Whitepaper · March 2026

The New Education Compliance Reality in 2026

Why sanctions screening, payment-chain review, and audit-ready documentation can no longer be treated as optional campus controls.

Prepared for school heads, CFOs, business officers, general counsel, compliance leaders, admissions teams, finance teams, and trustees.

20 min readMarch 2026Education · OFAC · Section 117

Download PDF Share on LinkedIn

In This Whitepaper

01Executive Summary 02The 2026 Shift 03Where Schools Are Exposed 04The 5 Compliance Failures 05Audit-Ready Program Framework 0690-Day Action Plan 07Trustee & Leadership Questions 08How SecurePoint Education Fits

01 · Executive Summary

Sanctions Compliance Is No Longer Just a Banking Problem

For years, many schools assumed sanctions compliance was mainly a banking problem. That assumption no longer holds.

In February 2026, the Office of Foreign Assets Control (OFAC) announced a $1.72 million settlement with IMG Academy tied to sanctions compliance failures involving tuition payments and enrollment relationships. Around the same time, the U.S. Department of Education released 2025 foreign funding disclosures showing more than 8,300 transactions worth over $5.2 billion in reportable foreign gifts and contracts, reinforcing that foreign-source oversight in education is now a matter of public accountability and national-security attention.

$1.72M

OFAC Settlement

IMG Academy, Feb 2026

$5.2B

Foreign Funding

Section 117 disclosures

8,300+

Transactions

Reportable foreign gifts

Day Action Plan

From ad hoc to audit-ready

This is the new operating environment for education:

International enrollment creates sanctions and counterparty risk

Tuition and donor relationships can create hidden exposure

Foreign funding oversight is under brighter federal scrutiny

Institutions are expected to show process, documentation, and repeatable controls

02 · The 2026 Shift

Why Education Compliance Just Got More Real

1OFAC Enforcement Reached Education

The February 2026 OFAC settlement involving IMG Academy changed the conversation. The case showed that educational institutions are not outside the reach of sanctions enforcement merely because they are schools. If a school enters into tuition, enrollment, or payment relationships involving blocked persons or prohibited parties, the legal and reputational consequences can be serious.

Schools with international touchpoints must stop assuming that sanctions risk belongs somewhere else.

2Federal Visibility Into Foreign Funding Is Increasing

On February 11, 2026, the U.S. Department of Education released 2025 Section 117 foreign funding data showing over $5.2 billion in reportable foreign gifts and contracts across more than 8,300 transactions. The public portal expansion shows that higher education foreign-source relationships are part of a wider accountability environment.

For institutions, this means a bigger expectation gap: know who is paying, know who is sponsoring, know who is connected to the transaction, and be able to show what was reviewed and when.

3Compliance Is Moving Closer to Operations

The old model was policy on paper, with review happening only when something looked strange. The new model is operational: screening, review, escalation, documentation, and retained evidence built into the workflow itself.

Regulators and auditors do not only ask whether a policy exists. They ask whether the institution can show what it actually did.

03 · Exposure Points

Where Schools and Universities Are Actually Exposed

A lot of education leaders still think only about the student name. That is too narrow.

The real exposure often lives in the full relationship and payment chain.

Tuition & Fee Payments

Funds from parents, sponsors, corporate payers, third-party senders, scholarship intermediaries, or overseas remitters. Risk can sit with the source of funds, not only the enrolled student.

Enrollment Agreements

Contractual or financial relationships entered before screening has happened, creating avoidable exposure if a party is restricted.

Donations & Sponsorships

International donors, family foundations, or intermediaries accepted by development offices with limited screening discipline.

Visiting Scholars & Vendors

International visitors, research partners, consultants, and vendors creating sanctions or export-control implications where funds, services, or controlled technologies are involved.

Refunds & Disbursements

Returning money is not automatically risk-free. Refunds or outbound payments can create additional exposure if counterparties are restricted.

A common — and costly — misconception

“We use Blackbaud / Flywire, so we’re covered.”

In our conversations with school CFOs, business officers, and general counsel, two vendor names come up over and over as the assumed compliance answer: Blackbaud and Flywire. Both are widely deployed in education, both handle money or constituent data, and both are strong at what they do. Neither is positioned by its own vendor as a sanctions-screening or OFAC-adjudication tool for the institution. The category mismatch is what creates exposure.

Blackbaud

Primarily a fundraising, constituent-relationship-management, financial accounting, and tuition-payment platform. Products such as Raiser’s Edge, Financial Edge, and Blackbaud Tuition Management are built to manage donor relationships, fund accounting, and payment collection. Blackbaud’s own product documentation does not position the platform as a sanctions-screening, beneficial-ownership-analysis, or OFAC-adjudication tool. Using Blackbaud well still leaves the institution responsible for screening the parties it transacts with.

Flywire

A cross-border payment processor specializing in international tuition payments. Flywire performs KYC/AML on payors as part of its own regulatory obligations as a licensed money-services business. That program runs on Flywire’s books, satisfying Flywire’s regulator. It is not the school’s screening program, and a cleared Flywire payment is not the school’s documented OFAC review of the payor relationship for the school’s own compliance file.

Why this matters. OFAC obligations and Section 117 disclosure obligations attach to the institution. A vendor running its own compliance program for its own business does not transfer the school’s screening, adjudication, and evidence-retention obligation. A processor’s “the payment cleared’’ log is a different artifact than the school’s screening decision, reviewer identity, decision rationale, and timestamped audit trail of why a payor, sponsor, or donor was approved.

This is consistently where we see the most preventable exposure in education compliance reviews: the school assumes the vendor “handled it,” and has no auditable record showing the institution itself screened the counterparty. Treat Blackbaud and Flywire as the excellent payment and CRM tools they are — and run institutional sanctions screening alongside them, not instead of them.

04 · Common Failures

The 5 Compliance Failures That Keep Showing Up

These patterns appear repeatedly across schools and universities of all sizes.

Screening Only the Student

The institution screens the applicant, but not the parent, sponsor, donor, beneficial payer, or wire originator.

Screening Only Once

A one-time check at admission or enrollment is not enough. Lists change. People change. Relationships change.

No Documented Adjudication Process

Potential matches handled informally through email, hallway discussion, or memory. Weak evidence and inconsistent decisions.

No Retained Audit Package

Even when staff make the right call, many schools cannot later prove what was screened, what result appeared, who reviewed it, and why.

Disconnected Ownership

Admissions, finance, advancement, and compliance operate in separate lanes. Risk moves between those lanes faster than accountability does.

05 · The Framework

What an Audit-Ready Education Compliance Program Looks Like

Institutions do not need a giant bureaucracy. They need a practical operating model built on five pillars.

Pillar 1

Define Who Gets Screened

Students and applicants

Parents and guardians

Tuition payors

Scholarship sponsors

Donors and foundations

Visiting faculty and guest speakers

Key institutional vendors with international ties

Pillar 2

Define When Screening Happens

Pre-enrollment review

Admission or enrollment

Tuition payment setup

Receipt of international funds

Refund processing

Donation acceptance

Periodic re-screening

List update re-screening

Pillar 3

Use Human-Reviewed Adjudication

System screens against relevant lists

Potential hits routed into review queue

Authorized staff review context

Decision and rationale logged

Evidence preserved for later review

Pillar 4

Preserve Evidence in One Place

Screening date and time

Lists screened

Match details or false-positive analysis

Reviewer identity

Decision rationale

Escalation history

Exportable evidence packet

Pillar 5

Assign Ownership Clearly

CFO or business officer

Controller or student accounts lead

General counsel or compliance officer

Admissions or enrollment operations leader

06 · 90-Day Plan

90-Day Action Plan for Education Leaders

Move from ad hoc review to a stable operating process in four phases.

Days 1–15

Foundation

Assign program ownership

Map the full tuition and sponsorship chain

Identify all departments touching international funds

Define who must be screened

Days 16–30

Policy & Process

Write a short screening policy

Define review triggers and escalation paths

Standardize decision states and documentation

Start screening new high-risk relationships first

Days 31–60

Scale

Add batch screening for existing rosters

Build a repeat screening cadence

Train admissions, finance, and advancement leaders

Establish retained evidence procedures

Days 61–90

Operationalize

Test the workflow with sample cases

Review response times and documentation quality

Report status to senior leadership or the board

Move from ad hoc review to stable operating process

07 · Board-Level Questions

Questions Trustees and Senior Leadership Should Be Asking

These six questions reveal whether an institution has moved from policy to practice.

Do we know every party connected to incoming tuition and donation flows?

Are we screening only students, or the full payment chain?

Can we prove what we reviewed six months from now?

Who owns sanctions and counterparty screening at our institution?

If regulators, auditors, or counsel ask for documentation, how fast can we produce it?

Are our current processes policy-deep but workflow-thin?

08 · SecurePoint Education

How SecurePoint Education Fits This Need

SecurePoint Education is built around the idea that educational screening needs to be operational, documented, and easy to defend.

Screening for students, tuition payors, sponsors, faculty, and institutional vendors

Batch roster imports and continuous monitoring workflows

Structured review and adjudication for potential matches

Immutable audit logs tied to case and organization identifiers

Evidence packs and exports with timestamps and integrity-friendly records

One shared screening and audit architecture across products

For institutions, that means less scrambling, clearer accountability, and stronger audit readiness. The key question is not “does it screen?” The key question is: can our institution run a real workflow and prove what happened later?

Case Example: What Good Looks Like

An independent school receives enrollment paperwork for an internationally sponsored student. Tuition will be paid by a family-owned company through a third-party sender.

Weak Process

Admissions clears the student record. Finance receives the funds. No one screens the sponsor or sender. Later, questions arise about the payment source, and the institution has no unified record of what was checked.

Stronger Process

Student, sponsor, and payment-related parties are loaded into the screening workflow. A potential match is flagged, routed to a human reviewer, supporting details compared. The reviewer clears one party as a false positive, escalates another for counsel review. Decision record preserved with timestamps and rationale. Exportable evidence packet available.

Final Takeaway

Education compliance has changed. The message from 2026 is clear: schools and universities with international students, sponsors, donors, and cross-border relationships can no longer treat sanctions screening and related documentation as edge cases.

The institutions that respond well will not be the ones with the most complicated policy manuals. They will be the ones with a simple, enforced workflow:

Screen the right parties

Review potential hits with human judgment

Document every decision

Keep evidence ready

That is how schools protect students, protect operations, protect leadership, and protect the institution.

Ready to Move From Ad Hoc to Audit-Ready?

See how SecurePoint Education gives your institution screening, adjudication, and evidence in one workflow — built for the way schools actually operate.

Request an Education Demo Download PDF

Back to all whitepapers

Informational only. This white paper is provided for general informational purposes only and does not constitute legal, regulatory, or compliance advice. It is not a substitute for review by school counsel, outside counsel, or other advisors familiar with your institution's sanctions, export-control, and foreign-funding-disclosure obligations.

Statistics, settlement amounts, and Section 117 figures reflect publicly available information as of the “Last reviewed” date in the PDF version. OFAC enforcement priorities and Department of Education disclosure rules change; verify with primary sources before acting on anything in this document. © 2026 SecurePoint USA. All rights reserved.