Tango Card, a Seattle-based supplier and distributor of electronic rewards, agreed to pay approximately $116,000 as part of a settlement with the Treasury Department’s Office of Foreign Assets Control (OFAC) for apparent sanctions violations related to its issuance of e-gift cards.
Tango Card transmitted at least 27,720 merchant gift cards and promotional debit cards totaling nearly $400,000 to individuals with email or IP addresses associated with sanctioned jurisdictions, including Cuba, Iran, Syria, North Korea, and Ukraine (Crimea), OFAC stated in an enforcement release Friday. The alleged lapses occurred from September 2016 through September 2021.
Tango Card voluntarily self-disclosed the matter to OFAC, which determined the case to be nonegregious.
The details: Tango Card used geolocation data and had screening and know your customer (KYC) controls in place to identify potential transactions with direct customers within sanctioned jurisdictions. However, “It did not use those controls to identify whether recipients of rewards, as opposed to senders of rewards, might involve sanctioned jurisdictions,” OFAC found.
A Tango Card client discovered the issue in February 2021 when it found reward recipient email addresses it previously provided to Tango Card had top-level domains (TLDs) associated with sanctioned jurisdictions. Tango Card conducted a lookback review regarding the matter, identifying further instances of award recipients redeeming from IP addresses located in sanctioned jurisdictions, according to OFAC.
“Tango Card failed to impose risk-based geolocation rules using tools at its disposal to identify the location of its reward recipients, despite having reason to know that it was transmitting rewards to recipients in sanctioned jurisdictions based on IP address and TLD data in its possession,” said OFAC.
After discovering the issue, Tango Card cooperated with OFAC’s investigation and enhanced its sanctions compliance processes, including by hiring more staff, retaining a consultant, conducting additional training, and acquiring new screening tools. Tango Card implemented geoblocking for TLDs, updated its IP address geoblocking, and began running monthly reports to ensure its controls around TLDs and IP addresses were working to prevent transactions in sanctioned regions.
“This case demonstrates the importance of using relevant geographic information as part of an effective, risk-based sanctions compliance program, including the use of appropriate geolocation tools to identify transactions potentially involving sanctioned jurisdictions,” said OFAC. “In addition, while contractually obligating customers to comply with sanctions regulations can help mitigate risk, it does not obviate the need to impose other sanctions compliance controls when appropriate on a risk basis.”
Tango Card response: “Building systems with compliance top of mind is key for us, our customers, and our future growth,” the company said in an emailed statement. “We are excited to refocus our attention on offering great rewards to customers around the world with higher confidence in our compliance controls.”