Recent OFAC Settlement Highlights Need to Consider IP Address Geolocation Data

Kelley Drye & Warren LLP

On December 30, 2020, the Office of Foreign Assets Control (“OFAC”) announced a settlement agreement with BitGo, Inc. (“BitGo”) for providing digital wallet services to users located in sanctioned jurisdictions, including Crimea, Cuba, Iran, Sudan, and Syria.  The case is notable because OFAC makes clear its expectation that companies consider Internet Protocol (“IP”) address geolocation data when assessing whether online customers are located in sanctioned jurisdictions.

BitGo processes digital currency transactions on behalf of users with “hot wallet” accounts, the company’s secure digital wallet service.  Prior to 2018, users could open a BitGo digital wallet account by providing only a name and an email address. In April 2018, BitGo began requiring new accountholders to self-report their location to the company.  Throughout this period, BitGo also tracked users’ IP addresses and related geolocation data for account security purposes, but did not use that information to identify users who may be located in sanctioned jurisdictions.

OFAC concluded that BitGo had reason to know that users were located in sanctioned jurisdictions based on the collected IP address data, even though the data was not actively screened by the company for sanctions compliance purposes.  Based on the IP address data, OFAC found that BitGo failed to prevent users in Crimea, Cuba, Iran, Sudan, and Syria from accessing its services in 183 instances and facilitated transactions with those users worth $9,127.79.

The maximum penalty in this case, which was not voluntarily self-disclosed to the agency, was over $53 million.  However, OFAC determined that the violations were “non-egregious”  in nature (e.g., they did not involve willful or reckless conduct and did not present serious harm to sanctions program objectives) and that substantial mitigating factors, including the adoption of a robust compliance program, warranted a settlement amount of $93,380.  OFAC specifically cited BitGo’s implementation of IP address blocking, email-related restrictions, and batch screening of users against the SDN List as sanctions compliance measures adopted by the company.

The BitGo settlement is another example in an emerging pattern of enforcement actions against companies – like Amazon – that fail to use all collected data, like IP addresses, as part of their sanctions compliance programs.  Fintech and other companies that conduct transactions online are on notice that reliance on self-reported location is not sufficient to identify users subject to sanctions.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kelley Drye & Warren LLP | Attorney Advertising

Written by:

Kelley Drye & Warren LLP

Kelley Drye & Warren LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.