Payoneer, Inc., an online money transmitter and prepaid access company, agreed to pay $1.4 million to OFAC to settle violations of multiple sanctions programs.  In an ironic twist, Payoneer, which often touts its comprehensive sanctions and anti-money laundering compliance programs to its business customers, had to acknowledge 2,260 apparent violations of OFAC sanctions.

Payoneer is a well-known money service business (MSB) and acknowledged that it processed 2,241 transactions for prohibited parties subject to sanctions including the Crimea region of Ukraine, Iran, Sudan, and Syria.  In addition, Payoneer acknowledged its processed 19 payments on behalf of sanctioned persons, Specially Designated Nationals (“SDNs”). 

As an MSB, Payoneer failed to adequately screen participants in commercial transactions for potential matches on OFAC’s Specially Designated Nationals List (SDNs) and individuals that may be located in prohibited countries or regions. 

Payoneer also failed to conduct appropriate audits of its OFAC compliance program, test its algorithm to ensure that its filters are identifying payments within the set parameters, screen for BIC codes and holding flagged payments until they are reviewed.

All in all, Payoneer processed a total of $802,117.36 in prohibited transactions.  Interestingly, Payoneer received credit for voluntarily disclosing the 19 illegal payments to SDNs but did not voluntarily disclose the 2,241 illegal transactions involving persons in prohibited regions or countries.

Between February 2013 and February 2018, Payoneer processed 2,260 illegal transactions.  Payoneer’s policies and procedures dating back to June 2015 prohibited transactions with sanctioned parties or locations.  However, Payoneer’s compliance program failed to include basic testing, monitoring and verification of its activities to ensure compliance.  In particular, Payoneer’s screening, testing, auditing and transaction review procedures failed to identify these problematic transactions.

Payoneer’s sanctions violations occurred in processing of commercial transactions by corporate customers and card-issuing financial institutions.  The compliance control breakdowns included: (i) weak algorithms and filter settings that failed to identify close matches to SDN List entries; (ii) failure to screen for Business Identifier Codes (BICs) even when SDN List entries contained BICs; (iii) during backlog periods, allowing flagged and pending payments to be automatically released without review; and (iv) lack of focus on sanctioned locations, especially Crimea, because it was not monitoring IP addresses or flagging addresses in sanctioned locations.

Payoneer ignored basic transaction information that it collected such as billing, shipping or IP addresses, or copies of identifications issued in jurisdictions and regions subject to sanctions.  Instead, Payoneer allowed SDNs and persons in sanctioned location to open accounts and transact business despite having access to critical information indicating that the persons involved were SDNs or located in prohibited countries or regions.

Upon discovering potential sanctions compliance issues, senior management acted quickly to self-disclose the Apparent Violations related to blocked persons and provided substantial cooperation throughout the investigation.

To remediate the OFAC violations, Payoneer: (i) replaced its Chief Compliance Officer, retraining all compliance employees, and hiring new compliance positions focused specifically on sanctions testing; (ii) enhanced its screening software to include financial institution alias names and BIC codes and automatically triggering a manual review of payments or accounts that match persons on the SDN List; (iii) enabled the screening of names, shipping and billing addresses, and IP information associated with account holders to identify jurisdictions and regions subject to sanctions; (iv) flagged for review pending transactions identified by its filter instead of just authorizing them when a backlog occurred; (v) conducting a daily review of identification documents uploaded to Payoneer, and (vi) establishing a rule engine that stops payments when identifications indicate jurisdictions and regions subject to OFAC sanctions.