OFAC Releases New Sanctions Compliance Guidelines for Instant Payment Systems – Financial Services

On September 30, 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) released its “Sanctions Compliance Guide for Instant Payment Systems(the Guide) designed to help financial institutions allocate their compliance resources based on their particular sanctions risks. In recent years, the financial industry has introduced payment systems that allow users to send and receive funds almost instantaneously.Along with the increasing values ​​and volumes of these payments, the guidance stresses the need for robust compliance measures in this context. Specifically, the guidance (i) reaffirms that financial institutions should adopt a risk-based approach to managing sanctions risks; (ii) highlights key factors that may be relevant in determining this risk-based approach; (iii) encourages the development and deployment of innovative approaches and technologies sanctions compliance to address identified risks; and (iv) encourages developers Instant payment systems to incorporate sanctions compliance considerations as they develop new payment technologies.

No one-size-fits-all approach

The Guidelines do not claim to provide a single approach to sanctions risk management. Instant payment systems vary considerably depending on, among other things, their geographical location and the extent of their international presence; the location, nature and transaction history of their customers and counterparties; the specific financial products and services they offer; and their size and sophistication. Thus, OFAC recommends that each financial institution’s decision “on whether and how” to screen transactions made using instant payment systems be based on that institution’s assessment of its own risk.

Although OFAC recommends a risk-based decision as to “if and how” a financial institution should conduct sanctions screening on Instant Payments System transactions, we believe that this is only in exceptional circumstances. rare that it will be a question of “if” carrying out a check; financial institutions should assume that some degree of sanction control is necessary.

National institutions face a lower risk of exposure to sanctions

Domestic instant payment systems are those in which all transactions involve only accounts held in US banks, excluding foreign correspondent accounts. According to OFAC, these instant payment systems generally present a lower risk of exposure to sanctions than instant payment systems that allow cross-border transactions. However, financial institutions should not only screen transactions from national instant payment systems. As OFAC notes, the presumption that domestic instant payment system transactions are less risky than cross-border transactions is based on the expectation that U.S. banks are subject to supervisory reviews and are already subject to stringent regulatory requirements, such as running risk-based accounts receivable. due diligence during onboarding and at regular intervals thereafter. Non-US banks, on the other hand, may not be subject to such stringent regulatory requirements and scrutiny.

The consumer behavior model is key to assessing risk

OFAC states that while a payment of any amount may result in a violation of OFAC regulations, the nature and value of a payment may be relevant in assessing the relative sanctions risks of payments made through an instant payment system. For example, payments consistent with a customer’s past behavior that a financial institution has previously vetted and cleared for potential sanctions implications generally have a lower sanctions risk than payments that appear inconsistent with a customer’s track record. , such as payments of a significantly higher value or payments made to foreign persons. with whom the customer has not yet dealt. The OFAC guidance therefore also highlights the importance of maintaining robust processes for complying with the Financial Crimes Enforcement Network’s (FinCEN) Customer Due Diligence Rule. Financial institutions should collect the necessary information at account opening to understand the nature and purpose of the customer relationship in order to develop an accurate customer risk profile, and they should follow up with periodic ongoing due diligence to assess whether the client’s trading activity is consistent with the client’s risk profile.

Emerging technologies should facilitate compliance

OFAC recommends using artificial intelligence (AI) tools and other innovative compliance solutions, such as those that take advantage of information-sharing mechanisms between financial institutions, which can improve compliance functions. sanction filtering and reduce false positives. Where appropriate, based on an institution’s risk assessment, OFAC encourages the use of these tools and other emerging technologies and solutions to manage sanctions risks that may arise in the context of payments. snapshots.

As we warned, when federal banking agencies encouraged the industry to test and use AI and other innovative solutions to detect and report money laundering, financial institutions should not allow these OFAC guidelines to let our guard down in terms of sanction screening. Financial institutions should test new screening solutions in parallel with existing screening mechanisms and they should obtain feedback from their supervisors before launching a new innovative process.

In addition, OFAC encourages developers of instant payment systems to incorporate sanctions compliance during the design and development process so that sanctions compliance checks are considered as new payment technologies are developed. . For example, instant payment systems can facilitate sanctions compliance by enabling communication between participating financial institutions involved in payment processing, as such communication is often necessary to gather information related to potential sanctions alerts. In addition, instant payment systems that allow for exception handling, i.e. the removal of a transaction from the automated process to allow a financial institution sufficient time to investigate potential sanction issues, also help their participants mitigate the risk of sanctions. Exception handling can help enable filtering and review of payments that may involve a sanctions link.

OFAC Steps Up Enforcement Efforts: Tango Card Settlement

On September 30, 2022, OFAC announced a regulation with Tango Card, Inc., a Seattle-based company that provides and distributes electronic gifts and rewards, often in the form of stored-value cards to support corporate client employees and customer incentive programs. Between September 2016 and September 2021, due to the company’s “deficient geolocation identification processes”, Tango Card electronically transmitted 27,720 merchant gift cards and promotional debit cards (for a total of 386,828.65 $) to individuals with email and/or IP addresses associated with a number of sanctioned jurisdictions, i.e. Cuba, Iran, Syria, North Korea and the Crimea region in Ukraine.

In its enforcement statement, OFAC pointed out that Tango Card, as a business transacting across borders, knew or should have known that it would be transmitting gift cards and rewards to recipients in sanctioned jurisdictions, but Tango Card failed to impose a risk-based approach. geolocation rules to identify the location of its reward recipients at the time these transactions took place. Importantly, this case also serves as a reminder that parties cannot transfer their risk of sanctions through contractual provisions. Although a contractual clause requiring a customer or counterparty to comply with sanctions regulations may help to mitigate the risk of sanctions, such provisions do not absolve an entity from potential liability for sanctions or the need to implement its own sanctions controls.

Tango Card agreed to pay $116,048.60 to solve the investigation, an amount exceptionally well below the legal maximum penalty of $9.2 billion. When calculating Tango Card’s actual penalty, OFAC noted that this was a non-flagrant case and considered mitigating factors, such as Tango Card voluntarily disclosing the violations. apparent and cooperated substantially with OFAC’s investigation. OFAC also cited Tango Card remedies such as: implementing geo-blocking for front-line domains (TLDs), preventing rewards from being issued to email addresses associated with sanctioned jurisdictions , updating its geo-blocking of IP addresses to include sanctioned jurisdictions and regions, preventing takeovers by people in those jurisdictions, conducting sanctions training for employees who process bulk orders spreadsheets, hiring a consultant to review its security posture with respect to its cloud program, and acquiring additional filtering tools.

This case therefore underscores the importance of using relevant geographic information as part of a risk-based sanctions compliance program, voluntarily disclosing apparent violations, implementing sanctions compliance remedies quickly, and to provide early and thorough cooperation with OFAC if it initiates an investigation.

Financial institutions seeking guidance on sanctions compliance requirements and processes, or seeking assistance in responding to an OFAC investigation, are encouraged to contact one of the authors of this advisory or their usual Arnold & Porter contact.

* Volodymyr Ponomarov contributed to this review. Mr. Ponomarov is only admitted to New York; practicing law in the District of Columbia during the term of its application for admission to the DC bar and under the supervision of attorneys in the firm who are members in good standing of the DC bar.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.