Is your business model violating international sanctions?

For global companies, particularly in the financial services sector, sanctions compliance is becoming ever more fraught. Payments and money transfers are becoming ever more globalised, and new businesses are popping up to take advantage of a booming market. But when it comes to sanctions compliance, the costs of getting it wrong are rising.

Payoneer is a firm specialising in business-to-business cross-border payments. It is used by global leaders like Airbnb, Amazon, Google and Upwork to facilitate cross-border wire transfers, online payments, and debit card services. The company also offers facilities for small and medium-sized businesses to send payments anywhere in the world, quickly and cheaply.

But this business model recently hit the wall of sanctions compliance. Sending money anywhere in the world might be a good marketing slogan, but it’s also a violation of international sanctions. In July 2021, Payoneer was fined $1.4 million by the US sanctions authority, the Office of Foreign Assets Control (OFAC) for over 2,200 violations of multiple sanctions regimes.

In the settlement agreed to by Payoneer, they admitted to processing payments for parties located in Crimea, Iran, Sudan and Syria, all countries subject to US sanctions. They also processed 19 payments on behalf of individuals sanctioned by the US.

This meant sanctioned individuals were able to engage in over $800,000 worth of transactions. The fine comes at a tricky time for Payoneer, who began trading on the Nasdaq exchange the month before, with a valuation of $3.3 billion.

What can we learn from Payoneer’s mistakes?

The sanctions failings relate to Payoneer failing to focus on sanctioned locations, and had no system in place for monitoring IP addresses or flagging addresses from sanctioned locations. OFAC noted that Payoneer had reason to know the location of sanctioned users, so it begs the question, how does a business fail so spectacularly at sanctions compliance?

OFAC found multiple sanctions control breakdowns from weak algorithms that allowed close matches on the sanctions list to go unflagged, failing to screen for Business Identifier Codes, even when these were included on sanctions lists, and allowing flagged and pending payments to be automatically released without review during backlog periods.

If Payoneer hadn’t settled, it would have been looking at over $4 million in sanctions. Other actions the company took included firing its chief compliance officer, retraining compliance staff and putting in place more checks within its system.

Clearly, Payoneer believes the fault lies with its compliance department. But is shifting the blame from the board and executive team really that helpful? Sanctions compliance must go beyond more than one department or a single team to be effective. Businesses need top-down sanctions compliance, setting the tone from the top and embedding understanding of international sanctions across the business. Particularly when a business model is centred on providing payments to anyone, anywhere, when that very modus operandi flies in the face of a strong sanctions compliance programme.