Behind PayPal’s Foreign Assets Violations

TECHCRUNCH: In 2009, the US Treasury Department’s Office of Foreign Assets Control (OFAC) blacklisted an individual named Kursad Zafer Cire. Mr. Cire was believed to have run a network that facilitated the sale of nuclear technologies to countries such as Iran, Libya, and North Korea. He was a known bad actor.

But from October 2009 to April 2013, PayPal continued to allow payments to be made to Mr. Cire. On March 25, 2015, PayPal agreed to $7.7 million in fines for this and other infractions including processing payments to Sudan, Cuba and an organization in the UK believed to support Hamas. At the time, PayPal had screening technology, yet it was under-employed. And in some exceptional cases, employees had been notified of the condition but continued to allow payments to be made.

PayPal did voluntarily help the Treasury Department and has made the necessary corrections to its processes. But have you? What can financial officers and entrepreneurs at companies who do business with many partners and suppliers learn from the PayPal violations and how can they avoid getting in trouble with the law?

It turns out, many other companies may not be acting in compliance with OFAC regulations requiring that companies follow a due diligence process prior to making payments to suppliers to ensure they don’t have an OFAC “hit.”  A recent study by Gatepoint Research of 100 accounts payable departments across varying industries and company sizes identified that, like PayPal, nearly 66 percent either did not screen or did not know whether they screened suppliers across OFAC and anti-money laundering (AML) databases.

With more and more companies doing business with global suppliers and partners, the likelihood that you may be dealing with a bad entity is ever increasing. In addition, the proliferation of network economy business models — where sourcing of digital assets, crowd talent and information and ad networks — makes verifying and validating even more important. The new normal is that business happens without a face-to-face meeting with a partner or even a phone conversation. Yet businesses can’t simply trust an individual on merit and identity alone.

Negative credibility damage

OFAC called PayPal’s actions a “reckless disregard” of its sanctions. Also stating in theirenforcement documentation:

“PayPal demonstrated reckless disregard for U.S. economic sanctions requirements… PayPal agents engaged in a pattern of conduct by repeatedly ignoring certain warning signs about potential matches to the [blacklist].“

Amanda DeBusk, a partner at law firm Hughes Hubbard & Reed LLP, stated in a Wall Street Journal article that we can expect more targeting by the Treasury Department: “While the spotlight has been on the banks, [OFAC] is increasing its focus on the nonbank financial institutions.” This makes sense since terrorists know there are better places to hide their activities than a bank.

 For a company like eBay and its PayPal division (which is currently restructuring into different companies), the general public probably won’t flinch at this news. There are many other avenues for the company to re-engage its customers and partners, and this kind of violation is likely a small blip.

But let’s say you’re not a mega-corporation and you don’t have diversified holdings and billions already invested in household brand recognition. Is it worth the negative PR as a company that knowingly (or even unknowingly) engaged in illegal transactions, dealt with illegal suppliers, and has had run-ins with the law. Will investors (current and potential) recoil if they know you don’t have strong controls and processes in place?

Profitability hit of non-compliance

Let’s say your organization is willing to risk the brand damage of getting caught. What does that risk actually look like in pure numbers? If we use the PayPal settlement as a model, it’s substantial. The company was fined $7.7 million for what amounts to $43,934 in transactions. Assuming they charged their published 2.9 percent transaction fee for businesses, the company actually only made $1,274 off of those transactions.

So what is the “violation on return (VOR)?” 6,044 percent. In other words, that error cost them 6,000x what they got out of it.

Keeping in mind PayPal’s total revenue in 2013 was $6.6 billion, $7.7 million in fines may not be that significant. But the VOR number looks at worst: cataclysmic, and at best: embarrassing.

For a smaller company, those penalties could be extremely damaging. According to the US Department of the Treasury,“criminal penalties for willful violations can include fines ranging up to $20 million and imprisonment of up to 30 years.”

Let’s face it: as demonstrated by PayPal, transactions don’t always happen to the letter of the law. So let’s get more personal. How does one justify their moral compass when we know that these regulations are there to stymie criminals and people who want to hurt others? What greater reason is there to act above the law?