OFAC settlement with online payment-services company highlights key OFAC expectations in sanctions compliance programs

On July 23, 2021, the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury entered a settlement agreement with an online payment-services company business based in New York, Payoneer Inc. (Payoneer). Payoneer, which went public on the Nasdaq exchange in June 2021, provides digital payment services and online money transfer services to businesses and individuals throughout the world. OFAC alleged that Payoneer had processed payments in violation of US sanctions on Crimea, Iran, Sudan, and Syria, as well as having processed payments for a number of Specially Designated Nationals and Blocked Persons (SDNs), over a five year period ending in 2018.

For companies that accept or process online payments, the settlement agreement with Payoneer serves as a reminder of certain key elements of an e-commerce sanctions due diligence program that OFAC appears to consider essential to ensuring US sanctions compliance, some of which have been emphasized in recent OFAC enforcement actions. These elements include, but are not limited to:

• Screening counterparties against the SDN List using names and Bank Identification Codes (BIC), where available;
• Performing “algorithm testing” to ensure that screening software is flagging close name matches (not just exact matches) and generally catching persons within the relevant parameters; and
• “Geo-blocking” counterparties based upon IP address, where such IP addresses indicate presence in a comprehensively-sanctioned jurisdictions, and generally ensuring that due diligence takes US embargos into account, rather than focusing due diligence exclusively on matches on the SDN List.

Moreover, OFAC includes a reminder in the settlement agreement that money services businesses that they would be well-served to ensure that their risk-based sanctions compliance policies (SCPs) have incorporated what OFAC describes as the “five essential components of compliance.”

Allegations against Payoneer

OFAC’s allegations against Payoneer claim that Payoneer processed payment transactions in violation of multiple US sanctions programs over the course of five years, from February 4, 2013 to February 20, 2018. Specifically, OFAC alleged that Payoneer completed 2,260 separate transactions totalling $802,117.36 in violation of US sanctions. Payoneer’s violations involved processing payments on behalf of Payoneer’s corporate customers and card-issuing financial institutions.

According to the settlement agreement, Payoneer allegedly violated the following sanctions authorities: Executive Order 13685, dated December 19, 2014 (“Blocking Property of Certain Persons and Prohibiting Certain Transactions with Respect to the Crimea Region of Ukraine”); the Zimbabwe Sanctions Regulations, 31 C.F.R. § 541.201; the Weapons of Mass Destruction Proliferators Sanctions Regulations, 31 C.F.R. § 544.201; the Iranian Transactions and Sanctions Regulations, 31 C.F.R. § 560.204; the Syrian Sanctions Regulations, 31 C.F.R. § 542.207; and the now-repealed Sudanese Sanctions Regulations, 31 C.F.R. § 538.205, which were still in force at the time of the alleged violations.

Specific compliance failures identified by OFAC

OFAC listed the following specific categories of compliance failures by Payoneer:

• “weak algorithms that allowed close matches to SDN List entries not to be flagged by its filter”;
• “failure to screen for [BICs] even when SDN List entries contained them”;
• “during backlog periods, allowing flagged and pended payments to be automatically released without review;” and
• “lack of focus on sanctioned locations, especially Crimea, because [Payoneer] was not monitoring IP addresses or flagging addresses in sanctioned locations.”

OFAC indicated that the maximum civil penalty that it would be authorized to assess for the above violations was $666,142,614, with a “base civil monetary penalty” amount of $3,889,726.

Notwithstanding these significant potential penalties, the actual penalty paid by Payoneer was substantially smaller, on the basis of OFAC’s consideration of the so-called General Factors under the Economic Sanctions Enforcement Guidelines (Enforcement Guidelines). Under the Enforcement Guidelines, OFAC found that Payoneer had three aggravating factors and four mitigating factors.

The aggravating factors included that (i) Payoneer allowed persons in sanctioned jurisdictions and persons on the SDN List to “open accounts and transact” over the five year period; (ii) Payoneer “had reason to know the location of users [in sanctioned jurisdictions] . . . based on common indicators of location within its possession, including billing, shipping, or IP addresses, or copies of identification issued in [sanctioned jurisdictions] . . . .” Finally, (iii) the violations involved six different sanctions programs.

On the other hand, OFAC identified four mitigating factors, i.e., (i) Payoneer “acted quickly” to self-disclose the transactions with SDNs as soon as it became aware of them and cooperated with the investigation; (ii) Payoneer had not received a penalty notice or finding of violation from OFAC in the previous five years; (iii) Payoneer undertook a number of remedial measures and terminated the conduct at issue; and (iv) Payoneer agreed to continue its sanctions compliance efforts.

Compliance take-aways from the Payoneer settlement

OFAC summarized some of the key compliance considerations arising from the Payoneer settlement as follows:

• Companies must ensure sanctions screening (as well as audits of their sanctions compliance programs) include not only the SDN List, but also take sanctioned jurisdictions into account;
• Companies should undertake “algorithm testing” to ensure that their filters are flagging all payments that are designed to be flagged based on the algorithm parameters;
• Screening should include BIC codes when OFAC includes this information in the SDN List entities for particular individuals or entities; and
• When a payment is flagged for review, the payment should be held up by Payoneer for the duration of the due diligence review of the transaction, rather than being released pending review.

The remedial measures imposed by OFAC incorporated the points above, as well as requiring the replacement of Payoneer’s Chief Compliance Officer, retraining of all compliance employees, hiring of new compliance employees “focused specifically on testing,” and performing “[a] daily review of identification documents uploaded to Payoneer,” among other remedial steps.

Finally, the settlement agreement generally reminds companies to consider OFAC’s May 2019 guidance document, A Framework for OFAC Compliance Commitments. OFAC notes that the guidance is not only intended for US organizations, but also for “foreign entities that conduct business in or with the United States or US persons, or that use US-origin goods or services . . . .”

* * *

We will continue to monitor developments in this area, and encourage you to subscribe to be kept informed of latest developments. Please contact the authors or your usual Herbert Smith Freehills contacts for more information.