The DaVinci Payments OFAC Sanctions Penalty Explained
Before we explain what went wrong, let's quickly touch upon what went right. DaVinci Payments, based in Buffalo Grove, Illinois, voluntarily self-disclosed the sanctions violations, and the US Treasury's Office of Foreign Assets Control (OFAC) determined that its conduct was non-egregious.
Here's what happened: OFAC, in its enforcement release on the case, stated that between November 2017 and July 2022, the company enabled reward cards to be redeemed by persons resident in sanctioned jurisdictions.
And let's dig into the numbers.
On 12,378 occasions, daVinci processed prepaid cards for users with Internet Protocol (IP) addresses associated with four sanctioned jurisdictions:
Over the period, approximately $549,000 was redeemed by persons in these sanctioned jurisdictions.
How Was This Allowed To Happen?
It's important to remember that we only have access to the enforcement release regarding the case.
According to OFAC's description of the apparent violations, daVinci provides digital or physical payment reward card programs through an online platform. Clients using the service issue payment cards to their selected recipients - typically employees and customers receiving rewards.
Here is a simplified version of how the system ran:
- Clients funded the daVinci card programs
- DaVinci received card recipient details from clients
- DaVinci collected information, including names, email addresses, and physical addresses
- DaVinci verified and sent tokens to card recipients via email
- Card recipients could then redeem the token for a prepaid card
You can read a highly detailed breakdown in the OFAC enforcement release. But now let's zero in on where the failure most likely occurred.
According to OFAC, there were sanctions compliance procedures in place:
- Card recipients could not enter an address in a sanctioned jurisdiction
- Card recipients were screened against sanctions lists before funds were released
Many of you reading this will already see some major red flags.
So what went wrong? The most significant reason individuals residing in sanctioned jurisdictions slipped through the net, according to OFAC, was the absence of comprehensive geolocation controls.
The result? Recipients with IP addresses associated with sanctioned jurisdictions (who most likely entered false residential addresses, pointing to an additional verification weakness) escaped the controls. We'll expand on this in the next section.
Furthermore, there were 13 instances in which email addresses ending in the country-code top-level domains of sanctioned countries (e.g., .sy for Syria and .ir for Iran) also went undetected.
The Country Field Weak Spot
One final point is worth stating. From what OFAC released about the case, it appears that daVinci believed simply screening card recipients' names was enough.
It obviously wasn't.
Why? The answer is perhaps (this is speculation) that some sanctions screening systems check only the name, not the name together with the country field.
To cut to the chase, this means that if a name (e.g., Jane Doe) doesn't appear on a sanctions list, the recipient slips through the cracks even though they reside in a comprehensively sanctioned country like Iran. You can learn much more about this weakness in this sanctions.io article.
Note that this is an area sanctions.io is on top of and provides solutions. For example, you can easily screen your customers and business partners exclusively against comprehensively sanctioned jurisdictions using our technology.
We'll now dive into the lessons and key takeaways compliance professionals can glean from this intriguing sanctions violation case.
Making Use of All Available Data Is Crucial
In what OFAC terms the "compliance considerations" from the daVinci case, the biggest lesson from the sanctions violations is this: Companies should obtain and use all available information to verify a customer's identity or residency.
But what does this mean in tangible terms?
For example, in the daVinci case, IP addresses could have been recorded and geolocated. Also, the top-level domains of the email addresses provided could have been collected and screened as part of the sanctions compliance program. If this had occurred, IP addresses and top-level domains such as .sy and .ir from high-risk jurisdictions could have raised red flags in the system.
Although there are technical challenges to doing this (IP geolocation is imperfect, and shared, changing or proxied addresses fuel false positives, creating more problems), OFAC's message that companies should find ways to integrate this information should be heeded.
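To make the gap concrete, here is an added illustrative check (example code written for this article, not daVinci's system and not sanctions.io's product) that screens a redemption on all four signals discussed above: the recipient's name, the address country they typed in, the email ccTLD and the client IP. It also shows, side by side, the name-only control described in the country field section releasing the same recipient. The sanctioned-jurisdiction set, the sanctions-list names, the IP-to-country table (RFC 5737 documentation ranges) and the recipient records are all constructed for illustration; Iran and Syria are used because the article names them, and a real program would use a maintained geolocation database.

```python
"""Illustrative sanctions screening combining name, address, email ccTLD and IP.

Added example for this article; not daVinci's or sanctions.io's code. All lists,
ranges and recipients below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# ASSUMPTION: sample set of comprehensively sanctioned jurisdictions (ISO alpha-2).
# Iran and Syria are the two the article names; the real list is longer.
SANCTIONED_JURISDICTIONS = {"IR", "SY"}

# Constructed sanctions-list entries (normalised names) for the name-match step.
SANCTIONS_LIST_NAMES = {"john doe"}

# Constructed IP-to-country table using RFC 5737 documentation ranges; a real
# program would query a maintained geolocation database instead.
IP_COUNTRY_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/24"), "SY"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]


@dataclass
class Recipient:
    name: str
    email: str
    address_country: str  # country the recipient typed into the address form
    ip: str               # client IP observed when the token was redeemed


@dataclass
class Decision:
    action: str                         # "release", "review" or "block"
    reasons: list = field(default_factory=list)


def normalise_name(name: str) -> str:
    """Lower-case and collapse whitespace so list matching is not trivially evaded."""
    return " ".join(name.lower().split())


def email_cctld(email: str) -> Optional[str]:
    """Return the two-letter country-code TLD of an email address, or None."""
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower().rstrip(".")
    tld = domain.rsplit(".", 1)[-1]
    return tld.upper() if len(tld) == 2 and tld.isalpha() else None


def ip_country(ip: str) -> Optional[str]:
    """Look the client IP up in the constructed geolocation table."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None
    for network, country in IP_COUNTRY_TABLE:
        if addr in network:
            return country
    return None


def screen_name_only(recipient: Recipient) -> Decision:
    """The weak control: a name not on the list is released regardless of residency."""
    if normalise_name(recipient.name) in SANCTIONS_LIST_NAMES:
        return Decision("block", ["name matches sanctions list"])
    return Decision("release")


def screen(recipient: Recipient) -> Decision:
    """Screen on every available signal: name, declared address, email ccTLD, IP."""
    block, review = [], []
    if normalise_name(recipient.name) in SANCTIONS_LIST_NAMES:
        block.append("name matches sanctions list")
    country = recipient.address_country.strip().upper()
    if country in SANCTIONED_JURISDICTIONS:
        block.append(f"declared address country {country} is sanctioned")
    tld = email_cctld(recipient.email)
    if tld in SANCTIONED_JURISDICTIONS:
        block.append(f"email ccTLD .{tld.lower()} belongs to a sanctioned jurisdiction")
    geo = ip_country(recipient.ip)
    if geo in SANCTIONED_JURISDICTIONS:
        # IP geolocation is imperfect (VPNs, carrier NAT, stale databases), so an
        # IP hit on its own holds the redemption for review instead of blocking.
        review.append(f"client IP geolocates to sanctioned jurisdiction {geo}")
    if block:
        return Decision("block", block + review)
    if review:
        return Decision("review", review)
    return Decision("release")


if __name__ == "__main__":
    # Constructed recipient: not on any list, declared a US address, but redeemed
    # from an IP in the constructed Iranian range. Name-only screening releases it.
    jane = Recipient("Jane Doe", "jane@example.com", "US", "203.0.113.7")
    print("name-only:", screen_name_only(jane).action, "| all signals:", screen(jane).action)
```

The tiering (block on name, declared country or email ccTLD; hold for review on an IP hit alone) is a design choice made here to reflect the false-positive caveat above, not a rule OFAC prescribes; a program with a stronger geolocation source could reasonably block on the IP signal as well.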
Voluntary Self-Disclosure Is an Absolute Must (and You'll Be Rewarded)
In this article, we won't go into the industry chatter surrounding the relatively small $206,213 settlement that OFAC agreed with daVinci.
But it's worth being aware that there was surprise that, in a case where the applicable statutory maximum civil monetary penalty was $4,399,759,685, the fine was a tiny fraction of that enormous amount.
We aren't privy to all the information. But you can bet the last dollar in your pocket that daVinci's voluntary self-disclosure of the sanctions violations to OFAC helped it tremendously. The enforcement release also clearly stated that this was a mitigating factor in the case.
And this relatively small penalty (considering the vast number of violations that occurred) makes total sense if you consider the broader regulatory environment.
As sanctions.io reported earlier in the year, the US is changing its approach to Voluntary Self-Disclosure (VSD) across the board in 2023. Federal authorities, as the Deputy Attorney General instructed, are increasingly rewarding companies that voluntarily disclose corporate crime offenses.
Additional Noteworthy Learning Points From the DaVinci Case
To conclude the analysis, let's touch upon two more key takeaways from the sanctions violations:
Sanctions compliance reviews and testing: OFAC also mentioned the importance of conducting proactive, self-initiated reviews to identify compliance gaps.
Real-time sanctions screening: OFAC stated that daVinci has since implemented real-time screening - a service offered by sanctions.io. Our cost-effective solutions are already helping financial services companies worldwide with their screening needs.
Further Breakdowns of Sanctions Violation Penalties
This article is part of a series of reports revealing insights from sanctions and AML violations in 2023. Here are more from the blog:
- Emigrant Bank's OFAC Penalty Reveals a Screening Vulnerability
- Tornado Cash Saga Continues: Founders Charged With Money Laundering and Sanctions Violations
- OFAC Penalizes Building Materials Firm in Iran Sanctions Case: Insights for Compliance Pros
- Key Takeaways From Deutsche Bank's $186 Million Sanctions and AML Penalty
- Microsoft's 2023 Sanctions Penalties: 5 Key Learning Points
- Learning From BAT's $635M North Korea Sanctions Fine: 5 Key Insights
- Unravelling Swedbank's $3.4 million OFAC Sanctions Penalty: 3 Key Insights
How sanctions.io Supports Sanctions Compliance
sanctions.io is a highly reliable and cost-effective solution for sanctions checking. Its AI-powered screening and enterprise-grade API with 99.99% uptime are reasons why customers globally trust us with their sanctions screening needs.
To learn more about how our sanctions, PEP, and criminal watchlist screening service can support your organization's compliance program:
We also encourage you to take advantage of our free 7-day trial (no credit card is required).