Those involved in cryptocurrencies – from Bitcoin to Dogecoin, and all points in between – should be aware that crypto exchanges appear to be the U.S. Department of Treasury's next big target. In recent statements, Treasury officials reported that crypto exchanges that are in the business of furthering cyber criminals are squarely in the U.S. Government's sights. This includes not only virtual currency exchanges involved in laundering ransoms from ransomware attacks, as discussed in Treasury guidance released last month, but also U.S.-based virtual currency service providers that fail to implement adequate sanctions compliance controls.
In recent years, the Treasury Department's Office of Foreign Assets Control (OFAC), the agency charged with enforcing economic sanctions, has targeted individuals and companies in the virtual currency industry in connection with illegal activity such as money laundering and facilitating financial transactions for ransomware actors. On September 21, 2021, for example, OFAC designated its first virtual currency exchange, SUEX OTC, S.R.O. (SUEX), as a Specially Designated National (SDN) for its part in facilitating financial transactions for ransomware actors. This SDN designation blocks U.S. persons from engaging with the SUEX exchange, effectively prohibiting it from operating in the U.S. financial market. This year, OFAC has also increasingly focused on U.S.-based virtual currency service providers that have allegedly failed to implement controls necessary to prevent sanctioned users from accessing their services. In particular, earlier this year OFAC announced settlements of more than $500,000 and nearly $100,000 with BitPay, Inc. and BitGo, Inc., respectively. Reportedly, the largest U.S.-based cryptocurrency exchange, Coinbase Global Inc., is currently under review by OFAC after voluntarily disclosing potential sanctions violations to the agency.
Given growing industry concerns, OFAC published new guidance and additional FAQs on sanctions compliance and risk mitigation best practices for virtual currencies on October 15, 2021. According to OFAC, sanctions obligations under U.S. law apply equally to transactions involving virtual currencies and those involving traditional fiat currencies. A few days later, on October 18, 2021, Treasury sent another warning signal to the industry when it published its 2021 sanctions review where digital currencies were specifically identified as a technological innovation that could be used to hide cross-border transactions and potentially reduce the efficacy of U.S. sanctions. In light of the focus and heightened enforcement, cryptocurrency and crypto exchange companies and their investors should heed this latest guidance from the Treasury Department to ensure they do not inadvertently show up on OFAC's enforcement radar.
The OFAC guidance reinforced the agency's authority to administer sanctions on U.S. persons and the general requirements for reporting, recordkeeping and obtaining licenses. It also provided recommendations for best practices specific to the virtual currency industry, advising the industry to do the following:
Implement and Enhance Your Sanctions Compliance Program
Enhance your compliance programs where they may be lacking. As with other industries, per OFAC's sanctions compliance framework, consider enhancing a new or existing compliance program with management's commitment to the sanctions compliance program, performing risk assessments, imposing internal controls, and conducting auditing and training.
Use Geolocation Tools and IP Address Blocking Controls
Incorporate tools to identify IP addresses originating from sanctioned jurisdictions and prevent them from accessing your company's website and engaging in prohibited activity. Automated tools can be very helpful in mitigating sanctions risk, such as by identifying IP misattribution and other red flags. According to the settlement agreement between OFAC and the payment processor and virtual currency provider BitPay, Inc., OFAC found the company had location information, including IP addresses, for users of its platform, but failed to use that data to block its platform from persons apparently located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria. Likewise, in the case of BitGo, Inc., OFAC determined the company had reason to know some users were located in Crimea, Cuba, Iran, Sudan, and Syria based on IP address data, but nevertheless allowed those users to open and use its digital wallet service.
Adopt Know Your Customer (KYC) Procedures
Obtain customer information throughout the business relationship supply chain. Conduct due diligence reviews of person and entity names or trade names, dates of birth, email addresses, nationality, IP addresses, bank information, government identification, residency documents, line of business, ownership information, and any other relevant government data. This customer information may be gathered at various points in the business relationship and for various purposes. In short, it is critical to understand who is accessing your company's platform and services.
Transaction Monitoring and Investigation Software
Use software to identify transactions involving virtual currency addresses or other information associated with sanctioned individuals and entities listed on OFAC's Specially Designated Nationals (SDN) List and other restricted lists, or located in sanctioned jurisdictions.
Implementing Remedial Measures
Identify and compensate for any weaknesses in new or existing sanctions compliance internal controls. Examine and enhance your own compliance weaknesses but also learn from other companies in the cryptocurrency industry, as described in other recent enforcement actions conducted by OFAC.
OFAC notes several remedial measures in its guidance. While these measures are not unique to the virtual currency industry, they are certainly worth considering in the context of crypto:
- Implementing IP address blocking and email-related restrictions for sanctioned jurisdictions;
- Creating a keywords list of a sanctioned jurisdiction's cities and regions to be used when screening KYC information;
- Reviewing and updating end-user agreements to include information about U.S. sanctions requirements;
- Conducting retroactive batch screening of all users;
- Implementing an OFAC-related training program for employees;
- Conducting additional sanctions compliance training for all relevant personnel; and
- Hiring additional compliance staff and a dedicated chief or sanctions compliance officer.
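As an added illustration (not part of OFAC's guidance or of this alert's original text), the following sketch shows how retroactive batch screening can combine IP data a platform already holds with a keyword list of cities and regions applied to KYC fields. The record field names, the IP-to-jurisdiction ranges and the keyword list are constructed assumptions; a production system would use a maintained geolocation feed and a reviewed keyword list.

```python
import ipaddress
import re

SANCTIONED = {"Crimea", "Cuba", "Iran", "North Korea", "Sudan", "Syria"}
# Constructed stand-in for a GeoIP feed (RFC 5737 documentation ranges).
GEO_RANGES = [(ipaddress.ip_network(n), p) for n, p in (
    ("192.0.2.0/24", "Crimea"), ("198.51.100.0/24", "Iran"),
    ("203.0.113.0/24", "Germany"))]
# Constructed sample keyword list: city/region name -> jurisdiction.
KEYWORDS = {"sevastopol": "Crimea", "simferopol": "Crimea", "crimea": "Crimea",
            "tehran": "Iran", "iran": "Iran", "havana": "Cuba", "damascus": "Syria"}

def geolocate(ip):
    """Return the jurisdiction for an IP string, or None if unknown or malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((p for net, p in GEO_RANGES if addr in net), None)

def screen_user(user):
    """Return sorted (source, jurisdiction) hits for one stored user record."""
    hits = set()
    for ip in user.get("login_ips", []):
        place = geolocate(ip)
        if place in SANCTIONED:
            hits.add(("ip", place))
    # Whole-word matching, so "iran" inside "Miranda" does not fire.
    text = " ".join(user.get(f, "") for f in ("address", "email"))
    for word in re.findall(r"[a-z]+", text.lower()):
        if word in KEYWORDS:
            hits.add(("keyword", KEYWORDS[word]))
    return sorted(hits)

def batch_screen(users):
    """Retroactive pass over every account; returns {user_id: hits} for flagged ones."""
    return {u["id"]: h for u in users if (h := screen_user(u))}

# Constructed sample records.
USERS = [
    {"id": "u1", "login_ips": ["203.0.113.7"], "address": "12 Miranda St, Berlin"},
    {"id": "u2", "login_ips": ["203.0.113.9", "192.0.2.44"], "address": "Berlin"},
    {"id": "u3", "login_ips": ["not-an-ip"], "address": "Lenina 5, Sevastopol"},
]
FLAGGED = batch_screen(USERS)  # accounts needing compliance review
```

A hit here is a lead for compliance review, not a determination; keyword and IP matches both produce false positives that a person has to resolve.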
If you have any questions as to how these recent developments may affect your business, please reach out to Venable's Trade and Logistics Group for guidance.