To print this article, simply register or connect to Mondaq.com.
On October 15, 2021, the Treasury Department’s Office of Foreign Assets Control (OFAC) released sanctions compliance guidelines for the virtual currency industry.1 OFAC has recognized that virtual currencies are playing an increasingly important role in the global economy and that their recurring use as payment methods poses risks of sanctions. OFAC’s guidance is intended to help industry players mitigate the risks of sanctioned players exploiting these currencies, which “would undermine US foreign policy and national security interests.” The effectiveness of OFAC sanctions depends on the compliance of industry participants, including “technology companies, exchangers, administrators, minors, wallet providers and users.[.]”
The Financial Crimes Enforcement Network (FinCEN) also published a report, in conjunction with OFAC guidance, on ransomware trends between January 2021 and June 2021.2 FinCEN described a sharp increase in reports of suspicious activity regarding ransomware during the first half of 2021. FinCEN also identified bitcoin as the most common payment method in ransomware transactions, further highlighting the need for ransomware transactions. companies to adopt compliance measures.
OFAC’s guidance is part of the government’s broader effort to regulate the virtual currency industry. In September 2021, OFAC sanctioned SUEX OTC, SRO, a virtual bureau de change, for facilitating ransomware payments.3 On October 6, 2021, the Department of Justice (DOJ) announced the creation of a National Cryptocurrency Enforcement Team “to tackle complex investigations and prosecutions of criminal cryptocurrency abuses” and ” to dismantle the financial entities that allow criminal actors to thrive … to abuse cryptocurrency platforms[.]”4 OFAC guidelines provide greater clarity to industry participants regarding their compliance obligations and recommend actions to mitigate risk and avoid enforcement action.
OFAC Sanctions Compliance Guidelines
OFAC sanctions apply to âall US citizens and lawful permanent residents, wherever they are; all individuals and entities in the United States; and all entities organized under the laws of the United States or any jurisdiction in the United States, including any foreign branch[.]âThey also apply to transactions involving both virtual and traditional fiat currencies.
OFAC provides a strict liability standard so that it can impose civil penalties for violation of the penalties even when an actor was unaware of or did not intend to commit a violation. Accordingly, participants in the virtual currency industry should remain informed of OFAC’s sanctioning requirements and ensure that they do not engage in unauthorized transactions. This includes transactions with parties appearing on OFAC’s Specially Designated Nationals and Blocked Persons List (the SDN List), a list of sanctioned individuals and entities that OFAC has developed as part of its enforcement efforts.5 Additionally, individuals who determine they hold a virtual currency blocked by OFAC regulations must report their discovery to OFAC within 10 business days and deny all parties access to the currency. OFAC indicates, however, that blocked currency does not need to be converted into fiat currency or held in an interest-bearing account.
OFAC encourages a risk-based approach to sanctions compliance and recognizes that there is no single compliance program. A compliance program will depend on various factors, including “the type of business involved, its size and sophistication, [the] products and services offered, customers and counterparties, and [the] geographic locations served. OFAC highlights five essential elements of any compliance policy: (i) management commitment; (ii) risk assessment; (iii) internal controls; (iv) tests / audits; and (v) training.
OFAC recommends that a company’s senior management assess the risk of sanctions early in the company’s development, noting that some members of the industry have implemented sanctions policies and procedures for months or even years after the start of operations. When companies delay the development of their compliance programs, they unnecessarily expose themselves to a wide variety of sanction risks. A company’s risk assessment should include an examination of its relationships with foreign individuals and jurisdictions and demonstrate an understanding of who is accessing the company’s platform and services.
The internal controls that a company must implement will depend on the “products and services offered by the company, where the company operates, the location of its users and [the]risks specific to the sanctions that the company identifies during its risk assessment process. OFAC recommends certain best practices, including the use of geolocation tools, Know Your Customer (KYC) procedures, transaction monitoring and investigation, and sanction filtering.
Geolocation tools can be used to identify and prevent IP addresses in sanctioned jurisdictions from accessing a company’s platform and services. KYC procedures allow businesses to gather information about individuals or entities before making transactions, including their possible links to sanctioned jurisdictions. Transaction monitoring and investigation software can be used to identify transactions involving virtual currency addresses associated with sanctioned individuals. OFAC encourages businesses to filter transactions and customers against OFAC’s SDN list, which includes known virtual currency addresses for sanctioned actors. Companies should also be familiar with common red flags that indicate a potential risk of sanctions, such as an individual or entity failing to provide accurate and complete KYC information upon request.6
OFAC emphasizes that an effective compliance program involves testing, auditing and training. Businesses should test their screening procedures to ensure that they correctly report transactions and users from sanctioned jurisdictions. Companies should also conduct training on a periodic basis, and at least once a year, so that employees are aware of their responsibilities for compliance and any updates or changes to OFAC guidelines on sanctions. .
Companies operating in the virtual currency industry should consult OFAC guidelines and implement compliance checks early to avoid sanctions violations. OFAC guidelines warn companies that they may be subject to coercive action and sanctions if they do not mitigate the risk of sanctions or commit violations, even without knowing it. As the government improves its regulation of this developing industry, industry participants are expected to adjust to OFAC’s compliance requirements.
1 United States Department of the Treasury, Office of Foreign Assets Control, Sanctions Compliance Guide for the Virtual Currency Industry (October 15, 2021), https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf.
2 US Department of the Treasury, Financial Crimes Enforcement Network, Financial Trend Analysis, Ransomware trends in bank secrecy law data between January 2021 and June 2021 (October 15, 2021), https://www.fincen.gov/sites/default/files/2021-10/Financial%20Trend%20Analysis_Ransomware%20508%20FINAL.pdf.
3 US Department of the Treasury, Treasury takes strong action to tackle ransomware(September 21, 2021), https://home.treasury.gov/news/press-releases/jy0364.
4 US Department of Justice, Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team (October 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-national-cryptocurrency-enforcement-team.
5 US Department of the Treasury, List of Specially Designated Nationals – Data Formats and Data Schemas (October 26, 2021), https://home.treasury.gov/policy-issues/financial-sanctions/specially-designated-nationals-list-data-formats-data-schemas.
6 Sanctions Compliance Guide for the Virtual Currency Industry, at 17 years old.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.