Where’s the Beef (in First Data’s Settlement)?
On April 15, United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) settled with Atlanta-based First Data Resources LLC apparent violations §598.203 of the Foreign Narcotics Kingpin Sanctions Regulations (“FNKSR”). With a penalty of $23,336 (from transactions valued at $69,114 resulting in a $34,572 base penalty), First Data’s settlement was on the low end and the conduct described by OFAC is relatively unremarkable compared to some other cases. The company was providing unspecified “third-party data processing services” to a Specially Designated Narcotics Trafficker even though its screening software identified a potential match. First Data’s compliance procedures were also deficient in that the SDN was able to reactivate its access to First Data’s services after the company deactivated the SDN’s account after the potential violations were discovered.
The question is, what was the specific conduct undertaken by First Data from which OFAC calculated the transaction value and in turn the base penalty?
First Data is a payment processing company, which provides almost half of the annual credit card transactions in the United States. It stands to reason that the violations in question here were related to processing payment transactions on behalf of the SDN. In other cases where financial transactions are involved, such as the recent PayPal settlement, the base penalty has been calculated based on the number and value of the transactions in question.
In the case of First Data we’re given no real information on what services First Data was providing nor are we told how many transactions were conducted in violation of the FNKSR. This would seem to indicate that First Data’s penalty is not being calculated based on the transactions it may have processed, but rather based on some other metric such as the total value of the services contract signed with the SDN.
Since First Data voluntarily self-disclosed the violations and the conduct was non-egregious, under OFAC’s Enforcement Guidelines the penalty calculation used is one-half of the transaction value capped at $125,000 per violation. Given First Data’s provision of services to the SDN lasted only roughly 3.5 months, it is not outside the realm of possibility that the total value of actual transactions processed would be much smaller than the $69,114 noted by OFAC. Or the total value could be significantly higher.Foreign Narcotcs
Without more clarity on how OFAC calculated the penalty it’s hard to ascertain how significant First Data’s violations actually were.
What is clear is that OFAC expects companies’ interdiction software to be functioning properly and for compliance staff to correctly deal with SDN alerts. As with the PayPal example, even a single mishandled account can result in your company’s name going up on OFAC’s enforcement page.