Do you have access to telematics data that keeps track of your customers and where they are from? Well, the U.S. federal government wants you to develop a risk-based Sanctions Control Program (SCP) that leverages that data.
Tech company pays fine for violating sanctions program
A California-based technology company recently paid a substantial fine to U.S. sanctions control authorities to settle allegations that the company failed to use IP addresses to identify the location of its customers. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) fined BitGo, Inc. $98,830, and the reputational fallout will compound the company’s losses.
This decision is a significant one. It is the first time the U.S. has used its sanctions enforcement authority to require a private company to leverage information in its possession concerning its customers and where they are from.
BitGo provides “non-custodial, secure digital wallet management services.” Similar to many technology and Internet of Things (IoT) providers, BitGo tracked its customers’ Internet Protocol (IP) addresses for security purposes related to account logins. However, it failed to use the IP data to prevent customers in sanctioned countries from accessing its services.
In the Enforcement Release, OFAC concluded that BitGo failed to prevent persons apparently located in the Crimea Region of Ukraine, Cuba, Iran, Sudan, and Syria from using its services. The fact that “BitGo had reason to know that some of its users were located in sanctioned jurisdictions based on those users’ IP address data, which it had separately obtained for security purposes,” was cited by OFAC as an aggravating factor in assessing the penalty.
The substantial fine reflected OFAC’s consideration of the General Factors under its Enforcement Guidelines. Notably, BitGo agreed to implement a new sanctions compliance policy, deploy heightened screening measures, and appoint a compliance officer “specifically responsible for implementing and providing guidance and interpretation on matters related to U.S. sanctions law.”
Start planning your own sanctions control program now
The BitGo decision is a wake-up call to both technology and IoT providers. Now, more than ever, industry actors (for example: global and multinational telematics companies like Geotab and their global Resellers and Partners) need to design and deploy a tailored, risk-based SCP to promote compliance and hedge against the possibility of a disruptive and costly violation of U.S. sanctions controls.
Before the BitGo decision, it was less clear to what extent OFAC would require technology companies to use available and accessible customer information in furtherance of their compliance programs. Now, the industry must carefully design an approach to sanctions control based on knowledge of their customers and where they are from.
Framework outlines five key elements for program compliance
Under current OFAC guidance, companies must design a “risk-based” approach to sanctions compliance. The relevant Framework for OFAC Compliance Commitments identifies five elements of a fully compliant SCP:
- Management Commitment
- Risk Assessment
- Internal Controls
- Testing and Auditing
- Training
This article is the first in a series on the topic of government compliance. It’s critical that technology providers take the time to carefully assess and manage their risk of suffering an OFAC enforcement action. In the weeks ahead, we will review each of the five elements of a fully compliant SCP.