As virtual currencies grow in use and importance, those who operate in the industry must ensure they have compliance measures in place to ensure that their operations do not violate applicable economic sanctions. In recent years, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) has increasingly imposed sanctions on individuals that have used virtual currency in connection with criminal activity, and the Financial Crimes Enforcement Network (“FinCEN”) has identified virtual currency as a preferred payment method for ransomware perpetrators. Moreover, in 2021, OFAC entered into a settlement agreement with a U.S.-based virtual currency payment service provider for processing transactions with persons located in sanctioned countries.
In light of the increased risk and regulatory focus, OFAC has earlier this month published “Sanctions Compliance Guidance for the Virtual Currency Industry” (the "guidance") which provides an overview of OFAC sanctions and guidance for an effective sanctions compliance programme, seeking to contextualize this information and provide specific risk indicators for the virtual currency industry.
Overview
According to the OFAC guidance, US sanctions apply to virtual currency in the same measure as fiat currency. The Guidance notes that, as with other companies subject to US sanctions jurisdiction, virtual currency companies should ensure their compliance programs incorporate the five essential components of a sanctions compliance programme as set out in OFAC’s “Framework for OFAC Compliance Commitments”: risk assessment, internal controls, management commitment, training, and testing/auditing. For more information on the Framework, see our prior article here.
The guidance clarifies that OFAC has jurisdiction over “anyone engaging in virtual currency activities in the United States, or that involve U.S. individuals or entities”. OFAC’s jurisdiction also extends to foreign entities owned or controlled by U.S. persons for purposes of its sanctions targeting Cuba and Iran, and in limited cases to certain foreign financial institutions for purpose of its sanctions targeting North Korea. The Guidance also stresses that virtual currency operators should also be aware of facilitation risks and breaches where a non-US person causes a US person to violate sanctions.
While much of the guidance summarises (and restates) general sanctions compliance guidance, it also seeks to provide specific guidance on what these elements mean for virtual currency companies. Below are some of the key takeaways for the virtual currency industry.
Risk-based sanctions compliance programme
The guidance states that “all companies in the virtual currency industry, including technology companies, exchangers, administrators, miners, and wallet providers, as well as more traditional financial institutions that may have exposure to virtual currencies or their service providers, are encouraged to develop, implement, and routinely update, a tailored, risk-based sanctions compliance program.” This should “generally include” screening against sanctions lists, geographies, and “other appropriate measures as determined by the company’s unique risk profile.”
OFAC notes that many in the virtual currency industry are at different stages of maturity, and in some cases have not implemented policies even years after commencing operations. OFAC warns that virtual currency companies should not delay implementing a sanctions compliance programme. Although US sanctions create offences of strict liability, having a sanctions compliance programme in place can significantly mitigate penalties or even contribute to a resolution without penalty.
Risk assessments are the first step to identify sanctions risks and should reflect factors such as the customer/client base, products and services offered, supply chain, counterparties and geographic locations related to those factors.
In the virtual currency industry, a particular risk is with users located in sanctioned jurisdictions seeking to access virtual currency products and services. The guidance highlights this point by citing a 2020 settlement between a US company with OFAC for processing virtual currency transactions with persons located in sanctioned jurisdictions. In that case, the company tracked IP information, but did not use the information to screen for sanctions risks, which OFAC considered to be an aggravating factor in determining the appropriate penalty.
While OFAC advise that, in general, internal controls such as screening and due diligence should be tailored to the particular sanctions risks the company identifies in its risk assessment, some examples particular to the industry may include using geolocation tools and IP address blocking controls to prevent prohibited activity and alert for potential breaches.
In 2018, OFAC began including certain known virtual currency addresses as identifying information for persons listed on the specially designated nationals (“SDN”) List. OFAC advices that these virtual currency addresses should be incorporated into transaction monitoring and investigation software. OFAC further stresses in the guidance that virtual currency companies should pay attention to unlisted virtual currency addresses and consider historic lookbacks to test transactions for connections to the OFAC SDN list. The addresses can be searched using the “ID #” field in OFAC’s Sanctions List Search tool.
Blocking and reporting
Where banks receive funds in which a sanctioned person has an interest, they are required to block the funds. Virtual currency providers equally need to put procedures in place to “deny all parties access to that virtual currency” where an SDN has an interest. Companies are not required to convert it to fiat currency or hold the blocked property in an interest-bearing account. It must be reported to OFAC within ten business days, and on an annual basis while the property remains blocked. Therefore, those in the virtual currency industry must ensure they have appropriate reporting procedures in place and recordkeeping to manage ongoing reporting.
Particular root causes and red flags
The guidance helpfully summarises some of the remedial measures and red flags that have been identified in previous enforcement cases.
For virtual currency companies in particular it may be useful to:
- use IP address blocking and email-related restrictions for sanctioned jurisdictions, and
- monitor attempts to:
- transact using a virtual currency address associated with a blocked person or sanctioned jurisdiction, or
- access a virtual currency exchange from an IP address or VPN connected to a sanctioned jurisdiction
Additionally, “red flags” indicative of money laundering or other illicit financial activity may also be indicative of potential sanctions evasion.
Frequently Asked Questions
Virtual currency companies should also review the FAQs on virtual currency topics summarised at the end of the OFAC guidance, including Venezuela-related sanctions, definitions of “digital currency” and “virtual currency”, guidance on identifying digital currency addresses on the SDN list, and blocking virtual currency.
Conclusion
Virtual currency companies should now be on alert that they are expected to implement sanctions compliance programs in line with OFAC guidance and monitor transactions for suspicious activity and indications of sanctions evasion.
Contact us if you have any questions about the guidance, the application of OFAC sanctions to virtual currencies, or designing or testing the effectiveness of your sanctions compliance program.
Authors
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.