Government agencies continue to scrutinize third-party payment processors for high-risk transactions and, when appropriate, respond to alleged violations with investigations and enforcement actions. Industry members are most likely familiar with the numerous enforcement actions brought in recent years by the Federal Trade Commission, the Consumer Financial Protection Bureau, and the Department of Justice. Recently, however, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) has joined the battle, pursuing enforcement actions against and achieving multi-million dollar settlements with those alleged to have violated one or more of the U.S. sanctions programs OFAC administers. These recent enforcement actions signal heightened focus on the payment industry and payment processors. Consequently, these enforcement actions and settlements teach that industry members must update their OFAC compliance policies, ensure that employees comply with those procedures, and understand how to address violations if they occur, including whether to voluntarily disclose violations.
OFAC administers a range of sanctions programs that prohibit or limit “U.S. Persons,” a term that includes citizens, residents, or nationals, companies registered or located in the U.S., or companies located or formed in a U.S. territory, from doing business with certain identified countries, entities, and individuals. OFAC’s sanctions programs include broad-based programs that target countries like Iran, North Korea, and Syria, and more targeted programs, such as those focusing on Russia/Ukraine, Sudan, and Burma. OFAC maintains a list – the Specially Designated Nationals (SDN) List – that specifically identifies those individuals and entities with which U.S. Persons cannot do business.
OFAC strictly enforces these programs, which directly impact banks, other financial institutions, and their customers. OFAC’s enforcement response can take several forms. First, OFAC can choose to take “no action” if it determines insufficient evidence exists to conclude that a violation occurred. OFAC can also request “additional information” in order to investigate the matter further. OFAC can merely issue a “Cautionary Letter” if it concludes that, even though the conduct could have led to a violation, a Finding of Violation or a civil penalty is not warranted. If OFAC determines that a violation occurred that warrants an official response, but not civil penalties, OFAC may issue a Finding of Violation that identifies the misconduct. OFAC can impose a civil penalty in an amount determined by its guidelines, based on the finding of a violation that warrants the imposition of a monetary penalty. Finally, in egregious circumstances, OFAC has the authority to make a criminal referral to an appropriate law enforcement agency for further criminal investigation or prosecution. Violations referred for criminal investigation also may be subject to OFAC civil penalties or other administrative actions.
Often, OFAC alleges third-party payment processors failed to utilize adequate screening technology and procedures to identify the potential involvement of U.S. sanctions targets in the transactions they process. In addition to software failures, OFAC takes issue with company employees who allow a suspect transaction to proceed and fail to complete the necessary review after software identifies a potential hit. In cases where a third-party payment processor’s conduct is egregious, OFAC can assess higher total base penalties, even when the value of the transactions is lower.
OFAC also considers aggravating and mitigating factors when arriving at a penalty amount. These include:
- Whether the company showed reckless disregard when its interdiction software failed to identify an SDN as a potential match to the SDN list;
- How many times company employees cleared matches that the system had flagged before finally blocking the account;
- Whether company employees ignored warning signs about potential SDN matches or failed to escalate issues; and,
- Whether company management demonstrated a reckless disregard for the sanctions programs by continuing to operate a payment system without adequate controls in place to ensure that inappropriate transactions were blocked.
OFAC recognizes that mitigating factors may offset aggravating factors, at least to some degree. Mitigating factors can include:
- Upon discovering system failures, improving systems to flag SDN accounts and block them;
- Voluntarily reporting issues to OFAC;
- Hiring compliance managers and strengthening screening processes; and,
- Substantially cooperating with OFAC’s investigation by, for example, submitting relevant documents and responding to information requests.
Recent settlements underscore the potential benefits that flow from utilizing OFAC’s voluntary disclosure process. OFAC does not grant amnesty, so companies must be prepared to deal with an enforcement action, but it does provide clear guidance regarding its treatment of voluntary disclosures. This guidance allows companies to make an assessment of their particular situation before making the voluntary disclosure. For instance, OFAC’s guidelines establish that in a non-egregious case, if the apparent violation is disclosed through a voluntary self-disclosure, the base amount of the proposed civil penalty shall be 50% of the transaction value, capped at a maximum of $125,000 per violation. In contrast, in a non-egregious case, if the violation comes to OFAC’s attention by means other than voluntary disclosure, the base amount of the proposed civil penalty shall be the “applicable schedule amount,” as defined in the OFAC guidelines and determined by the value of the transaction, capped at $250,000 per violation. Also, full and substantial cooperation with OFAC becomes an important factor when OFAC determines its enforcement response even in the absence of voluntary self-disclosure.
Third-party payment processors often deal with customers living and operating worldwide. Consequently, a higher risk exists that some of those customers may be subject to an OFAC sanctions program. In today’s stringent regulatory environment, merely having a compliance program will not suffice. A company’s compliance program must be updated, including the applicable identification software, and employees must take the time to review potential hits and address any questions. Companies should also consider conducting quarterly or semi-annual audits of transactions to determine whether mistakes have occurred. If any are identified, strong consideration should be given to making a voluntary disclosure.