On December 30, 2020, the US Department of the Treasury’s Office of Foreign Assets control (OFAC) announced a $98,380 settlement with BitGo, Inc. (BitGo). This civil settlement, regarding apparent violations of multiple sanctions programs related to digital currency transactions, is the first published OFAC enforcement action against a business in the blockchain industry.

BitGo, based in Palo Alto, California, is an “institutional digital asset custody, trading, and finance” company. The apparent sanctions violations relate to 183 instances in which BitGo failed to prevent individuals and/or entities located in Crimea, Cuba, Iran, Sudan, and Syria from using its non-custodial secure digital wallet management service. All of these jurisdictions were subject to comprehensive embargoes under OFAC regulations during at least part of the time that the transactions occurred. OFAC stated that BitGo had reason to know that users in these comprehensively sanctioned jurisdictions were using its services through Internet Protocol (IP) address data collected for security purposes, and allegedly had failed to implement controls to prevent users in such jurisdictions from accessing its services. (The violations and settlement did not involve enterprise or custodial services provided by BitGo Trust Company, Inc., an affiliate of BitGo, Inc.)

According to OFAC, between approximately March 10, 2015, and December 11, 2019, BitGo processed 183 digital currency transactions totaling $9,127.79 using its hot wallet management service for users in the comprehensively sanctioned jurisdictions who had signed up for hot wallet accounts.

At the time of the violations, BitGo tracked users’ IP addresses for security purposes. However, OFAC asserted that this same information was not also tracked for sanctions compliance purposes. As such, users with IP addresses located in Crimea, Cuba, Iran, Sudan, and Syria were able to create accounts and use BitGo’s digital currency wallet platform, despite BitGo having the ability to identify the location of these users. Moreover, before April 2018, BitGo required only a name and email address for users to open an account and access their services. After April 2018, BitGo also required users to identify the country in which they were located, but relied on customer-provided information and attestation rather than performing additional verification or diligence.

OFAC has previously cited companies for violations based, at least in part, on a failure to implement IP geo-blocking in a number of non-blockchain contexts, including civil settlements involving Amazon and Standard Chartered Bank. Although these settlements did not involve the handling or use of cryptocurrency, they could be viewed as falling under a similar theory of liability – that a US person exported services without authorization to OFAC sanctioned jurisdictions.

OFAC found that BitGo did not voluntarily self-disclose the apparent violations. Even though the circumstances did not constitute an egregious case, OFAC determined that the apparent violations warranted a public resolution and civil penalties. Pursuant to OFAC’s Enforcement Guidelines, OFAC identified two factors that it determined to be aggravating factors. First, BitGo failed to exercise “due caution or care for its sanctions compliance obligations” by not implementing “appropriate, risk-based sanctions compliance controls” to prevent persons in comprehensively sanctioned jurisdictions from opening accounts and using its platform to send digital currencies. Second, OFAC determined that BitGo had reason to know that some of its users were located in comprehensively sanctioned jurisdictions because it had already collected users IP addresses for security purposes.

However, OFAC also found a number of mitigating factors. BitGo is a relatively small company and had not received a penalty notice or Finding of Violation in the five years prior to the date of the earliest transactions subject to the enforcement action. BitGo also hired a Chief Compliance Officer and implemented a new OFAC compliance policy. Lastly, BitGo implemented a number of remedial measures in response to the apparent violations, including, among others, IP address blocking and “email-related restrictions” for sanctioned jurisdictions, screening all of its accounts, including “hot wallet” accounts, against OFAC’s Specially Designated Nationals and Blocked Persons List, and sanctions-related training for certain personnel.

OFAC determined that the statutory maximum civil monetary penalty and the base civil monetary penalty amount applicable in this case are $53,051,675 and $183,000, respectively, but based on the mitigating factors and other considerations that were taken into account, the civil penalty was reduced to $98,380.

Notably, OFAC’s announcement took the opportunity to highlight the importance of having an appropriate compliance program and the sanctions risks associated with providing digital currency services, and emphasized that companies providing such services should take steps to mitigate these risks. OFAC noted that companies that engage in online commerce or transaction processing using digital currency are responsible for ensuring they do not engage in dealings prohibited by OFAC, including “dealings with blocked persons or property, or engaging in prohibited trade or investment-related transactions.”  OFAC states that in order to mitigate these risks, exchangers, administrators, and users of digital currencies “should develop a tailored, risk-based sanctions compliance program.”  While such compliance programs will vary depending on the company’s size and sophistication, products and services offered, customers, and geographic location, they should be based on and incorporate at least five essential components of compliance outlined in OFAC’s A Framework for OFAC Compliance Commitments, including: 1) management commitment; 2) risk assessment; 3) internal controls; 4) testing and auditing; and 5) training. OFAC added that the BitGo enforcement action “emphasizes the importance of implementing technical controls, such as sanctions list screening and IP blocking mechanisms” as one element within the framework.

While this is the first enforcement action against a digital asset company, the US has taken a number of other measures related to digital currency, including banning transactions involving the Venezuelan petro and identifying wallet addresses associated with sanctioned persons. The BitGo enforcement action, coupled with OFAC’s past blockchain-related actions, highlight the importance of digital asset companies having a robust US sanctions compliance program and ensuring such programs are fully and effectively implemented.