On July 23, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced an enforcement action against Payoneer Inc., a money transmitter and provider of prepaid access, for processing payments involving several sanctioned jurisdictions and actors, including those in Crimea, Iran, Sudan, and Syria.
Payoneer paid a $1.4m monetary fine after OFAC found that it had processed over 2,241 payments involving sanctioned jurisdictions over a 5 year period totaling $802,117. Of note in the enforcement action were OFAC’s comments regarding Payoneer’s sanctions compliance program, which was deemed to have several deficiencies. For example, while Payoneer had a sanctions compliance policy that prohibited processing payments in or with sanctioned jurisdictions, Payoneer had not adopted procedures to implement that policy, failing to properly test or audit those processes.
Additionally, OFAC commented on Payoneer’s screening deficiencies. Notably, OFAC observed that Payoneer had insufficient algorithms that allowed close SDN List matches not to be flagged, failed to screen for business identifier codes, allowed flagged and pending payments to be released without review during backlog periods, and failed to focus on location screening, especially IP addresses.
This is not the first enforcement action against a money transmitter for compliance-related lapses, and should serve as a reminder to all payment processors that sanctions screening (including location-based screening) is a key step to mitigating regulatory risk. OFAC’s public consolidated Sanctions List is certainly a good place to start, though please note that the OFAC Sanctions List does not incorporate location-based screening, nor does it necessarily address subsidiaries or affiliates that are not expressly listed but still may be the subject of sanctions, among other potential screening gaps.