OFAC settles enforcement action against issuer of rewards cards and virtual currency exchange for failing to identify transactions involving sanctioned jurisdictions
On September 30, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced that it had settled an enforcement action for $116,048.60 with a US company for transmitting stored value cards to persons in sanctioned jurisdictions.
Then, on October 11, OFAC announced a settlement for $24,280,829.20 with another US company that failed to prevent persons located in sanctioned jurisdictions from using its platform to engage in significant virtual currency-related transactions. The second settlement marked the first parallel enforcement actions by OFAC and the Financial Crimes Enforcement Network (FinCEN) in the virtual currency space, and FinCEN imposed a separate fine of $29,280,829.20 on the subject company.
Regarding the first settlement, the subject company supplies and distributes electronic rewards cards for its commercial customers as part of its marketing and employee incentive programs. According to OFAC, the company transmitted stored value products to individuals with Internet protocol (IP) and email addresses associated with Cuba, Iran, Syria, North Korea, and the Crimea region of Ukraine.
While the company utilized geolocation tools to identify transactions involving countries at high risk for suspected fraud and had OFAC screening and “Know Your Business” controls for its direct customers, it did not use those controls to identify whether recipients of rewards might be located in sanctioned jurisdictions. However, both IP addresses and domain names in certain recipient email addresses were associated with sanctioned jurisdictions. It seems the company did require its customers by contract to comply with sanctions regulations and self-disclosed the violations.
OFAC has said that the case demonstrates:
- The importance of using relevant geographic information as part of an effective, risk-based sanctions compliance program, including the use of appropriate geolocation blocking tools to prevent transactions with persons in sanctioned jurisdictions
- That, while contractually obligating customers to comply with sanctions regulations can help mitigate risk, it does not obviate the need to impose other sanctions compliance controls when appropriate on a risk basis, and
- That self-disclosure of violations is viewed favorably in terms of the implications of those violations.
In the second settlement, the subject company collected physical address information about customers at onboarding and had IP address information about executed transactions. However, the company did not screen physical address information provided by the customer or IP address information that indicated a customer was in a sanctioned location during the first few years of its operations. Once it began screening through a retained third-party vendor, it only searched for “hits” against OFAC’s List of Specially Designated Nationals and Blocked Persons. The company did not otherwise undertake screening for customers resident or located in comprehensively sanctioned jurisdictions.
While the penalty imposed in this case was substantially larger than the settlement discussed above, that can be attributed in part to lack of self-disclosure, the duration of time the company operated without due caution or care for sanctions compliance, the number of transactions that were alleged sanctions violations, and the economic benefits conveyed to persons in several sanctioned jurisdictions (namely, the Crimea region of Ukraine, Cuba, Iran, Sudan, and Syria). Notably, OFAC cited the company being “small and new” at the time of the violations as a mitigating factor, among others.
OFAC said the case “emphasizes the importance of new companies and those involved in emerging technologies incorporating sanctions compliance into their business functions at the outset, especially when the companies seek to offer financial services to a global customer base.” Another industry takeaway highlighted by this case is the need for companies to understand and monitor the screening processes undertaken by third-party vendors.
For both of these enforcement actions, OFAC’s pursuit highlights the need for robust IP address blocking and scrutiny of all data collected on counterparties or users of products or services (including the domain names of email addresses, if collected).
To learn more about the implications of this enforcement action for your business, please contact either of the authors or your usual DLA Piper relationship attorney.