PayPal, an electronic payments company, this week reached a $7.7 million settlement with the Treasury Department’s Office of Foreign Assets Control for sanctions violations. The civil penalties could have been significantly higher, had PayPal not self-reported the violations and cooperated with the government.

According to OFAC, PayPal for a period of several years processed 486 transactions totaling approximately $43,934 in violation of OFAC regulations governing sanctions programs. “PayPal failed to employ adequate screening technology and procedures to identify the potential involvement of U.S. sanctions targets in transactions that PayPal processed,” OFAC said. As a result of this failure, PayPal did not screen in-process transactions to reject or block prohibited transactions as required under U.S. economic sanctions laws.

Below is a breakdown of the transactions processed by PayPal, according to OFAC:

Between 2010 and 2013, PayPal processed 98 transactions totaling $19,344.89 in violation of the Cuban Assets Control Regulations. The total base penalty for this set of violations was $9,672.45.

Between 2009 and 2013, PayPal processed 125 transactions totaling $8,257.66 in apparent violation of the Iranian Transactions and Sanctions Regulations. The total base penalty for this set of violations was $4,129.

Between 2009 and 2013, PayPal processed 94 transactions totaling $5,925.27 in violation of the Global Terrorism Sanctions Regulations. The total base penalty for this set of violations was $2,984.88.

Between 2010 and 2013, PayPal processed 33 transactions totaling $3,314.43 in violation of the Sudanese Sanctions Regulations. The total base penalty for this set of violations was $1,657.

Each of the transactions that gave rise to the violations either contained an explicit reference to a country subject to OFAC sanctions or another term linked to the country (i.e., “Tehran,” “Khartoum,” “Cuba,” “Iran,” “Sudan,” “Iranian,” or “Cuban”), or involved a PayPal account in which the Specially Designated Global Terrorists Interpal or Kahane Chai had an interest.

Egregious Violations

Separately, between 2009 and 2013, PayPal processed 136 transactions totaling about $7000 to or from a PayPal account registered to Kursad Zafer Cire, a Turkish national who violated the Weapons of Mass Destruction Proliferators Sanctions Regulations (WMDPSR), OFAC said.

PayPal claimed that it failed to identify Cire as a potential Specially Designated National (SDN) at the time of his designation because its money services business (MSB) automation processes was not “working properly.” On several more occasions, however, when PayPal’s automation processes did flag Cire’s transactions as potential matches to the SDN, each of these warnings was dismissed by separate PayPal Risk Operations Agents, OFAC said. It was not until PayPal’s filter flagged Cire’s account for a seventh time that the MSB appropriately blocked the account and reported it to OFAC.

Unlike the other sanctions violations, which OFAC determined constituted a non-egregious case, the violations of the WMDPSR constituted an egregious case, OFAC said. The total base penalty for this set of violations alone amounted to $17 million.

Compliance Failures

OFAC found the following to be aggravating factors in the case:

PayPal’s management demonstrated reckless disregard for U.S. economic sanctions requirements in deciding to operate a payment system without implementing appropriate controls to prevent the system from processing transactions in apparent violation of OFAC regulations;

PayPal management and supervisors knew of the conduct giving rise to the apparent violations;

PayPal’s conduct resulted in harm to U.S. sanctions program objectives, and the MSB provided economic benefit to Cire and undermined the integrity of the WMDPSR by operating an account and processing transactions on behalf of an SDN for approximately three-and-a-half years; and

PayPal’s OFAC compliance program was inadequate to prevent the apparent violations.

Mitigating Factors

As a mitigating factor in the case, however, OFAC acknowledged that PayPal hired new management within its compliance division, identified OFAC-related issues with regard to the MSB’s payment system in 2011, and undertook various measures to strengthen PayPal’s OFAC screening processes and measures, including steps to implement more effective controls.

Furthermore, OFAC said PayPal “substantially cooperated” with the investigation, including by submitting the relevant documents and information in a “clear and organized fashion, answering numerous follow-up inquiries for information over the course of OFAC’s investigation, and by entering into a statute of limitations tolling agreement and an extension to the agreement.”

PayPal also has not received a penalty notice or finding of violation in the five years preceding these violations.