The $1.05M Invoice Trap: How Unpaid Bills Became an Illegal Extension of Credit
The June 1, 2026 OFAC settlement with FTI Consulting exposes a dangerous compliance blind spot: how letting invoices to sanctioned entities sit unpaid can violate U.S. credit regulations.
If a client refuses to pay your bill, they’re a bad client. But if that client is on a U.S. sanctions list, keeping that unpaid bill open is a federal crime.
For years, professional service providers, software vendors, and consulting firms have operated under a dangerous assumption: as long as they aren’t actively routing money to banned countries or transferring sensitive technology to blocked entities, they are safe from sanctions enforcement.
On June 1, 2026, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) shattered that illusion. In a landmark **$1,050,000 settlement** with global advisory firm FTI Consulting, Inc., regulators made it clear that basic accounts receivable—specifically, letting invoices sit unpaid while continuing to provide services—can legally constitute an unauthorized, criminal extension of credit to a sanctioned entity.
The Substance-Over-Form Reality
OFAC enforces the economic substance of transactions over their legal wrappers. If a sanctioned entity benefits from your operations and pays you late, you are extending them credit. If that credit maturity exceeds the legal limit (e.g., 14 days under Russia-related Directive 1), you are dealing in prohibited debt.
The Case File: FTI Consulting’s June 2026 OFAC Penalty
The details of the FTI Consulting settlement serve as a perfect masterclass in how modern, multi-layered sanctions bypass traditional compliance checkpoints:
- The Indirect Engagement: FTI was retained by a prominent global law firm to provide expert economic consulting services in connection with litigation. The ultimate beneficiary of these services was VTB Bank OAO, a state-owned Russian financial institution.
- The Insulated Fallacy: FTI did not contract with VTB directly; they contracted with the law firm. They believed this structural separation shielded them from sanctions risk. OFAC disagreed, noting VTB was the ultimate beneficiary and responsible for funding the payments.
- The 14-Day Debt Trigger: VTB Bank is subject to Directive 1 of Executive Order 13662. This directive prohibits U.S. persons from dealing in "new debt" with a maturity of greater than 14 days.
- The Unpaid Invoice Trap: VTB Bank failed to pay FTI's invoices within the 14-day window. By continuing to perform services and allowing the unpaid bills to remain outstanding, FTI was legally deemed to have extended credit (debt) to VTB past the 14-day limit.
| Business Dimension | The Vendor's Assumption | OFAC's Regulatory Finding | The Compliance Danger |
|---|---|---|---|
| Contracting | "We are safe because our contract is with a clean U.S./global law firm." | "VTB Bank was the ultimate beneficiary and payor." | Indirect dealings are subject to identical restrictions as direct ones. |
| Billing | "An unpaid invoice is just a normal collections issue." | "Allowing bills to sit unpaid past 14 days is an illegal credit extension." | Strict liability applies to Directive 1 debt limits. No intent is required. |
| Operations | "We must fulfill our litigation support work as agreed." | "Continuing services on unpaid invoices is active credit support." | Failure to freeze terms and halt work creates willful exposure. |
Where B2B and SaaS Companies Are Most Vulnerable
If a global consulting powerhouse can fall into this trap, most mid-market B2B companies, defense contractors, and higher education institutions are even more exposed. The vulnerability points usually lie in three distinct compliance gaps:
1. The Front Desk / Visitor Gate
If your consultants, engineers, or account managers host representatives of foreign affiliates or parent entities of restricted firms at your facility—without real-time screening—you are actively delivering value that can be classified as export support.
2. Post-Onboarding Status Changes
A client or vendor who was perfectly clean when you signed them in 2024 might get added to the SDN list during a rapid geopolitical update. If your compliance program relies on static, annual checks, your billing systems will keep generating invoices and extending credit to a newly sanctioned party.
3. Spreadsheet-Based "Adjudication Theater"
When a match is flagged, many organizations simply clear it in a spreadsheet without capturing the precise timeline, list version, or human reasoning. Without a tamper-resistant audit log, you cannot prove to an auditor why a transaction was cleared or that you halted credit within the required window.
How SecurePoint USA Eliminates Sanctions Credit Risk
SecurePoint USA doesn't just check names; we secure the entire visitor, vendor, and counterparty lifecycle to ensure your operations stay audit-ready and fail-closed.
Real-Time Screening APIs
Our unified screening engine checks visitors and counterparties against OFAC SDN, BIS Entity List, and other global restriction registers in milliseconds. You can screen stakeholders before they enter your facility, access your network, or get onboarded into billing.
Continuous Monitoring and Alerts
When lists shrink or grow (such as the recent June 2026 OFAC updates), our platform automatically re-screens active profiles. If an active client is designated, the system triggers real-time alerts so your legal team can immediately freeze terms, suspend access, and prevent invoice generation.
Cryptographic Audit Trails
Every screening check, match, and human adjudication is logged using our tamper-resistant SHA-256 hash chain. When auditors arrive, you can export complete, timestamped evidence packs proving exactly what was checked, who approved it, and when—leaving zero gaps.
Concerned about credit-sanctions exposure in your operations?
Schedule a walkthrough of our automated sanctions screening system.
Five Steps to Audit Your Billing & Onboarding Compliance
To evaluate your current system's exposure to the OFAC invoice trap, review these five operational baselines with your compliance team:
Beneficiary Identification
Do we screen the ultimate beneficiary of our services, or only the law firm, prime contractor, or middleman holding the contract?
Maturity Limit Gates
Do our billing systems trigger automatic holds on accounts receivable for entities subject to Directive 1 debt limits (14 days)?
Halting Mechanisms
Do we have a documented, automated trigger to immediately stop service delivery and freeze software access if a client fails to pay or gets sanctioned?
Daily List Sync
Are we syncing with the federal SDN and Entity registries daily, or are we relying on outdated databases or manual reviews?
Audit Trial Immutability
Can we produce a complete, cryptographically verified record of every visitor and vendor clearance that will survive federal regulatory scrutiny?
Compliance is an Ongoing Chain, Not a Checkbox
The FTI Consulting settlement is a wake-up call. OFAC expects companies to treat sanctions compliance as an active, continuous operational control—extending all the way from the visitor lobby to the accounting department.
SecurePoint USA helps companies build defensible compliance pipelines that integrate sanctions checks, visitor management, and audit-ready reporting into a single, unified workflow. Rather than checking a box and hoping for the best, our tools give you the evidence, list hygiene, and automated controls you need to stay compliant in a shifting geopolitical landscape.
Frequently Asked Questions
Why did OFAC fine FTI Consulting in June 2026?
OFAC entered into a $1,050,000 settlement with FTI Consulting for indirectly dealing in prohibited debt of Russian bank VTB Bank by continuing litigation support services and letting invoices remain unpaid past the 14-day limit.
How can an unpaid invoice violate sanctions?
Under credit/debt sanctions like Directive 1, extending credit to restricted entities past a set window (14 days) is prohibited. Keeping unpaid invoices open is legally treated as an unauthorized extension of credit.
Does contracting through a third party (like a law firm) insulate a vendor from OFAC liability?
No. OFAC prioritizes economic reality over contractual form. If the ultimate beneficiary is sanctioned and responsible for funding the work, the relationship exposes the vendor directly.
How do B2B companies protect themselves from sanctions credit risk?
Companies should utilize real-time screening engines before onboarding clients, continually monitor active profiles for status updates, and implement automated holds to suspend services immediately if a client is designated.
Visitor Compliance Checklist
- ITAR/EAR and CMMC L2 requirements
- Audit-ready evidence collection
- AI assists, humans approve
Or get it sent to your inbox
