Most of us are familiar with, or even actively participate in, rewards programs. Maybe it’s through your place of employment or your favorite store. A rewards program can include consumer rebates, loyalty programs, sales incentives, and employee rewards and recognition, often delivered as prepaid gift cards: perhaps a card for a local coffee chain, a holiday gift, or a sales bonus.
Interestingly enough, daVinci Payments’ website describes the company “as working on behalf of your company, helping you deliver on-demand payment experiences to your customers and workforce without the cost, risk and complexity of orchestrating payments in-house.” (Emphasis mine.)
Despite the “risk” promise, daVinci Payments allegedly processed 12,391 transactions in the form of digital prepaid card redemptions worth $549,134.89 between March 2020 and February 2022 to individuals who were in sanctioned countries.
This resulted in violations of the U.S. Treasury’s Office of Foreign Assets Control (OFAC) programs. The company agreed to pay $274,950 to resolve these apparent violations.
What happened with daVinci?
DaVinci’s process was simple: their clients would send them a list of intended recipients, and daVinci would send each user an email with details of how to access their reward. In turn, the users only had to provide daVinci with typical information such as their names and addresses.
What daVinci did not have in place was a due diligence process to identify where those individuals were located, based on their IP address, and block them accordingly.
This meant reward recipients could select a non-sanctioned country when entering their address and still be allowed to download their reward, because daVinci employed no “geolocation controls.”
On top of that, the company processed redemptions for many end users whose email addresses pointed to sanctioned countries. This was evident, for example, from email domains ending in “.sy” (Syria) or “.ir” (Iran).
These are typical Red Flags that should have halted the processing of the reward, but they did not set off any alarms at daVinci, and the company continued to process the rewards.
Luckily, daVinci discovered the violations during an internal audit, conducted an investigation and reported its findings to OFAC. Because of the remedial measures taken to ensure future compliance, OFAC fined the company only $274,950 as opposed to the maximum applicable civil penalty of $4.4 million!
What can we learn?
- Companies need to limit access by IP address, blocking addresses located in sanctioned countries
- Email address suffixes for sanctioned countries should be viewed as a Red Flag and not ignored (examples: “.sy,” “.ir,” “.ru” and others)
- Internal assessments and audits are key to compliance to ensure controls are working.
- If non-compliance is discovered, submitting a voluntary self-disclosure and fixing the problem are both considered mitigating factors when penalties are assessed.
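A minimal sketch of the two screening controls from the list above (IP geolocation and email-suffix Red Flags), as an added example that is not code from daVinci, OFAC or the original article. The function names, decision labels and the IP-to-country table (built from documentation address ranges) are assumptions, and the flagged country codes are only the article's examples.

```python
import ipaddress

# Red-flag country codes: the article's own examples, not an authoritative sanctions list.
FLAGGED_CC = {"sy", "ir", "ru"}

# Constructed IP-to-country table using documentation ranges (RFC 5737);
# a real deployment would query a maintained geolocation database instead.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "us"),
    (ipaddress.ip_network("198.51.100.0/24"), "ir"),
    (ipaddress.ip_network("203.0.113.0/24"), "sy"),
]

def ip_country(ip):
    """Return the lowercase country code for ip, or None if unknown or invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None

def screen_redemption(email, declared_cc, client_ip):
    """Return (decision, reasons); decision is 'allow', 'review' or 'block'."""
    reasons = []
    declared = declared_cc.lower()
    # Last DNS label of the email domain, e.g. "sy" for user@mail.example.sy
    tld = email.rsplit("@", 1)[-1].rstrip(".").rsplit(".", 1)[-1].lower()
    geo = ip_country(client_ip)
    if declared in FLAGGED_CC:
        reasons.append("declared country is flagged")
    if geo in FLAGGED_CC:
        reasons.append(f"IP geolocates to {geo}")
    if reasons:
        return "block", reasons
    # Softer signals: hold the redemption for manual review instead of paying out.
    if tld in FLAGGED_CC:
        reasons.append(f"email domain ends in .{tld}")
    if geo is None:
        reasons.append("IP could not be geolocated")
    elif geo != declared:
        reasons.append(f"IP country {geo} differs from declared {declared}")
    return ("review" if reasons else "allow"), reasons

if __name__ == "__main__":
    # Constructed sample: user declares US, but the IP falls in a flagged range.
    print(screen_redemption("ali@example.com", "US", "198.51.100.7"))
```

The self-declared country alone never clears a request here: the decision also depends on where the connection comes from and on the email domain, which are the signals the article says went unchecked.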
Trade compliance for your business
Export Solutions offers expert assistance in managing trade compliance, including conducting thorough audits and addressing other compliance deliverables. Our team provides valuable guidance for businesses navigating complex trade regulations. Additionally, if you face the need to self-report a violation, we offer specialized support to handle the situation effectively and efficiently.