OFAC Settles with DaVinci Payments for $206,213 Related to Apparent Violations of Multiple Sanctions Programs


Buffalo Grove, Illinois-based financial services and payments firm Swift Prepaid Solutions, Inc., operating under the trade name DaVinci Payments (daVinci), has reached a settlement with the Office of Foreign Assets Control (OFAC), agreeing to remit $206,213 to resolve potential civil liability for a significant number of apparent violations related to OFAC sanctions programs targeting regions including Crimea, Iran, Syria, and Cuba. The violations took place between November 15, 2017, and July 27, 2022, and revolve around daVinci's management of prepaid reward card programs that enabled individuals in sanctioned jurisdictions to redeem rewards.

DaVinci, which specializes in providing digital and physical payment reward card programs for corporate, non-profit, and government clients, facilitates the issuance of payment cards to select recipients. Recipients typically receive the cards as part of loyalty, award, or promotional incentive programs for employees, customers, and other beneficiaries.

The process involved daVinci's clients funding card programs through an issuing bank, with daVinci supplying the prepaid cards to authorized users. Authorized users received an email containing a token from daVinci, allowing them to redeem the token for a prepaid card. To complete the redemption process, users provided their personal information, including names, addresses, and email addresses. DaVinci implemented sanctions screening to ensure that users from sanctioned jurisdictions could not enter addresses associated with these areas. Once users passed screening and verification, funds were released to their prepaid cards, and daVinci issued the cards for their use at merchants accepting payments via third-party credit card networks.

During a compliance review and subsequent investigation between March 2020 and February 2022, daVinci identified multiple redemptions involving individuals with Internet Protocol (IP) addresses associated with sanctioned regions, including Iran, Syria, Cuba, and Crimea. After taking steps to prevent access from IP addresses linked to sanctioned jurisdictions, daVinci discovered that it had also processed redemptions for users with email addresses using suffixes (top-level domains) associated with these regions. These lapses resulted in 12,391 redemptions totaling $549,134.89 for cardholders apparently located in sanctioned jurisdictions, leading to apparent violations of various sanctions regulations.

The statutory maximum civil monetary penalty in this matter was $4,399,759,685. Because the apparent violations were voluntarily self-disclosed and non-egregious, OFAC determined a base civil monetary penalty of $274,950 under its Enforcement Guidelines. The settlement amount of $206,213 reflects OFAC's evaluation of the General Factors under the Enforcement Guidelines.

Aggravating factors in the case included daVinci's failure to exercise due caution or care when redeeming prepaid digital reward cards for individuals appearing to be in sanctioned jurisdictions, as the company possessed information related to redeemers' IP addresses and email address suffixes but failed to incorporate this data into its compliance program or controls.

Mitigating factors identified by OFAC included the absence of any Finding of Violation or Penalty Notice issued to daVinci in the five years preceding the earliest transaction leading to the apparent violations. Additionally, daVinci undertook significant remedial measures, such as internal reviews, IP blocking to prevent access from sanctioned jurisdictions, real-time screening and blocking of email address suffixes, and independent third-party testing at regular intervals. The company also cooperated with OFAC's investigation.

This enforcement action highlights the importance of using all available information, including location-related data such as IP addresses and top-level domains, for sanctions compliance purposes. Firms providing online services should integrate such data into a risk-based sanctions compliance program to prevent service provision to individuals in sanctioned regions. Furthermore, the case underscores the limitations of controls relying solely on customer-provided information, emphasizing the value of conducting proactive, self-initiated reviews to identify compliance gaps and taking steps to remediate deficiencies. This includes instituting regular independent testing to ensure the effectiveness of controls.
