on the 11 May designations that accompanied FinCEN’s IRGC alert. The agency continues to publish actions on a near-weekly cadence under Executive Order 13902.

Cadence here is the analytically important variable, for the same reason it is in DOJ fraud enforcement. A regular publication schedule of designations against Iranian shadow-banking and procurement architecture is, in effect, a perceived certainty intervention against the offender population, which under rational choice is the variable most responsive to enforcement design. The structural complement to the FinCEN IRGC alert covered in last week’s Lab Report is now in place: typology-led red flagging, plus continuous designations updating, plus settlement enforcement against private-sector facilitators. The remaining gap is the supervisory architecture for trust-and-company service providers in third-country jurisdictions — the next typology to expect from FinCEN.

New Research Worth Reading

• Childs, A. (2024), ‘I guess that’s the price of decentralisation…’: Understanding scam victimisation experiences in an online cryptocurrency community, in International Review of Victimology. A qualitative study of r/CryptoCurrency narratives showing how victimisation norms are constructed inside crypto communities; relevant for understanding why fraud exposure does not displace retail crypto participation.
• Acharya, B. et al. (2024), Conning the Crypto Conman: End-to-End Analysis of Cryptocurrency-based Technical Support Scams, arXiv preprint. Maps the technical-support scam economy targeting users with wallet-recovery problems. This has direct relevance to the Scam Center Strike Force typology.
• Carpentier-Desjardins, C., Paquet-Clouston, M., Kitzler, S. and Haslhofer, B. (2025), Mapping the DeFi crime landscape: an evidence-based picture, in Journal of Cybersecurity. Quantifies $30 billion in industry-wide profit-driven crypto crime, with two-thirds attributable to centralised finance, a useful counterweight to the prevailing focus on DeFi.
• Tian, Z. et al. (2025), Towards Collaborative Anti-Money Laundering Among Financial Institutions, arXiv preprint. Technical paper proposing privacy-preserving cross-institutional transaction graph analysis. Directly relevant to the structural failure illustrated by the Community Federal Savings Bank consent order.

What I Am Watching

• The list of non-bank importers and trading houses potentially exposed to similar Iran-origin commodity claims following the Adani settlement.
• Sponsor-bank diligence responses across the US fintech sector to the Community Federal Savings Bank consent order, and whether other OCC- or state-chartered sponsor banks have similar examination findings pending.
• Whether the FCA’s Carillion attribution doctrine is now applied to live listed-issuer disclosure investigations, and which.
• The geographic expansion of the Health Care Fraud Strike Force model – Minnesota is the latest addition, but the typology is portable.
• Operational delivery against the UK Fraud Strategy 2026 to 2029, particularly the duty-of-care expectations on platforms and the resourcing settlement for the National Economic Crime Centre.
• The Scam Center Strike Force’s victim-restitution pipeline and whether restrained crypto can be returned at scale through the existing forfeiture framework.