So, Payoneer apparently violated six sanctions programs by processing 2,241 payments for parties in Iran, Sudan, Syria and Crimea… and further payments on behalf of parties on the SDN List. The value of the transactions? Less than the $1,400,301.40 fine – only $802,117.36. Why? Because those 2,241 violations were not voluntarily self-disclosed (although they were all non-egregious).
The why is a who's who of previous enforcement actions – see if you can remember who else had similar issues:
The Apparent Violations, which related to commercial transactions processed by Payoneer on behalf of its corporate customers and card-issuing financial institutions, resulted from multiple sanctions compliance control breakdowns, including (i) weak algorithms that allowed close matches to SDN List entries not to be flagged by its filter, (ii) failure to screen for Business Identifier Codes (BICs) even when SDN List entries contained them, (iii) during backlog periods, allowing flagged and pended payments to be automatically released without review, and (iv) lack of focus on sanctioned locations, especially Crimea, because it was not monitoring IP addresses or flagging addresses in sanctioned locations.
Now, that $1,400,301.40? It represents a big discount from the base penalty of $3,889,726. Here’s how OFAC looked at the matter:
OFAC determined the following to be aggravating factors:
1) Payoneer failed to exercise a minimal degree of caution or care for its sanctions compliance obligations when it allowed persons on the SDN List and persons in sanctioned locations to open accounts and transact as a result of deficient sanctions compliance processes that persisted for a number of years;
2) Payoneer had reason to know the location of the users it subsequently identified as located in jurisdictions and regions subject to sanctions based on common indicators of location within its possession, including billing, shipping, or IP addresses, or copies of identification issued in jurisdictions and regions subject to sanctions; and
3) The Apparent Violations caused harm to six different sanctions programs.
OFAC determined the following to be mitigating factors:
1) Upon discovering potential sanctions compliance issues, senior management acted quickly to self-disclose the Apparent Violations related to blocked persons and provided substantial cooperation throughout the investigation;
2) Payoneer has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the earliest transaction giving rise to the Apparent Violations;
3) Payoneer has represented that it has terminated the conduct that led to the Apparent Violations and undertook the following remedial measures intended to minimize the risk of recurrence of similar conduct in the future:
• Replacing its Chief Compliance Officer, retraining all compliance employees, and hiring new compliance positions focused specifically on testing;
• Enhancing its screening software to include financial institution alias names and BIC codes and automatically triggering a manual review of payments or accounts that match persons on the SDN List;
• Enabling the screening of names, shipping and billing addresses, and IP information associated with account holders to identify jurisdictions and regions subject to sanctions;
• Pending transactions flagged by its filter instead of allowing them to complete during a backlog; and
• A daily review of identification documents uploaded to Payoneer, and a rule engine that stops payments with identification indicating jurisdictions and regions subject to sanctions.
4) As part of its agreement with OFAC, Payoneer has undertaken to continue its implementation of these and other compliance commitments.
Did you notice that they replaced their Chief Compliance Officer? I think I’d like to see the Settlement Agreement – something tells me there is something more to the story such that OFAC would mention that in the Enforcement Information… Just saying.
And OFAC’s lesson to learn here? Not so interesting, but here it is:
This action highlights that money services businesses—like all financial service providers—are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade-related transactions with jurisdictions and regions subject to sanctions. To mitigate such risks, money services businesses should develop a tailored, risk-based sanctions compliance program. OFAC’s Framework for OFAC Compliance Commitments notes that each risk-based sanctions compliance program will vary depending on a variety of factors, including the company’s size and sophistication, products and services, customers and counterparties, and geographic locations, but should be predicated on and incorporate at least five essential components of compliance: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
Within that framework, this enforcement action emphasizes the importance of effective screening not only for persons on the SDN List but also for sanctioned locations; ensuring that audits of OFAC compliance programs focus not only on persons on the SDN List but also on sanctioned locations; performing algorithm testing to be sure filters are flagging payments within expected parameters; screening for BIC codes, especially when OFAC includes them in SDN List entries; and holding flagged payments until they have been reviewed.
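To make the four control breakdowns concrete, here is an added illustration in Python. It is not Payoneer's filter and not anything OFAC published; the watch-list entries, BIC, IP ranges (drawn from the RFC 5737 TEST-NET blocks), location codes and payments are all constructed for the example. It contrasts an exact-match "weak algorithm" with a normalized fuzzy match, screens BICs, screens billing, IP and ID-document locations, and holds flagged payments during a backlog instead of auto-releasing them.

```python
"""Constructed sanctions-screening example (not Payoneer's code).

Exercises the four control failures named in the enforcement action:
(i) weak name matching, (ii) unscreened BICs, (iii) auto-release during
a backlog, (iv) no screening of locations (IP, address, ID country).
Every list entry, BIC, IP range and payment below is made up.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional
import ipaddress
import re
import unicodedata

# Constructed watch list: (name, BIC or None). These are not real SDN entries.
WATCH_LIST = [
    ("Example Trading Company Ltd", "EXTRXXYYXXX"),
    ("Mohammed Al-Rashid", None),
]
# Constructed set of sanctioned jurisdiction codes; "UA-43" is used here for Crimea.
SANCTIONED_LOCATIONS = {"IR", "SD", "SY", "UA-43"}
# Constructed IP-to-location table; a real filter would use a geolocation feed.
IP_LOCATIONS = {
    ipaddress.ip_network("203.0.113.0/24"): "UA-43",  # TEST-NET-3, labelled Crimea here
    ipaddress.ip_network("198.51.100.0/24"): "IR",    # TEST-NET-2, labelled Iran here
}
CORP_NOISE = {"ltd", "llc", "co", "company", "inc", "gmbh"}


@dataclass
class Payment:
    pid: str
    counterparty: str
    bic: Optional[str] = None
    billing_country: Optional[str] = None
    ip: Optional[str] = None
    id_country: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def normalize(name: str) -> str:
    """Strip accents, case, hyphens, punctuation and corporate suffixes; sort tokens."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    s = s.replace("-", "").replace("'", "")  # so "Al-Rashid" and "Alrashid" compare equal
    tokens = [t for t in re.sub(r"[^a-z0-9]+", " ", s).split() if t not in CORP_NOISE]
    return " ".join(sorted(tokens))


def naive_match(name: str) -> bool:
    """The 'weak algorithm': only an exact string match is flagged."""
    return any(name == entry for entry, _ in WATCH_LIST)


def fuzzy_match(name: str, threshold: float = 0.85) -> Optional[str]:
    """Normalized similarity; returns the matching list entry or None."""
    n = normalize(name)
    for entry, _ in WATCH_LIST:
        e = normalize(entry)
        if n == e or SequenceMatcher(None, n, e).ratio() >= threshold:
            return entry
    return None


def screen_bic(bic: Optional[str]) -> Optional[str]:
    """Flag a BIC that appears on a watch-list entry."""
    return bic if bic and any(bic == b for _, b in WATCH_LIST) else None


def locate_ip(ip: Optional[str]) -> Optional[str]:
    """Map an IP address to a location code via the constructed table."""
    if not ip:
        return None
    addr = ipaddress.ip_address(ip)
    return next((loc for net, loc in IP_LOCATIONS.items() if addr in net), None)


def screen(p: Payment) -> Payment:
    """Apply every control and record why the payment was flagged."""
    hit = fuzzy_match(p.counterparty)
    if hit:
        p.flags.append(f"name~{hit}")
    bic = screen_bic(p.bic)
    if bic:
        p.flags.append(f"bic:{bic}")
    for label, loc in (("billing", p.billing_country), ("ip", locate_ip(p.ip)), ("id", p.id_country)):
        if loc in SANCTIONED_LOCATIONS:
            p.flags.append(f"{label}:{loc}")
    return p


def process(queue: List[Payment], reviews_per_cycle: int, auto_release_on_backlog: bool = False):
    """Release clean payments; hold flagged ones for human review.

    Only reviews_per_cycle held payments get a reviewer this cycle; the rest
    stay pended. auto_release_on_backlog=True reproduces failure (iii):
    the unreviewed backlog is released anyway.
    """
    released, held = [], []
    for p in map(screen, queue):
        (released if not p.flags else held).append(p)
    reviewed, still_pending = held[:reviews_per_cycle], held[reviews_per_cycle:]
    if auto_release_on_backlog:  # the broken behaviour, for contrast only
        released, still_pending = released + still_pending, []
    return released, reviewed, still_pending


# Constructed sample payments.
SAMPLE_PAYMENTS = [
    Payment("P1", "Acme Widgets GmbH", bic="WIDGDE22XXX", billing_country="DE", ip="192.0.2.10"),
    Payment("P2", "Mohammad Alrashid", billing_country="AE"),           # close match, not exact
    Payment("P3", "EXAMPLE TRADING CO. LTD", bic="EXTRXXYYXXX"),         # name and BIC hit
    Payment("P4", "Blue Sea Shipping", billing_country="CY", ip="203.0.113.77"),  # Crimea IP
    Payment("P5", "Harbor Logistics", id_country="SY"),                  # ID issued in Syria
]


def run_demo(auto_release_on_backlog: bool = False):
    """Return the ids of released, reviewed and still-pending payments."""
    released, reviewed, pending = process(SAMPLE_PAYMENTS, reviews_per_cycle=2,
                                          auto_release_on_backlog=auto_release_on_backlog)
    return [p.pid for p in released], [p.pid for p in reviewed], [p.pid for p in pending]


if __name__ == "__main__":
    print("naive flags P2:", naive_match("Mohammad Alrashid"))
    print("fuzzy flags P2:", fuzzy_match("Mohammad Alrashid"))
    print("released / reviewed / pending:", run_demo())
```

The point of the contrast is in the last function: with `auto_release_on_backlog=False`, P4 and P5 stay pended until a reviewer reaches them, which is the behaviour OFAC says the remediated program now has; with it set to `True`, the same two payments would go out unreviewed, which is the behaviour described in breakdown (iii).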