Who We Serve

Services

About

Resources

Money Transmitters Compliance

Money Transmitters

Lessons From The OFAC Compliance Settlements With SAP And MoneyGram

Dec 21, 2023

·

InnReg

·

8 min read

Contents

It is essential to ensure that you implement proper IP address tracing protocol for any cloud-based services which may be used by someone in a foreign country.

If you work with third-party vendors who engage with people in other countries, you must complete proper due diligence to ensure that they are not selling your services to people on an SDN list. If you do business with people from foreign countries, you must ensure that they are not blocked by the Department of the Treasury.

Finally, it is important to ensure that you have a proper Compliance and Audit team to ensure that you are able to audit your own systems and ensure that no violations are occurring.

InnReg Logo

InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013. If you need assistance with compliance or fintech regulations, click here.

Lessons From The OFAC Compliance Settlements With SAP And MoneyGram
Lessons From The OFAC Compliance Settlements With SAP And MoneyGram
InnReg Banner
InnReg Banner

Key Facts

The Office of Foreign Asset Control recently settled two lawsuits with SAP, a German software company with US offices, and MoneyGram, a Texas-based global payments company. Both entities violated US sanctions regulations against multiple foreign countries and entities.

In particular, SAP violated Section 560.204 of the Iranian Transactions and Sanctions Regulations by allowing their software to be purchased, downloaded, and used by Iranian companies.

Meanwhile, MoneyGram violated their OFAC Compliance Commitments by violating a host of sanctions regulations, including:

  • The Foreign Narcotics Kingpin Sanctions Regulations;

  • The Narcotics Trafficking Sanctions Regulations;

  • The Syrian Sanctions Regulations;

  • The Democratic Republic Of The Congo Sanctions Regulations; and

  • The Central African Republic Sanctions Regulations;

The Similarities Between SAP and MoneyGram

Both companies were selling the products and services abroad in different countries. Both companies also failed to properly monitor the transactions to ensure they were not in violation of US sanctions policies.

Both companies also helped mitigate the violations by fully cooperating with the investigation and making proactive changes to ensure violations did not continue. These proactive actions included:

  • changing their transaction monitoring systems,

  • providing better training for their staff to spot transactions that might violate US Sanctions regulations and

  • ensuring that their compliance departments were properly staffed to be able to monitor and respond to any issues with transactions.


It is important to note that both companies settled their OFAC Compliance Commitment violations, and therefore, the violations were apparent rather than proven.

The SAP Settlement

The SAP settlement is unique as it is the first time that the DOJ has gone after a foreign company for sanctions violations since implementing The Export Control and Sanctions Enforcement Policy for Business Organizations in December 2019.

Background Of The SAP OFAC Settlement

The SAP settlement was part of a much larger investigation that involved the OFAC, the US Department of Justice, and the US Department of Commerce Business Initiative and Security, which resulted in a settlement totaling eight million dollars ($8 million).

As part of that settlement, SAP has agreed to pay the OFAC two million one hundred and thirty-two thousand one hundred and seventy-two dollars ($2,132,172) in settlement of the approximately one hundred and ninety (190) Iranian Sanctions violations committed.

Conduct Which Led To The OFAC Compliance Commitment Violations

In the investigation, it was determined that between June 1, 2013, and January 1, 2018, SAP violated the Compliance Commitments in three major ways:

  1. by not tracking Internet protocol (IP) addresses for those entities and individuals downloading their software, its updates, or using their software,

  2. by failing to do proper due diligence on their third-party vendors, and

  3. failing to properly audit and fix deficiencies with newly acquired subsidiaries to ensure compliance.

InnReg Banner
InnReg Banner

Failure To Track IP Addresses

SAP did not properly track IP addresses for end users of their software to determine whether the software was being used in countries subject to sanctions such as Iran. The OFAC Compliance Commitment Violation was exacerbated because SAP had undergone several audits and was told to start tracking IP addresses for their end-users.

SAP was made aware of the need to track end-user IP addresses as early as 2004 when the geolocation IP screening technology was introduced. SAP did not implement such protocols until approximately January of 2018.

Because SAP's software was cloud-based, IP address tracking was an essential part of SAP's OFAC Compliance Commitments. IP address tracking helps to ensure that the software is not being used by entities blocked under US sanctions. Because SAP has offices in the United States, they were subject to the US sanctions regulations despite being based in Germany.

Failure To Conduct Proper Due Diligence For Their Third-Party Vendors

SAP also failed to do proper due diligence on their third-party vendors. The OFAC found SAP failed to do proper due diligence on some of their third-party vendors. Some of these vendors were selling the software to companies owned by Iranian entities. SAP allowed such sales to occur. SAP also failed to do due diligence on their third-party vendors to discover their communications with Iranian entities about the software, its use, and updates.

SAP also failed to do proper due diligence to discover that many of these third-party vendors were dealing with companies known to be owned by Iranian entities but based in countries such as Malaysia and the United Arab Emirates.

Failure To Properly Audit And Fix Deficiencies In Newly Acquired Subsidiaries

The OFAC found additional Compliance Commitment Violations when SAP failed to integrate a cloud-based company that they purchased in the United States in a timely manner. Instead, SAP allowed the Cloud Based Group to function independently under the SAP banner, almost as a separate entity. In addition, SAP relied on a skeletal compliance and audit team based in the US to handle any violations that might occur.

It is important to note that it was specifically stated in the settlement announcement that the SAP enforcement action “emphasizes the importance of conducting sufficient pre-and post-acquisition due diligence to identify and promptly remediate compliance deficiencies in newly acquired subsidiaries.”

InnReg Logo

Need help with money transmitter compliance?

Fill out the form below and our experts will get back to you.

By submitting this form, you consent to be added to our mailing list and to receive marketing communications from us. You can unsubscribe at any time by following the link in our emails or contacting us directly.

By submitting this form, you consent to be added to our mailing list and to receive marketing communications from us. You can unsubscribe at any time by following the link in our emails or contacting us directly.

By submitting this form, you consent to be added to our mailing list and to receive marketing communications from us. You can unsubscribe at any time by following the link in our emails or contacting us directly.

Mitigating Factors Found By The OFAC

When determining the settlement, several mitigating factors were found in SAP's favor. The company had taken steps to honor its OFAC Compliance Commitments and stop the flood of violations. These actions include:

  • firing multiple employees who knew about the software sales to Iranian entities,

  • implementing a geolocation IP screening protocol which denied access to SAP's software if the IP address originates in a blocked country; and

  • hiring new employees specifically tasked with export control and sanction compliance.

The MoneyGram Settlement

A settlement worth $34,328.74 with MoneyGram was sealed for various OFAC compliance commitment violations.

InnReg Banner
InnReg Banner

Conduct Which Led To The OFAC Compliance Violations

Between March 2013 and March 2016, MoneyGram provided payment services to the Department of Justice's Federal Bureau of prisons ("BOP"). These services allowed federal inmates to send and receive money from their commissary accounts with people outside of the prison system.

The OFAC Compliant Commitment Violations occurred when inmates who were blocked by various United States Sanctions regulations were allowed to send and receive money to foreign entities from their commissary accounts. The violated sanctions include:


MoneyGram also failed to check that the BOP inmates using their services were not subject to the OFAC's List of Specially Designated Nationals And Blocked Persons List ("SDN list"). In the investigation, it was also found that MoneyGram knew that some of the BOP inmates were, in fact, on the SDN list and allowed the blocked inmates' money transfer requests to continue to occur.

Mitigating Factors Found In The Settlement

When determining whether to settle the case against MoneyGram for OFAC Compliance Commitment Violations, a number of mitigating factors were found in MoneyGram's favor. These factors include:

  • Internal audits and self-reporting

  • Cooperating with the investigation

  • Implementing improvements to protocols for compliance commitments

Internal Audits And Self Reporting

Moneygram’s violations were discovered in an internal audit to increase OFAC compliance standards. The company self-reported these violations.

Cooperating With The OFAC Investigation

MoneyGram fully cooperated with the investigation that occurred after they self-reported the Compliance Commitment violations. The cooperation included allowing complete access to the files and records, including those for transactions that did not violate the OFAC's Compliance Commitments.

Implementing Improvements To Protocols For Compliance Commitments

The OFAC found that MoneyGram took a number of important steps to ensure that further Compliance Commitment Violations did not occur. These steps included:

  • Launching a new screening system which more carefully monitored people and entities using the company's money transfer services;

  • Launching a new screening program specifically designed for BOP inmates which checks whether federal inmates are on the SDN list;

  • Ensuring that any federal inmates who are on an SDN list cannot send or receive money from their commissary account;

  • Providing additional training to its employees to check use records against sanctions lists to ensure compliance; and

  • Increasing the compliance auditing service division to 128 employees

InnReg Banner
InnReg Banner

What Do These Settlements Mean For Your Business?

In order to avoid these OFAC Compliance Commitment Violations, there are several steps that companies can take.

Steps to avoid OFAC compliance commitment violations


1. IP Tracking

If you are a company that engages in a cloud-based service, it is essential that you incorporate a geolocation IP address tracking protocol. This ensures that no one from a sanctioned country is using your product.

2. Vendor Check

If you work with third-party vendors, you must do proper due diligence to ensure that they are not communicating with people from these sanctioned countries. Immediately stop working with any third-party vendor found to be in violation of the United States sanction policy.

3. Fast Compliance Program Deployment Following an Acquisition

When acquiring a business, it is essential that you do proper due diligence both before and directly after purchasing the company to find any deficiencies in compliance with the OFAC Compliance Commitment standards.

It is critical that you incorporate the company into your company as quickly as possible. Ensure that the company is following your protocols and guidelines for compliance. Do not allow them to function as a single separate entity under your umbrella.

This is especially important if the company in question has been found to have deficiencies in its compliance with the Compliance Commitment Standards.

4. Employee Training

All employees must be properly trained as to the data and information that is needed to ensure that your company does not violate the OFAC standards. This training should also give information on how to cut off access to any customer or third-party vendor who violates these Compliance Commitments.

5. Proper Teams

When dealing with foreign entities or those who might be subject to United States Sanctions Regulations, you must have a robust Compliance and Audit team that is sufficiently staffed to be able to ensure compliance.

6. Self-Reporting

Finally, if your company does discover that you have committed a violation of the OFAC’s Compliance Commitment, it is essential that you self-report as quickly as possible and fully cooperate with the investigation.

By self-reporting and cooperating with the investigation, you are more likely to get your case settled rather than prosecuted, and the fine is likely to be lower because you are not trying to hide violations.

Conclusion

To ensure that a company does not incur OFAC violations, companies must set up IP tracking, perform vendor due diligence, set up a single entity for the company, ensure proper employee training, ensure self-reporting if the company discovers issues, and set up proper competent teams for compliance.

InnReg Banner
InnReg Banner
InnReg Banner
InnReg Banner

How Can InnReg Help?

InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.

We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.

If you need help with money transmitter compliance, reach out to our regulatory experts today:

By submitting this form, you consent to be added to our mailing list and to receive marketing communications from us. You can unsubscribe at any time by following the link in our emails or contacting us directly.

By submitting this form, you consent to be added to our mailing list and to receive marketing communications from us. You can unsubscribe at any time by following the link in our emails or contacting us directly.

By submitting this form, you consent to be added to our mailing list and to receive marketing communications from us. You can unsubscribe at any time by following the link in our emails or contacting us directly.

Published on Nov 28, 2021

·

Last updated on Dec 21, 2023

Latest LinkedIn Posts