DaVinci Payments, a financial services firm that manages prepaid reward card programs, agreed to pay approximately $206,000 as part of a settlement with the Treasury Department’s Office of Foreign Assets Control (OFAC) addressing alleged sanctions violations across four countries.

DaVinci voluntarily self-disclosed the matter, which OFAC deemed non-egregious. The agency’s enforcement release published Monday cited the firm for 12,391 apparent violations of OFAC sanctions regarding Iran, Syria, Cuba, and the Crimea region of Ukraine.

The details: Between November 2017 and July 2022, daVinci enabled reward cards to be redeemed by persons apparently residing in the sanctioned jurisdictions, according to OFAC. The lapses were the result of flawed geolocation controls, the agency said.

A compliance review and investigation daVinci conducted between March 2020 and February 2022 uncovered the apparent issues and led the firm to block access to its platform from IP addresses associated with the sanctioned jurisdictions.

Compliance considerations: DaVinci was faulted for not exercising due caution or care when redeeming digital reward cards for users who appeared to be in sanctioned jurisdictions. The firm earned credit for cooperating with OFAC’s investigation.

Further remedial activities undertaken by daVinci included conducting real-time screening and blocking of email address suffixes associated with sanctioned jurisdictions and instituting independent third-party testing at regular intervals.

“This case further demonstrates the potential shortcomings of controls that rely on customer-provided information, rather than a holistic information-gathering system that can mitigate evasion or misrepresentation,” said OFAC in its release. “The action further highlights the value of conducting proactive, self-initiated reviews to identify compliance gaps; disclose any potential violations to OFAC; and taking steps to remediate deficiencies, including by instituting periodic independent testing to ensure adequate controls.”

Firm response: “[D]aVinci Payments recognized and notified bank partners of the activity and took immediate steps to stop the activity,” the firm said in an emailed statement. “Within the notification framework of OFAC, daVinci Payments has taken steps to comply with all statutes and regulations, resulting in the current settlement agreement.”