Office of Foreign Assets Control (“OFAC”) Sanctions Compliance Guidance for the Virtual Currency Industry
In mid-October 2021, OFAC issued sanctions compliance guidance (the “OFAC Guidance”) for the virtual currency industry, including tech companies, exchanges, administrators, miners, crypto wallet providers, and even users. OFAC issued the guidance to help the virtual currency industry mitigate the risks of transacting cryptocurrencies with a sanctioned country, entity, or individual.
OFAC is the office within the U.S. Department of the Treasury that is responsible for administering and enforcing economic sanctions against targeted foreign countries, geographic regions, entities, and individuals to further U.S. foreign policy and national security goals. OFAC administers over 35 different sanctions programs designed to respond to specific threats and to further U.S. foreign policy and national security goals. OFAC’s sanctions generally fit into one of four categories:
OFAC Sanctions Categories
- Broad Trade-Based Sanctions or Embargoes
Broad trade-based sanctions or embargoes prohibit transactions with entire countries or geographic regions. Prohibited transactions include both export and import of goods and services to or from the prohibited jurisdiction. Current sanctioned jurisdictions include Cuba, Iran, North Korea, Syria, and the Crimea.
- Government or Regime Sanctions
Government or regime sanctions require the blocking of all property and interests of a foreign government or regime that come within the U.S. or the possession or control of a U.S. person; or prohibit specific types of transactions and activities involving foreign governments or regimes. Virtual currencies constitute property and interests of a foreign government or regime for purposes of the OFAC Guidance.
- List Based Sanctions
List based sanctions are target specific lists of individuals and entities. These sanctions require the blocking of all property and interests in property that come within the U.S. or the possession or control of a U.S. person of those individuals and entities on OFAC’s sanctions list. List based sanctions also ban specific types of transactions and activities with listed individuals and entities. Virtual currencies constitute property and interests of targeted individuals and entities. OFAC’s sanctions lists are searchable and available here.
- Sectoral Sanctions
Sectoral sanctions target individuals and entities operating in specific sectors of a foreign country’s economy as well as the activities of those operating within those same sectors of a foreign country’s economy.
The OFAC Guidance focuses on virtual currency, which it identifies as a subset of digital currency. Excluded from the definition of virtual currency are sovereign cryptocurrencies and digital representations of fiat currency. OFAC defines virtual currency as a digital representation of value that functions as: 1) a medium of exchange; 2) a unit of account; and/or 3) a store of value that is not guaranteed by any jurisdiction. OFAC’s guidance is clearly meant to encompass Bitcoin and other cryptocurrencies like it and avoids the long-standing debate about whether cryptocurrencies are a store of value or a medium of exchange. This definition also encompasses utility tokens, which are used as a medium of exchange and a unit of account.
OFAC Guidance Categories
Under the OFAC Guidance, compliance should take a variety of forms depending on the entity doing business. OFAC recommends taking a risk-based approach to compliance to ensure conformity with the law. A risk-based compliance approach involves commitment from management to be compliant with law and regulations, assessing your organization’s risk factors, putting in place internal controls, testing and auditing those controls, and ensuring personnel are trained to recognize and report violations. The OFAC Guidance can be broken down into a few categories:
- Implementing Internal Controls to Detect Sanctioned Virtual Currency
OFAC encourages organizations to implement compliance programs with adequate internal controls to detect sanctioned virtual currency. The OFAC Guidance recommends a system that can monitor incoming cryptocurrency transactions against OFAC’s various sanction lists, including, OFAC’s Specially Designated Nationals and Blocked Persons List. These lists should be searchable against specific crypto wallet addresses. The OFAC Guidance also strongly encourages organizations to investigate any transactions that are suspicious in nature (e.g., reviewing historical transactions from sanctioned accounts and determining whether non-sanctioned accounts have historically worked in conjunction with the sanctioned accounts).
Additionally, the OFAC Guidance recommends monitoring the IP addresses of incoming cryptocurrency transactions to determine if the transactions originate from a sanctioned country or geographic region (geolocating these transactions). This includes monitoring transactions that are coming from VPNs (Virtual Private Networks) to detect patterns and abnormal behavior. One example from the OFAC Guidance is “screening IP addresses against known [VPN] IP addresses and identifying improbable logins (such as the same user logging in with an IP address in the United States, and then shortly after with an IP address in Japan).”
Beyond monitoring transactions, OFAC also recommends completing investigations, blocking sanctioned virtual currency, and several other measures to screen for sanctions. These include implementing KYC (“Know Your Customer”) measures and utilizing a screening tool’s “fuzzy logic” capabilities to account for name variations and misspellings.
The OFAC Guidance strongly suggests that effective corporate compliance requires systems to monitor transactions and conducting investigations to ensure that your organization is not doing business with individuals and entities attempting to skirt sanctions. Particularly for larger, mature organizations, compliance with the OFAC Guidance will entail a good faith effort to review and investigate numerous historical transactions. Virtual currency companies should implement remedial measures if a historical investigation uncovers prohibited transactions. Failure to conduct a thorough historical review and implement remedial measures could result in OFAC enforcement actions.
- Blocking Virtual Currency
If an organization or individual discovers that they in fact possess virtual currency that originated from a sanctioned source, then the OFAC Guidance requires that organization or individual to block all parties from accessing that virtual currency, follow OFAC regulations for the holding and reporting of blocked assets, and implement controls aligned with a risk-based compliance approach. The blocked currency must be reported to OFAC within 10 business days of receipt and must also be reported on an annual basis for as long as the currency remains blocked. The virtual currency company must hold the blocked asset until it officially becomes unblocked.
This OFAC Guideline has the potential for serious business disruption, especially if the blocked assets are for a significant amount. Organizations should enact proactive measures to identify and reject transactions from sanctioned origins to avoid blocked assets entering their system in the first place. Additionally, organizations can apply for a license that may allow them to take part in transactions that may otherwise be prohibited.
- Reporting Requirements
As discussed above, individuals and organizations must report blocked property within 10 business days and on an annual basis. Additionally, individuals and organizations must report rejected transactions within 10 business days of rejection and must be able to provide OFAC with on demand reports in the case of a subpoena.
Every individual or organization completing transactions subject to OFAC’s regulations must keep transaction records that are full and accurate for a period of five years after a rejected transaction and five years after property becomes unblocked.
Recordkeeping is an essential factor in good compliance. For individual virtual currency users and small businesses, these requirements may be somewhat burdensome; however, for larger organizations, these recordkeeping requirements should be a standard part of their compliance program.
OFAC can initiate enforcement investigations for suspected failures to comply with its regulations. If found to be in violation of its regulations, OFAC can take a number of actions against individuals and organizations, to include requesting additional information from involved parties; issuing either a “No Action” letter, “Cautionary” letter, “Finding of Violation,” or a civil monetary penalty to resolve apparent violations; entering into a settlement with involved parties; or referring the matter to other government agencies, if appropriate, for a criminal investigation.
The OFAC Guidance is a clear and practical document that should help individuals and organizations adopt compliance measures to avoid violating OFAC regulations. The OFAC Guidance recognizes that compliance will take many forms depending on the entity. In many places, the OFAC Guidance strongly encourages virtual currency participants to conduct investigations and perform a historical analysis of their transactions. Given the wide range of industry participants the OFAC Guidance is addressed to, it is likely that larger and more sophisticated organizations will be expected to implement compliance programs that conduct historical investigations and be prepared to show proactive, good faith efforts to prevent prohibited transactions.
Ward & Berry has been following the U.S. Government’s guidance on blockchain and cryptocurrency for some time. If you are in this industry, or will be integrating these technologies into your operations, please contact us. We can help you navigate the developing federal regulations in this field to keep you on the right side of the law.