As part of a settlement with the Treasury Department's Office of Foreign Assets Control (OFAC), Tango Card, a provider and distributor of electronic incentives with headquarters in Seattle, agreed to pay around $116,000 for alleged sanctions breaches relating to the distribution of e-gift cards.
According to a Friday enforcement announcement from OFAC, Tango Card distributed at least 27,720 merchant gift cards and promotional debit cards totalling close to $400,000 to people with email or IP addresses linked to sanctioned countries, including Cuba, Iran, Syria, North Korea, and Ukraine (Crimea). The claimed errors allegedly took place between September 2016 and September 2021.
Tango Card informed OFAC of the situation willingly, and the agency found nothing egregious about it.
To find prospective transactions with direct consumers within of authorized areas, Tango Card uses geolocation data together with screening and know your customer (KYC) procedures. OFAC discovered that the company "did not use those controls to identify whether recipients of rewards, as opposed to senders of rewards, might involve sanctioned jurisdictions."
When a Tango Card customer realized that reward recipient email addresses it had previously given to Tango Card had top-level domains (TLDs) connected to prohibited areas, it became aware of the problem in February 2021. According to OFAC, Tango Card carried out a lookback investigation into the issue and discovered more instances of reward winners using IP addresses from sanctioned countries to redeem their prizes.
Despite having reason to believe that Tango Card was transmitting rewards to recipients in sanctioned jurisdictions based on IP address and TLD data in its possession, OFAC stated that Tango Card "failed to impose risk-based geolocation rules using tools at its disposal to identify the location of its reward recipients."
Tango Card improved its sanctions compliance procedures after becoming aware of the problem by adding more personnel, keeping a consultant, providing further training, and purchasing new screening equipment. Tango Card also cooperated with OFAC's inquiry. To make sure its restrictions over TLDs and IP addresses were effective in preventing transactions in forbidden areas, Tango Card added geoblocking for TLDs, updated its IP address geoblocking, and started publishing monthly reports.
According to OFAC, "This case demonstrates the importance of using relevant geographic information as part of an effective, risk-based sanctions compliance program, including the use of appropriate geolocation tools to identify transactions potentially involving sanctioned jurisdictions. In addition, while contractually obligating customers to comply with sanctions regulations can help mitigate risk, it does not obviate the need to impose other sanctions compliance controls when appropriate on a risk basis."
In response, Tango Card stated via email that "building systems with compliance top of mind is key for us, our customers, and our future growth. We are excited to refocus our attention on offering great rewards to customers around the world with higher confidence in our compliance controls."
By fLEXI tEAM