The Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury recently published sanctions compliance guidance for the virtual currency industry (the Guidance). The move was long anticipated, given the rapid industry growth and limited regulator guidance in this space. The Guidance provides an overview of OFAC sanctions requirements and procedures, including licensing and enforcement processes, and highlights sanctions compliance best practices tailored for the virtual currency industry, which includes technology companies, exchangers, administrators, miners, wallet providers, and users.
- The Trend
The publication of the Guidance is consistent with the government’s recent efforts to ramp up regulation of the virtual currency industry. By way of example, in December 2020 and February 2021, OFAC settled with two virtual currency organizations for sanctions violations based upon their failure to monitor and block transactions involving embargoed jurisdiction IP addresses. Then, in September 2021, for the first time, OFAC designated a virtual currency exchange for its role in laundering money to ransomware attackers. And, on that same day, OFAC issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. Shortly after publication of the Guidance, the U.S. Treasury released its 2021 Sanctions Review on the overall efficacy of U.S. sanctions programs, noting that “technological innovations such as digital currencies, alternative payment platforms, and new ways of hiding cross-border transactions all potentially reduce the efficacy of American sanctions.” And finally, the DOJ recently announced the creation of a National Cryptocurrency Enforcement Team responsible for investigating and prosecuting crimes related to virtual currency.
In light of the recent regulator focus on the virtual currency industry, the publication of the Guidance should serve as a key resource industry members by providing an overview of OFAC sanctions requirements and procedures and setting out both general and industry-specific sanctions compliance best practices.
- The Guidance
The Guidance mirrors the Framework for OFAC Compliance Commitments, published in May 2019, which describes the five essential components of a sanctions compliance program generally, while highlighting ways in which the virtual currency industry can think about sanctions risk and compliance. Those components are: (1) management commitment, (2) risk assessment, (3) internal controls, (4) testing/auditing, and (5) training.
- Best Practices
Members of the virtual currency industry are responsible for ensuring they do not engage in unauthorized transactions or dealings with sanctioned persons or jurisdictions. OFAC encourages a risk-based, rather than one-size fits all, approach, taking into account the type of business involved, its size and sophistication, products and services offered, customers and counterparties, and geographic locations served. Although the key components of an effective compliance program are universal, the Guidance does provide insight on the best practices in developing and implementing a sanctions compliance program in the virtual currency context.
- Management Commitment
As with any compliance program, senior management in the virtual currency world should be committed to sanctions compliance, and demonstrate that commitment by providing adequate resources to it, and fostering a culture of compliance company-wide. OFAC has observed that virtual currency enterprises often implement OFAC sanctions policies and procedures months, or even years, after commencing operations. Such a delay can expose virtual currency companies to a wide variety of potential sanctions risks. The Guidance encourages virtual currency enterprises to evaluate potential sanctions risks during the testing and review stages of their operations, rather than after products and technologies are already launched.
- Risk Assessment
The Guidance also recommends that companies conduct a routine and ongoing risk assessment to identify potential sanctions issues. In discussing risk assessments, the Guidance highlights a 2021 OFAC settlement with a US virtual currency payment service provider. Although that company conducted sanctions screenings of its direct customers, it failed to consider available information about the individuals who used its payment processing platform to buy products from those customers.
Accordingly, a comprehensive risk assessment in the virtual currency space should include an understanding of precisely who is accessing a company’s platform or services in order to develop appropriate screening standards.
- Internal Controls
The Guidance goes on to describe various ways that virtual currency companies can enhance their internal controls to identify, block, escalate, and report potential sanctioned activities. The highlighted best practices specific to virtual currency primarily relate to internal controls.
The Guidance recommends that virtual currency companies obtain sufficient Know Your Customer data from users to mitigate potential sanctions risks. Although companies often gather this data, they do not often screen that information for sanctions nexuses. For example, the Guidance emphasizes the importance of geolocation tools and IP address blocking controls, as well as analytic tools that can identify IP misattribution, to determine whether parties involved in a given transaction are based in embargoed jurisdictions. OFAC recommends that companies consider incorporating review of information such as email addresses, invoices, and other transaction information into its sanctions compliance program, even if it was obtained for a different reason.
In 2018, OFAC began including certain known virtual currency addresses as identifying information for persons listed on the Specially Designated Nationals (SDN) list. Virtual currency companies should screen transacting parties against those addresses using OFAC’s Sanctions List Search tool.
- Testing and Auditing
As with any sanctions compliance program, OFAC recommends that those in the virtual currency industry test the program’s effectiveness.
Finally, the Guidance highlights the importance of sanctions-specific training. Given the rapid industry growth, and constantly changing regulatory landscape, effective, frequent, and tailored sanctions training should occur.
The Guidance represents OFAC’s efforts to provide greater clarity regarding the applicability of U.S. sanctions laws to the virtual currency industry. When evaluating a company’s sanctions compliance program in an enforcement context, OFAC will likely look to the best practices outlined in the Guidance. As we expect the virtual currency industry to continue to be an enforcement priority for OFAC, industry participants should consider the Guidance in designing and implementing sanctions compliance policies and procedures specific to their particular risk profiles.