On October 15, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued its anticipated Sanctions Compliance Guidance for the Virtual Currency Industry and updated two related Frequently Asked Questions (FAQs 559 and 646). OFAC has published industry-specific guidance for only a handful of other industries in the past two decades; the new guidance demonstrates the agency’s increasing focus on the virtual currency (VC) sector. It also clarifies US sanctions compliance practices in ways that could lay a foundation for future OFAC enforcement actions.
OFAC’s guidance was announced as part of broader US government enforcement priorities to combat ransomware, money laundering, and other financial crimes in the virtual currency sector, as noted in the Department of Justice’s recent announcement of a National Cryptocurrency Enforcement Team. The OFAC guidance was published in tandem with a Financial Crimes Enforcement Network (FinCEN) analysis of ransomware trends in suspicious activity reporting, but the guidance is directed at the VC industry in general and is not specific to ransomware. A ransomware actor who demands VC may or may not be a target of OFAC sanctions, and sanctioned actors may engage in a wide variety of VC transactions that do not involve ransomware. The recommended compliance practices in OFAC’s new guidance are focused on the full range of sanctions risks that arise from virtual currencies.
The guidance maintains OFAC’s longstanding recommendation for risk-based compliance programs, and builds on the May 2019 Framework for OFAC Compliance Commitments. The guidance also provides notable examples of compliance controls that are tailored to the unique risk and control environments of the VC sector.
The guidance states that “All companies in the virtual currency industry, including technology companies, exchangers, administrators, miners, and wallet providers, as well as more traditional financial institutions that may have exposure to virtual currencies” should consider incorporating the controls outlined in OFAC’s guidance into their sanctions compliance programs. OFAC’s language casts a broad net with respect to the types of entities covered by its guidance, particularly with respect to “technology companies,” which may include, for example, software and protocol developers. However, the guidance does not address some of the more complex questions related to the industry, such as the degree of responsibility that developers have for decentralized protocols, the applicability of OFAC rules to miners who may validate blocks containing transactions subject to OFAC sanctions, or the feasibility of operationalizing certain of the compliance practices. Nor does the guidance address how to implement sanctions compliance for staking or voting in a proof-of-stake consensus and validation mechanism. Proof-of-stake does not involve “mining” as in a proof-of-work protocol model, and it has become increasingly popular for decentralized security, efficiency, and environmental reasons, among others.
“Never Too Soon” to Address Sanctions Risks
OFAC’s guidance reminds readers that its sanctions regimes are generally based on a “strict liability” legal standard, and that they can apply to both US and non-US persons. In discussing the importance of a management commitment to sanctions compliance, the OFAC guidance notes with disapproval that “in many cases” members of the VC industry have not implemented sanctions compliance programs until “months, or even years, after commencing operations.” The guidance recommends that VC companies should instead evaluate potential sanctions risks as early as the beta testing stage of their operations, and should develop an appropriate sanctions compliance program before providing products or services to customers.
Blocking of Virtual Currency
The guidance and updated FAQ 646 provide practical advice on how VC companies can carry out their obligation to block (i.e., freeze) VC in which an individual or entity included on OFAC’s Specially Designated Nationals List (SDN List) or another blocked person or government has an interest. A US person who holds VC that is subject to OFAC blocking sanctions must deny all parties access to the VC and implement controls that align with a risk-based approach to ensure the VC is not inadvertently transferred, released, or otherwise dealt in. FAQ 646 also explains that blocked VC need not be converted into fiat currency or held in an interest-bearing account, though it must be reported to OFAC. The FAQ further clarifies that if a US person maintains multiple VC wallets in which a blocked person has an interest, no specific authorization from OFAC would be needed for the US person to consolidate the currency into a single blocked wallet.
The guidance describes OFAC’s views on how geolocation tools, which allow an operator to infer the location of a user online, can be used as part of a sanctions compliance control framework. In addition to recommending that internet protocol (IP) address data should be used to prevent unauthorized transactions involving IP addresses that originate in sanctioned jurisdictions, the guidance also observes that IP misattribution can be detected with analytic tools that screen IP addresses against known virtual private network (VPN) IP addresses. It points out that analytic tools can also be deployed to identify improbable logins, such as the same user’s logging in from IP addresses associated with two different jurisdictions within a short time.
Although the guidance does not explicitly state that VC companies should prohibit the use of VPNs when interacting with their platforms, it suggests that use of VPNs may undermine sanctions compliance geolocation tools, even if there are legitimate reasons to use VPNs. Indeed, VPNs are used widely by persons acting online for a variety of reasons such as privacy, security, and avoiding censorship. Therefore, companies in the VC sector will need to carefully consider how they approach the use of VPNs and the degree to which utilization of such applications should be considered as part of a risk assessment under their sanctions compliance programs.
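The geolocation checks described above can be sketched as detection logic over login records. This is an added example, not code from OFAC or from the original article; the geolocation table, VPN range, placeholder jurisdiction codes and the one-hour window are all assumptions constructed for illustration. A known VPN address is raised as a risk signal for review rather than blocked outright.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed data: "XA"/"XB"/"XS" are ISO 3166 user-assigned placeholder codes
# ("XS" stands in for a sanctioned jurisdiction); networks are RFC 5737 ranges.
GEO_DB = {"192.0.2.0/24": "XA", "198.51.100.0/24": "XB", "203.0.113.0/24": "XS"}
VPN_RANGES = ["198.51.100.128/25"]        # assumed feed of known VPN exit ranges
SANCTIONED = {"XS"}
IMPROBABLE_WINDOW = timedelta(hours=1)    # assumed threshold, tune per risk assessment

def locate(ip):
    """Return the jurisdiction code for ip, or None if it is not in GEO_DB."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_DB.items():
        if addr in ipaddress.ip_network(net):
            return country
    return None

def is_vpn(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in VPN_RANGES)

def screen_logins(events):
    """events: (user, ISO timestamp, ip) tuples. Returns flagged (user, ts, ip, flags)."""
    findings, last_seen = [], {}
    for user, ts, ip in sorted(events, key=lambda e: e[1]):
        when, country, flags = datetime.fromisoformat(ts), locate(ip), []
        if country is None:
            flags.append("unlocated")
        elif country in SANCTIONED:
            flags.append("sanctioned_jurisdiction")
        if is_vpn(ip):
            flags.append("known_vpn")     # inferred location is unreliable
        prev = last_seen.get(user)        # (time, jurisdiction) of previous login
        if prev and country and prev[1] != country and when - prev[0] <= IMPROBABLE_WINDOW:
            flags.append("improbable_login")
        if country:
            last_seen[user] = (when, country)
        if flags:
            findings.append((user, ts, ip, flags))
    return findings

SAMPLE_EVENTS = [  # constructed login records
    ("alice", "2021-10-15T09:00:00", "192.0.2.10"),
    ("alice", "2021-10-15T09:20:00", "198.51.100.200"),
    ("bob", "2021-10-15T10:00:00", "203.0.113.5"),
    ("carol", "2021-10-15T11:00:00", "192.0.2.77"),
    ("carol", "2021-10-15T15:00:00", "198.51.100.9"),
]
```

Calling `screen_logins(SAMPLE_EVENTS)` flags alice's second login (known VPN range, and a second jurisdiction within 20 minutes) and bob's login from the placeholder sanctioned jurisdiction; carol's jurisdiction change four hours apart is not flagged.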
OFAC also encourages companies to consider using all data at their disposal – including data collected for onboarding, business, or security purposes – to conduct sanctions compliance screening.
Transaction Monitoring and Use of Virtual Currency Addresses Included on SDN List
OFAC also uses the guidance to address the particular challenges of transaction monitoring in the VC sector, where the identifying information that enables sanctions screening of fiat currency transactions (such as the names of accountholders and transaction parties) may be absent. The guidance describes several ways in which VC addresses included on the SDN List might be used in a compliance program, beyond the baseline obligation to identify and block transactions associated with those addresses. For example, OFAC encourages industry participants to identify other VC addresses that “share a wallet” with an address published on the SDN List, since the shared wallet could be an indicator of sanctions risk. The guidance also suggests that VC companies consider conducting a lookback of transactional activity after OFAC adds a VC address to the SDN List, to identify prior transactions involving the newly blocked address. OFAC encourages companies in the VC industry to employ blockchain analytics tools to assist in this effort.
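The lookback and shared-wallet checks described above can be sketched as follows. This is an added example, not code from OFAC or from the original article; the addresses, wallet identifiers, ledger layout and function names are hypothetical, and the address-to-wallet mapping stands in for whatever attribution a company's own records or a blockchain analytics tool provide.

```python
from collections import defaultdict

# Constructed data: addresses, wallet ids and transactions are made up.
# WALLET_OF is the assumed address-to-wallet attribution available to the company.
WALLET_OF = {"addr_A": "w1", "addr_B": "w1", "addr_C": "w2", "addr_D": "w3"}
LEDGER = [
    {"txid": "t1", "date": "2021-06-01", "src": "addr_D", "dst": "addr_A"},
    {"txid": "t2", "date": "2021-07-12", "src": "addr_B", "dst": "addr_C"},
    {"txid": "t3", "date": "2021-08-30", "src": "addr_C", "dst": "addr_D"},
    {"txid": "t4", "date": "2021-09-09", "src": "addr_D", "dst": "addr_E"},
]

def shared_wallet_addresses(listed, wallet_of):
    """Addresses in the same wallet as a listed address, excluding the listed ones."""
    members = defaultdict(set)
    for addr, wallet in wallet_of.items():
        members[wallet].add(addr)
    related = set()
    for addr in listed:
        wallet = wallet_of.get(addr)
        if wallet is not None:            # listed address may be unknown to us
            related |= members[wallet]
    return related - set(listed)

def lookback(newly_listed, ledger, wallet_of, since=None):
    """Return past transactions touching a newly listed address ("direct")
    or an address that shares a wallet with one ("shared_wallet")."""
    listed = set(newly_listed)
    related = shared_wallet_addresses(listed, wallet_of)
    hits = []
    for tx in ledger:
        if since and tx["date"] < since:  # ISO dates compare correctly as strings
            continue
        parties = {tx["src"], tx["dst"]}
        if parties & listed:
            hits.append((tx["txid"], "direct", sorted(parties & listed)))
        elif parties & related:
            hits.append((tx["txid"], "shared_wallet", sorted(parties & related)))
    return hits
```

With `addr_A` as the newly listed address, `lookback(["addr_A"], LEDGER, WALLET_OF)` returns t1 as a direct hit and t2 as a shared-wallet hit through `addr_B`; the second category is a risk indicator for review, as the guidance frames it.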
As noted above, a number of important questions about the application of OFAC regulations to the VC sector are still unanswered. Nonetheless, the guidance reflects a significant effort by OFAC to engage with the VC sector, and industry participants are well advised to consider the controls recommended by OFAC in the design and implementation of their risk-based compliance programs.