No more Tardigrade sales on PayPal!?! Due to OFAC?!?

Who’s up for a thread to go deeper 🧵 https://twitter.com/pitdesi/status/1304837523537948673
2/ OFAC is the Office of Foreign Assets Control. It’s a foreign policy tool that uses the financial system as its weapon of choice against persons and countries deemed threats to the United States.

https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions-programs-and-information
3/ OFAC has some broad tools granted to it by various statutes. It also has some very specific missions, like how it needs to block trade with Cuba and Cuban nationals. Those directives are hardwired into statutory law and can’t be ignored or waived via regulations.
4/ OFAC uses these statutory mandates in two ways.

It keeps a list of people that can’t do business with U.S. companies.

And it maintains some regulations that block companies from doing things with entire countries.
5/ OFAC will sometimes allow a company to transact with a person or engage with a country it has sanctioned. It does this by issuing “licenses.” Like your driver’s license lets you operate a car, OFAC licenses let you operate in an otherwise prohibited way.
6/ Trying to just read the OFAC rules and guidance can be maddening. Taken in black and white, it looks like you shouldn’t do anything.

But various nuggets of guidance and informal nuggets shared by officials at conferences offer some pathway.
7/ Liability is strict on paper with hair triggers. But OFAC officials will tell you they recognize that companies need some room to operate. So they usually don’t punish minor infractions.
8/ An example is when a new individual is added to its sanctioned lists. Let’s say this happens on a Friday. OFAC will generally understand if you can’t update your internal screening systems until after the weekend.
9/ so how does this apply to microorganisms that share a name with a terrorist or criminal entity?

To answer this, we need to talk about how companies design sanctions compliance systems.
10/ Companies build screening tools to help meet OFAC’s expectations.

Everyone in financial services should be screening the names of customers against OFAC’s lists.

Everyone should also screen transaction key words.

But there are complications with this.
11/ There can be a lot of noise in your screening results, due to common names and false positives.

To manage this, companies hire teams of analysts to try to see if someone is a real match or a false positive.
12/ Some of the worst false positives are due to the Kingpin Act list, which is where OFAC lists drug kingpins and associates.

A lot of these folks have common Latinx names.

Normal people with these names can sometimes be blocked from using financial services products.
13/ the lists are also ridiculous. Sometimes they list a common name and no other info — no date of birth, no other element to disambiguate Juan the guy in Cleveland from “Juan” the drug lord in LatAm.
14/ when you’re working at a company and you find you’ve allowed someone with the same name as an SDN to use your product, things get fun.

OFAC has a tool to help you decide how to proceed.

https://home.treasury.gov/policy-issues/financial-sanctions/contact-ofac/when-should-i-call-the-ofac-hotline
15/ it usually ends with the website recommending you call OFAC, so you do. And you get some nice person that has a checklist. Other times you might get a voicemail.
16/ remember Juan from Cleveland? In those situations, OFAC usually recommends you get a copy of Juan’s driver’s license and “make your own risk based decision.”
17/ Some banks lean in and use common sense - common name + location far from the drug lord’s known location = Juan can continue to be a customer.

But others say Adios Juan. We don’t talk about this enough in financial services, as it adds a hardship for Latinx underbanked.
18/ So what about Tardigrades?

That issue stems from something called “bag of words” screening.
19/ for bag of words, companies take words related to country-specific sanctions and put them into a screening system. This is the “bag.”

The words are things like Cuba, Iran, Persian Carpet, Cuban Cigar, North Korea . . .
20/ this is harder to do because now you have to screen transactions in real time on top of customer sign ups. So lots of companies choose not to do this until they run into a real OFAC issue or until they mature.
21/ Companies get to chart their own course on how they comply with OFAC requirements. But if you have too many issues you’ll end up on OFAC’s Radar. Then they chart your course for you, and that can mean tighter controls that lead to more false positives.
22/ PayPal is one of these companies. A few years ago, OFAC found PayPal lacked adequate controls and let various sanctioned individuals transact on their platform. It cost them a multi-million dollar fine, but the true cost was likely hidden to folks outside the company.
23/ the true cost was OFAC telling PayPal how to run their compliance systems. As a result, risk-averse compliance staff inside PayPal were likely given lots of deference on decisions. Even if they impacted product.
24/ @packyM asked what the downside risk was for Stripe. Getting on the wrong side of OFAC or a similar agency is one risk. Those agencies could force Stripe to enact compliance controls that make the product less usable, like we’re seeing in the PayPal example.
25/ thankfully Stripe has some rockstar folks helping them on these issues, especially Betre Gizaw, Delia Pawelke and Melissa Strait. So they’re likely to keep making prudent decisions that thoughtfully balance compliance and business needs.
26/ the PayPal tardigrade issue isn’t really interesting because it shows how a prankster might mess with famous people.

Imagine a company incorporated in London that did business with entities/countries not sanctioned there, but that were sanctioned in the US.
27/ what if it was called Donald Trump Junior, Ltd. and what if the US ended up adding that entity to its watchlist?

Suddenly anyone who bag of word screens for terms on the watchlist would start blocking payments to or from Donald Trump Junior.
You can follow @regulatorynerd.
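
The "bag of words" screening from tweets 19 and 27, as an added example that is not part of the original thread or any company's real system: it screens constructed transaction memos against the country terms quoted in the thread, then shows how adding a single watchlist name to the bag starts flagging unrelated payments. The `Tardigrade` watchlist entry, the memos and all function names are assumptions made for illustration.

```python
import re

# Country terms quoted in the thread, plus one constructed watchlist entry
# used only to reproduce the false positive the thread describes.
COUNTRY_TERMS = ["Cuba", "Iran", "Persian Carpet", "Cuban Cigar", "North Korea"]
WATCHLIST_NAMES = ["Tardigrade"]

def normalize(text):
    """Lowercase and drop punctuation so 'North-Korea' matches 'north korea'."""
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))

def build_bag(terms):
    """Map each normalized term back to its original spelling."""
    return {normalize(t): t for t in terms}

def screen(memo, bag):
    """Return bag terms present in the memo, matched on whole-token boundaries."""
    padded = f" {normalize(memo)} "
    return sorted(orig for norm, orig in bag.items() if f" {norm} " in padded)

def substring_screen(memo, bag):
    """Naive variant: raw substring match, which adds noise for analysts."""
    lowered = memo.lower()
    return sorted(orig for norm, orig in bag.items() if norm in lowered)

if __name__ == "__main__":
    # Constructed memos; none involves a sanctioned party.
    memos = [
        "Tardigrade plush toy for my niece",
        "Deposit for hotel in Tirana",
        "Startup incubator fee",
        "Invoice 1042 North-Korea freight",
    ]
    before = build_bag(COUNTRY_TERMS)
    after = build_bag(COUNTRY_TERMS + WATCHLIST_NAMES)
    for memo in memos:
        print(memo)
        print("  country bag only :", screen(memo, before))
        print("  + watchlist name :", screen(memo, after))
        print("  naive substring  :", substring_screen(memo, after))
```

Token-boundary matching removes hits like "Tirana" and "incubator", but it cannot tell the plush toy from the listed entity; that decision still lands on an analyst.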