By Jackson Wood, Director, Industry Strategy, Global Trade Intelligence, Descartes Systems Group

In the continued efforts of the Office of Foreign Assets Control (OFAC) to enforce U.S. sanctions, IP address screening has been given increased consideration as a critical aspect of an organization’s sanctions compliance program.

OFAC has been penalizing organizations for preventable sanctions violations stemming from inadequate geolocation controls and incomplete due diligence monitoring. The growing trend is reflected in a series of OFAC enforcement actions that occurred over the past few years. 

Businesses offering digital and internet-driven solutions, such as payment providers, software companies, and fintech, as well as organizations with significant global trade activities, are particularly exposed to this category of sanctions risk.

In this article, we examine the latest enforcement action against a payment provider and see what steps could be taken to meet OFAC sanctions compliance obligations as they apply to IP address screening.

Key Takeaways

  • A Vital Risk Indicator: The recent OFAC enforcement action signals the impact and importance of IP address geolocation screening in sanctions compliance. Knowing where customers and other 3rd parties are transacting from is essential to complying with OFAC’s location-based regulations. 
  • Increased Scrutiny and Significant Penalties: There have been notable settlements related to lapses in OFAC sanctions searches that did not include IP geolocation information.
  • Consistent IP Screening is Crucial: For many businesses, such as those fined for OFAC sanctions violations, consistent and comprehensive monitoring of customer interactions is required to meet their OFAC compliance obligations.
  • Robust Solutions Enhance Compliance: AI-enabled denied party screening solutions, like those offered by Descartes, have the capabilities to accurately identify geolocation data and implement robust controls to protect organizations in real time.

Missed Chances for OFAC Compliance Resulted in a Monetary Fine

On November 6, 2023, OFAC announced a settlement with a payments provider for apparent violations of sanctions regarding Crimea, Iran, Syria and Cuba. The violation occurred when the financial services company, which manages prepaid reward card programs, enabled reward cards to be redeemed by persons apparently resident in sanctioned jurisdictions.

Details of How the Alleged Sanctions Violation Occurred 

The online payments provider supplies reward card programs to corporate, nonprofit, and government clients. The card programs are self-funded by clients via an issuing bank, with the organization supplying prepaid cards to authorized users. To redeem a reward card, users would go to the company’s website and provide their names, addresses, and email addresses. Users could not enter an address in a sanctioned jurisdiction and were screened against OFAC sanctions lists. Once screened and verified, funds would be released by the issuing bank to the users’ prepaid cards. 

According to OFAC, between March 2020 and February 2022, the payment provider redeemed prepaid cards on 12,378 occasions for users with Internet Protocol (IP) addresses associated with the sanctioned jurisdictions of 4 countries. The redemptions totaled $549,134.89 for cardholders apparently located in prohibited regions. 

A few compliance errors occurred prior to this OFAC ruling: 

  • The company did not implement proper due diligence measures to know exactly who its customers are, where they are, and what they are involved with. OFAC has made it clear that organizations are responsible for the legal standing of third parties they interact with.
  • They relied only on customer-provided information rather than putting in place software tools that can holistically gather and analyze data to flag potential risks. Despite being aware of users’ IP addresses and email suffixes, the payment provider did not include this data in its compliance program or controls.
  • Overall, the company demonstrated a flawed assessment of its risk profile, which is reflected in its compliance performance. Its sanctions compliance program and the controls put in place did not align with the nature of the business. 

The OFAC Penalty and The Organization’s Response 

OFAC ruled that the payment provider neglected to show proper caution or care in redeeming prepaid digital reward cards for users from sanctioned areas. However, the regulator did not apply the statutory maximum civil monetary penalty of $4,399,759,685, because it determined that the apparent violations were voluntarily self-disclosed and were non-egregious.

The activities undertaken by the payments provider to address its shortcomings include: 

  • conducting real-time screening for denied or restricted parties. 
  • blocking of email address suffixes associated with sanctioned jurisdictions. 
  • implementing frequent third-party audits of its compliance program. 
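The gap described above (only the self-declared address was checked, although IP addresses and email suffixes were available) and the email-suffix control listed in the remediation, as an added Python example that is not code from the article, OFAC, or Descartes. The IP-to-jurisdiction table is constructed from reserved documentation ranges, the record fields and function names are hypothetical, holding unknown locations for review is an assumed policy, and sanctions-list name screening is left out.

```python
import ipaddress
from dataclasses import dataclass

SANCTIONED = {"Crimea", "Iran", "Syria", "Cuba"}  # jurisdictions named in the settlement
# Constructed IP-to-jurisdiction table (RFC 5737 documentation ranges);
# a real program would query a maintained geolocation data source.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "Iran",
    ipaddress.ip_network("198.51.100.0/24"): "Crimea",
    ipaddress.ip_network("203.0.113.0/24"): "United States",
}
# Country-code TLDs of the sanctioned countries (Crimea has no TLD of its own).
BLOCKED_EMAIL_SUFFIXES = {".ir": "Iran", ".sy": "Syria", ".cu": "Cuba"}

@dataclass
class Redemption:  # hypothetical record of one card redemption request
    declared_country: str
    email: str
    ip: str

def geolocate(ip):
    """Return the jurisdiction for an IP, or None if unparseable or unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((where for net, where in GEO_TABLE.items() if addr in net), None)

def screen_address_only(r):
    """The control as described: only the self-declared address is checked."""
    if r.declared_country in SANCTIONED:
        return [f"declared address: {r.declared_country}"]
    return []

def screen_all_signals(r):
    """Declared address plus the signals the provider already held."""
    hits = screen_address_only(r)
    where = geolocate(r.ip)
    if where is None:
        hits.append("ip: location unknown, hold for review")  # assumed fail-closed policy
    elif where in SANCTIONED:
        hits.append(f"ip: {where}")
    domain = r.email.rsplit("@", 1)[-1].lower().rstrip(".")
    hits += [f"email suffix {s}: {p}" for s, p in BLOCKED_EMAIL_SUFFIXES.items() if domain.endswith(s)]
    return hits

SAMPLES = [  # constructed redemption requests, all declaring a permitted address
    Redemption("United States", "a@example.com", "203.0.113.10"),
    Redemption("United States", "b@example.com", "192.0.2.44"),
    Redemption("Canada", "c@mail.example.sy", "203.0.113.77"),
]
```

All three constructed requests pass the address-only check; the second and third are flagged only once the IP and email signals are included.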

The settlement amount of $206,213 reflects OFAC’s consideration of the steps taken by the company to fix the apparent lapses in its program as well as its cooperation with OFAC’s investigation.

Compliance Considerations to Better Navigate OFAC Sanctions 

This sanctions violation provides insight into OFAC’s expectations around how companies verify customer identity and location using location-based data like IP addresses and geolocation gathering tools. The three main compliance lessons to learn and implement include: 

  • Comprehensive Due Diligence: Efficient denied party screening relies on data that is complete, accurate, and accessible. In the case we just examined, important data which would have prevented a violation was not made accessible to the screening process. Compliance software that integrates with business systems such as CRM or ERP, which already contain customer and third-party data, is an effective way to mitigate that compliance failure. In the case of this payment provider, with an integrated screening solution, OFAC sanctions list searches would be performed directly within the business system that manages transactions. A robust solution will have geolocation verification tools that can authenticate the information provided by users during the sign-up stage and raise flags when potential denied parties or users in sanctioned regions try to access the services.
  • Continuous Audits and Updates to Compliance Procedures: Compliance programs should always take a risk-based approach. While organizations have compliance policies in place, they need to be reviewed regularly to ensure they reflect the nature of risks that apply to the business. As OFAC regulations and sanctions change, along with technological evolution, a process should be in place to perform regular updates to compliance processes and systems in use. In order to identify lapses and avoid mistakes similar to the ones in this case, organizations should perform regular training, consult with professionals / vendor partners who have experience in their sector, and also apply the guidance shared by OFAC on how to apply IP address geolocation information in denied party screening. 
  • Consistent Automated Screening: To stay ahead of OFAC compliance obligations, the dynamic nature of sanctions risk, and the creative methods that restricted or denied parties use in attempting to circumvent controls that have been put in place, real-time sanctions screening is required.

How Descartes Visual Compliance™ Can Help with IP Address Screening

For organizations to keep up with an ever-changing and risk-laden compliance landscape, they must look to software solutions for their denied party screening needs, especially in the complex area of IP Address Screening. Manual efforts create plenty of opportunity for human error and are simply too slow to keep up with the current pace of compliance risks. 

Descartes is a provider of an industry-leading suite of denied party screening and 3rd-party risk management solutions, as well as trade content for leading business systems, that can be integrated with minimal disruption, sometimes in under an hour.

Descartes Visual Compliance and Descartes MK™ Denied Party Screening solutions are flexible and modular, allowing organizations to pick the specific and exact functionality and content they need for their particular compliance needs and scale up later as and when necessary. 

Find out what our customers are saying about Descartes Denied Party Screening on G2 – an online third-party business software review platform. Additionally, you can read this essential buyer’s guide to denied party screening to help you select a solution that fits your needs.