On October 15, 2021, the US Department of the Treasury’s Office of Foreign Assets Control ("OFAC") issued a brochure to promote sanctions compliance in the virtual currency industry (the "Guidance")1 and updated two related Frequently Asked Questions (FAQs 5592 and 646). The growing prevalence of virtual currency in the global economy denotes greater exposure to sanctions risks. Accordingly, the entire virtual currency industry, including technology companies, exchangers, administrators, miners, wallet providers and users, plays an increasingly critical role in preventing the use of virtual currencies to evade sanctions. While the Guidance largely tracks general sanctions advice in other contexts, this latest publication demonstrates OFAC’s growing attention to the virtual currency sector.
Introduction of OFAC
OFAC is responsible for administering and enforcing economic sanctions against targeted foreign countries, geographic regions, entities, and individuals. "Economic sanctions are used by the US government to prevent targets such as terrorists, international narcotics traffickers, weapons of mass destruction proliferators, and perpetrators of serious human rights abuse from accessing the US financial system for purposes contrary to US foreign policy and national security interests, and to change the behavior of such targets."3
OFAC administers over 35 different sanctions programs. Perhaps the most prominent list of sanctioned persons (individuals and entities) that OFAC maintains is the list of Specially Designated Nationals and Blocked Persons, commonly known as the "SDN List."
In general, enforcement of OFAC’s sanctions regimes is based on a strict liability legal standard, and sanctions restrictions apply to both US and – when engaging in transactions with a US nexus – non-US persons. Failing to adhere to OFAC sanctions requirements may lead to substantial civil and criminal penalties.
Blocking Virtual Currency
In the updated FAQ 646, OFAC clarifies that once a US person determines that it holds virtual currency that must be blocked under OFAC’s regulations, it must deny all parties access to that virtual currency and ensure that the virtual currency is not inadvertently transferred, released, or otherwise dealt in. In addition, "[b]locked virtual currency must be reported to OFAC within 10 business days, and thereafter on an annual basis, so long as the virtual currency remains blocked."4
An Increased Focus on Virtual Currency Transactions
OFAC sanctions have increasingly targeted persons that have used virtual currency in connection with malign activity. For example, the Guidance notes that "[o]n March 2, 2020, OFAC sanctioned two Chinese nationals involved in a North Korean state sponsored money-laundering scheme who received approximately $100 million in virtual currency stolen from cyber intrusions against two virtual currency exchanges."5
In light of the increasing focus on enforcement actions involving the virtual currency sector, OFAC published this Guidance that strongly encourages a risk-based approach to sanctions compliance. The Guidance references OFAC’s "A Framework for OFAC Compliance Commitments," noting that there are five essential components of an effective sanctions compliance program: (1) Management Commitment, (2) Risk Assessment, (3) Internal Controls, (4) Testing/Auditing, and (5) Training.
OFAC considers demonstrated senior management commitment to sanctions compliance as one of the most important factors to a compliance program’s success. Managers of virtual currency companies can demonstrate their commitment to sanctions compliance by evaluating potential sanctions risks as early as the beta testing stage of operations and developing their companies’ sanctions compliance programs before launching new products and services. OFAC maintains that virtual currency companies should consider sanctions compliance during the testing and review process so that sanctions compliance can be accounted for as technologies are being developed.
OFAC encourages members of the virtual currency industry to assess their sanctions risk prior to providing any services or products to customers. This assessment should be tailored to the types of virtual currency products and services offered, as well as the locations in which such products and services are offered. This assessment may also include evaluating whether counterparties and partners also have adequate sanctions compliance policies and procedures. While OFAC does not permit companies to rely on counterparty or partner compliance policies and procedures, it does suggest that companies should evaluate them for adequacy.
One lesson learned is that in 2021, OFAC entered into a settlement agreement with a US virtual currency payment service provider because, "[w]hile the company’s sanctions compliance controls included screening its direct customers for a potential nexus to sanctions, the company failed to screen available information about the individuals who used its payment processing platform to buy products from those merchants."6 In light of this, it is crucial for companies in the virtual currency sector to consider the typical information that will be made available to them, such as Internet Protocol (IP) addresses, in relevant transactions and, more importantly, to what extent such information assists the screening process.
OFAC also recommends having policies and procedures to address the risks identified in a company’s risk assessment. These may include controls to identify, interdict, escalate, report, and maintain records for activities prohibited by OFAC sanctions. The Guidance references another example in 2020 where a "company tracked its users’ IP addresses . . . [but] did not use the IP address information it collected to screen for and prevent potential sanctions violations."7
In this context, virtual currency companies may consider the following best practices to strengthen internal controls8:
- Geolocation Tools: Incorporate geolocation tools and IP address blocking controls to identify IP addresses that correspond to sanctioned jurisdictions and prevent them from accessing a company’s website and services. Analytic tools can identify IP misattribution, for example, by screening IP addresses against known virtual private network (VPN) IP addresses and identifying improbable logins. Additionally, virtual currency companies should review address information provided by a customer or counterparty, and information contained in email addresses and invoices, and other transactional information.
- Know Your Customer (KYC) Procedures: By way of example, the Guidance notes that companies should gather and consider the following information in their KYC Procedures during onboarding and throughout the lifecycle of the customer relationship and use such information to conduct due diligence sufficient to mitigate potential sanctions-related risk:
- Individuals: legal name, date of birth, physical and email address, nationality, IP addresses associated with transactions and logins, bank information, and government identification and residency documents; and
- Entities: entity name, line of business, ownership information, physical and email address, location information, IP addresses associated with transactions and logins, information about where the entity does business, bank information, and any relevant government documents.
- Transaction Monitoring and Investigation: Transaction monitoring and investigation software can be used to identify transactions involving virtual currency addresses or other identifying information (e.g., originator, beneficiary, originating and beneficiary exchanges, and underlying transactional data) associated with sanctioned persons or sanctioned jurisdictions. Similarly, virtual currency companies may consider conducting a historic lookback of transactional activity after OFAC lists a virtual currency address on the SDN List to identify connections to the listed address. A lookback could also identify connections to unlisted addresses that have previously transacted with the listed address. OFAC also discusses in the Guidance about other recommended screening tools, such as fuzzy logic search.9 Virtual currency companies should also pay extra attention to the following risk indicators:10
- Providing inaccurate or incomplete customer identification or KYC information when attempting to open an account;
- Attempting to access a virtual currency exchange from an IP address or VPN connected to a sanctioned jurisdiction;
- Being non-responsive or refusing to provide updated customer identification or KYC information;
- Being non-responsive or refusing to provide additional transactional information in response to a virtual currency company’s request; and
- Attempting to transact with a virtual currency address associated with a blocked person or sanctioned jurisdiction.
- Implementing Remedial Measures: In response to contact from OFAC, virtual currency companies have taken the following types of remedial actions, some of which are actions that OFAC encourages such companies to take elsewhere in the Guidance:11
- Implementing IP address blocking and email-related restrictions for sanctioned jurisdictions;
- Implementing a sanctions-related training program for employees;
- Creating a keywords list of a sanctioned jurisdiction’s cities and regions for screening KYC information;
- Conducting additional sanctions compliance training for all relevant personnel;
- Reviewing and updating end-user agreements to include information about US sanctions requirements;
- Hiring additional compliance staff and a dedicated chief or sanctions compliance officer; and
- Conducting retroactive batch screening of all users.
Testing and Auditing
The best practices for testing and audit procedures in sanctions compliance programs include:12
- Sanctions List Screening: Ensure that screening of the SDN List and other sanctions lists is functioning effectively and is appropriately flagging transactions for further review.
- Keyword Screening: Ensure that screening tools are appropriately flagging geographic keywords in connection with KYC-related screenings or other transactional screenings.
- IP Blocking: Ensure that IP address software is properly preventing users located in sanctioned jurisdictions from accessing its products and services.
- Investigation and Reporting: Review procedures for investigating transactions identified through the screening process as having a potential sanctions nexus and procedures for blocked property or rejected transaction reporting to OFAC.
The Guidance emphasizes that "OFAC training should be provided to all appropriate employees, including compliance, management, and customer service personnel, and should be conducted on a periodic basis, and, at a minimum, annually."13 A well-developed OFAC training program will provide job-specific knowledge based on need, communicate the sanctions compliance responsibilities for all employees, and hold them accountable for meeting requirements through assessments. Effective training should account for updates to sanctions programs, as well as new and emerging technologies in the virtual currency space.
OFAC sanctions compliance obligations apply equally to transactions involving virtual currencies and those involving traditional fiat currencies. Given that members of the virtual currency industry are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions, it is crucial for them to follow the best practices suggested above for the sake of mitigating sanctions risks.
Finally, OFAC’s settlement of two fairly small virtual currency enforcement matters and its issuance of the Guidance may signal to those in the virtual currency space not only that OFAC has turned its attention to the use of virtual currencies to evade sanctions, but also that virtual currency companies that fail to follow OFAC guidance may expect much more robust enforcement responses in the future.
1 US Department of the Treasury’s Office of Foreign Assets Control, Sanctions Compliance Guidance for the Virtual Currency Industry, available at https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.
2 US Department of the Treasury, Sanctions Programs and Information FAQ 559, available at https://home.treasury.gov/policy-issues/financial-sanctions/faqs/559.
3 The Guidance, available at https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.
4 US Department of the Treasury, Sanctions Programs and Information FAQ 646, available at https://home.treasury.gov/policy-issues/financial-sanctions/faqs/646.
5 The Guidance, available at https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.
10 "Red flags" indicative of money laundering or other illicit financial activity may also be indicative of potential sanctions evasion.
11 The Guidance, available at https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.
Evan Shaver (Law Clerk, White & Case, Washington, DC) contributed to the creation of this article.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2021 White & Case LLP