How CFOs Can Avoid Repeating PayPal’s OFAC Violations

This is an extension of an article originally published in TechCrunch on April 12, 2015: “Behind PayPal’s Foreign Assets Violations.”
In the TechCrunch article, we recap how in 2009, the US Treasury Department’s Office of Foreign Assets Control (OFAC) blacklisted an individual named Kursad Zafer Cire. This individual was believed to have run a network that facilitated nuclear technology sales to Iran, Libya, and North Korea. OFAC designated this person as a known bad actor.
From October 2009 to April 2013, PayPal continued to allow payments to be made to Mr. Cire, even though it had controls in place to screen and stop payments to known bad actors on the Treasury Department’s list of Specially Designated Nationals (SDNs). On March 25, 2015, PayPal agreed to a $7.7 million settlement for this and other infractions, including allowing payments to Sudan, Cuba, and an organization in the UK believed to support Hamas.
Gatepoint Research recently conducted a study of accounts payable departments across varying industries and company sizes. It found that, like PayPal, nearly 66% either did not screen suppliers against OFAC and anti-money laundering (AML) databases or did not know whether they were screening them.
The White House has also recently enabled OFAC to add cybercriminals as sanctionable entities. In today’s digital business world, where cyberthreats pose one of the most serious economic and national security challenges, it’s becoming clear that every company needs to be vigilant in ensuring its systems are not being hijacked by bad actors bent on terrorism, money laundering, drug trafficking, or more. Such misuse puts your company and systems at risk.
So what can financial officers at companies that do business with many partners and suppliers learn from the PayPal violations, and how can they avoid getting in trouble with the law?
What Accounts Payable Controls Can Businesses Employ?
In dealing with the tens of thousands of accounts payable payment transactions our company processes for our customers, we have some key rules to maintain controls.
- KYC (know your customer), or in this case “know your partner.” Onboarding should always involve some type of background check, including screening against OFAC and other international anti-terror, anti-money laundering, and anti-drug trafficking watch list databases. When appropriate, Tipalti looks at the banking information the supplier provides for remittance, and we may investigate a company’s business model and the corporate structures of its suppliers. In addition, we do not allow payments until the payee has submitted their W-9/W-8 tax identification forms. This process is part of the standard onboarding workflow and can be done in a paperless way. As we’ve often said, today’s global digital economy makes it a challenge to meet your suppliers face-to-face, much less have an actual conversation. You have to do what you can to ensure your supply chain is on the right side of the law.
- Screen every transaction. Fraud happens when there is a lapse, and not always on the first attempt. If the company has been paying someone for a few months, then suddenly the transactions change dramatically or someone is added to the blacklist, the company’s controls must account for this type of circumvention. The key is that every point of contact is a point to reverify or revalidate a supplier payee.
- Take a more proactive, community-driven approach. For example, because we service transactions to over 300,000 entities across hundreds of organizations and almost 200 different countries, our systems, and even our customers, can actually flag bad actors. This enables other customers to benefit from crowd-sourced identification of potential fraudsters. As soon as we see a red flag with a payee, we can launch an investigation or even contact the authorities.
Final Thoughts
Certainly, there are business reasons to be diligent in support of OFAC and other regulatory sanctions. No one wants to have their operation shut down by the government. No one wants to pay millions in fines and be made an example of.
But let’s get more personal.
How does one justify their moral compass when we all know that these regulations are there to stymie criminals and people who want to hurt others? What greater reason is there to act above the law?