On March 25, 2015, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) and PayPal, Inc. (“PayPal”) agreed to a $7.65 million settlement of potential civil liability for 486 apparent violations of various financial sanctions. Between 2009 and 2013, PayPal, a digital payments processor, apparently processed hundreds of transactions in violation of multiple U.S. sanctions programs, including sanctions on Cuba, Iran, Sudan, the Weapons of Mass Destruction Proliferators Sanctions, and the Global Terrorism Sanctions. OFAC administers and enforces various U.S. sanctions programs against targeted countries, persons, organizations, and certain activities, such as terrorism.
According to the Settlement Agreement between OFAC and PayPal, PayPal apparently did not implement effective compliance procedures and processes to identify, interdict, and prevent transactions that would violate U.S. sanctions. PayPal had compliance procedures and processes for screening transactions, but these were ineffective because PayPal did not screen in-process transactions, and several of its employees failed to respond appropriately to a screening match. As a result of these lapses, the Settlement Agreement identified 486 transactions that appeared to violate U.S. sanctions. The total value of the alleged transactions in violation of the sanctions was approximately $44,000 – an average of just over $90 per transaction. PayPal voluntarily disclosed these transactions to OFAC.
OFAC determined that a portion of the transactions were egregious and demonstrated reckless disregard for U.S. sanctions. Over a period of approximately four years, PayPal processed 136 transactions (totaling $7,091.77) involving an individual on the Specially Designated Nationals List (“SDN List”). OFAC noted that PayPal’s automated interdiction filter failed to match the account holder to the SDN List for a period of six months after the individual was added to the SDN List. OFAC has previously levied penalties where interdiction or screening processes do not identify SDNs at the time that they are added to the SDN List (see, e.g., settlement between OFAC and GEICO announced June 3, 2010). After the interdiction software flagged the SDN on six separate occasions, multiple PayPal employees apparently failed to follow company procedures and cleared the flags to allow the transactions to go forward, which the Settlement Agreement described as “particularly reckless.”
This enforcement action illustrates several important points for compliance:
First, the existence of a sanctions compliance program is not sufficient to avoid penalties if it does not work. In particular, a screening or interdiction program to flag potential blocked persons will not minimize sanctions risks if the people who receive those screening alerts do not respond appropriately. It is critical that all screening compliance programs have clear lines of responsibility for resolving or escalating potential matches, and that those programs are audited to ensure that they work.
Second, although OFAC expressly recognizes the need for risk-based compliance programs, low-value transactions do not necessarily mean low risk for violations or penalties resulting from those violations. According to the figures referenced in the Settlement Agreement, the average transaction that was in violation of the sanctions was approximately $90. A review of prior OFAC enforcement actions would provide additional examples of low-value transactions resulting in large monetary fines.
Third, OFAC’s enforcement actions demonstrate the value of voluntarily disclosing violations and implementing remedial compliance measures, as PayPal apparently did in this case. With 486 apparent violations, the $7.65 million settlement is far below the high-end potential penalties. Further, the Settlement Agreement requires PayPal to provide only a presentation in six months summarizing policies and procedures as they relate to screening transactions and customers, rather than more intrusive oversight by OFAC through an outside monitor or mandatory audits.