As long as companies like PayPal have issues like that, or with moderation in case of Youtube, Twitter or Facebook, I'd claim neither of these companies have actually solved scale. If they can not properly deal with the issues that arise from scale, they haven't solved it at all. They might be reaping the benefits and dumping the issues on others but they haven't solved anything else at all.
If any match those strings it's flagged for a review.
This is more or less legally required for any company that moves money in the United States of America. You will probably find the same issues with the same terms on any other banking or financial body.
Technically, these aren't being blocked. They're being audited. The payments will still go through. The way this is taking place is following very specific legally "known good" pathways - so that when paypal does accidentally let a payment through to a sanctioned entity they are able to argue that they took every available precaution and should not have to pay the $250k per transaction fine.
The last time PayPal had to pay these fines - for example - it was ~$7m. That's not including legal fees. https://fcpablog.com/2015/03/27/ofac-fines-paypal-77-million...
It isn't flagged and reviewed, it's just outright rejected with a cryptic error message indicating that someone, somewhere breached PayPal's terms of service. No money leaves the customer's account, no money arrives in the vendor's account; the process simply fails.
No you won't because names are not unique. Banks and credit unions tend to have sophisticated data analysis, unlike the knuckleheads at PayPal.
When I heard about this nonsense years ago, I put some of the banned words in the memo area of checks and transferred money between two credit union accounts. They went through. I did the same thing using electronic transfers between accounts. Again, they went through without any problem.
A person put the words "James Kang" in a donation to the Red Cross that stated he was testing these banned words and PayPal, in their infinite stupidity, froze the transaction.
One of the Bacardi family was locked up / exiled during the first Cuban revolution ironically.
So, no, "I Can't Believe It's Not Butter!" is not a bad brand for margarine, but saying "Cuban" something in a cigar which causes all manner of embargo difficulties is bad branding.
The buyers are literally getting a message saying "This transaction cannot be completed because it violates the PayPal User Agreement"
Conversely, what stops bad actors just switching to doing transactions for t_rdigr_de, ta_dig_ade, or tar_igra_e and thumbing their nose at the filtering? (OK, realistically they would probably switch to some more obscure backup code but you get the idea.)
The basic problem here is that the burden of enforcement is being shifted by Paypal to innocent people with no warning, instead of being shouldered by the company, which is in a position to push back legally on unreasonable requests and plan ahead for reasonable ones.
This literally happened at HSBC. Employees entered transactions in exactly the way you're imagining.
(I didn't find a written source, but this is covered in Netflix's "Dirty Money", episode "Cartel Bank")
It’s up to the payment processor to have a process that ensures they don’t send payments to a blocked entity.
You can search for them here: https://home.treasury.gov/policy-issues/office-of-foreign-as... and see the listing for the company in this notice: https://home.treasury.gov/policy-issues/financial-sanctions/...
Note that the standard practice for handling an OFAC hit (e.g. payment to O Bin Laden) is to disambiguate your payee from the blocked individual/entity. This can be easy or difficult depending on how much info you have on the payee; if you have an address and nationality already that don’t match the sanctioned entity then you’re generally ok; typically you would collect a photo of the payee’s ID and run a manual check if there was any doubt.
These “enhanced due diligence” processes can be quite time consuming in aggregate, and I’m not surprised that PayPal isn’t running a detailed EDD process on transactions that will probably net it a few cents of fees.
Having said that, given the structure of their business (online checkout) I’m surprised that they are considering the product (eg “tardigrade”) as being relevant; they have account info on both the payor and payee so they know the payment isn’t going to the sanctioned Cyprus company from the OFAC list. This isn’t a Venmo payment that says “pass this payment on to Tardigrade Inc”, which you would want to block.
This seems like either a bug in their screening code or some very risk-averse logic (maybe to do with low-value transactions).
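An added example, not part of the thread and not PayPal's code: a keyword filter over the item description (the kind of filter commenters here speculate about) next to screening the payer and payee account records against a list entry and disambiguating on country and city, as the comment above describes. The `Party` record, the reduced `ListEntry` fields, the suffix list and the sample accounts are assumptions made for illustration; the one list entry comes from the listing quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ListEntry:                 # reduced form of a sanctions-list record
    name: str
    country: str
    city: str

@dataclass(frozen=True)
class Party:                     # hypothetical account record held by the processor
    legal_name: str
    country: Optional[str] = None
    city: Optional[str] = None

# Single entry, taken from the listing quoted in the thread.
SAMPLE_LIST = [ListEntry("TARDIGRADE LIMITED", "Cyprus", "Limassol")]

# Substring filter over free text, of the kind the thread guesses at.
KEYWORDS = re.compile(r"tardigrade|cuba", re.IGNORECASE)
SUFFIXES = {"LIMITED", "LTD", "LLC", "INC", "CORP", "CO"}

def naive_keyword_hit(free_text: str) -> bool:
    """True if any keyword appears anywhere in the description or memo."""
    return bool(KEYWORDS.search(free_text))

def normalize(name: str) -> str:
    """Upper-case, drop punctuation and common corporate suffixes."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)

def screen_party(party: Party, entries=SAMPLE_LIST) -> str:
    """Match on the party's legal name, then disambiguate on known identifiers."""
    for entry in entries:
        if normalize(party.legal_name) != normalize(entry.name):
            continue
        supplied = [(mine, theirs)
                    for mine, theirs in ((party.country, entry.country),
                                         (party.city, entry.city))
                    if mine]
        # Cleared only when identifiers are on file and none of them match.
        if supplied and all(m.casefold() != t.casefold() for m, t in supplied):
            return "cleared_by_disambiguation"
        # Same name with matching or missing identifiers goes to a human.
        return "manual_review"
    return "clear"

def screen_transaction(payer: Party, payee: Party, description: str) -> dict:
    """Screen who is paying whom; report the keyword result only for comparison."""
    return {
        "payer": screen_party(payer),
        "payee": screen_party(payee),
        "keyword_filter": naive_keyword_hit(description),
    }

# Constructed sample accounts (not real customers).
BUYER = Party("Alex Example", "United States", "Portland")
SHOP = Party("Example Ornaments LLC", "United States", "Seattle")
SAME_NAME_ELSEWHERE = Party("Tardigrade Limited", "New Zealand", "Wellington")
SAME_NAME_SAME_PLACE = Party("Tardigrade Ltd", "Cyprus", "Limassol")
SAME_NAME_NO_DETAILS = Party("Tardigrade Ltd.")

if __name__ == "__main__":
    print(screen_transaction(BUYER, SHOP, "Tardigrade glass ornament"))
    for payee in (SAME_NAME_ELSEWHERE, SAME_NAME_SAME_PLACE, SAME_NAME_NO_DETAILS):
        print(payee.legal_name, payee.country, "->", screen_party(payee))
```

The ornament purchase trips the keyword filter while both parties screen clear; only a payee whose own name matches the entry reaches disambiguation or manual review.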
What if an arms trader used the name “Tickets Limited”? Would they block all payments mentioning tickets? Surely not, as it would hurt their business, clearly illustrating that their conduct is not at all due to “compliance with mandatory laws and nothing we can do about it” but “we did the math and we feel we can screw you over in this case.”
Example, I know one of the largest banks in Europe used to have payments they sent to one of their South American branch offices blocked from time to time because their address in Brazil or Argentina or something was on a street called "Avenue de Cuba".
A false negative can get you a fine of $250,000 and criminal penalties.
This isn't an issue of (or not just an issue of) "not solving scale". Even if filtering issues of this sort were 99.9999% solved the risk asymmetry would still come down on taking an abundance of caution on nation-state levels of "oh crap" if you miss something.
I've worked in fintech/self-banking institutions. PayPal is a mockery of the entire industry. The example of the literal worst implementation anyone can think of and which leaves everyone scratching their head at how they manage to get away with running as fast and loose as they do.
Or you can do searches.
If they say that they will process payments unless prohibited by government sanctions and then do not process payments that are not prohibited I guess they would be getting sued for those payments.
Wrong. Assets under U.S. jurisdiction that are owned by or being transferred to persons or organizations on the Specially Designated Nationals and Blocked Persons List must be frozen. Furthermore, the Department of Treasury has a right to seize these funds without due process.
The Washington concept of NATIONAL SECURITY<tm> is a brain-eating parasite that seemingly renders compliance managers unable to tell the difference between categorically different things, such as US Senators and IRA terrorists, or Serbian companies named Tardigard and products, sold by companies completely unconnected with Serbia, with descriptions that contain the word tardigard.
As Bruce Schneier (IIRC) observed: these people are 'too dangerous' to let fly, but not dangerous enough to arrest.
Safe enough for firearms as well:
> In a 2010 report, the Government Accountability Office noted that "Membership in a terrorist organization does not prohibit a person from possessing firearms or explosives under current federal law," and individuals on the No Fly List are not barred from purchasing guns. According to GAO data, between 2004 and 2010, people on terrorism watch lists—including the No Fly List as well as other separate lists—attempted to buy guns and explosives more than 1,400 times, and succeeded 1,321 times (more than 90% of cases).
But then I think another part of the reason is that most of the international terrorist types that were originally expected to be blocked by the No Fly List were generally not in the US, and so not subject to US Gov charges or even gathering evidence.
Because it renders them liable. The whole system will turn against you if you give it an opportunity to nail you for using discretion.
And this happens everywhere in society after a certain size is reached due to the need to hold people accountable without actually being able to fully evaluate who or what is to blame (due to the situation being too complex or not having all the facts/data). But politically, someone(s) has to go down.
Perhaps we aren't scaling the judiciary system properly & allowed it to become overly complex so that only a certain subsect of the population can navigate it efficiently and an even smaller portion of that can litigate for others.
This is how you tell the difference between financial crime that the authorities don't care about and financial crime they do.
Look for personal liability.
It seems to me we build big opaque structures that prevent accountability. Your national internet provider rips you off? You'll probably be able to reverse the transaction, but good luck getting any information at all about what happened.
If you can fake ID, and you're on some list, why on Earth would you use the same name? And if you can't fake ID, then it will be linked to, you know, ID numbers, birthdays, and more.
I can't even imagine how "just names" ended up on that list, as a match requirement. How many John Smiths are there?
Very, very strange. I don't get it.
What country is that? AFAIK in the US most businesses can refuse to do business with you for any reason, except a very limited set of reasons related to discrimination.
> 44) Consumers should be guaranteed access to a range of basic payment services. Services linked to payment accounts with basic features should include the facility to place funds and withdraw cash. Consumers should be able to undertake essential payment transactions such as receiving income or benefits, paying bills or taxes and purchasing goods and services, including via direct debit, credit transfer and the use of a payment card. Such services should allow the purchase of goods and services online and should give consumers the opportunity to initiate payment orders via the credit institution’s online facility, where available. However, a payment account with basic features should not be restricted to online usage as this would create an obstacle for consumers without internet access.
Depends very much on jurisdiction. PayPal is active in many jurisdictions, too.
Unfortunately, PayPal's advanced KYC and AML verification process is hilariously incompetent and rigid.
Some months ago, they asked me to provide charity information for my personal account, and subsequently limited my receiving/sending privileges.
Phone calls to them trying to sort this out have always ended up at some call centre in the Philippines, where the agents can only tell their users that the account limitation is "for their safety".
That account of mine is still limited.
They've also limited the personal account of a friend of mine (who was interestingly enough ex-PayPal) before, also asking for charity information.
In the US, which is presumably where the sanctions trigger originates (the company is on OFAC's list), a review of a transaction is just that. Even opening an account doesn't require a review of your customer's entire financial history, merely that, for a business account, you understand the nature of your customer's business.
> In that climate there's no good reason not to massively over-filter, the risks of a false negative are way too high.
There is, however, good reason to do an actual review and not outright block transactions. The advice PayPal gave its customer, "change the wording on your website to prevent this from happening," is exactly what competent regulatory training tells you not to do. Changing the wording of a transaction to obviate the need for a review is in itself a red flag. PayPal is utterly incompetent.
This keyword stuff is no kind of protection for them, especially if their own reps are advising people to just circumvent the list, which itself probably is a TOS violation.
We have to start accepting that either websites are unwilling to or unable to do moderation in any meaningful way, unless they hire human moderators at huge costs.
Hearing an interview with the country for Facebook on Danish radio just two weeks ago, it’s pretty clear to me that it’s not that Facebook aren’t willing to implement the moderation politicians request, the problem is that they can’t. And if Facebook can’t implement moderation, there’s no way PayPal is able to with a much smaller budget.
Consider an analogy between modern social media sites and something like a phone network or postal mail service. What would happen if a politician suggested that phone companies or their national postal service should be required to monitor all communications for some vaguely-defined concept of suspicious activity, and then when something was flagged, have it reviewed by a human and if deemed inappropriate cut off the spread within X hours? It would be considered an absurd suggestion by just about everyone, for being impractical, expensive, intrusive, unreliable and of questionable benefit.
And yet, politicians keep suggesting that social media companies should be able to do almost exactly that. There are demands that these companies magically detect any sort of inappropriate content on their systems, and then remove it quickly. Small details like subjectivity, privacy and practicality never seem to feature in the press conference, though.
1. Post and phone have an expectation of privacy so the government can't review them (in the US, at least)
2. There is already a system in place to review all phone calls in real time. It's run by several Western intelligence agencies to get around the monitoring rules mentioned in #1.
Even if 2 is true, I doubt that system is preventing people from discussing controversial subjects like, say, climate change or politics, even if what the speakers are saying is untrue.
“Snowden showed how corrupt the gov’t is and how our privacy is at risk!”
“We should have the gov’t regulate communication on the big social networks!”
But regulations should always be reasonable and proportionate, and expecting a social network to police all human communication via their system for vaguely specified bad content does not seem to clear that bar.
I'd wonder why the US is still embargoing Cuba after all these years. What's the endgame? What's the goal? The Cuban regime is still there and the Soviets are long gone. It seems petty and spiteful.
For companies the size of Paypal, Google, or Twitter, the revenue from their operations is so great that leaving a few crumbs on the table by not handling corner cases is of no concern.
Smaller companies can't afford to lose (for example) 10% of their business to corner cases. For large monopolies, a 90% solution is more than good enough.
That doesn't mean that they've solved the problems of scale that we care about as a society.
But problems that are absolutely pretty big, might still only be 0.01% for Google.
PayPal is also just two words blended together. I'm not sure they're anyone's friend though.
If I had infinite resources, IMO, the way to go with this sort of thing is to have no blocked transactions or obvious failures, and only relaying the suspicious transactions for law-enforcement to review. If there are crimes, actually get involved and prosecute them, don't just create weird financial black-holes for innocent people and behaviour. From the customer side, no more stupid disruptions. If there are actual bad actors at play, they don't get any immediate feedback they've been flagged and are less likely to change their strategies and cover their tracks.
If there are too many transactions getting flagged this way and law-enforcement ends up buried under dots to connect, then that's a signaling mechanism for them too-- they've obviously done a bad job of crafting their filters and need to adjust for signal/noise.
I bet a lot of malevolent transactions do slip through the cracks because of how laughably naive this system is.
When they ban the new code word, they'll just switch again, once again screwing over the legitimate users of that word.
It's whack-a-mole, only stupider, because at least whack-a-mole at the arcade gives you prize tickets.
> TARDIGRADE LIMITED, Dimitriados 1, Limassol 4004, Cyprus; Registration Number C378737 (Cyprus) [GLOMAG] (Linked To: TESIC,
> TESIC, Slobodan (a.k.a. SLOBODAN, Tezic), Serbia; DOB 21 Dec 1958; POB Kiseljak, Bosnia and Herzegovina; nationality Serbia; citizen Serbia; Gender Male; Passport 009511357 (Serbia) expires 27 Oct 2020; alt. Passport 007671811 (Serbia) expires 05 Aug 2019
> [GLOMAG]: Executive Order 13818 - Global Magnitsky;
There is also a TARGET TRANSPORTATION LIMITED on the list. PayPal, in their infinite stupidity, would probably block transfers to the retailer Target.
Their filter is probably like /iran|tard|cuban|.../i (see also: https://www.insidehook.com/daily_brief/news-opinion/paypal-w... and https://news.ycombinator.com/item?id=24359821)
If I were you, I would expect something to trigger a blockage again (and ultimately decide, like many companies, that Paypal just isn't reliable).
A few people mentioned OFAC sanctions, so I investigated a bit more. In Dec 2019, US Dept of Treasury sanctioned companies linked to Serbian arms dealer Slobodan Tesic, including Cyprus-based Tardigrade Ltd. So PayPal flags tardigrade ornaments by mistake.
The law could provide an efficient recourse in case of false positives – e.g. a legislated right to appeal, legislated SLAs for considering appeals (and penalties for failing to meet them), indemnification for the provider if they grant an appeal in good faith, an expedited process for judicial review of denied appeals, etc – but the law doesn't, and since there is no incentive for an efficient recourse, nobody provides one
I don’t blame PayPal for their reaction, but I also doubt that they actually have better solutions than keyword blocking.
Don’t even get me started on eBay. Support is non-existent for my issue so I had to lie in a different support request to get my issue looked at. Even then what they need me to verify transactions on my account is impossible.
Instead of Tardigrade (A) shipping arms to $TERRORISTS (B) and (B) sending money to (A) by paypal in a bilateral pattern AB, they should move to the next topological level.
A ships arms to $EMBARGOED_PARTY (B), (B) sends money to $FREEDOM_FIGHTERS (C), and (C) sends drugs with street value to (A), making a triangular pattern ABC.
Extension to tetrahedral trade is left as an exercise for the reader.
Likely not due to the Scunthorpe problem like one might expect, but due to an arms dealer having sold weapons through a shell company named Tardigrade.
It's unlikely you'll be able to get Paypal to actually comply with it, but going through a path that will hit someone familiar with GDPR and mentioning this article, and escalating via the DPA, is probably the most promising option
Obviously doesn't help if you need something done quickly, because especially if you need to get the DPA involved, this process will take months.
The desire to preserve other planets for the remote chance that there's life there and we can study it before turning up anyway and ruining things is misguided. We are the only known life in the universe, it's incredibly irresponsible to not propagate such things (just in case)
I had the worst experience ever in trying to set up our recurring billing system with them, wasting several days of work, to the point that I simply gave up, switched to Stripe, and got everything up and running, in production, in hours.
Even as a consumer I had a terrible experience when trying to send money abroad, for my rent, with Xoom, a PayPal service. They initially took the money from my PayPal account, told me that the money was on its way to the recipient, only to block it some days later for non specified reasons (refunded in my account). On top of that, I lost the option to use my PayPal account to send money, for what appeared to be a technical issue.
Even if the system appeared to give me the option to use my PayPal account as a source of funds, telling me that the accounts were indeed connected, then when actually sending the money the option disappeared.
To solve the issue I called Xoom, they told me that there was no way of reconnecting my account and that I had to contact PayPal. So I did and they told me that they couldn't do anything and that I had to contact Xoom. After a few exchanges back and forth like these, I simply asked to close my Xoom account so I could open a new one and restore the link between my Xoom and PayPal accounts, but they told me that that was not possible and that to cancel Xoom I had to cancel also PayPal.
So I gave up, used another service and got my money to my recipient.
it always feels a bit weird to see people elsewhere rely on it for much more.
And this is the answer.
Paypal's existence comes down to the fact that they are the sole "legitimate" vector into the US financial system for a vast majority of the rest of the world. Because that's such a massive financial incentive, they can basically treat users however they wish and get away with it.
Even today, so many people use Venmo, which is still PayPal. Apple Cash seems to work well, but still involves an unnecessary middleman like PayPal.
Zelle is the only half decent solution that doesn’t involve third parties.
Also, with Zelle, you never need to give anyone your bank account number, and you are never authorizing anyone to reach into your account and take money via ACH, like you are with Paypal/Venmo/Apple Cash/etc. It’s also instant.
>Early Warning Services, LLC, is a fintech company owned by seven of the country’s largest banks.
>Zelle is a United States–based digital payments network owned by Early Warning Services, a private financial services company owned by the banks Bank of America, BB&T, Capital One, JPMorgan Chase, PNC Bank, U.S. Bank and Wells Fargo. The Zelle service enables individuals to electronically transfer money from their bank account to another registered user's bank account (within the United States) using a mobile device or the website of a participating banking institution.
As a non-American, seeing this listed as a plus is always so strange.
What do you mean by 'free'? Didn't they always charge fees?
For example: paypalsucks.com was set up some time around 2001.
This is the earliest snapshot the IA has of the site: https://web.archive.org/web/20010215013627/http://paypalsuck...
Outside of the US, credit cards were far from ubiquitous (and they still aren't). PayPal was the one system that could handle international transfers reasonably.
Edit: Also, speed and payments to individuals. Back when eBay was an auction house for used goods sold by individuals, not a marketplace for commercial sellers, it was the one way to get someone money that was instant. No idea how that worked in the US, but in Germany the alternative was bank transfers which took 2-3 days back then.
Now that people have got used to better payment processing the banks have had to improve, I think it's easy to forget just how bad things used to be.
Clear indication for regulatory audit, since the methodology is at fault here.
Edited to add: or the arms dealer. Either seem likely.
Paypal kept blocking the transaction even though it was just a simple person to person transfer. I was on chat with their support for nearly an hour. The person kept describing some black box of a security system that, for security purposes, no one manages or can see why transactions get flagged. I asked multiple times to speak to a manager or someone on the security team and was told consistently that managers won't have more info and there literally isn't a security team...
Needless to say I haven't used them since and will do everything I can to avoid it. I have no problem if a flag is errantly raised on a normal transaction, but to say they literally don't have a security team is mind boggling.
I made one and linked my card but rarely used it. Once I had to pay to an online merchant and for some reason the card didn't work so I hooked up my savings account. Months go by and since I never came around to using the service again, I wanted the account closed.
But before that, as a personal preference, I wanted to manually remove the card and account link. The card worked fine but it won't let me do it with the bank account. Took 3 separate chats over a week to get it done and I finally closed it to never look back. I have no idea if the dark patterns exist anymore.
Now I just use cashapp to send and receive money with my friends. Left such a salty taste in my mouth, I'll never give PayPal any business anymore, just seems sketch.
So they literally admitted that they don't have anyone actively monitoring transactions? Working to watch for fraud? Theft? Hacking?
Wow, I may stop using them as well.
I also had a bad issue with some unauthorized withdrawal via eBay, from my PayPal, in about 2004, and spent hours on the phone with no result. I wished I could boycott them after this, but no one cares, I just learned not to trust them because they are a terribly run company on the consumer support side. And I think it is because they deal so much with fraud. I don’t think we can do anything about it, except promote these stories.
I'm sure there's a "security team" somewhere that responds to attempts to directly breach PayPal's infrastructure, though I never interacted with them. (Paypal has quite a bit of on-campus physical security, and I did interact with them almost every week.)
Circling back to the discussion at hand: PayPal probably doesn't have any digital/financial security staff at their call centers (why would they?) so as far as the call center reps are concerned, there is no "security team".
Try again? Do you have a better jab?
Maybe one that doesn't rely upon a comic, as your main argument?
we know tardigrades can travel through space. what if the aliens are already here
tardigrades founded paypal to demoralize us with arbitrary + stupid rules, and their only weakness is the streisand effect
There is almost certainly a way to handle this, but it involves talking to PayPal's legal department, and it will take time.