[co-author: Jonathan Wang*]
Last Friday, the Office of Foreign Assets Control (OFAC) published more targeted guidance for digital asset companies related to compliance with sanctions and best practices for mitigating risks. This guide comes on the heels of OFAC’s first enforcement action against a cryptocurrency exchange, SUEX (which we discussed in our blog here). Given the rise of ransomware threats from malicious cyber-actors that are often linked to sanctioned countries and persons, the lack of very robust regulatory oversight of the virtual currency world, the emerging nature of the technologies, and the growth of the market, it is clear that OFAC hopes crypto companies will pay more attention to sanctions risks and compliance with the issuance of this guidance. While the guide covers a lot of familiar territory, we outline a few key takeaways below.
What’s in the Guide and Why You Should Care
At a high level, the guide reiterates OFAC’s 2019 guidance on sanctions compliance programs (found here) in the context of virtual currencies, including OFAC’s expectation that a company’s program should include, at a minimum: (1) management commitment; (2) risk assessments; (3) internal controls; (4) testing/auditing; and (5) training.
Every company’s risk profile when it comes to sanctions varies. For virtual currency companies that have international users and where KYC and associated diligence is trickier than with other traditional financial institutions, having a risk-based sanctions compliance program will not only help you prevent and detect potential violations, but also mitigate penalties if you face enforcement. Because sanctions violations are essentially strict liability offenses, it is in every virtual currency company’s best interest to assess its risk and implement controls, especially in light of OFAC’s recent scrutiny of the virtual currency industry, the government beefing up its staff for enforcement, and, more broadly, the Administration’s interest in curtailing ransomware threats (see our post, here). For new companies dabbling in the virtual currency world, the guide recommends developing sanctions compliance during the beta testing stage so that compliance can be accounted for as the technology is being developed before its launch.
Nuggets of Useful Information for the Virtual Currency Industry
Though the guidance largely follows OFAC’s 2019 guidance provided to companies with international touchpoints, it does provide some nuggets of useful information for companies dealing in the virtual currency industry (e.g., technology companies, exchangers, administrators, miners, wallet providers, and other traditional financial institutions dealing with virtual currency).
- Block Virtual Currency: U.S. persons holding virtual currency deemed to be blocked by OFAC regulations must deny all parties to that virtual currency. Notably, there is no need to convert the virtual currency to fiat currency or put it in an interest-bearing account. Blocked virtual currency must be reported to OFAC within 10 business days, and thereafter on an annual basis, so long as the virtual currency remains blocked.
- Screen Internet Protocol (IP) Addresses: Companies should screen for IP addresses that originate in sanctioned jurisdictions and block any users there. The guide notes OFAC’s settlement with a company that did not prevent its services from being used by individuals with IP addresses located in sanctioned jurisdictions.
- Use Geolocation Tools: Geolocation tools enable companies to identify IP addresses that may originate in sanctioned jurisdictions. This can help companies prevent persons in sanctioned jurisdictions to access their platform and services. Other analytic tools can recognize IP misattribution by identifying users who may be hiding behind a different IP address (i.e. VPN users).
- Screen for Virtual Currency Addresses Listed on SDN List: In 2018, OFAC began listing virtual currency addresses on the SDN list. The guide encourages companies to screen for such addresses when screening SDNs and block any related transaction. Unlisted virtual currency addresses that share a “wallet” with a listed virtual currency address may also pose a sanctions risk and further diligence may be needed to ensure that the transaction does not involve an SDN.
*Jonathan Wang is a law clerk in Sheppard Mullin’s Washington, D.C. office.