Rewards Card Issuer Cited for Screening Fail


As a result of deficient geolocation identification processes, Tango Card transmitted at least 27,720 stored value products to individuals with Internet Protocol (IP) and email addresses associated with Cuba, Iran, Syria, North Korea, and the Crimea region of Ukraine, in apparent violations of multiple U.S. sanctions programs.


The Seattle company supplies and distributes rewards, often in the form of stored value cards to support client businesses’ employee and customer incentive programs.  While Tango Card used geolocation tools to identify transactions involving countries at high risk for suspected fraud,  and had OFAC screening and Know Your Business mechanisms around its direct customers, it did not use those controls to identify whether recipients of rewards, as opposed to senders of rewards, might involve sanctioned jurisdictions.   


In February 2021, one of Tango Card’s clients found that several reward recipient email addresses that it had previously provided to Tango Card (and to which Tango Card had sent rewards) had top-line domains (TLDs)1 associated with sanctioned jurisdictions. The subsequent review found that between September 2016 and September 2021, Tango Card transmitted 27,720 merchant gift cards and promotional debit cards, totaling $386,828.65, to individuals with email or IP addresses associated with Cuba, Iran, Syria, North Korea, or the Crimea region of Ukraine.


Tango Card engaged in apparent violations of § 515.201 of the Cuban Assets Control Regulations (CACR), 31 C.F.R. part 515; § 560.204 of the Iranian Transactions and Sanctions Regulations (ITSR), 31 C.F.R. part 560; § 542.207 of the Syrian Sanctions Regulations (SSR), 31 C.F.R. part 542; § 510.206 of the North Korea Sanctions Regulations (NKSR), 31 C.F.R. part 510; and Executive Order (E.O.) 13685, “Blocking Property of Certain Persons and Prohibiting Certain Transactions with Respect to the Crimea Region of Ukraine” (the “Apparent Violations”).


Following discovery of the Apparent Violations, Tango Card implemented a number of remedial

measures, including geo blocking of IP and email addresses associated with sanctioned

jurisdictions, hiring additional staff dedicated to improving compliance, and conducting additional sanctions compliance training. Tango Card also acquired additional screening tools and  implemented new monthly lookback reports designed to identify recipients located in sanctioned jurisdictions.


While the statutory maximum civil monetary penalty applicable in this matter is $9,168,949,062,  OFAC determined that Tango Card self-disclosed the Apparent Violations and that the Apparent Violations constitute a non-egregious case. Accordingly, under OFAC’s Economic Sanctions Enforcement Guidelines (“Enforcement Guidelines”), 31 C.F.R. part 501, app. A, the base civil monetary penalty applicable in this matter equals the sum of one-half of the transaction value for each apparent violation, which is $193,414.33 reduced to $116,048.60, reflecting the company’s voluntary self-disclosure and remedial efforts put in place, including improved TLD and IP address geo-blocking; enhanced training and reporting, and hiring a consultant.  



No comments on this item Please log in to comment by clicking here