The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has announced a $7,658,300 settlement with PayPal, Inc.(PayPal) to resolve potential civil liability for 486 alleged violations of the Iranian, Sudanese, Cuban, Global Terrorism, and Weapons of Mass Destruction Proliferators (WMDP) sanctions programs.  OFAC alleged that, for several years up to and including 2013, PayPal failed to employ adequate screening technology and procedures to identify the potential involvement of U.S. sanctions targets in transactions that PayPal processed; consequently, PayPal did not screen in-process transactions in order to reject or block prohibited transactions; even when PayPal instituted automated interdiction filtering that initially identified account holders as potential matches to OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List), PayPal Risk Operations Agents improperly dismissed alerts after failing to obtain or review documentation corroborating the identity of the SDNs; and PayPal processed hundreds of transactions involving individuals on the SDN List that gave economic benefit to such persons and undermined U.S. sanctions programs.  Although all of the transactions at issue totaled only $43,934 in value, OFAC found some of PayPal’s conduct to be egregious and assessed its apparent liability at $17,018,443.

OFAC cited the following facts as supporting its view that PayPal violated the sanctions regulations:

  • PayPal acknowledged that its automated interdiction filter had not been not “working properly.”
  • After PayPal’s filter was corrected, and it appropriately flagged certain transactions involving an SDN’s account, separate PayPal Risk Operations Agents dismissed the alerts without requesting additional information to clear the potential SDN name matches (conduct that PayPal asserted did not comply with its internal policies and procedures). 
  • Even where PayPal’s interdiction filter properly flagged an SDN’s account as a potential SDN List match, and a PayPal Risk Operations Agent followed procedures by restricting the SDN’s account and obtaining additional information from the customer, the Agent mistakenly dismissed the match despite the information showing a date and place of birth that were identical to those on the SDN List. 

The total value of the 486 transactions at issue was only $43,934.  Nonetheless, OFAC determined that the total base penalty for all of the alleged violations was $17,018,443. In arriving at that amount, OFAC considered the following aggravating factors in concluding that PayPal’s actions, although deemed to be non-egregious violations of the Iranian, Cuban, Sudanese and Global Terrorism sanctions programs, constituted an egregious violation of the WMDP sanctions regulations:

  • PayPal demonstrated reckless disregard when its interdiction software failed to identify the SDN as a potential match to the SDN List for approximately six months and when, even after the filter flagged the account-holder as a potential SDN match, employees cleared name matches against the SDN’s account on six separate occasions prior to appropriately identifying and blocking the account. 
  • Multiple PayPal Risk Operations Agents engaged in a pattern of reckless conduct by repeatedly ignoring warning signs about potential matches to the SDN List, and by failing to adhere to PayPal’s policies and procedures pertaining to SDN match escalation.
  • PayPal’s actions provided economic benefit to the SDN and undermined the integrity and objectives of the WMDP sanctions program by operating an account and processing transactions on behalf of an SDN for approximately three-and-a-half years.
  • PayPal’s management and supervisors knew of the conduct giving rise to the apparent violations, and demonstrated reckless disregard for U.S. economic sanctions requirements in deciding to operate a payment system without implementing appropriate or adequate controls to prevent processing of transactions in apparent violation of OFAC regulations.

Somewhat offsetting these aggravating factors, OFAC found the following to be

mitigating factors:

  • Following its initial missteps, PayPal’s interdiction filter flagged the SDN’s account, and PayPal appropriately blocked the account and voluntarily reported it to OFAC. 
  • PayPal hired new management within its Compliance Division, identified OFAC-related issues with regard to its payment system in 2011, and undertook various measures to strengthen its OFAC screening processes and measures, including steps to implement more effective controls.
  • PayPal had not received a penalty notice or Finding of Violation in the five years preceding the earliest date of the transactions giving rise to the apparent violations.
  • PayPal voluntarily self-disclosed its violations to OFAC and substantially cooperated with OFAC’s investigation by submitting relevant documents, responding to OFAC information requests, and entering into a statute of limitations tolling agreement and extension.

OFAC’s announcement of its settlement with PayPal is significant. Whereas much of the publicity surrounding the agency’s recent enforcement actions has been focused on banks and other financial institutions that have stripped identifying information from fund transfer documents to avoid detection of transactions involving persons in sanctioned countries, OFAC’s settlement with PayPal may indicate a new, heightened focus on the payments industry and payments processors.