On October 15, 2021, the Office of Foreign Assets Control (OFAC) issued an advisory providing sanctions compliance guidance for the virtual currency industry (Guidance).  The Guidance follows a series of recent enforcement actions targeting the industry and the designation of a cryptocurrency exchange for facilitating ransomware payments.  These developments highlight OFAC’s continued focus on this sector and virtual currency, which is seen as a potential tool to evade U.S. sanctions and diminish the efficacy of U.S. sanctions policy.

The Guidance provides additional insight into OFAC’s expectations with respect to identifying sanctioned parties online, which is helpful for any company that provides services to customers over the internet, even if not directly dealing with virtual currencies.

Level setting

As an initial matter, OFAC cautions that its rules apply to virtual currency transactions to the same extent that they apply to transactions involving fiat currencies.  For example, U.S. persons remain subject to the prohibitions on dealing with sanctioned jurisdictions (Cuba, Iran, North Korea, Syria, or Crimea) and sanctioned parties when they are conducting transactions denominated in virtual currencies or engaging in related services.  And non-U.S. persons can similarly face penalties for violating U.S. sanctions if their conduct involves the United States, U.S. persons, or goods or services that originate from the United States.

As with fiat currency, OFAC’s Guidance confirms that participants in the virtual currency space must “block” virtual currency by denying all parties access to the asset and report the blocked property to OFAC within 10 business days.  However, there is no requirement to convert the virtual currency into fiat currency or to hold the virtual currency in an interest-bearing account, unlike other blocked funds.

Best Practices for the Virtual Currency Industry

The Guidance strongly recommends that industry members adopt a risk-based approach to sanctions compliance based on OFAC’s “Framework for OFAC Compliance Commitments.”  OFAC notes that traditional financial institutions and other companies with exposure to virtual currencies or related service providers should adopt appropriate controls to address sanctions risks.  These include:

Management Commitment  Many members of the fast-growing virtual currency industry may be slow to develop and implement sanctions compliance programs, which can risk exposure to sanctions violations.  OFAC counsels early managerial commitment to the development and implementation of compliance programs.  Building these processes in early can prevent costly violations later on.

Risk Assessment – The Guidance recommends that companies conduct routine risk assessments to identify potential sanctions issues before providing services or products to customers.  The risk assessment should be tailored to what and where products or services are offered, account for customers, reflect the company’s supply chain, and also evaluate counterparty and partner risk, including whether those parties have adequate compliance procedures.  The results of that assessment should feed into the development of an effective sanctions compliance policy.  Outside advisors can help craft risk assessments that highlight key risks for virtual currency companies.

Internal Controls – The Guidance document contains a number of recommendations related to internal controls and processes that should be considered in designing a sanctions compliance program for virtual currencies and digital payments.  As noted above, many of these recommendations apply to any company that provides digital services over the internet and reflect lessons learned from recent enforcement actions targeting online commerce.  These tools include:

  • Geolocation and IP Address Blocking – As in several recent enforcement actions (including those involving Payoneer, BitGo, and Amazon), the Guidance makes clear that OFAC expects companies to consider IP address geolocation data to identify customers that may be in or ordinarily reside in sanctioned jurisdictions and to adopt blocking controls that deny access to IP addresses associated with sanctioned jurisdictions.  OFAC notes that analytics tools can play an important role in identifying the likely location of customers by addressing IP address geolocation misattribution caused by the use of anonymization services like Virtual Private Networks (VPNs). Other information, such as an address from a customer or counterparty, an email address top-level domain (e.g., user@domain.ir or user@domain.gov.ir), or transactional details, like an invoice, can also be relevant for a company’s sanctions controls, even if that information was initially obtained for a non-compliance purpose.
  • Know Your Customer (KYC) Procedures – Conducting due diligence at onboarding, during periodic reviews, and when processing transactions helps to reduce potential sanctions-related risks.  For individuals, this means screening customers’ names, dates of birth, physical and email addresses, nationality, IP addresses associated with transactions and logins, bank information, and government-issued or other documentation against sanctions lists (like the SDN List) and for any “red flags.”  For entities, this can also include type of business, ownership information, physical and email address, and where the entity does business.  A keyword list of sanctioned jurisdiction cities and regions can also be an important part of a KYC screening.
  • Transaction Monitoring and Investigation – OFAC’s Guidance endorses the use of software to monitor and investigate transactions involving sanctioned individuals and entities or persons located in sanctioned jurisdictions based on identifying information associated with transaction data.  As of 2018, OFAC began to include virtual currency addresses in the “ID #” field for persons listed on the SDN List.  Companies should calibrate software to identify and block transactions associated with those virtual currency addresses, in addition to those otherwise associated with SDNs or persons located in sanctioned jurisdictions.
  • Implementing Remedial Measures – Should a virtual currency company identify an apparent sanctions violation, that company should take immediate and effective remedial actions, which OFAC may consider as a mitigating factor in a potential enforcement action.
  • Monitoring Transactions and Users for “Red Flags” – OFAC’s Guidance notes that there are several “red flags” that may indicate a transaction’s or user’s connection to sanctions, including providing inaccurate or incomplete KYC information at onboarding; attempting to access a virtual currency exchange from an IP address or VPN connected to a sanctioned jurisdiction; failing or refusing to provide updated KYC information or to provide requested additional transaction information; and, attempting to transact with a virtual currency address associated with a blocked person or a sanctioned jurisdiction.

Testing and Auditing –  OFAC’s Guidance advises that companies operating in the virtual currency industry test and audit their sanctions compliance programs to ensure they are operating as intended, and highlights a few best practices, such as:

  • Ensuring sanctions and KYC screening tools effectively flag transactions and customers related to SDNs or sanctioned jurisdictions;
  • Confirming IP address software properly prevents sanctioned jurisdiction access; and
  • Reviewing procedures for investigating and, if applicable, blocking and reporting to OFAC flagged transactions identified through the screening process.

Training – The Guidance stresses the importance of conducting, on at least an annual basis, mandatory training that is informed by the profile of the company and tailored to the responsibilities and functions of all relevant employees.  Especially in the virtual currency industry, sanctions training should take into account frequent developments and updates regarding both the governing sanctions programs and underlying technologies in the virtual currency space.

Final Considerations

The publication of the Guidance underscores the growing importance of implementing effective sanctions compliance programs tailored to the risks presented by virtual currencies given increased OFAC and U.S. government focus on the sector.  The Guidance is another signal that OFAC will be ramping up enforcement efforts to address illicit activities in which cryptocurrencies and digital payment services play a large role.

Today, the Office of the U.S. Trade Representative (USTR) announced an agreement reached with five countries – Austria, France, Italy, Spain, and the United Kingdom – on digital services tax (DST) measures that had been subject to recent investigations by USTR under Section 301 of the Trade Act of 1974.  These countries will avoid 25 percent duties on certain imports into the United States as a result of the deal.

We previously reported on the investigations here and here, which concluded that these countries’ DST measures (plus measures announced in India and Turkey) burden or restrict U.S. commerce, and are discriminatory and inconsistent with prevailing principles of international taxation.[1]  With the affirmative investigation findings, in March 2021, USTR proposed lists of products from Austria, India, Italy, Spain, Turkey, and the United Kingdom that would be subject to an additional 25 percent import tariff, subject to public comment and hearing.  In June 2021, USTR announced that it would be suspending the proposed tariff measures for each of the six countries for 180 days to “to allow additional time for multilateral and bilateral discussions that could lead to a satisfactory resolution of this matter.”  USTR had previously and separately investigated France’s DST measures, determining in June 2020 to impose an additional 25 percent tariff on certain French imports and, in January 2021, deciding to indefinitely suspend that action pending further negotiations.

The agreement reached today terminates the United States’ proposed Section 301 tariffs with respect to Austria, France, Italy, Spain, and the United Kingdom.  India and Turkey did not join in the agreement.  The “political compromise” reached does not require the five countries involved to withdraw their existing DST measures.  Instead, those countries have agreed that to the extent U.S. companies accrue any DST liability before implementation of Pillar 1 of the Organization for Economic Co-operation and Development (OECD) global tax agreement, such liability will be creditable against future income taxes as determined under Pillar 1.  The OECD global tax agreement is a historic, multilateral tax reform project aimed at addressing the challenges of the digital economy and earning the high-level political support of the G7, G20, and 136 members of the OECD.  Pillar 1 of the OECD agreement relates to a global framework allocation of firms’ digital services profits by introducing new profit allocation mechanisms and nexus rules to expand the taxing authority of market jurisdictions.  According to today’s Section 301 deal, once OECD Pillar 1 is in effect (2023), the United States will work with the five countries to roll back their existing, individual digital services taxes.

The suspended 25 percent tariffs on certain imports from India and Turkey are set to go into effect on November 30, 2021, barring satisfactory resolution of the dispute before that time or USTR’s decision to further suspend the tariff actions.


[1] USTR also investigated DST measures by Brazil, the Czech Republic, the European Union, and Indonesia.  In March 2021, USTR announced the termination of these investigations, without further action, because none of the four investigated jurisdictions had adopted or implemented the DST policies at issue.

Yesterday, the Biden Administration released the results of a broad review of U.S. economic sanctions policy following two decades of expanding use of sanctions as a foreign policy tool.  The report recognizes that U.S. sanctions policy must evolve to confront changes to the global payments system, including the rise of digital currencies, reduced use of the U.S. dollar for cross-border transactions, and evolving foreign policy challenges presented by cybercriminals and strategic economic competitors.

In part, the report reflects concerns that the United States has become over-reliant on sanctions in recent years, encouraging adversaries and others to build alternative payment systems using digital currencies and other mechanisms that do not involve U.S. dollars or the U.S. financial system.  Such developments threaten to reduce the effectiveness of U.S. sanctions in the long run, as more payments occur outside of U.S. regulatory jurisdiction.

Below are the key recommendations from the report, which may reduce the number of sanctions actions by the United States, but will also likely increase complexity for the companies and financial institutions that must comply with these rules:

  • Crypto, digital currencies, and digital payments: The report makes clear that Treasury will continue to focus on digital currencies and alternative payment platforms, which adversaries and others can use to avoid the U.S. financial system and blunt the impact of U.S. sanctions policy.  The report follows the recent designation of a cryptocurrency exchange for facilitating ransomware payments and the issuance of guidance for the virtual currency industry on sanctions compliance.
  • Multilateral approach: Reflecting a marked shift in strategy from the last administration, the report indicates that the Biden Administration should seek to continue to coordinate with allies and other international partners to impose multilateral sanctions to increase the effectiveness of sanctions as a policy tool and retain the “credibility of U.S. international leadership.”  Recent U.S. sanctions actions targeting Belarus and others are examples of a renewed U.S. focus on collaboration with allies on the deployment of multilateral sanctions.
  • Avoiding unintended harm: Treasury intends to further tailor sanctions to limit unintended economic, humanitarian, and political impacts on U.S. businesses, allies, and non-sanctioned populations abroad.  One potential outcome of this approach may be the continued development of bespoke sanctions restrictions, such as Russia-related sectoral sanctions and Chinese Military-Industrial Complex Company securities sanctions, and a reduced reliance on traditional blocking sanctions.  While these more tailored measures are intended to limit unintended harm, they also increase complexity for companies and compliance programs.  The report also highlights a renewed focus on expanding sanctions exceptions related to the flow of legitimate humanitarian goods and services that support basic human needs, which are often restricted due to sanctions compliance concerns.
  • Investment in Treasury resources: As anyone who interacts with U.S. sanctions officials know, the agencies responsible for implementing and enforcing U.S. sanctions face resource constraints, including staffing and technology limitations.  The report calls for investing in the modernization of Treasury’s workforce and operational capabilities, particularly in the digital assets and services space, and updating OFAC’s website and guidance documents to make them easier to navigate and understand.
  • Increased industry coordination:  Treasury intends to increase coordination and reach out to industry, including companies operating in the digital currency and payments space, to encourage effective implementation of sanctions restrictions.
  • Structured framework for new sanctions: The report indicates that Treasury should adopt a more structured framework to assess the potential impact of new sanctions, akin to the vetting process used to authorize military force.  The new five-point framework should be designed to ensure that sanctions support a clear policy objective within a broader foreign policy objective and consider the factors noted above when crafting new sanctions restrictions.

Overall, the report suggests a more restrained approach to U.S. sanctions policy designed to tackle the evolving nature of international payments and more sophisticated efforts to evade U.S. sanctions.  While the number of sanctions actions may decrease under the new framework, compliance departments will likely remain busy as Treasury crafts more complex sanctions rules designed to maximize pressure on adversaries and minimize impacts on the United States, allies, and vulnerable populations.


On Monday, October 4, U.S. Trade Representative Katherine Tai delivered a long anticipated speech framing the Biden Administration’s trade policy toward China.

Among the announcements made were that (1) a Section 301 product exclusion process would be “restarted” with respect to the tariffs currently in effect, and (2) additional enforcement actions against China could be initiated, potentially to include another Section 301 investigation.  Recall that the existing tariffs were imposed beginning in March 2018 under Section 301 of the Trade Act of 1974, pursuant to an investigation concerning “China’s Acts, Policies, and Practices Related to Technology Transfer, Intellectual Property, and Innovation.”

On Tuesday, October 5, the USTR announced as a first step toward (1) that it would open a proceeding to consider whether to renew any Section 301 product exclusions that had previously been granted and that had previously been extended.  The USTR granted about 2,200 product exclusions between 2019 and 2020, and 549 of those were subsequently extended.  Those 549 exclusions are now up for renewal.  Comments are being invited on whether this particular universe of previously granted exclusions should be reinstated.  USTR will be looking for information on (1) whether the product remains available only from China, (2) changes in the product’s global supply chain/relevant industry developments since September 2018, (3) efforts importers have taken since September 2018 to source the product from the U.S. or third countries, and (4) domestic capacity for producing the product.  Any reinstated exclusions will be retroactive to October 12, 2021 and run for a time period yet to be determined.

It is possible that this exclusion renewal process is only a first step preceding a more extensive reopening of the product exclusion process, although no concrete indications of that have been made by the Administration.  We will continue to make announcements as opportunities arise.

The Federal Register notice announcing the exclusion renewal process is available here.  The USTR’s official list of 549 previously extended exclusions is available here.   We have also prepared a fully sortable Excel based version of USTR’s list, available here.  The comment period will be open between October 12, 2021 and December 1, 2021.  We are available to assist with the preparation of comments either supporting or opposing renewal of exclusions on any of the listed products.  Please let us know if you have any questions.

On September 20, 2021, the U.S. Department of Commerce (“Commerce”) published a final rule codifying numerous changes – both substantive and procedural in nature – to certain portions of the body of regulations governing antidumping and countervailing duty proceedings.  Regulations To Improve Administration and Enforcement of Antidumping and Countervailing Duty Laws, 86 Fed. Reg. 52,300 (Dep’t Commerce Sept. 20, 2021) (“Final Rule”).  The rule revisions constitute the first major overhaul of the AD/CVD regulations in over 20 years and were several years in the making.  That Commerce’s work on and ultimate implementation of these revisions spanned multiple presidential administrations is a testament to the apolitical nature of the effort and its importance to the good governance of U.S. trade laws.

Commerce first published a proposed rule in August 2020, inviting public comment and allowing 30 days for initial comments and 14 days for rebuttal submissions.  Regulations To Improve Administration and Enforcement of Antidumping and Countervailing Duty Laws, 85 Fed. Reg. 49,472 (Dep’t Commerce Aug. 13, 2020) (“Proposed Rule”).  In response to the Proposed Rule, Commerce received 37 sets of comments and 17 rebuttal submissions from interested parties, including domestic producers, exporters, importers, surety companies, and foreign governments.  Given the scope and significance of the Proposed Rule most submissions were submitted on behalf of formal trade associations or informal groups of companies, or law firms, including Kelley Drye, representing the general interests of their client base and providing input based on extensive practitioner experience.

The modifications proposed and ultimately adopted by Commerce were largely expected and codified agency practice as it has developed over many years, in a number of increasingly important areas.  As Commerce explains: Continue Reading Commerce Publishes Long-Awaited Changes to AD/CVD Regulations

Last Friday, the Office of Foreign Assets Control issued two general licenses aimed at facilitating humanitarian assistance and the provision of essential supplies to the people of Afghanistan.  Subject to exceptions, the general licenses establish blanket authorizations for transactions involving the Taliban or the Haqqani Network (and entities directly or indirectly owned by the same) that are “ordinarily incident and necessary” to the humanitarian efforts of certain entities, as well as transactions relating to the exportation or re-exportation of agricultural and medical items.  The general licenses ease restrictions on humanitarian activities that may otherwise violate U.S. sanctions laws.

Specifically, General License No. 14 authorizes all transactions ordinarily incident and necessary to the provision of humanitarian assistance to Afghanistan—or other activities that support basic human needs in Afghanistan—by the following entities, their employees, grantees, contractors, and other persons acting on their behalf:

  • The United States Government;
  • Nongovernmental organizations (“NGOs”);
  • The United Nations, including its Programmes, Funds, and Other Entities and Bodies, as well as its Specialized Agencies and Related Organizations;
  • The International Centre for Settlement of Investment Disputes and the Multilateral Investment Guarantee Agency;
  • The African Development Bank Group, the Asian Development Bank, the European Bank for Reconstruction and Development, and the Inter-American Development Bank Group, including any fund entity administered or established by any of the foregoing;
  • The International Committee of the Red Cross and the International Federation of Red Cross and Red Crescent Societies; and
  • The Islamic Development Bank.

Activities authorized pursuant to General License No. 14 include the provision of relief services, healthcare services, and other activities that support basic human needs.

General License No. 15 more broadly authorizes the export and re-export of the following agricultural, food, and medical items to Afghanistan and to persons in third countries for resale to Afghanistan:

  • Agricultural commodities (e., products falling within the term “agricultural commodity” under section 102 of the Agricultural Trade Act of 1978) that are intended for ultimate use in Afghanistan as food for humans, seeds for food crops, fertilizers or organic fertilizers, or reproductive materials;
  • Medicine (e., an item falling within the term “drug” under section 201 of the Federal Food, Drug, and Cosmetic Act); and
  • Medical, devices, replacement parts and components for medical devices, and software updates for medical devices (e., falling within the definition of “device” under section 201 of the Federal Food, Drug, and Cosmetic Act).

Neither authorize any debit to a blocked account on the books of a U.S. financial institution.  Financial transfers to blocked persons are also generally prohibited, unless they are made for purposes of effecting payment of taxes, fees, or import duties, or the purchase or receipt of permits, licenses, or public utility services.


While Afghanistan continues to present heightened sanctions risks for U.S. and non-U.S. persons, these developments should provide assurance to U.S. and non-U.S. companies, NGOs, charities, and financial institutions that the enumerated humanitarian activities are permissible under U.S. sanctions regulations, so long as parties comply with the terms and conditions of the licenses.

Please contact our sanctions and export control team with any questions about compliance with U.S. sanctions related to the Taliban or Afghanistan.

Last week, the Biden administration issued a new Executive Order (“E.O.”) that authorizes “menu-based” sanctions on persons determined to be responsible for or complicit in the ongoing crisis in northern Ethiopia, and announced a policy of denial for export licenses of military equipment to Ethiopia.  The two actions are aimed to stop the escalating conflict and humanitarian crisis in northern Ethiopia.

In particular, under the new sanctions E.O., the Office of Foreign Assets Control (“OFAC”) may select among a “menu” of options to sanction parties associated with the conflict in Ethiopia.  The “menu” options include both blocking and non-blocking sanctions:

  • Blocking sanctions on all property and interests of that sanctioned person (and inclusion on OFAC’s SDN list);
  • A prohibition on U.S. persons from investing in or purchasing significant amounts of equity or debt from the sanctioned person;
  • A prohibition on U.S. financial institutions from making loans or extending credit to the sanctioned person;
  • A prohibition on foreign exchange transactions that are subject to U.S. jurisdiction in which the sanctioned person has any interest; and
  • Imposition of sanctions on the leaders, officials, officers, and directors of the parties above.

Notably, blocking and non-blocking sanctions do not apply to entities owned in whole or in part by persons sanctioned pursuant to the new E.O., unless that entity is separately designated.  This is an important exception to OFAC’s 50 percent rule.

OFAC also issued three general licenses that authorize U.S. persons to engage in otherwise prohibited transactions and activities that are (1) related to the official business of certain international organizations, (2) ordinarily incident and necessary in support of nongovernmental organizations’ humanitarian activities, and (3) related to the exportation or reexportation of agriculture, medicine, and medical devicesNon-U.S. persons do not risk sanctions exposure for engaging in transactions and activities that would be exempt or authorized for U.S. persons under the general licenses.

Separately, the Directorate of Defense Trade Controls (“DDTC”) will publish an amendment to the International Traffic in Arms Regulations (“ITAR”) that adds Ethiopia to the list of countries for which the agency imposes a presumption of denial for export licenses of defense articles and services.  This policy will effectively cut off the flow of U.S.-origin defense items and services to Ethiopia.

Companies that operate or do business in Ethiopia should carefully review the new E.O. and potential exposure to any forthcoming sanctions, as well as the forthcoming Federal Register notice updating the ITAR.




On August 20, 2021, President Biden signed a new Executive Order to further implement sanctions provided under the Protecting Europe’s Energy Security Act (“PEESA”) of 2019.  PEESA, which was enacted earlier this year, requires the State Department to issue a periodic report naming parties involved in the construction certain Russian energy export pipelines.  Last week’s E.O. authorizes sanctions on any person named in that report, subject to certain exceptions, and directs the Treasury and the State Departments to issue rules to implement those sanctions.

As background, PEESA directs the State Department, in consultation with the Treasury Department, to identify (1) vessels engaged in certain pipe-laying activities for the Nord Stream 2 and Turkstream pipeline projects, as well as any successor projects; and, (2) foreign persons that knowingly facilitated those projects who:

  • sold, leased, or provided, or facilitated selling, leasing, or providing, those vessels for the construction of such a project;
  • facilitated deceptive or structured transactions to provide those vessels for the construction of such a project;
  • provided for those vessels underwriting services or insurance or reinsurance necessary or essential for the completion of such a project;
  • provided services or facilities for technology upgrades or installation of welding equipment for, or retrofitting or tethering of, those vessels if the services or facilities are necessary or essential for the completion of such a project; or
  • provided services for the testing, inspection, or certification necessary or essential for the completion or operation of the Nord Stream 2 pipeline.

The State Department issued its first PEESA report in May and another report in tandem with the new E.O.  As a result, the Biden Administration sanctioned seven persons and identified 16 of their vessels as blocked property in connection with the Nord Stream 2 project.  However, the State Department identified but waived penalties on Nord Stream 2 AG and its chief executive for national security reasons.

Companies that service vessels and operate in the Russian energy sector should carefully review PEESA, the new E.O., and an OFAC general license that narrowly authorizes certain dealings with Russia’s Federal State Budgetary Institution Marine Rescue Service.  It is possible that the Biden Administration may take further action to oppose the construction of energy pipelines, like Nord Stream 2, and target entities and individuals that are involved in their construction.

Today, President Biden issued an Executive Order (E.O.) authorizing the imposition of additional sanctions on the Government of Belarus and a number of key sectors of the Belarusian economy in coordination with the United Kingdom and Canada, which also expanded sanctions on Belarus.  The E.O. authorizes the Office of Foreign Assets Control (OFAC) to impose sanctions on parties that are a part of the “Government of Belarus,” any entities owned or controlled by the government, and entities operating in the security, energy, potassium chloride (potash), tobacco, construction, or transportation sectors of the Belarusian economy, among others.

Pursuant to the new E.O. and existing authorities, OFAC added 23 individuals and 21 entities to its List of Specially Designated Nationals (SDN List) today, broadly prohibiting U.S. persons from conducting business with the newly sanctioned parties and freezing any sanctioned party property subject to U.S. jurisdiction.  Among others, OFAC targeted Belarusian oligarchs Mikalai Varabei and Aliaksey Aleksin and the Serbia-based Karic family and their holdings in Belarus.  Companies associated with these parties include significant players in the Belarusian energy, cargo, and tobacco industries.  OFAC also designated Belaruskali OAO, a major producer of potash, Grodno Tobacco Factory Neman, and several directors of other previously sanctioned state-owned enterprise.  Limited transactions necessary to wind down existing business with Belaruskali OAO are authorized until December 8, 2021, pursuant to a general license issued by OFAC.  Today’s action also includes sanctions on individuals and entities involved in human rights abuses, the suppression of peaceful protestors, and the diversion of Ryanair flight 4978.

Companies doing business in Belarus should closely review these developments and any dealings with the newly sanctioned parties or any entities majority owned by the new SDNs, which may now be prohibited.  Further sanctions targeting state-owned enterprises, the Belarusian government, and the other sectors identified in today’s E.O. are possible.

On July 23, 2021, the Office of Foreign Assets Control (“OFAC”) announced a settlement agreement with online money transmitter Payoneer Inc. (“Payoneer” or the “company”) for processing online transactions on behalf of persons in sanctioned jurisdictions and persons on OFAC’s  Specially Designated Nationals (“SDN”) List.  The case is the latest in a string of OFAC enforcement actions targeting online services and commerce, and once again highlights the agency’s compliance expectations for the sector.

The Facts

Over a five-year period, Payoneer processed 2,241 payments for parties located in sanctioned jurisdictions and 19 payments on behalf SDNs.  Although Payoneer’s written policies and procedures prohibited transactions with parties in sanctioned locations and SDNs, the company failed to implement controls to ensure compliance with those requirements.  Payonner’s auditing and testing systems also failed to identify the gap between compliance program requirements and how the company’s systems were actually operating.  OFAC called out Payoneer’s failure to “exercise a minimal degree of caution or care” in its compliance program and knowledge that its users were located in sanctioned jurisdictions as “aggravating factors.”  OFAC also determined that only 19 of the violations were voluntarily self-disclosed.  However, the company took substantial remedial measures that led OFAC to reduce the ultimate the penalty amount from a base penalty amount of $3.9 million to approximately $1.4 million.

Lessons Learned

The case highlights a number of compliance lessons for digital payments companies, online service providers, and others:

  • IP address screening (again): As with other recent enforcement actions targeting online commerce (including those involving BitGo and Amazon), OFAC cited Payoneer’s failure to use IP address geolocation data to identify users in sanctioned jurisdictions.  While IP address information is not always reliable, this and other cases make clear that OFAC expects companies to consider IP addresses when screening accounts for users in sanctioned jurisdictions.
  • The power of unique identifiers: OFAC cited Payoneer for failing to screen Business Identifier Codes (BICs) where those codes were collected from customers and were included in SDN entries.  Matches to BICs and other unique identifiers, like ID numbers, are strong indicators of a potential true match to a sanctioned party, and should be incorporated into sanctions screening algorithms.
  • Use the data you collect: Payoneer also failed to consider other “common indicators” of a person’s location, including billing and shipping addresses and copies of identification issued by sanctioned jurisdictions.  The lesson?  If you collect data about a user’s identity or location for business reasons, you need to be considering that data for sanctions compliance purposes too.
  • No de minimis exception: The average value of the transactions in this case was only about $355.  Even relatively small value transactions can generate substantial OFAC liability, particularly in cases like this one, where there were repeated potential violations over a long period of time.
  • Maintain holds: OFAC cited Payoneer for allowing transactions with sanctions alerts to be automatically released during “backlog periods.”  If you have a potential match to a sanctions list, it is important to implement and maintain a transaction hold on that account until that alert is properly reviewed and cleared.
  • Testing and auditing: Testing and auditing are important elements of any successful compliance program.  A robust testing and auditing program should examine whether procedures are sufficient to address compliance risks and whether those procedures are being implemented as intended in the real world.  OFAC noted the company’s enhancements to its testing and auditing programs as important remedial measures, including retraining all compliance employees and hiring positions focused on testing.  If Payoneer had those functions in place earlier, it’s possible the company could have avoided a costly enforcement proceeding.

Please contact our sanctions and export control team with any questions about designing, testing, or enhancing your sanctions compliance program.