Announcing the civil liability settlement, the Treasury Department's Office of Foreign Assets Control (OFAC) detailed a damning string of instances in which the company accepted and processed 486 transactions totaling approximately $43,934 over a five-year period that it should have stopped.
"PayPal's management demonstrated reckless disregard for U.S. economic sanctions requirements in deciding to operate a payment system without implementing appropriate controls," the Treasury Department said in a statement.
One of the cases involved Kursad Zafer Cire, who was named by the U.S. State Dept. in 2009 as an associate of Abdul Qadeer Khan, the Pakistani scientist who the U.S. says provided nuclear know-how to countries including Iran, Libya and North Korea.
In 2009, his name was added to the Treasury Department's list of "specially designated nationals" -- people who have been specifically named as being under sanctions by the U.S. for their involvement in terrorism, programs involving weapons of mass destruction, drug cartels or other major illicit activities.
Yet between October 2009 and April 2013, PayPal processed 136 transactions totaling $7,091 to or from an account registered in his name.
At first, PayPal failed to identify the account as potentially related to a specially designated national, but later in 2009 the account was flagged five times. On each occasion, separate PayPal risk operations agents dismissed the alerts without requesting additional information to clarify whether the account did indeed belong to someone under sanctions.
When the account was flagged for a sixth time in 2013, PayPal requested additional information from its customer, and received a copy of his passport. The name, birth date and place of birth exactly matched the person listed on the specially designated nationals list, but PayPal again approved the transfer.
It wasn't until it was flagged for the seventh time, on April 3, 2013, that the account was blocked and reported to the Treasury Department.
On hundreds of other occasions, PayPal allowed transactions to proceed although they contained specific references to countries under sanction, such as "Iran," "Cuba," "Tehran," "Khartoum" or "Sudan."
"We recognize that prior to April 2013, PayPal did not have a system that could scan payments in real time in order to block prohibited payments," Gene Truono, PayPal's chief compliance officer, said in an emailed statement. "There was a delay in the scanning, which allowed some prohibited payments to be processed. In many cases, those payments were detected and reversed."
The violations were disclosed by PayPal itself to the U.S. government, which contributed to mitigating the size of the overall settlement. PayPal brought new management into its compliance division in 2011 to strengthen its controls, which also counted as a mitigating factor.
The company said that over the last two years it has built a new payment scanning system that is now in place and allows for "real-time scanning of potentially sanctioned payments before they are processed."
Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service.