Lessons Learned from OFAC’s Settlement with Tango Card
Alex Cotoia, Regulatory Manager at The Volkov Law Group, rejoins us for a review of OFAC’s recent settlement with Tango Card for sanctions violations. Alex can be reached at [email protected]
On September 30, 2022, the United States Department of the Treasury’s Office of Foreign Asset Control (“OFAC”) announced a settlement with Tango Card, Inc. (“Tango Card”), a supplier and distributor of stored valued cards used by businesses to support their customer loyalty and employee rewards programs. According to an OFAC enforcement release, Tango Card violated multiple U.S. sanctions programs when it transmitted at least 27,720 stored value products to recipients with internet protocol (“IP”) and email addresses associated with Cuba, Iran, Syria, North Korea, and the Crimea region of Ukraine. As a consequence, Tango Card agreed to the payment of $116,048 to settle its potential civil liability arising from the violations.
The Tango Card settlement is notable for a number of reasons—not the least of which is that Tango Card’s sanctions compliance program did not include “geo-blocking” of stored value card recipients. “Geo-blocking” refers to the method by which a company—alone or in partnership with a third-party service provider—can restrict access to content based on geographic location.
While the enforcement release notes that Tango Card did utilize geolocation services to block transactions with its direct counterparties (e.g., customers that contracted with Tango Card to provide value card services), it failed to use the same tools to block prospective recipients of rewards who may be located in sanctioned jurisdictions. This failure was not discovered until February 2021, when one of Tango Card’s customers discovered that several of its own reward recipients had “top-level” domains (domain name endings) associated with sanctioned countries.
After conducting a “lookback review” for similar occurrences, Tango Card identified numerous instances where rewards were sent to recipients with IP addresses in sanctioned regions. In the aggregate, Tango Card identified nearly 28,000 such transmissions that occurred between September 2016 and September 2021, with an aggregate value of $386,828.65. Although the enforcement release noted Tango Card’s voluntary disclosure and subsequent cooperation with OFAC’s investigation, it found that its failure to implement risk-based, geolocation and geo-blocking services was an aggravating factor that led to a repeated pattern of sanctions violations over a considerable period of time. Collectively, Tango Card’s oversight resulted in the transfer of tangible economic benefits to individuals residing in sanctioned regions—thereby undermining U.S. foreign policy objectives.
The Tango Card enforcement case highlights the importance of conducting a comprehensive assessment of potential sanctions risks by companies subject to OFAC’s jurisdiction—especially those operating in technologically sophisticated industries like e-commerce. While more conventional enterprises are used to screening direct counterparties, those operating in the e-commerce space are more likely to be involved in more complicated transactions where the sanctions risk emanates not only form the provision of direct customer services, but the conferral of direct or indirect benefits on third parties as well. It is therefore imperative that such companies consider the totality of their potential sanctions exposure, taking into account the various business processes that present the greatest opportunity for sanctions risk.
Second, Tango Card’s failure to independently detect flagrant violations of existing sanctions regulations serves as a reminder that companies are obligated to periodically re-assess their sanctions risk and audit the highest-risk transactions. While not all sanctions violations are capable of being prevented, had Tango Card recognized the objective risk that its activities carried—and implemented a system of periodic auditing and monitoring commensurate with that risk—it may have discovered the infractions well before a customer alert led to a review of its rewards distribution program.