AirBnB has started off 2022 with a telling little enforcement action, paying $91,200 to the Office of Foreign Assets Control for failing to monitor how people were using the lodging platform to book visits in Cuba.
OFAC announced the settlement Monday. The fine is insignificant considering that AirBnB reported $2.2 billion in revenue for its most recent quarter, but we do have some interesting points to consider about how companies should scale up their technology and compliance programs to keep pace with rapid growth.
So what happened? As outlined in the OFAC settlement order, the trouble arose from AirBnB’s payments subsidiary, aptly named AirBnB Payments. The Obama Administration relaxed restrictions on doing business in Cuba in January 2015, and AirBnB began offering its hosting services there several months later — but the payments subsidiary didn’t implement sufficient procedures and controls to document why people were traveling to Cuba. AirBnB needed to keep such documentation to comply with U.S. sanctions, which only allow travel to Cuba for certain reasons.
Anyway, AirBnB Payments didn’t have systems in place to keep pace with the growth in Cuba bookings that AirBnB experienced. Eventually the company discovered the problem and reported it to OFAC, which then asked AirBnB to perform a statistical analysis of transactions.
That led AirBnB and OFAC to conclude that from 2015 to 2020, AirBnB Payments processed more than 3,400 transactions for visits to Cuba that weren’t within the 12 travel reasons permitted under U.S. sanctions law, plus another 3,000 “experiences” where AirBnB didn’t keep proper records for those transactions either. In total, AirBnB processed about $730,000 worth of transactions during the period.
More importantly — why did these violations happen? Let’s just quote directly from the OFAC statement on that point:
“These apparent violations occurred primarily because Airbnb launched its Cuba business in April 2015, which would eventually extend to a global customer base, without fully addressing the complexities of operating a Cuba-related sanctions compliance program for internet-based travel services … The scaling up of its services in Cuba appears to have outpaced the company’s ability to manage the associated sanctions risks via its technology platforms.”
In other words, the company did not scale up its compliance resources to keep pace with the regulatory compliance obligations that came along with rapid growth. Print out that sentence and staple it to your CFO’s forehead immediately.
Instead, AirBnB Payments was using manual processes and outdated technology to manage its sanctions compliance, which is roughly akin to building a nuclear device with a mallet and chisel. For example, the violations with the AirBnB Experience transactions were primarily due to technical defects on an older version of the AirBnB website, which remained operational for Cuba-related travel. That older version didn’t have the necessary functionality for guests to make an attestation about their reason for visiting Cuba.
Enter the Compliance Calculations
According to statute, the maximum civil penalty AirBnB would face for violations like this is $600.6 million. But because AirBnB voluntarily self-disclosed the violations and because the violations themselves weren’t egregious, OFAC guidelines specify that the penalties should only be 50 percent of the transaction value — which, in this case, would be $364,690. (That is, half of the nearly $730,000 in Cuba transactions.)
So how did we get from that $364,690 down to the $91,172 that AirBnB will actually pay? As usual, OFAC listed a few aggravating factors and a few mitigating ones.
The aggravating factors were two:
- The violations happened after a change in U.S. policy toward Cuba that, nevertheless, maintained certain restrictions that hadn’t changed;
- Airbnb Payments is a large and sophisticated U.S.-based technology company.
That second factor is interesting. Yet again, we have a regulator telling us that the government expects large, sophisticated companies to invest sufficient resources in their compliance programs. This is especially true for OFAC and sanctions compliance, since OFAC published guidance in 2019 expressly warning that sanctions compliance is complicated stuff that warrants dedicated staff and technology. (Shortly after that guidance, OFAC hit State Street Corp. with an enforcement action to underline the point.)
It’s also interesting to note that once AirBnB knew it had a sanctions issue, it worked with OFAC to perform a statistical analysis and extrapolate the likely violations in Cuba. That’s some pretty sophisticated technology power for a company that had previously been navigating its compliance obligations with manual processes and outdated software.
OFAC also cited numerous mitigating factors. First, AirBnB voluntarily self-disclosed its Cuba issue when the company discovered its errors. Second, AirBnB hadn’t had any OFAC violations in the prior five years.
And third, AirBnB Payments implemented a suite of sanctions compliance reforms, including:
- An IP blocking system to account for issues related to letting Cuba residents act as hosts on AirBnB’s platform, and to prevent those persons from using the platform as guests;
- Collecting country of residence and payment information, to determine whether users are Cuban nationals or residents;
- Screening of hosts to assure that none are Cuban government officials or communist party members, and also conducting manual checks to assure that no listings are associated with the Cuba Restricted List;
- Requiring guests who book a stay or experience in Cuba to complete an attestation prior to completing the reservation; and
- Requiring hosts listing a property in Cuba to certify that they are an independent entrepreneur.
So there we have it. Sanctions compliance officers will note OFAC’s emphasis on specific procedures around IP blocking and collecting payment information. That’s not news per se; lots of companies have run afoul of OFAC for similar violations. But this case is a reminder that, especially for high-growth businesses like internet-based platforms for consumer services, the company needs to invest in compliance and automation to keep pace with business growth.
The rest of us can take that same message back to the board and the C-suite too. “Sure, we don’t have sanctions risk like AirBnB does — but do you really believe OFAC is the only regulator thinking along these lines? We gotta keep our compliance program current or the Justice Department or our other regulators will run the same play against us.”
I hope that message resonates, because it’s true.