Rewards programs have become ubiquitous in recent years. These so-called loyalty management programs exist to nudge customers or employees in a particular direction; a company’s workers might be inclined to exercise more regularly, for example, if they know there is a $5 gift card waiting for them after a specified number of gym check-ins. Their rapid expansion and cash-equivalent, pre-paid nature make loyalty management programs a high risk for sanctions and anti-money laundering issues, but the risks these programs pose are often overlooked.

Prepaid access providers were dealt a reminder of those risks this week, after OFAC announced its settlement with rewards program facilitator daVinci Payments (“daVinci”), which agreed to pay $274,950 to resolve 12,391 apparent violations of sanctions on Crimea, Iran, Syria, and Cuba. The violations occurred between November of 2017 and July of 2022 and caused some $549,134.89 in cash equivalents to be distributed to individuals in sanctioned jurisdictions.

DaVinci (which has since rebranded as Onbe) provides digital and physical payments as part of its clients’ loyalty, award, or promotional incentive programs. The company’s clients would send daVinci a list of intended recipients, including the form (digital, physical, etc.) and value of their “incentive.” Clients funded their rewards programs by sending payment to an issuing bank. Once the funds were ready for distribution, daVinci would send each intended authorized user an email containing a token that enabled them to access their reward. In order to redeem the reward, users had to provide basic know-your-customer details, like their names and addresses, to daVinci.

At this point in their redemption process is where things got tricky for daVinci. The issuing bank (as-in, issuer of the prepaid incentive cards) relied on daVinci to handle the compliance end of things, like screening for––and more importantly, screening out––potential sanctions violations. To meet these obligations, daVinci would thus need to abide by the same due diligence standards that are expected of any other financial institution or money services business. This means verifying each customer’s identity, understanding the nature of their activities, and assessing their unique sanctions or money laundering risk profile based on their due diligence information.

But as OFAC’s enforcement action reflects, daVinci’s compliance program was not fit-for-purpose. DaVinci failed to employ adequate geolocation controls, which allowed customers with IP addresses associated with sanctioned jurisdictions to access daVinci’s redemption portal so long as they had a valid email token. From there, users in sanctioned jurisdictions could just input that they lived somewhere else. Absent any real geolocation controls, daVinci was essentially accepting on faith alone that users reported their identities and residences truthfully.

Underscoring the inadequacy of daVinci’s sanctions screening protocols, the company processed redemptions for numerous recipients with domain addresses associated exclusively with sanctioned jurisdictions. These individuals redeemed cash-equivalents via daVinci using email addresses ending in .sy (Syria) and .ir (Iran)––which was consistent with IP address information that reflected their physical presence in those countries. Still, daVinci failed to integrate this data into its screening process, and its lack of diligence resulted in more than 12,000 apparent sanctions violations.

OFAC assessed the base civil monetary penalty against daVinci, which is a testament to the value of internal audits and voluntarily disclosing potential violations. DaVinci discovered the violations during an internal review, promptly investigated and reported their findings to OFAC, and undertook appropriate remedial measures to ensure future compliance. OFAC cited these mitigating factors in its decision to impose a relative slap on the wrist, as opposed to the maximum applicable civil penalty of ~$4.4 million.

Other participants in the loyalty management market should not expect to receive the same kid-gloves treatment afforded to daVinci. OFAC’s settlement with daVinci has put the prepaid access industry on notice: companies that adopt the responsibilities of a financial institution are subject to the same standards that apply to traditional financial institutions. Whether the gatekeeper is a fly-by-night tech start-up or Bank of America, they are gatekeepers all the same. Loyalty management program sponsors and administrators should remain mindful of these risks and be sure that they fully understand the scope of their respective compliance obligations before any funds are distributed.