On September 30, 2022, the Office of Foreign Assets Control of the US Department of the Treasury entered into a settlement with Tango Card, Inc., to resolve the company’s potential civil liability for apparent violations of US sanctions programs regarding Cuba, Iran, Syria, North Korea, and Ukraine.
Tango Card, based in Seattle, Washington, supplies and distributes electronic rewards to support its clients’ incentives programs. Following a February 2021 notification by a client, Tango Card initiated an investigation of top-line domains or IP addresses in sanctioned jurisdictions to which Tango Card had sent rewards. Although Tango Card used OFAC screening tools to identify suspicious customer addresses, it did not apply the same risk assessment measures to the addresses of reward recipients.
The company’ investigation revealed that between September 2016 and September 2021, it had transmitted 27,720 gift cards and debit cards totaling $386,828.65 to IP addresses associated with one of the sanctioned jurisdictions noted above.
OFAC found that these transactions constituted apparent violations of the Cuban Assets Control Regulations, the Iranian Transactions and Sanctions Regulations, the Syrian Sanctions Regulations, the North Korea Sanctions Regulations, and Executive Order 13685 regarding the Crimea.
In determining the settlement amount of $116,048.60, OFAC took into account aggravating factors such as Tango Card’s failure to impose currently available risk-based geolocation rules to identify reward recipients’ addresses and the company’s provision of approximately $386,828 in economic benefit to sanctioned jurisdictions.
At the same time, OFAC considered as mitigating factors the company’s clean record regarding sanctions violations for the five preceding years, Tango Card’s voluntary self-disclosure of the apparent violations and cooperation with OFAC’s investigation, and the enhanced compliance measures taken by the company since discovery of the apparent violations. These include:
• The application of geo-blocking software to reward recipients’ addresses;
• Enhanced training of employees, and expansion of the compliance team;
• The engagement of a cloud security consultant to assess Tango Card’s security posture;
• The use of additional screening tools, and
• Bi-monthly reports to quickly identify the top-line domains and IP addresses of customers and recipients.