- Because digital currencies allow for high-value transactions outside of the traditional U.S. banking system, OFAC has rigorously investigated whether digital currency service businesses may be facilitating transactions that are prohibited under various sanctions programs.
- Recent settlements have shown that OFAC will take into account whether digital currency services businesses have OFAC compliance programs in place that are routinely reviewed and, as appropriate, updated to take advantage of new technological developments.
Last month, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced a $507,375 settlement of potential civil claims against BitPay, Inc. (“BitPay”), a company based in Atlanta, Georgia, which operates as a payment processor for digital currencies. The settled claims related to allegations that BitPay unknowingly processed digital currency payments to U.S.-based vendors on behalf of individuals located in sanctioned jurisdictions, including Cuba, North Korea, and Iran. The settlement demonstrates OFAC’s commitment to rigorous enforcement of U.S. sanctions laws, screening expectations, and the need for all U.S. businesses – and digital currency processors in particular – to implement appropriate risk-based compliance measures to ensure that their services are not used to facilitate financial transactions in violation of U.S. sanctions laws.
BitPay's Violations of U.S. Sanctions Laws
BitPay operates a digital currency payment service through a web portal and a mobile app. At a high level, it allows merchants and service providers to accept payment in digital currencies such as Bitcoin (BTC) and Ethereum (ETH), among others. According to OFAC’s Enforcement Release, over a five-year period running from June 2013 to September 2018, BitPay’s IT systems did not prevent individuals located in sanctioned jurisdictions from using the company’s platform to purchase goods and services from U.S. persons. During that time, BitPay engaged in approximately 2,100 violations of OFAC sanctions by processing approximately $129,000 worth of digital currency-related payments involving persons located in Crimea, Cuba, North Korea, Iran, Sudan, and Syria – all of which were subject to comprehensive U.S. sanctions at the time of the alleged violations.
While BitPay did perform customer screening to ensure that none of its merchant customers (i.e., businesses who received payments through BitPay) were named on OFAC’s List of Specially Designated Nationals (“SDN List”) or located in a sanctioned jurisdiction, it did not implement reasonable measures to assure that payors were not located in sanctioned jurisdictions. While OFAC noted that BitPay at times would receive information about the merchants’ buyers at the time of a transaction – including a buyer’s name, address, email address, and phone number – OFAC specifically faulted BitPay for failing to use IP address information to bar individuals located in Crimea, North Korea, Iran, Sudan, and Syria from transacting business through their system.
Key Considerations in Settlement Amount
Violations of U.S. sanctions programs administered by OFAC typically can result in: (i) civil penalties of up to approximately $300,000 per violation or twice the value of the underlying transaction; or (ii) criminal penalties of up to $1 million per violation and/or up to 20 years imprisonment. To moderate the potentially draconian civil penalties that may result from inadvertent violations of OFAC’s sanctions rules, OFAC has issued Economic Sanctions Enforcement Guidelines, 50 C.F.R. App. A, that provide “a general framework for the enforcement of all economic sanctions programs” administered by OFAC.
The Guidelines make clear that OFAC will consider, among other things, whether a violation was willful, whether it involved a “pattern or practice of conduct,” whether high-level management was involved, whether the violator knew or should have known about the violations, whether the violations caused harm to the objectives of the sanctions program, and whether the violator is commercially sophisticated. Importantly, the Guidelines also take into account “the existence, nature and adequacy” of the violator’s compliance program, whether the violator took corrective action in response to the violation, and whether the violation was self-reported.
In BitPay’s case, the statutory maximum civil monetary penalty that could have been imposed was approximately $620 million. OFAC only imposed a civil penalty of $507,375, however, after taking into account the various factors identified in the Guidelines. In addition to noting that the apparent violations were not voluntarily disclosed, OFAC identified two key aggravating factors: first, that BitPay failed to exercise due caution or care for its sanctions compliance obligations when it failed to screen and identify consumers in sanctioned jurisdictions despite having sufficient information to do so; and second, that the economic benefit conveyed to those consumers harmed the integrity of U.S. sanctions programs.
OFAC also identified several mitigating factors, however, including that BitPay:
- Had a sanctions compliance program in place as early as 2013;
- Specifically trained its employees that transactions with sanctioned jurisdictions were prohibited;
- Is a small business with no history of prior violations;
- Cooperated with OFAC’s investigation; and
- Undertook corrective measures to enhance its compliance program following the apparent violations, including by:
  - Blocking IP addresses from Cuba, Iran, North Korea, and Syria from connecting to the BitPay website or from viewing any instructions on how to make payments;
  - Checking physical and email addresses of merchants’ buyers when provided by the merchants to prevent completion of an invoice from the merchant if BitPay identifies a sanctioned jurisdiction address or email top-level domain; and
  - Implementing a requirement that all buyers seeking to make a payment exceeding $3,000 provide photographic identification, an email address, and a selfie photograph to complete the transaction.
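The three corrective measures above can be combined into a single payor-screening step. The sketch below is an added illustration, not BitPay's code or anything published by OFAC: the buyer field names, the decision labels, the "review" outcome for an unresolved IP, and the geo-IP table (built from RFC 5737 documentation ranges) are all assumptions made for the example.

```python
import ipaddress

# Jurisdictions named in the IP-blocking measure above (ISO 3166-1 alpha-2).
SANCTIONED = {"CU", "IR", "KP", "SY"}
CCTLDS = {"cu", "ir", "kp", "sy"}   # country-code TLDs of the same jurisdictions
ID_THRESHOLD_USD = 3000             # payments exceeding this need identification

# Constructed geo-IP table using documentation ranges; a real deployment
# would query a maintained geo-IP database instead.
GEOIP = [
    (ipaddress.ip_network("192.0.2.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "CU"),
]

def ip_country(ip):
    """Map an IP string to a country code, or None if missing or unknown."""
    try:
        addr = ipaddress.ip_address(ip or "")
    except ValueError:
        return None
    return next((cc for net, cc in GEOIP if addr in net), None)

def screen_buyer(buyer):
    """Screen every data point held about a payor; return (decision, reasons)."""
    reasons = []
    cc = ip_country(buyer.get("ip"))
    if cc in SANCTIONED:
        reasons.append(f"ip:{cc}")
    addr_cc = (buyer.get("address_country") or "").upper()
    if addr_cc in SANCTIONED:
        reasons.append(f"address:{addr_cc}")
    email = (buyer.get("email") or "").strip().rstrip(".").lower()
    tld = email.rsplit(".", 1)[-1] if "@" in email else ""
    if tld in CCTLDS:
        reasons.append(f"email_tld:.{tld}")
    if reasons:
        return "block", reasons
    if cc is None:
        # Buyer data is only sometimes supplied; an unresolved IP is routed
        # to manual review rather than silently allowed (design assumption).
        return "review", ["ip_unresolved"]
    if buyer.get("amount_usd", 0) > ID_THRESHOLD_USD and not buyer.get("id_verified"):
        return "require_id", ["amount_over_threshold"]
    return "allow", []
```

Because each check runs independently, a buyer whose IP resolves to a permitted country is still blocked when the address or email domain points to a sanctioned jurisdiction, which is the gap a proxy or VPN would otherwise leave open.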
OFAC’s Focus on Digital Currencies and Screening Expectations
Many recent enforcement actions have involved failures in companies’ sanctions screening processes, including failures to account for different spellings of sanctioned persons or jurisdictions. The BitPay action is notable, however, as it involves a failure by BitPay to screen its customers’ customers – buyers who used BitPay’s platform to process payments with BitPay’s direct customers, online merchants. As discussed above, OFAC noted that BitPay at times would receive information about the merchants’ buyers at the time of a transaction – including a buyer’s name, address, email address, and phone number – and that starting in July 2017, BitPay received IP address information about such buyers. It appears that OFAC was particularly concerned with BitPay’s failure to use IP location information to identify transaction parties located in sanctioned jurisdictions.
IP location information is not always entirely reliable, as persons located in sanctioned countries can use proxy servers or other methods to disguise their true location. The BitPay action demonstrates an expectation from OFAC, however, that companies that hold IP data about persons involved in transactions facilitated through their services should screen that data to identify potentially sanctioned persons. In effect, OFAC will apply a presumption that an IP address associated with a particular territory by the Internet Assigned Numbers Authority (the global coordinator for assigning IP addresses) is indicative of an Internet user's actual location for sanctions purposes. The limited information available does not provide much detail regarding OFAC’s expectations with respect to screening of transaction parties where companies might have incomplete data, such as only the name or address but not more easily obtainable information such as IP location data. It is clear, however, that OFAC expects payment processors in particular (for both digital and traditional currencies) to screen all available information regarding transaction parties to identify sanctioned persons, even if the party at issue is not the direct customer of the processor.
OFAC also has identified digital currency businesses as an important area of focus for its enforcement efforts going forward. In December 2020, OFAC brought an enforcement action against BitGo, Inc., a California-based entity that provides non-custodial secure digital wallet management services (among other services). BitGo agreed to pay a penalty of $98,830 for alleged violations resulting from permitting individuals in sanctioned jurisdictions to use BitGo’s services despite having reason to know that such individuals were located in sanctioned jurisdictions based on IP address information. The alleged violations therefore generally were similar to those alleged in the BitPay action, with the key difference that BitGo’s alleged violations involved its own direct customers, whereas BitPay’s alleged violations involved its customers’ customers. In both cases, however, OFAC specifically cited the failure to screen IP location data of users.
As noted by OFAC, this action demonstrates that companies involved in providing digital currency services and other financial services providers should “understand the sanctions risks associated with providing digital currency services and should take steps necessary to mitigate those risks.” These companies should conduct risk assessments to identify their specific exposure and develop a tailored, risk-based sanctions compliance program pursuant to the factors set forth in the Framework for OFAC Compliance Commitments, which focuses on elements including management commitment, risk assessments, internal controls, testing and auditing, and training. The existence of such a compliance program can lead to significant mitigation of penalties in an enforcement context, as demonstrated by the substantial reduction in penalties involved in the BitPay action.