BitPay offers payment processing solutions to merchant customers so they can accept digital currency payments for goods and services. For example, when BitPay receives a digital currency payment on behalf of a customer from that customer’s buyer, BitPay converts the digital currency to fiat currency and remits the fiat currency to its merchant customer. BitPay screened its merchant customers against OFAC’s List of Specially Designated Nationals and Blocked Persons and performed due diligence to make sure they were not located in embargoed jurisdictions. Though BitPay sometimes received information such as physical addresses, email addresses, and internet protocol (“IP”) addresses for its customers’ buyers, BitPay did not fully analyze this information to ascertain whether those buyers were located in embargoed jurisdictions. OFAC determined that between June 10, 2013 and September 16, 2018, more than 2,100 digital currency transactions processed by BitPay were from customers’ buyers that, according to information available to BitPay, were located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Syria, or Sudan.⁴

OFAC concluded that BitPay’s conduct resulted in apparent violations of multiple sanctions programs.⁵ The transactions totaled approximately $129,000, and BitPay faced a statutory maximum civil monetary penalty of $619,689,816 and a base civil monetary penalty of $2,255,000. Under OFAC’s Economic Sanctions Enforcement Guidelines,⁶ OFAC considered that BitPay did not voluntarily self-disclose the apparent violations and that the case was non-egregious. OFAC and BitPay agreed to a settlement amount of $507,375 — less than 23% of the base penalty and less than 0.1% of the statutory maximum.

OFAC identified two aggravating factors. First, BitPay allowed persons in embargoed jurisdictions to transact with its customers for approximately five years despite the availability of sufficient data to screen them; and second, the violations harmed the integrity of OFAC’s sanctions programs in conveying approximately $129,000 in economic benefit to individuals in several embargoed jurisdictions.

OFAC identified six mitigating factors. First, BitPay had a compliance program with screening practices in place during the relevant time period. Second, BitPay’s employee training program clearly prohibited working with sanctioned parties or parties in embargoed jurisdictions. Third, BitPay was a small business with no previous violations. Fourth, BitPay cooperated in the investigation. Fifth, BitPay undertook several measures to mitigate future risk of sanctions violations. These measures included blocking IP addresses originating in embargoed jurisdictions from connecting to its website or viewing its payment instructions; reviewing physical and email addresses of its customers’ buyers to prevent completion of invoices if an address or top-level email domain indicates an embargoed jurisdiction; and launching a mandatory customer identification tool for buyers wishing to pay an invoice of $3,000 or more, which requires an email address, photo identification or other proof of identification, and a selfie photo. Sixth, BitPay committed to continue implementing these and other compliance commitments.

What It Means For You

In 2019, OFAC published a comprehensive compliance framework identifying five essential parts of a compliance program, which we discussed here. Those elements are: (1) management commitment, (2) risk assessment, (3) internal controls, (4) testing and auditing, and (5) training. The framework strongly encourages an enterprise-specific, risk-based approach to developing, implementing, and updating sanctions compliance programs. The Enforcement Release emphasizes the application of OFAC’s regulations to digital currency transactions and encourages those providing digital currency services to use a risk-based approach, underscoring OFAC’s ongoing commitment to its compliance framework.

The BitPay enforcement also reminds organizations to update their compliance programs regularly to ensure that they comply with their obligations under the sanctions regulations enforced by OFAC. Organizations should analyze the unique risks presented by their specific businesses and take steps to mitigate those risks. For example, organizations dealing with digital currency transactions should not only consider the relationships they have with their direct customers but should also identify and screen other individuals or entities involved in those transactions if that information is available.

The BitPay settlement follows on the heels of the BitGo, Inc. (“BitGo”) settlement in late December 2020, which was OFAC’s first digital currency enforcement. Similar to BitPay, BitGo settled for an amount that was less than 0.2% of the statutory maximum despite not having voluntarily disclosed its violations. While the BitPay and BitGo enforcement releases state that companies providing digital currency services are like all financial service providers, in its two digital currency enforcements so far, OFAC seems to be giving these providers a break for violations related to financial services relative to large and sophisticated financial institutions.⁷ It remains to be seen whether the BitPay and BitGo settlements signal that OFAC will treat digital currency transactions more leniently than other types of financial transactions or whether other factors are at play in explaining these small settlements.

¹ Enforcement Release, U.S. Dep’t of Treasury, OFAC Enters Into $507,375 Settlement with BitPay, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions (Feb. 18, 2021) [hereinafter “Enforcement Release”].

² OFAC is one of many agencies tasked with enforcing regulations related to digital currency transactions, as we previously discussed here. We have also discussed other developments related to digital currently transactions, such as a recent enforcement action by another regulator here, and cryptocurrencies and anti-money laundering standards addressing them here.

³ As described below, BitPay’s direct customers are merchants that accept digital currency payments and use BitPay to process the digital currency transactions. See Enforcement Release at 1. A “customer’s buyer,” therefore, is an individual or entity that purchases something from a merchant (BitPay’s customer) using digital currency but is not BitPay’s direct customer. See id.

⁴ Sudan is no longer under a comprehensive sanctions regime effective October 12, 2017. See id. at 2 n.1. OFAC, however, still undertakes enforcement investigations and actions related to apparent violations of the Sudanese Sanctions Regulations that occurred before October 12, 2017. See id.

⁵ The Enforcement Release refers to “Apparent Violations of Executive Order 13685 of December 19, 2014, ‘Blocking Property of Certain Persons and Prohibiting Certain Transactions with Respect to the Crimea Region of Ukraine’; the Cuban Assets Control Regulations, 31 C.F.R. § 515.201; the North Korea Sanctions Regulations, 31 C.F.R. § 510.206; the Iranian Transactions and Sanctions Regulations, 31 C.F.R. § 560.204; the Sudanese Sanctions Regulations, 31 C.F.R. § 538.205 (SSR); and the Syrian Sanctions Regulations, 31 C.F.R. § 542.207.” See id. at 1-2 (footnote omitted).

⁶ See 31 C.F.R. Part 501, Appendix A, Economic Sanctions Enforcement Guidelines.

⁷ For example, in late December 2020, OFAC settled with the National Commercial Bank, a bank headquartered in Saudi Arabia, for an amount representing nearly 5.4% of the statutory maximum penalty despite the bank having voluntarily disclosed some of the violations.