US Financial Services Company Fined $1.4M for Sanctions Violations, Faulty Screening
The Office of Foreign Assets Control fined a New York online money transmitter and provider more than $1.4 million for violating U.S. sanctions on the Crimea region of Ukraine, Iran, Sudan and Syria. Payoneer came to a settlement agreement with OFAC after illegally processing more than 2,000 payments for parties in sanctioned countries, OFAC said in a July notice. The fine was OFAC’s third highest this year.
The violations, which took place between 2013 and 2018, stemmed from several “deficiencies” in Payoneer’s compliance program, OFAC said. Although the company had policies in place to prohibit transactions involving sanctioned parties, OFAC said Payoneer suffered from multiple “sanctions compliance control breakdowns,” including weak algorithms that didn’t flag close matches to Specially Designated Nationals and a “lack of focus” on certain sanctioned countries. The agency also said Payoneer didn’t screen for Business Identifier Codes (BIC) “even when SDN List entries contained them” and allowed flagged payments to be “automatically released without review” when the company was backlogged.
OFAC specifically said Payoneer could have done more to scrutinize illegal payments involving Crimea, adding that the company didn’t monitor internet protocol addresses and didn’t flag addresses in sanctioned locations. In total, Payoneer processed 2,241 transactions worth about $802,000, violating OFAC sanctions regimes targeting Crimea, Zimbabwe, weapons of mass destruction proliferators, Iran, Syria and the agency’s now-repealed Sudan sanctions regulations. The company self-voluntarily disclosed just 19 of the transactions, but OFAC said the case was non-egregious.
OFAC pointed to several aggravating factors, included Payoneer’s failure to “exercise a minimal degree of caution or care” for sanctions compliance when it allowed people on the SDN List to open accounts and conduct transactions, which “persisted for a number of years.” Payoneer also had “reason to know” that its customers were subject to sanctions because it had “common indicators of location,” including billing and shipping documents, IP addresses and copies of identification. OFAC also said Payoneer’s violations harmed six separate U.S. sanctions programs.
But OFAC also said Payoneer’s senior management “acted quickly” to self-disclose its violations and cooperated with the agency’s investigation. Other mitigating factors included the fact that the company hadn't received a penalty notice within the last five years and self-imposed a range of remedial measures, including replacing its chief compliance officer, retraining all compliance employees and hiring new compliance officials focused on testing. Payoneer also improved its screening software to include bank aliases and BIC names, and to identify regions subject to sanctions, and it now conducts a “daily review of identification documents.” The company also added a “rule engine” that stops payments with “identification indicating jurisdictions and regions subject to sanctions.”
OFAC said the case highlights that money service businesses must comply with U.S. sanctions and should “develop a tailored, risk-based sanctions compliance program.” The agency also stressed that effective screening doesn’t only search for SDN List matches but also for sanctioned locations. Companies should also perform “algorithm testing to be sure filters are flagging payments within expected parameters” and should hold all flagged payments until they're reviewed. Payoneer didn’t comment.