On September 30, 2022, the United States Department of Treasury’s Office of Foreign Assets Control (“OFAC”) released an enforcement action (the “Action”) against Tango Card, Inc. (“Tango”) related to Tango’s non-compliance with regulations governing transactions made with persons and entities in countries sanctioned by the United States government. Tango settled with OFAC for $116,048.60 after self-reporting their non-compliance.
Tango operates a rewards platform which enables its customers to purchase and distribute e-gift cards as rewards or incentives to employees or customers. Prior to the issuance of this Action, Tango used various screening practices, including geolocation tools to identify if persons interacting in the technology that Tango leverages are physically in countries where there is a high risk for suspected fraud and certain Know Your Customer (“KYC”) mechanisms for its direct customers. Tango’s KYC compliance focused on the customers of Tango itself, and not the recipients of e-gift cards which would be sent to such recipients by Tango.
In February of 2021, a client of Tango identified that a number of email addresses that the client intended to send e-gift cards to included top-line domains based in countries of which the United States has imposed sanctions (i.e., “.cu” representing the country code top-line domain associated with domains in Cuba or “.ir” representing the same or domains in Iran). The client informed Tango, which then conducted an internal review uncovering that (1) there had been other instances where it sent e-gift cards to reward recipients (which were initiated by Tango’s direct customers, who provided email lists of recipients to Tango) and (2) that there were instances where a reward recipient redeemed a reward using an IP address for a sanctioned jurisdiction.
Tango voluntarily disclosed and reported its findings of non-compliance to OFAC, which proceeded to conduct a further investigation into the matter. This investigation, with Tango’s cooperation, determined that Tango transmitted 27,720 separate e-gift cards totaling $386,828.65 “to individuals with email or IP addresses associated with Cuba, Iran, Syria, North Korea or the Crimea region of Ukraine.” Violations of the statutes listed in the Action carry a maximum civil monetary penalty of $9,168,949,062.00 and a base civil monetary penalty of $193,414.33.
Ultimately, OFAC weighed two aggravating factors and three mitigating factors when determining the ultimate settlement amount of $116,048.60. The first aggravating factor was the violation itself that Tango transferred $386,828.65 in the form of e-gift cards to persons in sanctioned regions. The second aggravating factor was Tango’s failure to conduct KYC on recipients of the e-gift card transfers in spite of having all necessary information, such as top-line domains of recipients’ email and IP addresses, to determine if transactions were occurring with persons suspected of being in sanctioned regions.
However, the three mitigating factors helped to reduce the ultimate settlement amount to approximately $75,000 below the base civil monetary penalty that would have otherwise been imposed. The first mitigating factor was that Tango had not received any penalty notice or other related notice asserting non-compliance with laws by OFAC. The third mitigating factor listed was that Tango voluntarily disclosed the non-compliance upon its discovery and cooperated with OFAC’s investigation into the matter. The second mitigating factor involved the implementation of certain compliance processes discussed below.
As discussed, Tango had historically conducted KYC investigative measures on its direct customers and used certain geolocation tracking to determine if transactions were taking place in jurisdictions where there was a high chance of fraud. Upon discovery of non-compliance with OFAC regulations, in addition to voluntarily disclosing to OFAC, Tango implemented a number of additional compliance protocols which collectively were considered as the second mitigating factor. In addition to using geolocation tools to identify regions with higher risk for fraudulent transactions, Tango specifically began geofencing persons in jurisdictions and regions subject to sanctions from redeeming any rewards sent to such persons. Additionally, Tango blocked persons whose email addresses contained a top-line domain associated with sanctioned countries, preventing Tango from issuing rewards to such persons. Tango also acquired other screening tools and implemented an internal process of running reports confirming that the tools Tango put in place were adequately preventing persons in sanctioned jurisdictions from being sent or receiving e-gift cards and other rewards.
If you have any questions about whether your rewards program or payments platform conforms to OFAC requirements, please contact the authors of this article or any member of Frost Brown Todd’s Blockchain and Electronic Payments & FinTech teams.