On September 30, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) published an enforcement release on the USD 116,048 settlement with Tango Card, Inc. (Tango Card).
Tango Card is a Seattle-based company that supplies and distributes electronic rewards in the form of e-gift and prepaid cards to support client businesses’ employee and customer incentive programs. As a result of deficient geolocation identification processes, between 2016 and 2021, Tango Card violated multiple US sanctions programs. During this time, Tango Card transmitted at least 27,720 merchant gift cards and promotional debit cards in the amount of USD 386,828 to individuals with Internet Protocol (IP) addresses and email addresses associated with Cuba, Syria, Iran, North Korea, and the Crimea region of Ukraine.
It is worth noting that on the same day OFAC separately published its Sanctions Compliance Guidance for Instant Payment Systems (Guidance), which emphasizes the importance of taking a risk-based approach to managing sanctions compliance risks in the context of new payment technologies.
Below we provide more detail on OFAC’s enforcement action and Guidance.
Why is sanctions compliance important?
OFAC determined that while Tango Card maintained a sanctions compliance program and screening processes for its direct customers (i.e. merchants), the company did not use those same controls to identify whether recipients of rewards (i.e. employees and customers of merchants) might also involve sanctioned jurisdictions. OFAC highlighted as an aggravating factor the fact that the company collected recipients’ information, including IP addresses and email address suffixes associated with comprehensively sanctioned jurisdictions, such as .cu (Cuba) and .ir (Iran), and thus had reason to know that it was transmitting rewards to recipients in sanctioned jurisdictions.
The case emphasizes the following aspects:
- the importance of using sanctions screening tools as part of an effective, risk-based sanctions compliance program, including the use of appropriate geolocation tools to identify transactions potentially involving sanctioned jurisdictions; and
- the importance of using other risk-based controls when appropriate.
While contractual agreements with customers to comply with sanctions can help mitigate risk, this does not exclude the need to use other risk-based controls when appropriate - including ensuring that shipping or billing address information, IP addresses, or email address suffixes collected during the normal course of business are screened for all transactions.
What are the key takeaways for sanctions compliance frameworks?
While the settlement stresses the urgency for compliance teams to apply risk-based geolocation rules for all transactions, it is also important because it highlights several mitigating factors that could serve as “good market practices”. Notably, OFAC recognised that Tango Card took the following remedial measures to strengthen its sanctions compliance processes:
- Implemented geo-blocking for top-level domains (TLDs), preventing reward issuance to email addresses associated with sanctioned jurisdictions;
- Updated its IP address geo-blocking to include jurisdictions and regions subject to sanctions, preventing redemptions by persons in these jurisdictions;
- Conducted sanctions compliance training for the team;
- Hired a consultant to review its security posture with regard to its cloud program;
- Hired additional staff to proactively identify control gaps and improve sanctions compliance processes;
- Acquired additional screening tools; and
- Produced two monthly lookback reports - one identifying any TLDs over the prior month from jurisdictions and regions subject to sanctions and the other identifying any IP addresses over the prior month associated with such jurisdictions.
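The TLD and IP controls and the two monthly lookback reports listed above can be sketched as follows. This is an added example, not Tango Card's or OFAC's code: the record layout, the function names, the sample records and the IP-to-jurisdiction table (built from documentation address ranges) are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# ccTLDs of the comprehensively sanctioned countries named in the article.
# Crimea has no ccTLD of its own, so only IP geolocation can catch it.
BLOCKED_TLDS = {"cu": "Cuba", "ir": "Iran", "sy": "Syria", "kp": "North Korea"}

# CONSTRUCTED geolocation table using RFC 5737 documentation ranges.
# A real deployment would query a maintained geo-IP database instead.
GEO_RANGES = [
    (ipaddress.ip_network("192.0.2.0/24"), "Iran"),
    (ipaddress.ip_network("198.51.100.0/24"), "Crimea"),
]

# CONSTRUCTED sample reward records (hypothetical field names).
RECORDS = [
    {"date": "2021-03-02", "email": "a@example.com", "ip": "203.0.113.7"},
    {"date": "2021-03-05", "email": "b@Mail.Example.IR.", "ip": "203.0.113.8"},
    {"date": "2021-03-09", "email": "c@example.com", "ip": "198.51.100.20"},
    {"date": "2021-03-11", "email": "d@example.com.cu", "ip": "::ffff:192.0.2.5"},
    {"date": "2021-03-15", "email": "e@example.org", "ip": "not-an-ip"},
    {"date": "2021-04-01", "email": "f@example.kp", "ip": "203.0.113.9"},
]

def email_jurisdiction(email):
    """Sanctioned jurisdiction implied by the address's TLD, or None."""
    domain = email.rpartition("@")[2].strip().rstrip(".").lower()
    return BLOCKED_TLDS.get(domain.rpartition(".")[2])

def screen(record):
    """Reasons to hold this reward; an empty list means no hit."""
    hit = email_jurisdiction(record["email"])
    reasons = [f"email-tld:{hit}"] if hit else []
    try:
        addr = ipaddress.ip_address(record["ip"].strip())
    except ValueError:
        return reasons + ["ip:unparseable"]  # fail closed: manual review
    addr = getattr(addr, "ipv4_mapped", None) or addr  # unwrap ::ffff:a.b.c.d
    return reasons + [f"ip:{name}" for net, name in GEO_RANGES if addr in net]

def lookback(records, month):
    """Two monthly reports: TLD hits and IP hits for `month` (YYYY-MM)."""
    tld_hits, ip_hits = Counter(), Counter()
    for r in records:
        if not r["date"].startswith(month):
            continue
        for reason in screen(r):
            kind, _, name = reason.partition(":")
            (tld_hits if kind == "email-tld" else ip_hits)[name] += 1
    return dict(tld_hits), dict(ip_hits)
```

Running screen() on every issuance and redemption gives the blocking control; lookback() over the stored records is the after-the-fact check that the blocking is working in practice.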
Considering that Tango Card voluntarily self-disclosed the sanctions violations and substantially cooperated with OFAC’s investigation, OFAC determined that the violations constitute a non-egregious case.
The Tango Card settlement is one of several recent OFAC enforcement actions involving sanctions screening and geolocation identification deficiencies. It is interesting to note that a few days after the Tango Card settlement, the cryptocurrency exchange Bittrex agreed to pay a significant amount of USD 29 mln in fines for sanctions and anti-money laundering violations. Like Tango Card, the crypto exchange failed to prevent people located in sanctioned jurisdictions like the Crimea region of Ukraine, Cuba, Iran, Sudan and Syria from using its platform between March 2014 and December 2017.
All these enforcement actions emphasize the importance of having a robust sanctions compliance program with sound IP address blocking processes for all business transactions. They are also a reminder that the sanctions compliance program and processes must be frequently tested and audited to ensure they identify, in practice, all transactions related to comprehensively sanctioned jurisdictions.
What are the key elements of the Instant Payment Compliance Guidance?
In recent years, the financial sector has introduced instant payment systems that allow users to send and receive funds almost instantly, at any time of the day and on any day of the year. The high velocity of instant payments has raised questions across the sector about how best to implement sanctions compliance programs in this context. Against this background, and in conjunction with the Tango Card settlement, OFAC published the Sanctions Compliance Guidance for Instant Payment Systems.
The Guidance recommends that all US banks and financial institutions implement a risk-based approach that incorporates the following five essential components of compliance:
- compliance management commitment;
- risk assessment;
- internal controls;
- testing and auditing; and
- compliance training.
The Guidance does not set out one standardized approach to sanctions compliance; rather, it highlights OFAC’s expectation that financial institutions will make their own assessment to determine effective sanctions compliance controls. OFAC encourages financial institutions to use new tools and technologies to mitigate their sanctions risks. These include artificial intelligence tools that can enhance the accuracy of sanctions screening and reduce the number of false positives.
In the Guidance, OFAC highlights the following factors as particularly relevant in assessing compliance risks related to instant payment systems:
Domestic vs. Cross Border Payment Systems
The nature of the payment system (i.e. domestic or cross-border) may be relevant in assessing the sanctions risk of instant payment systems. Domestic instant payment systems generally pose lower sanctions risk than cross-border instant payment systems because transactions are limited to accounts from US banks. Institutions that use cross-border payment systems should assess sanctions exposure from non-US banks, which may not be subject to similar regulatory requirements and examinations.
Nature and Value of Payment
While the payment of any amount could result in sanctions violations, the nature and value of payment may be relevant in assessing the relative sanctions risks of instant payment systems. For example, payments consistent with previous customer behaviour that a financial institution has previously vetted and cleared for potential sanctions implications generally pose a lower risk than payments that appear inconsistent with previous customer behaviour.
OFAC acknowledges that instant payment systems’ inherent expectation that funds be made available to the payee in real time may pose sanctions compliance challenges leading to sanctions violations. To facilitate such compliance, OFAC encourages developers of instant payment systems to incorporate sanctions compliance as early as the design and development process.
How can InnReg support your sanctions compliance framework?
As a specialized outsourced compliance provider, InnReg is well positioned to offer compliance expertise to support the full gamut of sanctions compliance requirements, including:
- Sanctions compliance program development and management;
- Compliance facilitation across federal and state regulatory bodies;
- Monitoring for regulatory changes;
- Risk assessment and quality control; and
- Support for the CCO function and other key stakeholders in establishing an effective compliance governance and risk management framework.