I work with sanctions. I think both can be easily blamed. Similarly to DMCA notices, most companies opt for the path of least resistance (it is cheaper to blanket ban than to investigate). Yes, politicians are to blame for creating the environment, but companies deserve flak for taking the path that is bad for the customer (unless they are sufficiently well-heeled).
My thoughts are my own. I do not represent anyone other than myself.
So look at (on one hand) a customer worth... well, PureLabs is "10 incredible FTEs," let's give them the $21/user/mo Enterprise plan at $210/month in revenue.
On the other hand, a sanctions violation could be a $65,000 fine (Trading with the Enemy Act) or $250,000 (International Emergency Economic Powers Act) for each offense. (I leave aside the million-dollar narcotics-kingpin act). On top of this we also see the risk of criminal prosecution.
In what world is it reasonable to expect anyone to take this chance?
It is hard to discuss hypothetical violations so I won't do that. It absolutely is a safe course of action to do a blanket ban. That said, is it reasonable to assume violation based on IP address (and that is what seems to have happened here)? Banks don't (typically) automatically block MUHAMMAD JIHAD even if they may end up questioning it.
That’s because the combined business of all Muhammads and their employers is way more than $210/month AND it would be illegal, and Bad PR™, to ban them from your business based just on their culture/name. Otherwise they would have been “derisked” out of service.
You have a point (and Mnuchin, to his credit, based on reports, does care about regulatory burden and its impact). So you are right, one is not like the other. To address your point directly, if OFAC tomorrow added MOHAMMAD JIHAD with no other information (no DOB, no address, and so on), you would be surprised how quickly the banks would respond.
Now note that we are discussing a name, a common, but somewhat reliable, if mutable, driver of our identity. Now compare it to IP address and tell me, which one is a better predictor of who you are.
Unless we are assuming IP is a proxy for location, which is another story.
Banks typically would react overnight to OFAC list updates, through a sanctions list service.
If no DOB or similar is also provided, though, scoring should not be too high - and if a match with Mohammad is enough to trigger an alert, the overnight alert delta would be either manually processed by Compliance, or bulk closed as false positives, depending on how much time you need to unblock the clients and similar risk considerations.
I am not sure if you realize it, but you are proving my point. Banks found a way to address the issue without adversely affecting the customers. Github appears to have only recently started to do the same, but they opted for a blanket approach as opposed to a more targeted one.
Not parent and not about terrorism directly, but Tardigrade Ltd. was sanctioned in US (because it is an arms dealer without licence in US) causing all "Tardigrade" payments blocked (even innocuous ones): https://news.ycombinator.com/item?id=24450828
Cases like this are an example of how a company trying to cover their ass leads to a customer getting kicked in the ass.
Sanctions, compliance, etc. are a messy ordeal to manage (both technically and operationally), and the way laws are written with so many intricacies and dependencies doesn't make it easier.
Because only 1 instance of violation could lead to fines equivalent to a person's salary, often the systems are made to be overly sensitive and less investigative to figure out whether a 'hit' is actually a false-positive because that also takes time/money and still carries potential risk.
My thoughts are my own. I do not represent anyone other than myself.