Does the PayPal Settlement Set a Dangerous Precedent?
Last week, PayPal agreed to cough up $7,658,300 for violations of a number of different sanctions programs. Between 2009 and 2013, the company processed 486 transactions worth approximately $43,934 that OFAC judged to be violations of sanctions. However, the penalty was largely the result of failures related to a single account, occurring over multiple years. Regulators claim they don’t expect perfection, but do they?
Of the $17,018,443 base penalty, all but $18,443 resulted from conduct from a single account held by Kursad Zafer Cire, who was designated pursuant to Executive Order 13382 on January 12, 2009. According to Treasury, between October 20, 2009 and April 1, 2013, PayPal processed 136 transactions worth $7,091.77 on behalf of Cire. Due to an apparent failure in PayPal’s automated screening software, Cire was not identified as a Specially Designated National (“SDN”). After the automation issue was solved, PayPal compliance personnel incorrectly dismissed SDN alerts on five occasions in 2009. Then in February 2013, after PayPal’s software flagged Cire’s account, a PayPal employee requested additional information, which matched information contained in Cire’s SDN entry. Yet the employee mistakenly dismissed the match due to an apparent misunderstanding of the software. Cire’s account was finally blocked on April 13, 2013.
Using the Base Penalty Matrix from OFAC’s Enforcement Guidelines, the base penalty for the Cire-related violations comes out to $17 million. OFAC considered the conduct to be egregious and coupled with the fact that it was voluntarily self-disclosed, the resulting penalty is one-half of the statutory maximum, which is $250,000 or twice the value of each transaction, whichever is higher. So 136 x $250,000 = $17,000,000.
Some things to consider when evaluating this penalty:
For international transactions, which present the greatest sanctions-related risk, PayPal’s revenue is %6.4 of the total value of the transaction. So the greatest possible revenue PayPal could have generated from the Cire-related transactions is $453.87. Moreover, for PayPal to recoup the $17 million base penalty amount for these transactions, it would need to process $265,625,000 worth of transactions. If Paypal had not self-disclosed, the base penalty would double and PayPal would need to process $531,250,000 worth of transactions to cover the $34 million penalty. PayPal currently processes approximately $623 million in payments every daily, though the revenue generated from these payments would be less than %6.4 of the total.
Paypal’s settlement sends a message that a single account, handled improperly, can result in a significant financial penalty. While Acting Undersecretary for Terrorism and Financial Intelligence Adam Szubin recently gave a speech in which he said “we do not expect perfection from the private sector,” such a severe fine for a single mishandled account sets a fairly high bar, particularly in a case when there is no evidence of any deliberate attempt to avoid sanctions compliance and the conduct was voluntarily disclosed.
All in all, $7 million is not going to cause the brass at PayPal to lose much sleep, though there are reputational issues, as well as the risk that any future penalty will be exacerbated by this prior enforcement action. But other Money Service Businesses (MSBs) that may not be able to easily absorb this sort of penalty should be on notice that mistakes, whether by improperly calibrated software or human error, can have potentially devastating consequences. The danger is that some will take this as further evidence that regulators intend to crack down harder on MSB-related risk, which may not be such a good thing at a time when risk-perception is shutting down international remittances channels, raising the possibility of food insecurity in places like Somalia.
We at Sanction Law experienced Paypal’s efforts to beef up its compliance first-hand. Several years ago Erich published the Iranian Transactions Regulations Practice Guide, the first-ever practice guide devoted to an individual U.S. sanctions program. Unfortunately, the account established to receive payments for the book was frozen on multiple occasions and transactions were repeatedly rejected.
The reason? The term “Iranian” in the title.
So in its zeal to improve its sanctions compliance, PayPal ended up blocking payments for a book designed to educate about sanctions compliance.
1 Comments
It is clear from recent regulator fines that it is not just financial institutions who will need to have in place Sanctions programmes. Large scale global companies cannot afford to lag behind any longer
Comments are closed.