On October 15, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued tailored sanctions compliance guidance for those operating in the virtual currency industry, including technology companies, exchanges, administrators, miners, wallet providers and users. OFAC published “Sanctions Compliance Guidance for the Virtual Currency Industry” alongside two new FAQs (559 and 646) on definitions and procedures for blocking virtual currency. The new guidance summarizes OFAC’s compliance expectations for those transacting in virtual currency.
Days later, on October 18, 2021, the U.S. Treasury released its 2021 Sanctions Review on the overall efficacy of U.S. sanctions programs. That report contended that, “technological innovations such as digital currencies, alternative payment platforms, and new ways of hiding cross-border transactions all potentially reduce the efficacy of American sanctions.”
These are the latest in a series of pronouncements by the U.S. Treasury regarding digital transactions. Last month, OFAC issued an updated advisory on the sanctions risks associated with paying ransomware actors. (Fenwick’s report on that advisory, with recommendations for how companies should respond, can be found here.)
The key takeaway is that virtual currencies are a point of emphasis for sanctions enforcement, and companies engaging in the space should evaluate whether they have appropriate internal compliance resources, processes and technologies.
Key Points from OFAC’s Virtual Currency Industry Guidance:
- OFAC has high expectations of the technological compliance capabilities of companies in the virtual currency sector. OFAC’s approach here has mirrored the one it has taken with respect to payment technologies, SaaS, other web and cloud-based services, and mobile apps.
- While OFAC does not require the use of any particular compliance software, automated sanctions screening tools are typically an effective way to manage risk in this strict liability regime. For instance, automated screening tools benefit from utilizing fuzzy logic capabilities to account for variations in spelling, capitalization, spacing or punctuation.
- OFAC’s guidance describes certain best practices that can help strengthen internal controls as part of a risk-based compliance program, including geolocation tools, KYC (Know Your Customer) procedures, transaction monitoring and investigation, control weakness remediations, sanctions screening and red flag monitoring. OFAC noted that IP address filtering can help prevent prohibited transactions involving sanctioned countries or territories and points to analytic tools that can identify IP address misattribution or improbable logins (e.g., screening IP addresses against known virtual private network IP addresses or flagging users logging in from different IP addresses).
The use of these tools and availability of this data vary among business types, and such measures should be considered carefully to appropriately reflect the risks and practices associated with the products, business models, customers, technologies and geographic scope of the business.
- OFAC expects companies to screen all available transaction and identifying data collected on counterparties to prevent transactions with sanctioned parties and regions. To the extent that companies collect such information, they should screen physical addresses, wallet addresses, IP addresses associated with transactions and logins, email addresses, bank information, other KYC due diligence (e.g., ownership information) and information collected for anti-money laundering (AML) programs.
Note: the collection and processing of personal data can create some tension with data privacy and financial regulatory obligations. Companies should consult with sanctions, financial regulatory and privacy experts to ensure this is carried out in compliance with all applicable laws.
- The Specially Designated Nationals and Blocked Persons (SDN) List includes known virtual currency wallet addresses for SDNs. This information field can assist companies in identifying potential sanctions risks.
- Once a U.S. person determines that they hold virtual currency that is required to be blocked pursuant to OFAC’s regulations, that person must deny all parties access to the virtual currency. Any blocked property must be reported to OFAC within 10 business days, and thereafter on an annual basis if the virtual currency remains blocked.
- It is never too soon to evaluate potential sanctions risks. Virtual currency companies should exercise caution during early-stage development prior to launching their products and services to reflect OFAC’s regulatory obligations.
A Good Time to Review Your Company’s Sanctions Compliance Programs
OFAC’s latest guidelines on sanctions compliance involving virtual currency clarify the office’s expectations, with practical suggestions to facilitate compliance. With virtual currency becoming a more regular feature of business across all sectors, all companies should review their existing sanctions compliance programs in light of OFAC’s guidance and consider any necessary improvements with respect to screening tools, use of compiled data for compliance purposes, geolocation blocking, KYC protocols and other controls appropriate for their industry and risk-profile.