On July 23, 2021, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a settlement agreement with Payoneer Inc. (“Payoneer”), a publicly traded New York-based online money transmitter and provider of prepaid access. Payoneer agreed to pay a civil penalty of approximately $1.4 million to settle its potential liability for 2,260 apparent violations of multiple sanctions programs. According to OFAC, Payoneer “processed payments for parties located in the Crimea region of Ukraine, Iran, Sudan, and Syria, and also processed payments on behalf of sanctioned persons” on OFAC’s List of Specially Designated Nationals (“SDN”) List.
OFAC indicated that between February 2013 and February 2018, Payoneer processed 2,260 transactions totaling just over $800,000 to prohibited parties, and that most of the violations were not reported to OFAC via the voluntary self-disclosure process. The apparent violations were the result of “multiple sanctions compliance control breakdowns”, including (i) weak algorithms that allowed close matches to SDN List entries not to be flagged, (ii) failure to screen for Business Identifier Codes (BICs) even when SDN List entries contained them, (iii) during backlog periods, allowing flagged and pended payments to be automatically released without review, and (iv) lack of focus on sanctioned locations because the company was not monitoring IP addresses or flagging addresses in sanctioned locations.
As a result, there were apparent violations of OFAC’s sanctions regulations pertaining to the Crimea region of Ukraine, Zimbabwe, Iran, Sudan, Syria and Weapons of Mass Destruction proliferators. While OFAC determined that the violations were non-egregious, the fact that only 19 were voluntarily disclosed led to several aggravating factors and a determination that resulted in the higher civil penalty. The aggravating factors were: (1) that Payoneer failed to exercise “a minimal degree of caution or care for its sanctions compliance obligations” when it allowed sanctioned and listed persons to open accounts and conduct transactions “as a result of deficient sanctions compliance processes that persisted for a number of years”; and, (2) Payoneer had “reason to know” the location of the users as being located in jurisdictions and regions subject to sanctions based on information in its possession, “including billing, shipping, or IP addresses, or copies of identification issued in jurisdictions and regions subject to sanctions”. The fact that six different sanctions programs were involved was also considered an aggravating factor.
As noted by OFAC, “this action highlights that money services businesses—like all financial service providers—are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions.” OFAC continues to highlight that risks can be mitigated by developing “a tailored, risk-based sanctions compliance program” as suggests in its “Framework for OFAC Compliance Commitments” guidance.