Complying with United States sanctions policy presents unique challenges to institutions that operate exclusively on the Internet. The Internet has often been thought of as an "anonymous venue" in that e-commerce transactions can be conducted in relative privacy with little or no face-to-face contact among the parties in a transaction. This anonymity creates a significant challenge for Internet businesses that wish to satisfy their due diligence requirements.
In order to be compliant with OFAC-governed sanctions regulations, US jurisdiction entities must ensure that they are not:
A. Engaging in trade or transaction activities that violate the regulations behind OFAC’s country-based sanctions programs, and;
B. Engaging in trade or transaction activities with sanctions targets named on OFAC's list of Specially Designated Nationals and Blocked Persons (SDN's).
A number of Internet-based financial service companies already developed Internet Protocol (IP) address blocking procedures. These companies use publicly available data to maintain tables of IP addresses based on geographic region. Users attempting to initiate an online transaction or access an account from a sanctioned country are blocked based on their IP address. While this approach is effective, it does not fully address an Internet firm’s compliance risks. The fact that international distribution authorities can reassign IP blocks makes the geographic location of an IP potentially dynamic.
The anonymous character of Internet-based transactions often places obstacles in the path of rigorous compliance practices. Firms that facilitate or engage in e-commerce should do their best to know their customers directly. In order to minimize their liabilities, Internet remittance and account service firms should attempt to gather authentic identification information on their customers before a new account is opened or new transaction is initiated. This information will help confirm the customer’s identity and help the e-commerce firm ensure it is not conducting business with a sanctions target. Currently many Internet remittance companies use credit card authentication as the primary method of confirming a customer's identity. While this method is technologically expedient, it does not meet the standards of due diligence normally found in the non-Internet-based financial community. A company cannot rely on another firm’s compliance program in order to mitigate risk.
It is recommended that e-commerce firms gather and record "purpose of payment" information on each transaction they process. In the non-Internet sector, financial institutions are able to stop in-process transactions and gather more information on them. Due to the level of automation found within the Internet financial sector, this type of in-process information gathering is not always possible. Collecting information on the purpose of payments up front will allow Internet firms to better screen outgoing and incoming transactions for potential violations.