OFAC Issues New Sanctions Compliance Guidance for Instant Payment Systems
On September 30, 2022, the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury published its “Sanctions Compliance Guidance for Instant Payment Systems” (the Guidance) designed to help financial institutions allocate their compliance resources consistent with their particular sanctions risks. In recent years, the financial sector has introduced payment systems that allow users to send and receive funds almost instantly. Because of the high velocity of instant payments, along with increasing values and volumes of such payments, the Guidance emphasizes the need for robust compliance measures in this context. Specifically, the Guidance (i) reaffirms that financial institutions should take a risk-based approach to managing sanctions risks; (ii) highlights key factors that may be relevant in determining that risk-based approach; (iii) encourages the development and deployment of innovative sanctions compliance approaches and technologies to address identified risks; and (iv) encourages developers of instant payment systems to incorporate sanctions compliance considerations as they develop new payment technologies.
No One-Size-Fits-All Approach
The Guidance does not purport to provide a one-size-fits-all approach to managing sanctions risks. Instant payment systems vary significantly depending, among other things, on their geographic locations and the extent of their international presence; the location, nature, and transactional history of their customers and their counterparties; the specific products and financial services they offer; and their size and sophistication. Thus, OFAC recommends that each financial institution’s decision “on whether and how” to screen transactions conducted using instant payment systems should be based on that institution’s assessment of its own risks.
Although OFAC recommends a risk-based decision as to “whether and how” a financial institution should conduct sanctions screening on instant payment system transactions, our view is that only in exceptionally rare cases will it be a question of “whether” to screen; financial institutions should presume that some degree of sanctions screening is necessary.
Domestic Institutions Face Lower Risk of Sanctions Exposure
Domestic instant payment systems are those in which all transactions involve only accounts maintained at US banks, excluding foreign correspondent accounts. According to OFAC, those instant payment systems typically pose a lower risk of sanctions exposure than instant payment systems that permit cross-border transactions. Financial institutions should not, however, become complacent in screening domestic instant payment system transactions. As OFAC notes, the presumption that domestic instant payment system transactions carry less risk than cross-border transactions is based on an expectation that US banks are subject to supervisory examinations and already are subject to stringent regulatory requirements, such as performing risk-based customer due diligence at onboarding and at regular intervals thereafter. Non-US banks, on the other hand, may not be subject to similar stringent regulatory requirements and examinations.
Consumer’s Pattern of Behavior Is Key to Assessing Risks
OFAC states that while a payment of any amount could result in a violation of OFAC regulations, the nature and value of a payment may be relevant in assessing the relative sanctions risks of payments made via an instant payment system. For example, payments consistent with past customer behavior that a financial institution has previously vetted and cleared for potential sanctions implications generally pose lower sanctions risk than payments that appear inconsistent with a customer’s prior history, such as significantly higher value payments or payments made to foreign persons with whom the customer has not previously dealt. OFAC’s guidance thus also underscores the importance of maintaining robust processes to comply with the Financial Crimes Enforcement Network’s (FinCEN’s) Customer Due Diligence rule. Financial institutions must collect the necessary information at account opening to understand the nature and purpose of the customer relationship in order to develop an accurate customer risk profile, and they must follow through by conducting periodic ongoing customer due diligence to assess whether the customer’s transaction activity is consistent with the customer’s risk profile.
Emerging Technologies Should Aid Compliance
OFAC recommends using artificial intelligence (AI) tools and other innovative compliance solutions, such as those that leverage information sharing mechanisms across financial institutions, which may enhance sanctions screening functions and reduce false positives. Where appropriate, based on an institution’s assessment of risk, OFAC encourages the use of such tools and other emerging technologies and solutions to manage sanctions risks that could arise in the context of instant payments.
As we cautioned when the federal banking agencies encouraged the industry to test and employ AI and other innovative solutions to detect and report money laundering, financial institutions should not treat this OFAC guidance as a reason to let their guard down on sanctions screening. Financial institutions should test new screening solutions in parallel with existing screening mechanisms, and they should obtain feedback from their supervisors before launching a new innovative process.
In addition, OFAC encourages developers of instant payment systems to incorporate sanctions compliance during the design and development process so that sanctions compliance controls are accounted for as new payment technologies are being developed. For example, instant payment systems can facilitate sanctions compliance by enabling communication among participating financial institutions involved in processing payments, as such communication is often necessary to gather information related to potential sanctions alerts. Furthermore, instant payment systems that allow for exception processing—i.e., allowing a transaction to be removed from the automated process to provide sufficient time for a financial institution to investigate potential sanctions concerns—also help their participants mitigate sanctions risks. Exception processing can help enable screening and review of payments that may involve a sanctions nexus.
OFAC Is Stepping Up Its Enforcement Efforts: The Tango Card Settlement
On September 30, 2022, OFAC announced a settlement with Tango Card, Inc., a Seattle-based company that supplies and distributes electronic gifts and rewards, often in the form of stored value cards to support client businesses’ employees and customer incentive programs. Between September 2016 and September 2021, as a result of the company’s “deficient geolocation identification processes,” Tango Card electronically transmitted 27,720 merchant gift cards and promotional debit cards (totaling $386,828.65) to individuals with email and/or IP addresses associated with a number of sanctioned jurisdictions—i.e., Cuba, Iran, Syria, North Korea, and the Crimea region of Ukraine.
In its enforcement release, OFAC emphasized that Tango Card—as a company engaging in cross-border transactions—knew or should have known that it would be transmitting gift cards and awards to recipients in sanctioned jurisdictions, yet Tango Card failed to impose risk-based geolocation rules to identify the location of its rewards recipients at the moment those transactions took place. Importantly, this case also serves as a reminder that parties cannot transfer their sanctions risk through contractual provisions. While a contractual term that requires a customer or counterparty to comply with sanctions regulations may help mitigate sanctions risk, such provisions do not absolve an entity from potential sanctions liability or the need to implement its own sanctions controls.
Tango Card agreed to pay $116,048.60 to resolve the investigation, an amount exceptionally far below the statutory maximum penalty of $9.2 billion. When calculating Tango Card’s actual penalty, OFAC noted that this constituted a non-egregious case, and it accounted for mitigating factors, such as the fact that Tango Card voluntarily self-disclosed the apparent violations and substantially cooperated with OFAC’s investigation. OFAC also cited Tango Card’s remedial measures, such as implementing geo-blocking for top-level domains (TLDs), preventing reward issuance to email addresses associated with sanctioned jurisdictions, updating its IP address geo-blocking to include jurisdictions and regions subject to sanctions, preventing redemptions by persons in these jurisdictions, conducting sanctions training for employees who handle bulk spreadsheet orders, hiring a consultant to review its security posture with regard to its cloud program, and acquiring additional screening tools.
This case therefore underscores the importance of using relevant geographic information as part of a risk-based sanctions compliance program, voluntarily self-disclosing apparent violations, promptly implementing remedial sanctions compliance measures, and providing early and thorough cooperation with OFAC should it initiate an investigation.
Financial institutions seeking advice on sanctions compliance requirements and processes, or seeking assistance in responding to an OFAC investigation, are encouraged to contact any of the authors of this Advisory or their usual Arnold & Porter contact.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.