On September 30, 2022, the United States Treasury’s Office of Foreign Assets Control (OFAC) published Sanctions Compliance Guidance for Instant Payment Systems. The guidance emphasises the importance of the risk-based approach that firms in the US must take to sanctions risk, in particular where those firms use payment technologies to handle transactions, such as instant payment systems.
OFAC published the payment systems guidance following its court settlement with Tango Card Inc, a stored-value card company that distributes products such as electronic gift vouchers and other online rewards. An OFAC investigation found that Tango Card had violated multiple US sanctions by transmitting its products to sanctioned countries.
With OFAC’s renewed focus on payment systems, it is crucial that service providers understand the new guidance, and how to ensure regulatory compliance.
What Does OFAC’s Instant Payment Systems Guidance Involve?
The 2022 guidance emphasises that there is no “one-size-fits-all approach” to sanctions compliance, pointing out that each instant payment system “has its own unique characteristics” and does not entail “the same sanctions risks”. Accordingly, OFAC’s guidance states that each financial institution’s sanctions compliance solution “should be based on that institutions’ assessment of its own risk”, and take in a variety of factors for mitigating that risk.
OFAC’s guidance sets out the following key risk factors relevant to financial institutions offering instant payment systems:
Domestic vs Cross Border Payments: OFAC’s guidance identifies that domestic payment systems which involve the transfer of funds between US bank accounts are typically a lower sanctions risk than those that facilitate cross-border transactions – which are obviously more likely to involve persons designated by US sanctions programs. OFAC points out that US banks already implement robust screening and monitoring processes (as required by US law), along with risk-based customer due diligence, but that non-US banks “may not be subject to the same regulatory requirements and examinations”.
Nature and Value of Payments: Certain types of payment facilitated by instant payment systems pose a greater sanctions risk than others. To this end, OFAC’s guidance suggests that the “nature and value” of payments should be a relevant risk factor when assessing risk. In particular, banks should examine the consistency of payments with customers’ past behaviour: for example significantly higher value payments than normal, to foreign accounts, may indicate a greater sanctions risk.
Emerging Compliance Technology: New compliance technology, such as artificial intelligence tools and information sharing mechanisms can significantly reduce the sanctions risk associated with instant payment systems. In particular, OFAC notes that such emerging technologies can “enhance sanctions screening functions and reduce false positives”, and encourages financial institutions to integrate technology wherever possible in order to manage instant payment risk.
The Tango Card Settlement
The publication of the instant payment systems guidance on 30 September coincided with OFAC’s settlement with Tango Card Inc, following an investigation that ran from 2016 to September 2021. The investigation found that Tango Card had “deficient geolocation identification processes” that had caused multiple US sanctions violations, including the illegal transmission of 27,720 gift cards and debit cards worth $386,828.65. Those cards had been issued to individuals in a number of high risk sanctioned countries, including Iran, Syria, North Korea, Cuba, and Ukraine’s Crimea region.
While OFAC praised Tango Card’s voluntary disclosure of the violations, it pointed out that the card company should have known that it was delivering cards to customers within sanctioned jurisdictions. The investigation found that Tango Card had failed to implement risk-based measures to identify the non-compliant transactions or establish the location of card recipients, and had failed to implement sufficient “geo-blocking” features to restrict the sale of cards to such customers. While Tango Card did implement contractual provisions that required its direct customers to comply with sanctions provisions, it did not ensure that the cards were not passed to customers in sanctioned jurisdictions.
Following the investigation, OFAC emphasised that contractual provisions should not be used as a means to transfer sanctions liability since they do not mitigate sanctions risk, nor do they absolve persons of their own compliance liability.
As part of the settlement, Tango Card agreed to pay $116,048.60, as opposed to a maximum penalty of $9.2 billion. The relatively low fine reflected mitigating factors in the case, including Tango Card’s voluntary disclosure of its compliance failures and its subsequent cooperation with OFAC during the investigation. OFAC also commended the steps Tango Card subsequently took to address its failures, which included implementing geo-blocking measures to prevent card issuance to sanctioned jurisdictions, conducting compliance training, integrating new screening tools, and hiring a security consultant.
The Importance of Technology in Sanctions Compliance
The Tango Card settlement, and the subsequent OFAC guidance underline the importance of the risk based approach as a sanctions compliance priority for organisations that offer instant payment services, but also demonstrate the importance of technology in achieving that goal. Many of Tango Card’s sanctions violations could have been prevented with the better application of screening technology within its compliance infrastructure: high risk transactions, for example, would have been flagged automatically, while geo-blocking measures would have identified top line domains and prevented products being issued to designated countries.
Ripjar’s Labyrinth Screening platform was designed to help firms meet their sanctions compliance requirements including the challenges presented by instant payments. When a payment is initiated, Labyrinth enables real time searches of sanctions lists, watch lists, and other types of data, including thousands of adverse media sources. Labyrinth helps firms conduct accurate, efficient assessments of the sanctions risks they face, integrating machine learning technology to manage structured and unstructured data, and generate actionable intelligence in seconds.