In wake of OFAC action against Canadian payment processor, banks to review customers, policies
Thursday, September 29, 2016
Posted by: Brian Monroe
By Brian Monroe
September 29, 2016
The U.S. government last week launched a coordinated assault against a global network of mass mailing schemes alleged to have defrauded victims of hundreds of millions of dollars, and in a historic move designated a large Canadian payment processor as an organized criminal group.
At the heart of the wide-ranging action is the U.S. Treasury’s Office of Foreign Assets Control’s (OFAC) designation of PacNet, a payment processor and money services business (MSB) headquartered in Vancouver. OFAC said PacNet actively helped fraudulent merchants steal from millions of victims, mostly elderly and vulnerable individuals, by allowing scammers entry into the international financial system, in some cases even after being warned of their illicit acts.
The OFAC action is unique as it is the first time the agency has used its powers to blacklist transnational organized criminal groups on a foreign, commercial company that helped fraudsters steal and then launder money. The past six designations include operations like Mexico’s Zetas Cartel or Japan’s Yakuza. All of the company’s assets in the U.S. are now blocked.
The case is also causing widespread aftershocks in financial crime compliance circles, with some analysts expecting banks to engage in a fresh round of “de-risking” of third-party payment processor and MSB clients – groups already considered higher risk in the context of anti-money laundering (AML) parlance – to hopefully shed unwanted regulatory scrutiny.
As well, any banks that had direct or indirect connections with PacNet, or any of its related entities or merchants, may be considering voluntary compliance “look backs” to determine what due diligence they did on these operations, analyze if there are any gaps and review transactions with these operations for any missed, reportable suspicious activities.
“PacNet has a nearly 20-year history of knowingly processing payments relating to these fraudulent solicitation schemes, which result in the loss of millions of dollars to U.S. consumers,” the agency stated, adding that “PacNet’s processing operations help to obscure the nature and prevent the detection of such fraudulent schemes” by bank AML compliance teams.
With operations in Canada, Ireland, and the United Kingdom, and subsidiaries or affiliates in 15 other countries, PacNet is the “third-party payment processor of choice for perpetrators of a wide range of mail fraud schemes,” according to OFAC, which overall designated an international network of 12 individuals and 24 entities across 18 countries.
Key to the severity of the government response is that several times, including in 2002, 2009 and 2014, U.S. authorities warned the company about the activities of fraudulent merchants, with the company at one point admitting its operations in Canada and Ireland were fostering fraud and money laundering, but it never stopped serving the related miscreant merchants.
In addition to PacNet, U.S. authorities also went after an India-based printer that manufactures the solicitations and arranges for bulk shipment to U.S. victims, and list brokers who buy, sell or rent lists of victims from one mailer to another so that once a victim has fallen prey to one scheme, others are able to target this victim.
The OFAC action is “a very big deal,” said Erich Ferrari, a sanctions and trade attorney in Washington, D.C. “This is the first time the U.S. has really gone outside of traditional national security concerns and used this authority” on a mainstream commercial business not affiliated with a well-known organized criminal group, like the Yakuza or Sinaloa Cartel.
OFAC historically “is supposed to deal with national emergencies tied to foreign threats,” he said. “But now, the office is looking at criminal activity as being a national security threat. Although the agency has had this authority for some time, it looks like OFAC is really going to flex its muscle on this. It’s not just for show.”
The implications for a broad array of companies – including MSBs, banks, payment processors or any other company acting as a front to help criminals or fraudsters – are clear: “If they turn a blind eye to criminal activity or a criminal organization using their institution to launder the proceeds of crime, they could find themselves on the SDN list as a result,” Ferrari said.
With new designations, including common names, come compliance headaches
As part of the OFAC action, the agency designated 12 individuals who “serve as executives or directors, often in several PacNet-linked companies simultaneously, and, in some cases, provided specific guidance as to how to hide the illicit nature of PacNet’s operations or deceive the financial institutions with which PacNet interacts.”
OFAC specifically named Paul Davis, the president, partner, shareholder, or corporate director in several PacNet companies.
Davis is “directly involved in couriering funds on behalf of PacNet clients and instructing subordinates to mislabel customs forms of currency shipments to evade cross-border reporting requirements,” according to OFAC. “Davis has also knowingly misrepresented to financial institutions the nature of the business of PacNet clients.”
The agency also named Rosanne Day, who oversees day-to-day operations for PacNet Services Limited, based in Canada, and serves as the president, board member, director, or shareholder in several PacNet companies.
“She has instructed subordinates to route transactions through the PacNet entity, Indian River (UK), to hide the affiliation of the transactions with PacNet Services Limited and avoid the potential rejection of the payments by financial institutions.” According to the agency.
The designations with such common-sounding names could create new compliance challenges for banks.
With OFAC “going after more Western countries with very common names, like Paul Davis, that could cause compliance headaches for banks,” Ferrari said. “Because now anytime someone with the name Paul Davis opens an account or does a transaction, there will be a sanctions hit. And banks are already dealing with a lot of sanctions hits” and related time-consuming investigations to clear the name as a false positive.
The action also evinces a new willingness by OFAC to go after any company anywhere, even if the operation is headquartered inside the border of a longtime ally and could come with foreign policy fallout.
There was a sense in recent years that the U.S. would not want to upset a large economic ally with OFAC designations, but that isn’t the case anymore, Ferrari said. “Now, they are moving away from that mentality. It doesn’t matter if you are in Canada or Iran, OFAC will designate you. That is taking U.S. sanctions policies a step further than what has been done traditionally.”
More broadly, the actions are part of a wider effort by the Justice Department and its international law enforcement partners to “attack fraud schemes targeting older Americans and other vulnerable populations that involve individuals and entities across the globe, including Canada, France, India, the Netherlands, Singapore, Switzerland, Turkey and the United States.”
The U.S. government broke down the steps in the in the typical scam scenario:
- Step one: Scammers usually already working with PacNet will mail fraudulent solicitations to victims. These could include bogus claims the individual has won a lottery, car or cash prize, but must send in a “small fee,” or pay the “taxes,” to get it.
- Step two: The letters appear to come from legitimate sources, typically on official-looking letterhead, and – even though they are in reality identical form letters – the letters appear to be personally addressed. Some solicitations even use fonts that appear to be handwritten.
- Step three: The scammer then arranges to have victims’ payments (both checks and cash) sent directly or through a partner company to PacNet’s processing operations.
- Step four: Victims’ money, minus PacNet’s fees and commission, are made available to the scammers through wire transfers from the PacNet holding account.
- Step five: Because PacNet is making payments on behalf of the scammers, it obscures the link to the scammers, frustrating fraud and AML detection efforts at banks holding PacNet accounts, and allowing the scam to continue. This process “aims to minimize the chance that financial institutions will detect the scammers and determine their activity to be suspicious,” according to OFAC.
Compliance aftershocks could include more ‘de-risking’
With OFAC including “law enforcement issues in its jurisdiction, it brings immense power to bear to block assets and take them without a hearing, judge or jury,” said an individual familiar with the matter, who asked not to be named.
In prior designations of groups like the Yakuza, many insiders chortled because they knew no one was going to go into a bank saying they are part of the crime syndicate and want an account, said the person.
But the latest designation “is huge,” said the person. “This designation is very different because this is not a far off person in the Middle East with a very foreign-sounding name. These are Anglo Saxon names and a company with a very substantial commercial presence, not an organized crime group trying to do something under the table.”
There will also be “significant compliance blowback from banks,” going down several tiers to payment processors and any companies they are dealing with, said the person, adding that large payment processors can have agreements with hundreds of thousands of merchants.
“So, yes, this processor is criminal, and some merchants were fraudulent, but, for AML purposes, should banks assume that every merchant is tainted?” asked the person. “What do you do? Some are innocent and their only crime is working with a bad processor. In this case, there are lots of ripples on the AML and OFAC sides.”
Some banks may simply choose to completely de-risk their stock of certain online merchants, payment processors and MSBs, said the person.
In addition to the OFAC action against PacNet, several U.S. government agencies initiated operations against a bevy of other entities in the fraudulent mailing scheme transactional chain, including:
- Criminal charges and a civil injunction against a Turkish direct mailer.
- Civil fraud action against Swiss/Singaporean direct mailer, Indian printer and Connecticut list broker.
- Civil action and injunction against New York direct mailer.
- A consent decree against a Dutch “caging service,” which held monies in P.O. boxes and forwarded funds and information to PacNet for processing.
- Criminal charges against a Nevada mass mailer.
- A Federal Trade Commission action against a California mailer, Florida printer and list broker.
- Iowa Attorney General actions against a list broker and direct mailers.
OFAC PacNet action a ‘harbinger of things to come’
The OFAC action against PacNet “could be a harbinger of things to come,” said Amy Kim, Counsel with BuckleySandler. “It puts the payment processor community on alert in yet one more area in which they need to be mindful of compliance.”
The action is also noteworthy as it is an “unusual confluence of events” involving OFAC and the Justice Department targeting a payment processor, a classification generally deemed high-risk in the AML context, but which has remained relatively free of associated sanctions designations for knowingly facilitating fraudulent activities, she said.
But details in the documents reveal that the designation may not have come as a complete surprise to PacNet.
OFAC stated in its press release that PacNet was notified of the actions of certain fraudulent merchants, and the company “continued doing business with them,” Kim said. “At least there were warning signals, according to OFAC. There was some reasonable notice before this action occurred, more than once, and the company did not stop the problematic activity.”
That reaction to a government inquiry likely factored into the severity of the action, she said.
Nevertheless, the fact that other large domestic and foreign banks have had significant AML and sanctions failures, and related hefty penalties, but were not designated under these broad OFAC powers is noteworthy.
Banks likely to reflect on how they handled PacNet accounts
While U.S. government agencies routinely work together on large cases with foreign connections, this case is unique.
“It’s not entirely uncommon for OFAC and DOJ to work together so that OFAC designates someone who DOJ is investigating or has charged,” said Ben Hutten, an associate at BuckleySandler. “But what’s unusual here is who it is, a seemingly legitimate payment processor.”
That move is a message to other operations – whether they are a bank, MSB or payment processor – that if you are engaging in transactions that help criminal groups, designated or not, you could get designated as an SDN yourself, “and that may be the death penalty” Hutten stated. “The PacNet action gives teeth to that risk.”
The designation also has broader consequences for institutions that had banked the designated PacNet entities, Hutten said.
“Now that this company has been publicly called out and because its affiliates have previously admitted to similar conduct, financial institutions with exposure to PacNet may have to assess any activities that may have passed through the bank.”