On March 25, 2015, the Office of Foreign Assets Control (“OFAC”) of the U.S. Treasury Department announced a settlement[1] with PayPal, Inc. (“PayPal”), a federally registered money services business, in the amount of $7,658,300 resulting from PayPal’s alleged failure to implement “effective compliance procedures and processes to identify, interdict, and prevent transactions in apparent violation of the sanctions programs administered by OFAC.” Specifically, PayPal allegedly failed to “employ adequate screening technology and procedures to identify the potential involvement of U.S. sanctions targets in transactions that PayPal processed.” The settlement agreement also requires PayPal to provide OFAC with a presentation within six months summarizing its “current policies and procedures as they relate to screening transactions and/or customers for the purpose of compliance with the regulations administered by OFAC.”

The settlement agreement states that for several years up to and including 2013, PayPal’s automated interdiction filter did not correctly identify and process account holders as potential matches to OFAC’s Specially Designated Nationals List (“SDN List”), and when it did, multiple PayPal Risk Operations Agents failed to adhere to PayPal’s policies and procedures pertaining to SDN List match escalation by, among other things, dismissing alerts. These failures led to apparent violations of the following OFAC sanctions programs: the Weapons of Mass Destruction Proliferators Sanctions Regulations, 31 C.F.R. Part 544 (“WMDPSR”); the Iranian Transactions and Sanctions Regulations, 31 C.F.R. Part 560 (“ITSR”); the Cuban Assets Control Regulations, 31 C.F.R. Part 515 (“CACR”); the Global Terrorism Sanctions Regulations, 31 C.F.R. Part 594 (“GTSR”); and the Sudanese Sanctions Regulations, 31 C.F.R. Part 538 (“SSR”).

According to OFAC, PayPal processed 486 transactions totaling approximately $43,934 in apparent violation of these sanctions programs. The settlement agreement focuses on 136 transactions involving one particular PayPal account registered to an individual designated as an SDN under the WMDPSR program. The agreement states that PayPal’s automatic interdiction filter initially failed to flag this customer as a potential SDN. Then, after the filter did begin to flag the account, PayPal personnel allegedly repeatedly dismissed the alerts based on an apparent misunderstanding of why the account had been flagged for review. Other transactions giving rise to the apparent violations, according to OFAC, contained explicit references to countries subject to OFAC sanctions or other terms linked to the countries, such as “Tehran,” “Khartoum,” “Cuba,” “Iran,” “Sudan,” “Iranian” or “Cuban.”

OFAC found that PayPal’s apparent violations of the WMDPSR constituted an “egregious” case but that the violations of the ITSR, CACR, GTSR and SSR were not egregious. OFAC also determined that PayPal voluntarily self-reported the apparent violations. The resulting base penalty amount, calculated by OFAC as approximately $17 million, was reduced based on OFAC’s assessment of various other factors under its Economic Sanctions Enforcement Guidelines.[2]

In determining that PayPal’s apparent violations of the WMDPSR were egregious and involved aggravating factors, OFAC cited the following factors: (1) PayPal demonstrated reckless disregard for U.S. economic sanctions requirements in deciding to operate a payment system without implementing appropriate controls to prevent the system from processing transactions in apparent violation of OFAC regulations; (2) PayPal management and supervisors knew of the conduct giving rise to the apparent violations; (3) PayPal agents repeatedly ignored warning signs that transactions involved a prohibited person under the WMDPSR; (4) PayPal’s conduct resulted in an economic benefit to this prohibited person and undermined the integrity of the WMDPSR; (5) multiple PayPal employees failed to adhere to the company’s OFAC compliance program; and (6) PayPal’s OFAC compliance program was inadequate.

OFAC also described the following mitigating factors, which reduced the base penalty amount: (1) PayPal hired new management within its Compliance Division, identified OFAC-related issues with regard to its payment system and undertook remedial measures to strengthen its OFAC compliance program; (2) PayPal has not been subject to OFAC penalties or found to have engaged in OFAC violations in the preceding five years; and (3) PayPal substantially cooperated with OFAC’s investigation, including by submitting documents and information in a clear and organized manner, answering numerous follow-up inquiries for information over the course of OFAC’s investigation, and agreeing to toll the  five-year statute of limitations period.