Firms Fined for Failing to Maintain IP Address Blocking Tools

By Jacob Parker, ACSS Reporter
December 17, 2022

Failure to apply geolocation controls consistently has proven costly for two instant payment providers.

On November 28, 2022, OFAC officials announced a $362,158.70 settlement with Payward, Inc, aka Kraken – a Delaware-incorporated centralized virtual currency exchange founded in 2011 that enables users to buy, sell, or hold cryptocurrencies.

The settlement was for apparent violations of the Iranian Transactions and Sanctions Regulations from October 14, 2015, to June 29, 2019. Payward processed 826 transactions, totaling about $1,680,577, on behalf of individuals apparently in Iran.

Although Payward maintained controls to prevent the opening of accounts in sanctioned jurisdictions, it did not fully implement IP address-blocking tools on transactional activity across its platform. OFAC said Payward failed to exercise due caution when, knowing it had a global customer base, it applied its geolocation controls subjectively and only at the time of onboarding. This was despite having probable cause to act, OFAC said, on available IP address information showing users who “appeared to have been located in Iran at the time of the transactions.”

Controls not Implemented “Comprehensively and Reciprocally”

OFAC settled for $116,048.60 on September 30 with Tango Card, Inc – an instant payment system supplier and distributor of rewards. The rewards often took the form of stored value cards to support client businesses’ employee and customer incentive programs.

Like Payward, even though Tango Card implemented geolocation tools to appropriately identify transactions involving countries at high risk for suspected fraud, it failed to configure such controls “comprehensively and reciprocally.” OFAC ruled that Tango Card did not exercise due diligence and Know Your Customer (KYC) screening to establish the recipients’ identity despite having the capacity to verify whether the sender of rewards was involved in sanctioned jurisdictions.
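The control gap both settlements describe can be made concrete in code. The following Python sketch is an added example, not code from the article or from Payward or Tango Card: it contrasts an onboarding-only geolocation check with a per-transaction check that screens both sender and recipient; the IP-to-country table, the account records and the blocked-region set are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed IP-to-country table (TEST-NET addresses) standing in for a
# commercial geolocation feed.
GEO_LOOKUP = {
    "203.0.113.10": "US",
    "198.51.100.7": "IR",
    "192.0.2.55": "DE",
}
# Illustrative set of comprehensively sanctioned jurisdictions; a real program
# would source this from current OFAC guidance rather than hard-code it.
BLOCKED_REGIONS = {"IR", "CU", "KP", "SY"}


@dataclass
class Account:
    user_id: str
    onboarding_ip: str  # the only IP an onboarding-only control ever looks at


def country_of(ip: str) -> str:
    return GEO_LOOKUP.get(ip, "UNKNOWN")


def onboarding_only_allows(sender: Account) -> bool:
    """The gap OFAC described: geolocation is checked once, at account creation,
    so a user who later transacts from a sanctioned jurisdiction is never re-screened."""
    return country_of(sender.onboarding_ip) not in BLOCKED_REGIONS


def screen_transaction(sender: Account, sender_ip: str,
                       recipient: Account, recipient_ip: str) -> tuple:
    """Per-transaction, reciprocal check: the current IP of *both* parties is
    geolocated. Returns (decision, reasons) with decision in
    {"block", "escalate", "allow"}; an un-geolocatable IP is escalated for review."""
    reasons = []
    decision = "allow"
    for role, acct, ip in (("sender", sender, sender_ip),
                           ("recipient", recipient, recipient_ip)):
        country = country_of(ip)
        if country in BLOCKED_REGIONS:
            reasons.append(f"{role} {acct.user_id} geolocated to {country} at transaction time")
            decision = "block"  # a hit on either party blocks the transaction
        elif country == "UNKNOWN":
            reasons.append(f"{role} {acct.user_id}: IP {ip} could not be geolocated")
            if decision != "block":
                decision = "escalate"
    return decision, reasons
```

An account onboarded from a US address that later transacts from an Iranian address passes the onboarding-only check but is blocked by the per-transaction one, and a sanctioned recipient is caught even when the sender is clean.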

OFAC deemed voluntary self-disclosure and cooperation to be decisive mitigating factors in both settlements. The undertaking of significant remedial measures was considered another mitigating factor. Payward’s remedial measures included:

  • Adding geolocation blocking.
  • Implementing multiple blockchain analysis tools to assist with sanctions monitoring.
  • Investing in additional compliance-related training for its staff, including in blockchain analytics.
  • Hiring a dedicated head of sanctions to direct Payward’s sanctions compliance program and hiring additional sanctions compliance staff.
  • Expanding its contract with its current screening provider for additional screening capabilities to ensure compliance with the 50 percent rule, including detailed reports on beneficial ownership.
  • Contracting with a vendor that assists with identification and nationality verification by using artificial intelligence tools to detect potential issues with supporting credentials provided by users.
  • Implementing an automated control to block accounts using cities and postal codes associated with the Crimea region and in the self-declared Donetsk and Luhansk people’s republics of Ukraine.

For Tango Card, the mitigating factors were:

  • Adding geo-blocking and updating its IP address geo-blocking protocol to include jurisdictions and regions subject to sanctions.
  • Training its compliance team to manually screen the email addresses on bulk spreadsheet orders by jurisdiction and region.
  • Contracting consultants to review the security of its cloud program and policies.
  • Hiring people to identify control gaps and improve compliance processes proactively.
  • Acquiring additional screening tools and revising a monthly report identifying domain names and IP addresses from sanctioned jurisdictions and regions.

OFAC’s Sanctions Compliance Guidance for Instant Payment System recommends that, to mitigate the risk of violating OFAC regulations, US persons and entities, including US banks, employ a risk-based approach to sanctions compliance. This is primarily done through developing, implementing, and routinely updating a sanctions compliance program that incorporates five essential components of compliance:

  • management commitment;
  • risk assessment;
  • internal controls;
  • testing and auditing; and
  • training.

OFAC advises companies that the software they use in their sanctions compliance framework must:

  • stay current with its Specially Designated Nationals (SDN) list;
  • screen for relevant red flags, such as SWIFT codes for blocked financial institutions; and
  • account for alternative spellings of prohibited firms or people.

Challenges arise when software applications are not designed from the outset with compliance in mind. The issues are often a combination of cost and technical matters, such as machine learning, natural language processing and digital ledger technology.

‘Design Stance’ for Sanctions Compliance

The new tools must adopt what Michael Meadon, Refinitiv director, customer and third-party risk solutions, Asia Pacific, calls a “design stance” to sanctions. This includes all processes, procedures, and systems designed from the ground up to support overall sanctions compliance.

Developers of instant payment systems can incorporate OFAC sanctions compliance measures during design and development to account for compliance as payment technologies are developed.

Two tradeoffs arise. First, sanctions compliance features, tools, and contractual clauses allow system participants to maintain a sanctions compliance program commensurate with the risks presented by their respective instant payment systems.

Second, such measures naturally give rise to a consistent, up-to-date watchlist of foreign sanctions evaders, consolidated sanctions, politically exposed persons and sectoral sanctions identifications. Taken as a whole, a practical software application framework must, at a minimum, be able to identify, interdict, escalate, and report to the appropriate personnel within the organization any transactions and activities that OFAC may prohibit.

“There are three mega-trends in sanctions, and they will impact the instant payments space particularly hard,” Mr Meadon says. “The first is sanctions inflation. Designated individuals have increased by over 274% in the last five years and more than 14% within the last year alone.”

OFAC has been, by far, the largest contributor to sanctions inflation, he says. “There has been a steady increase in the diversity of sanctions programs, everything from human rights – Magnitsky sanctions – to drug trafficking – the Kingpin program – to investment bans due to what the United States calls a ‘civil-military fusion’ in China (the Chinese Military Companies Sanctions program) and others. In 2022, the dominant theme has, of course, been the Russian invasion of Ukraine, though sanctions inflation has been a constant over the past five years.”

Mr Meadon says that the rapid inflation has important implications, including greater inherent risk, an increased likelihood of false positives and, overall, a greater cost of compliance.

Another problem is divergence: more countries are adopting autonomous sanctions regimes, resulting in a complex web of overlapping and, at times, conflicting requirements.

Risk-Based Approach is the Way Forward

Sanctions compliance departments should always take a risk-based approach. They can accomplish this by incorporating OFAC’s five essential components of sanctions compliance.

For those integrating software into their systems, keep a “design stance” in mind. Implementing geolocation controls and due diligence that factors in KYC measures both pre- and post-onboarding will prevent compliance departments from running afoul of OFAC regulators.

What’s likely next for instant payment systems depends largely on how well companies adhere to OFAC’s guidance on instant payments, published in September. The publication details OFAC recommendations, terminologies, and resources to assist companies in remaining compliant with OFAC regulations. There is no excuse for instant payment providers not to comply.
