Background

On Oct. 15, 2021, the Treasury Department’s Office of Foreign Assets Control (OFAC) published sanctions compliance guidance for the virtual currency industry.[1] OFAC acknowledged that virtual currencies are playing an increasingly prominent role in the global economy and that their recurrent use as payment methods poses sanctions risks. OFAC’s guidance is intended to assist industry participants in mitigating the risks that sanctioned actors will exploit these currencies, which would “undermine U.S. foreign policy and national security interests.” The effectiveness of OFAC’s sanctions depends upon the compliance of industry participants, including “technology companies, exchangers, administrators, miners, wallet providers and users[.]”

The Financial Crimes Enforcement Network (FinCEN) also released a report, in conjunction with OFAC’s guidance, on ransomware trends between January 2021 and June 2021.[2] FinCEN described a sharp increase in suspicious activity reports concerning ransomware in the first half of 2021. FinCEN also identified bitcoin as the most common payment method in ransomware transactions, further highlighting the need for companies to adopt compliance measures.

OFAC’s guidance falls within the government’s broader effort to regulate the virtual currency industry. In September 2021, OFAC sanctioned SUEX OTC, S.R.O., a virtual currency exchange, for facilitating ransomware payments.[3] On Oct. 6, 2021, the Department of Justice (DOJ) announced the creation of a National Cryptocurrency Enforcement Team “to tackle complex investigations and prosecutions of criminal misuses of cryptocurrency” and “to dismantle the financial entities that enable criminal actors to flourish ... from abusing cryptocurrency platforms[.]”[4] OFAC’s guidance provides greater clarity to industry participants concerning their compliance obligations and recommends steps to mitigate risks and avoid enforcement actions.

OFAC’s Sanctions Compliance Guidance

OFAC’s sanctions apply to “all U.S. citizens and lawful permanent residents, wherever located; all individuals and entities within the United States; and all entities organized under the laws of the United States or any jurisdiction within the United States, including any foreign branches[.]” They also apply to transactions involving both virtual and traditional fiat currencies.

OFAC provides for a strict liability standard so that it may impose civil penalties for sanctions violations even when an actor did not know of or intend to commit a violation. Accordingly, participants in the virtual currency industry must remain apprised of OFAC’s sanctions requirements and ensure they do not engage in unauthorized transactions. This includes transactions with parties on OFAC’s Specially Designated Nationals and Blocked Persons List (the SDN List), a list of sanctioned individuals and entities that OFAC has developed as part of its enforcement efforts.[5] Additionally, individuals who determine that they hold virtual currency that is blocked by OFAC’s regulations must report their finding to OFAC within 10 business days and deny all parties access to the currency. OFAC advises, however, that blocked currency does not need to be converted into fiat currency or held in an interest-bearing account.

OFAC encourages a risk-based approach to sanctions compliance and recognizes that there is no one-size-fits-all compliance program. A compliance program will depend upon a variety of factors, including “the type of business involved, its size and sophistication, [the] products and services offered, customers and counterparties, and [the] geographic locations served.” OFAC highlights five essential components to any compliance policy: (i) management commitment; (ii) risk assessment; (iii) internal controls; (iv) testing/auditing; and (v) training.

OFAC recommends that a company’s senior management evaluate sanctions risks early in the company’s development, noting that some members of the industry have implemented sanctions policies and procedures months or even years after commencing operations. When companies delay the development of their compliance programs, they expose themselves unnecessarily to a wide variety of sanctions risks. A company’s risk assessment should include a review of its connections to foreign persons and jurisdictions and demonstrate an understanding about who is accessing the company’s platform and services.

The internal controls a company should implement will depend upon “the products and services the company offers, where the company operates, the locations of its users, and [the] sanctions-specific risks the company identifies during its risk assessment process.” OFAC recommends certain best practices, including the use of geolocation tools, know your customer (KYC) procedures, transaction monitoring and investigation, and sanctions screening.

Geolocation tools can be used to identify and prevent IP addresses in sanctioned jurisdictions from accessing a company’s platform and services. KYC procedures allow companies to gather information about individuals or entities before transacting, including their possible connections to sanctioned jurisdictions. Transaction monitoring and investigation software can be used to identify transactions involving virtual currency addresses associated with sanctioned individuals. OFAC encourages companies to screen transactions and customers against OFAC’s SDN List, which includes known virtual currency addresses for sanctioned actors. Companies additionally should familiarize themselves with common red flags that indicate a potential sanctions risk, such as an individual or entity failing to provide accurate and complete KYC information upon request.[6]

OFAC emphasizes that an effective compliance program entails testing, auditing and training. Companies should test their screening procedures to ensure that they are properly flagging transactions and users from sanctioned jurisdictions. Companies should also conduct trainings on a periodic basis, and at a minimum annually, so that employees are aware of their compliance responsibilities and any updates or changes to OFAC’s sanctions guidance.

Implications

Companies that operate in the virtual currency industry should consult OFAC’s guidance and implement compliance controls early to prevent sanctions violations. OFAC’s guidance places companies on notice that they may be subject to enforcement actions and penalties if they fail to mitigate sanctions risks or commit violations, even unknowingly. As the government enhances its regulation of this developing industry, industry participants should adapt to OFAC’s compliance requirements.


[1] U.S. Department of the Treasury, Office of Foreign Assets Control, Sanctions Compliance Guidance for the Virtual Currency Industry (Oct. 15, 2021), https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.

[2] U.S. Department of the Treasury, Financial Crimes Enforcement Network, Financial Trend Analysis, Ransomware Trends in Bank Secrecy Act Data Between January 2021 and June 2021 (Oct. 15, 2021), https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf.

[3] U.S. Department of the Treasury, Treasury Takes Robust Actions to Counter Ransomware
(Sept. 21, 2021), https://home.treasury.gov/news/press-releases/jy0364.

[4] U.S. Department of Justice, Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-national-cryptocurrency-enforcement-team. 

[5] U.S. Department of Treasury, Specially Designated Nationals List – Data Formats & Data Schemas (Oct. 26, 2021), https://home.treasury.gov/policy-issues/financial-sanctions/specially-designated-nationals-list-data-formats-data-schemas.

[6] Sanctions Compliance Guidance for the Virtual Currency Industry, at 17.