On July 23, 2021, the Office of Foreign Assets Control (“OFAC”) announced a settlement agreement with online money transmitter Payoneer Inc. (“Payoneer” or the “company”) for processing online transactions on behalf of persons in sanctioned jurisdictions and persons on OFAC’s Specially Designated Nationals (“SDN”) List. The case is the latest in a string of OFAC enforcement actions targeting online services and commerce, and once again highlights the agency’s compliance expectations for the sector.
Over a five-year period, Payoneer processed 2,241 payments for parties located in sanctioned jurisdictions and 19 payments on behalf SDNs. Although Payoneer’s written policies and procedures prohibited transactions with parties in sanctioned locations and SDNs, the company failed to implement controls to ensure compliance with those requirements. Payonner’s auditing and testing systems also failed to identify the gap between compliance program requirements and how the company’s systems were actually operating. OFAC called out Payoneer’s failure to “exercise a minimal degree of caution or care” in its compliance program and knowledge that its users were located in sanctioned jurisdictions as “aggravating factors.” OFAC also determined that only 19 of the violations were voluntarily self-disclosed. However, the company took substantial remedial measures that led OFAC to reduce the ultimate the penalty amount from a base penalty amount of $3.9 million to approximately $1.4 million.
The case highlights a number of compliance lessons for digital payments companies, online service providers, and others:
- IP address screening (again): As with other recent enforcement actions targeting online commerce (including those involving BitGo and Amazon), OFAC cited Payoneer’s failure to use IP address geolocation data to identify users in sanctioned jurisdictions. While IP address information is not always reliable, this and other cases make clear that OFAC expects companies to consider IP addresses when screening accounts for users in sanctioned jurisdictions.
- The power of unique identifiers: OFAC cited Payoneer for failing to screen Business Identifier Codes (BICs) where those codes were collected from customers and were included in SDN entries. Matches to BICs and other unique identifiers, like ID numbers, are strong indicators of a potential true match to a sanctioned party, and should be incorporated into sanctions screening algorithms.
- Use the data you collect: Payoneer also failed to consider other “common indicators” of a person’s location, including billing and shipping addresses and copies of identification issued by sanctioned jurisdictions. The lesson? If you collect data about a user’s identity or location for business reasons, you need to be considering that data for sanctions compliance purposes too.
- No de minimis exception: The average value of the transactions in this case was only about $355. Even relatively small value transactions can generate substantial OFAC liability, particularly in cases like this one, where there were repeated potential violations over a long period of time.
- Maintain holds: OFAC cited Payoneer for allowing transactions with sanctions alerts to be automatically released during “backlog periods.” If you have a potential match to a sanctions list, it is important to implement and maintain a transaction hold on that account until that alert is properly reviewed and cleared.
- Testing and auditing: Testing and auditing are important elements of any successful compliance program. A robust testing and auditing program should examine whether procedures are sufficient to address compliance risks and whether those procedures are being implemented as intended in the real world. OFAC noted the company’s enhancements to its testing and auditing programs as important remedial measures, including retraining all compliance employees and hiring positions focused on testing. If Payoneer had those functions in place earlier, it’s possible the company could have avoided a costly enforcement proceeding.