On November 6, 2023, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) announced a $206,213 settlement with Swift Prepaid Solutions, Inc. d/b/a daVinci Payments (daVinci) for apparent violations of sanctions regarding Crimea, Iran, Syria and Cuba. The financial services and payments firm was penalized by OFAC for enabling prepaid reward cards to be redeemed by persons who purchased the cards from sanctioned jurisdictions.
The November 6 settlement reflects a growing trend in OFAC enforcement actions to emphasize the importance of geolocation and blocking for financial and web services companies.
DaVinci is an online platform that offers digital and physical payment reward card programs to corporate, nonprofit and government clients. The clients of daVinci reportedly fund the card programs themselves through an issuing bank, while daVinci provides the prepaid cards to the authorized users.
OFAC determined that between March 2020 and February 2022, daVinci had redeemed prepaid cards on 12,378 occasions for users with Internet Protocol (IP) addresses associated with the sanctioned jurisdictions of Iran, Syria, Cuba and Crimea, and that after implementing initial measures to block access to its platform from certain IP addresses, additional prepaid cards were redeemed by persons with potential connections to sanctioned jurisdictions. The redemptions totaled $549,134.89 for cardholders apparently located in prohibited jurisdictions.
Notably, daVinci had mechanisms that would not allow users to enter a personal address in a sanctioned jurisdiction. Customers also were screened against sanctions lists. Thus, the violations were ones that required additional compliance tools, such as geolocation, to identify and prevent.
OFAC determined that the apparent violations by daVinci were voluntarily self-disclosed and non-egregious. However, in determining the penalty for daVinci, OFAC identified as an aggravating factor that the company knew or had reason to know of the redeemers’ IP addresses and email address suffixes indicating location in a sanctioned jurisdiction but failed to incorporate this information into its compliance program or controls.
This enforcement action emphasizes that OFAC expects companies to verify a customer’s identity and location using location-related data like IP addresses and top-level domains, or other geolocation tools, where practicable. The settlement also underscores the limitations of relying solely on customer-provided information, highlighting the importance of a comprehensive information-gathering system to prevent evasion or misrepresentation.