On March 25, 2015, the Department of Treasury’s Office of Foreign Assets Control (OFAC) announced that PayPal Inc. (“PayPal”) agreed to pay $7.7 million to settle 486 violations of U.S. economic sanctions.  According to OFAC, for several years until 2013, PayPal, one of the world’s largest electronic payment companies, did not have adequate compliance processes to “identify, interdict, and prevent” transactions that were in apparent violation of OFAC sanctions programs.  Specifically, PayPal did not employ adequate screening procedures and technology to identify transactions involving U.S. sanctions targets.

The total amount of the transactions at issue is only $43,934.  But OFAC alleged that some of PayPal’s conduct was “egregious,” which led OFAC to calculate the company’s total potential penalty at over $17 million.  So while the ultimate settlement is still hefty, the company is paying less than half of its potential liability. Factors driving that reduction were the company’s voluntary disclosure of the violations, cooperation in the investigation, and enhancement of compliance program and procedures.  While banks and other traditional financial institutions have been the focus of many recent OFAC enforcement actions, the PayPal settlement should put the payment industry and emerging payment service providers on the alert.

The Alleged Violations

According to documents released by the U.S. government, the settlement addresses the following violations:

Transactions with Specially Designated Nationals (SDN).

  • The focus of the settlement documents are transactions that violated the Weapons of Mass Destruction Proliferators (WMDP) Sanctions. Between October  2009 and April 2013, PayPal processed 136 transactions totaling $7,091.77 for Kursad Zafer Cire, an individual designated in 2009 as a Specially Designated National (“SDN”).  Cire was designated for his involvement in the nuclear technology sales network operated by Pakistani nuclear scientist A.Q. Khan.  PayPal stated that its automated interdiction filter failed to initially flag Cire as an SDN because its software was not “working properly.”  Six months later, Cire’s account was flagged as a potential SDN match, but a PayPal Risk Operations Agent dismissed the alert without requesting any other information, mistakenly believing that the system had generated the alert to confirm Cire’s name and address.  Four subsequent transactions that triggered flags were dismissed by PayPal Risk Operation personnel who were presumably relying on the initial dismissals as evidence that the alerts were false alarms.  On February 14, 2013, PayPal’s filter flagged Cire’s account as a potential match to the SDN list again.  Though the PayPal Risk Operation Agent who was alerted followed internal procedures by creating a “case,” restricting the account, and requesting further information, the Agent dismissed the alert after receiving a copy of Cire’s passport, even though the passport showed identifying information identical to the SDN, because the Agent misunderstood why the transaction was flagged.  On April 3, 2013, Cire’s account was flagged for the seventh time, and PayPal blocked the account.
  • Between November 2009 and May 2013, PayPal processed 94 transactions totaling $5,925.27 dealing in the blocked property of Interpal, designated as an SDN in August 2003, and Kahane Tzadak, designated as an SDN in October 1999, in apparent violation of the Global Terrorism Sanctions Regulations.

Other Transactions In Violation of Various Sanctions Programs

  • Between December 2010 and September 2013, PayPal processed 98 transactions totaling $19,344.89 involving Cuban-origin goods, or in which Cuba or a Cuban national had an interest, in apparent violation of the Cuban Asset Control Regulations.
  • Between September 2009 and October 2013, PayPal processed 125 transactions totaling $8,257.66 related to purchases of goods or services destined for Iran or the purchase of Iranian-origin goods, in apparent violation of the Iranian Transactions and Sanctions Regulations.
  • Between May 2010 and August 2013, PayPal processed 33 transactions totaling $3,314,43 involving Sudan, in apparent violation of the Sudanese Sanctions Regulations.

According to OFAC, these transactions included explicit references to countries subject to OFAC sanctions, such as “Tehran,” “Khartoum,” “Cuba,” “Iran,” “Sudan,” “Iranian,” or “Cuban.”

Assessing the Penalty: Aggravating and Mitigating Factors

The part of the story that financial services companies should really pay attention to is in the assessment of the penalty.  OFAC found the conduct associated with Cire’s account to be “egregious.”  The terms “reckless” and “reckless disregard” were used repeatedly in the settlement documents to describe PayPal’s conduct.  OFAC particularly noted PayPal’s failure to identify Cire as an SDN for six months, the company’s personnel ignoring warning signs and repeatedly dismissing alerts, and their failing to adhere to internal policies and procedures.  OFAC also noted that PayPal’s actions provided economic benefit to Cire thus undermining the objectives of the WMDP sanctions.  PayPal is a giant – a large, sophisticated payment company that undoubtedly had a strong compliance program in place.  But the devil is usually in the details.  Compliance procedures can be a pitfall if they are not followed, and human error should always be taken into account.

OFAC also listed the following aggravating factors: (1) PayPal’s reckless disregard for sanctions requirements in deciding to operate a system without appropriate controls to prevent processing transactions that apparently violate sanctions; (2) PayPal management and supervisors’ knowledge of the conduct; (3)  Harm to U.S. sanctions program objectives because of PayPal’s operation of an SDN’s account for three and a half years; and (4) PayPal’s compliance program’s inadequacy to prevent apparent violations.

But OFAC also took into account mitigating factors such as: (1) PayPal’s enhancement of its compliance program by hiring new management, undertaking measures to strengthen OFAC screening processes, and implementing more effective controls; (2) PayPal’s clean record for the last five years; and (3) PayPal’s substantial cooperation with the investigation.

The aggravating and mitigating factors serve as a roadmap for financial services providers and other companies about OFAC’s expectations of compliance safeguards and expectations of remedial measures when potential violations are identified.

Compliance Take-Away: Real-Time Scanning of Payments

OFAC specifically described PayPal’s pre-2013 system for screening as insufficient, noting that for several years, PayPal did not interdict in-process transactions that included references to countries subject to U.S. economic sanctions.  In 2013, PayPal implemented a solution to screen live transactions against OFAC’s SDN list and a broad set of sanctions-related keywords.  This solution facilitates blocking or rejecting OFAC-prohibited transactions before payment completion.

PayPal’s Chief Compliance Officer said in a statement, “We recognize that prior to April 2013, PayPal did not have a system that could scan payments in real time in order to block prohibited payments.  There was a delay in the scanning, which allowed some prohibited payments to be processed.”  “[PayPal] has now put in place proprietary state-of-the-art systems that allow for real-time scanning of potentially sanctioned payments before they are processed.”

Ten or fifteen years ago real-time screening may have seemed like a nice concept, but operationally it was a fantasy.  But in the PayPal settlement, OFAC seems to be setting the expectation that, at least for financial services, real-time scanning is a compliance program requirement.  As payment systems are rapidly evolving, the compliance obligations for companies offering web-based and mobile financial services will rapidly evolve as well.  And payment industry players should ensure that their compliance programs employ appropriate procedures and technology that address these emerging obligations.