US Company’s Lack of Location Controls Leads to OFAC Settlement, Fine
An Illinois-based financial services firm reached a $206,213 settlement with the Office of Foreign Assets Control this week after the company allowed its prepaid reward card programs to be used by people in sanctioned regions, including Iran, Syria, Cuba and the Crimea region of Ukraine. OFAC said Swift Prepaid Solutions’ lack of “comprehensive geolocation controls” led to 12,391 violations of U.S. sanctions programs.
The company, doing business as daVinci Payments, offered online payment reward card programs for corporate, non-profit and government clients, allowing them to issue prepaid cards as part of a loyalty or promotional incentive for employees and customers. The company had sanctions compliance procedures in place, and required card users to provide their names, addresses and email addresses on daVinci’s website, which OFAC said were screened against sanctions lists.
But during a compliance review that began in March 2020, daVinci discovered that on 12,378 occasions it had redeemed prepaid cards for users with internet protocol addresses associated with Iran, Syria, Cuba and Crimea. After the company began preventing access to its platform from IP addresses associated with those regions, it soon discovered it had redeemed prepaid cards for 13 more users it hadn't caught, who had used email addresses with suffixes -- which OFAC said are “sometimes called top-level domains” -- associated with sanctioned jurisdictions. For example, those suffixes may have included ".sy" for Syria and ".ir" for Iran, OFAC said.
OFAC said daVinci processed redemptions totaling nearly $550,000 for cardholders in sanctioned jurisdictions. The agency could have imposed a maximum civil penalty of more than $4 billion but decided on a lesser amount due to several mitigating factors, including the fact that daVinci voluntarily disclosed the violations. OFAC also noted that the company hadn’t received a penalty notice in the previous five years and took “a number of significant remedial measures,” including by proactively conducting an internal review, implementing IP blocking controls, conducting real-time screening and blocking of email address suffixes and beginning “independent third-party testing at regular intervals.” The agency also said daVinci cooperated with OFAC’s investigation.
The agency pointed to one aggravating factor: daVinci failed to “exercise due caution or care” when it redeemed prepaid cards for users who appeared to be in sanctioned regions. The company “knew or had reason to know” that the users were in sanctioned regions “but did not incorporate this information into its compliance program or controls.”
The case highlights the importance of “obtaining and using all available information” to verify a customer’s identity or residency for sanctions compliance purposes, OFAC said, including by using location data, such as IP address and top-level domains. Companies face risks if they only rely on information provided by the customer “rather than a holistic information-gathering system that can mitigate evasion or misrepresentation,” the agency said. Businesses also should regularly review their compliance programs for any gaps and consider “periodic independent testing to ensure adequate controls.”
Neither Swift Prepaid Solutions nor daVinci Payments could be reached for comment.