OFAC settles with payments firms over sanctions violations

Compliance considerations in the wake of OFAC’s settlement with daVinci Payments, which manages prepaid reward card programs.

The Office of Foreign Assets Control (OFAC) has announced its settlement order with daVinci Payments, which is an Illinois-based payments firm that largely manages prepaid reward card programs.

DaVinci agreed to pay $206,213 to settle its potential civil liability for its alleged violations of sanctions on Crimea, Iran, Syria, and Cuba by enabling reward cards to be redeemed from persons apparently residing in sanctioned jurisdictions.

OFAC said this had been allowed to happen for about two and a half years – from November 2017 to July 2022 – but that the modest settlement amount reflects its conclusion that daVinci’s conduct was non-egregious and the infractions were voluntarily self-disclosed.

Alleged violations

DaVinci provides digital and physical payment reward card programs for corporate, nonprofit and government clients through an online platform.

OFAC says in its order that between March 2020 and February 2022, in the course of a compliance review and subsequent investigation, daVinci discovered that on 12,378 occasions it had redeemed prepaid cards for users with Internet Protocol (IP) addresses associated with Iran, Syria, Cuba, and Crimea.

After daVinci began preventing access to its platform from IP addresses associated with these sanctioned jurisdictions, the company further discovered it had redeemed prepaid cards for 13 card recipients who had used email addresses with suffixes (sometimes called top-level domains) associated with sanctioned jurisdictions (for example Syria is “.sy,” and Iran is “.ir”) during the redemption process and who were apparently residents in those regions.

Over the course of the relevant time period, this absence of comprehensive geolocation controls led daVinci to process 12,391 redemptions totaling $549,134.89 for cardholders apparently located in sanctioned jurisdictions, resulting in apparent violations of the Cuban Assets Control Regulations, Iranian Transactions and Sanctions Regulations, Ukraine-/Russia-Related Sanctions Regulations, and the Syrian Sanctions Regulations.

Penalty calculations

OFAC determined that the apparent violations were voluntarily self-disclosed and were non-egregious; accordingly, under OFAC’s Economic Sanctions Enforcement Guidelines, the applicable base civil monetary penalty would be one-half of the transaction value for each apparent violation, which is $274,950. The settlement amount of $206,213 reflects OFAC’s consideration of daVinci’s remedial measures and cooperation in OFAC’s investigation, the agency said.

DaVinci knew or had reason to know of redeemers’ IP addresses and email address suffixes, but it failed to incorporate this information into its compliance program or internal controls.

Aggravating and mitigating factors

An interesting aspect of this case revolves around the list of aggravating and mitigating factors OFAC considered. The aggravating factor was the fact that daVinci failed to exercise due caution when it redeemed prepaid digital reward cards for users who appeared to be in sanctioned jurisdictions.

DaVinci knew or had reason to know of redeemers’ IP addresses and email address suffixes, but it failed to incorporate this information into its compliance program or internal controls, OFAC said.

The two mitigating factors OFAC noted were:

  • OFAC had not issued a finding of violation or penalty notice to daVinci in the five years preceding the earliest of the transactions giving rise to this settlement.
  • DaVinci took a number of remedial steps, including an internal review, implementing IP blocking of access to its platform from sanctioned jurisdictions, conducting real-time screening and blocking of email address suffixes, and instituting independent third-party testing at regular intervals.
  • The business cooperated with OFAC’s investigation.

Digital wallets and OFAC sanctions

The economic and trade sanctions watchdog has been watching big tech firms and their online platforms for any prohibited, transactional activity in the sanctions arena for some time now.

In December 2020, OFAC announced a settlement with BitGo, Inc., a technology company based in California that implements security and scalability platforms for digital assets and offers non-custodial secure digital wallet management services.  

BitGo agreed to pay $98,830 to settle its potential civil liability for 183 apparent violations of multiple sanctions programs.  

The apparent violations were processed between March 10, 2015 and December 11, 2019 on behalf of persons located in the Crimea region of Ukraine, Cuba, Iran, Sudan, or Syria that were using BitGo’s non-custodial secure digital wallet management service.

BitGo required all new accountholders to verify the country in which they are located, but BitGo generally relied on each user’s attestation regarding their location and did not perform additional verification or diligence on the location of its users, OFAC said in its enforcement release.

Compliance considerations

Another interesting aspect of this case is that OFAC concluded its enforcement release with a section called “compliance considerations,” which offers some great guidance to businesses that have access to location-related data and might not be using or adequately using it for sanctions compliance purposes.

OFAC reminds firms to use all of the data it has to track such data, including IP address and top-level domains, integrating such information into a risk-based sanctions compliance program to prevent the provision of services to persons in sanctioned regions.

“The case further demonstrated the potential shortcomings of controls that rely on customer-provided information, rather than a holistic information-gathering system that can mitigate evasion or misrepresentation,” OFAC said. “The action further highlights the value of conducting proactive, self-initiated reviews to identify compliance gaps, disclose any potential violations to OFAC, and taking steps to remediate deficiencies, including by instituting periodic independent testing to ensure adequate controls.”

The demand for virtual public networks has shot up since late February, particularly in Russia, where demand rose 2,692% between February 24 and March 24, 2022.

Just to add onto these pointers, compliance professionals should also consider looking at OFAC guidance that discusses IP address-blocking procedures and the fact that they do not fully address an Internet firm’s compliance risks, since international distribution authorities can reassign IP blocks, making the geographic location of an IP potentially dynamic. Multiple sources must be used and firms should attempt to gather authentic identification information on their customers before a new account is opened or new transaction is initiated, including asking for identification documents from customers.

Although IP addresses in most circumstances can indicate where online traffic comes from, they are susceptible to manipulation because virtual private networks can conceal the actual location of the user. The demand for virtual public networks has shot up since late February, particularly in Russia, where demand rose 2,692% between February 24 and March 24, 2022, according to research from review website Top10VPN.com. (The Russian invasion of Ukraine began on February 24 last year, and OFAC and the Financial Crimes Enforcement Network have been actively reminding businesses of their obligations under the export control and sanctions mandates they have imposed since it began.)

Businesses should use a host of location data points and consider using technology services that can provide more precise location information to bridge the gap.