On July 21, 2022, the SEC filed insider trading charges in federal court against a former Coinbase product manager and two others for trading ahead of multiple announcements that certain crypto assets would be made available for trading on the platform.[1] The SEC alleged that the defendants traded ahead of listing announcements for at least 25 crypto assets, “at least nine” of which the Commission asserted are investment contracts under the federal securities laws. The complaint includes a Howey[2] analysis for the nine crypto assets that serve as the basis for the SEC’s jurisdiction in this matter. In a parallel action, the Department of Justice charged the same individuals for wire fraud, notably not pursuant to a securities fraud theory.[3]

The charges against the individuals, should the alleged activity prove to be true, are deserved, and evidently resulted from internal efforts by Coinbase to detect frontrunning of listings. The DOJ’s wire fraud case therefore has a high likelihood of success, again should the allegations prove to be true, because wire fraud can occur regardless of whether the assets at issue are securities. The trouble for the industry comes from the fact that the SEC has made allegations in its civil complaint against nine token projects that are not parties to the action, and in at least some cases, had not previously been subject to a direct investigation by the SEC. Moreover, the SEC’s investment contract allegations are jurisdictional; that is, the SEC must obtain a holding that at least one of the tokens is in fact a security for its insider trading case, based on frontrunning securities listings under US securities laws, to succeed. This creates strong incentives for the SEC to drive the case towards such a finding, and gives little opportunity for the projects at issue—or the industry at large—to effectively refute the SEC’s claims or to contest the SEC’s methods.

Industry problem number one, therefore, is a seeming casting aside of due process considerations with respect to SEC determinations concerning specific tokens or projects. Unarguably, the parties in the best position to defend against the charge that the crypto assets are securities are the projects that launched the crypto assets and the platforms that list them. These entities are not parties to the lawsuit, and at least some were never aware of any investigation by the SEC nor were they solicited for information or legal positions. Moreover, five of the nine projects do not appear to be based in the U.S. and therefore may have little incentive to attempt to intervene or engage with U.S. courts on the matter, since the SEC may not even have jurisdiction over them as entities. Accordingly, the action has placed one platform and nine entities—and by extension, the industry—in a corner, subject to a potentially adverse legal decision without the ability to mount a defense.

The fact that this is an industry problem is illustrated by industry problem number two: the relatively generic nature of the crypto assets that the SEC chose to name in the complaint. Strike out the names of the tokens and their issuers and read only the descriptions of the projects, and the nine tokens sound a lot like representatives of classes or categories of sub-assets within the digital asset ecosystem: payment tokens; native platform tokens; governance tokens, etc. The projects also seemingly represent various sectors of the digital asset industry: payment platforms; decentralized liquidity pools and automated market makers; and projects governed via decentralized autonomous organizations (DAOs). As a result, the complaint portends trouble for the entire digital asset industry, as the SEC uses various factors—some listed in its 2019 FinHub guidance,[4] some not—to support elements of its Howey analysis that are common to many projects across the industry.

As specific examples, the SEC’s Howey analysis for the nine projects reveals the SEC’s views on several common features in DeFi:

Governance Tokens – Three of the crypto assets identified by the Commission may be characterized as governance tokens. While governance tokens are intended to be a vehicle through which projects can achieve true decentralization, the SEC’s complaint suggests that it will not be persuaded by such efforts, regardless of the level of decentralization via the governance token, when a core development team holds governance tokens and can therefore both vote and derive economic benefit from those tokens. As a result, should the SEC prevail, any governance token could be characterized by the SEC as a security where a core development team (either as individuals or as members of unrelated development companies or labs) holds more than a de minimis number of the tokens.

Staking, Liquidity Pool Tokens, Yield Farming – Decentralized platforms often feature native tokens that enable decentralized liquidity pool trading and automated market making, and often permit (or even require) the staking of a certain number of those tokens in order to access the features of the platform. These functions of the native tokens are commonly considered to represent their utility, and they enable decentralization. However, the SEC relies on these activities and features across a number of the identified crypto assets in order to establish the existence of a common enterprise and a reasonable expectation of profits (two elements of the Howey test). As a result, the complaint is tantamount to an SEC assertion that these common features of DeFi protocols irrevocably taint these tokens as securities.

Offshore DAO Structures – The SEC’s complaint summarily and repeatedly describes organizational structures consisting of some combination of a U.S.-based company providing software development services, an offshore foundation company, and an offshore unincorporated DAO, as a single entity. The SEC paints with a broad brush, collapsing corporate structures without consideration of applicable provisions of corporate law, ignoring jurisdictional considerations, and conflating platforms and protocols with for-profit corporations and LLCs, foundation and other non-stock entities, and unincorporated entities. While there are no details about the arrangements between these entities, the complaint signals that the SEC may be skeptical of the separation of offshore structures from a U.S. development team, and will not hesitate to make assumptions and allegations concerning the relationship of corporate entities without examination of underlying corporate structures and relationships.

Secondary Market Trading – While the SEC has long represented that the presence of a secondary market for tokens is a factor to consider in determining whether a reasonable expectation of profits exists, the SEC’s complaint focuses on this factor to an unusual degree. The complaint declares that statements emphasizing the ability of purchasers to resell tokens in secondary markets is “a crucial inducement to investors and essential to the market”[5] for crypto assets, and focuses much of its arguments for the nine crypto assets on this factor. As a result, the SEC announces almost a de facto finding of an investment contract if there is secondary market trading of the asset.

It is also worth noting that the Commission’s Howey analysis in this complaint marks an important shift from prior actions. In prior cases like those involving Kik, Telegram, and Ripple, the entities were the subjects of SEC investigations, had the opportunity to provide evidence in their own defense, and had the ability to submit a written legal justification prior to any action being filed (called a Wells submission) presenting their arguments against the security status of the asset. Here, the nine analyses are formulaic: the Commission identifies statements intended to establish that the token issuers promoted (1) the value of the token, (2) the ability for purchasers to engage in secondary trading of the token, and (3) the expertise of the token issuers, at both the time of the sale of tokens to the public and on an ongoing basis. No evidence from the company is included, and in at least some cases, none was ever solicited, nor were the companies provided the ability to advocate their own positions.

In sum, the outcome of the SEC’s complaint is likely to reverberate beyond the defendants in the case, the nine crypto asset issuers identified in the complaint, and the platforms that list the nine tokens. Many other DeFi protocols and participants in the larger crypto ecosystem engage in similar activities to the projects identified in the complaint. Many have not had engagement with the SEC, or to the extent that they have, they may believe these interactions to not have reached a point where the SEC would make an allegation concerning their asset in court. To the extent the SEC is successful in obtaining a favorable judgment finding these nine crypto assets to be securities, such a finding will likely be used to underpin additional enforcement actions against larger and more established players in the industry.

Civil insider trading cases are often stayed pending the outcome of the criminal proceeding, so there is time for the industry to react. However, criminal wire fraud cases tend to have the effect of focusing individual defendants’ attention, and there is a real risk that the SEC will attempt to leverage that criminal case to secure the defendants’ agreement to the language of a settlement of the SEC’s civil claims that could be ratified by the court and used as a cudgel against the industry.

For more information on how to assess the potential impact of the SEC’s complaint to your entity, platform, asset, or fund, please contact a member of Steptoe’s Blockchain & Cryptocurrency practice.

 

Endnotes

[1] Complaint, SEC v. Wahi, et al., 2:22-cv-01009 (W.D. Wash. Jul. 21, 2022), available at https://www.sec.gov/litigation/complaints/2022/comp-pr2022-127.pdf (hereinafter “SEC Complaint”).

[2] SEC v. W.J. Howey Co., 328 U.S. 293 (1946).

[3] Indictment, U.S. v. Wahi, et al., (S.D.N.Y. Jul. 21, 2022), available at https://www.justice.gov/usao-sdny/press-release/file/1521186/download.

[4] SEC FinHub Staff, Framework for “Investment Contract” Analysis of Digital Assets (Apr. 3, 2019), https://www.sec.gov/corpfin/framework-investment-contract-analysis-digital-assets.

[5] SEC Complaint at 22.

On June 7, 2022, Senator Cynthia Lummis (R-WY) and Senator Kirsten Gillibrand (D-NY) introduced the Responsible Financial Innovation Act (RFIA), which seeks to create a complete regulatory framework for digital assets. This is the second in a series of blogs on this groundbreaking bipartisan legislation.

The RFIA attempts to create a clear standard for determining which digital assets are securities and which are commodities, and draws clear jurisdictional lines between the SEC and CFTC. The SEC would retain jurisdiction over the sale of investment contracts, while the CFTC would gain jurisdiction over the digital asset spot markets. CFTC Chairman Rostin Behnam quickly declared his support of the proposed division of labor, while SEC Chairman Gary Gensler has expressed concerns that the legislation may undermine existing market regulations for stock exchanges, mutual funds, and public companies.[1] The policy debate over which of the two agencies is best situated to regulate the crypto markets will likely grow louder in the wake of this proposal.

With respect to securities laws, the RFIA seeks to solve the long-standing problem of the application of the Howey test to digital assets: how long does the security label attach to a digital asset that was initially sold as an investment contract? Application of the full panoply of securities laws to every transaction in a digital asset can stifle the growth of a network and create headaches for entities seeking to comply with complex rules that don’t always fit the underlying conduct.

This update provides a summary of the securities law provisions and obligations placed upon the SEC in the RFIA.


On June 7, 2022, Senator Cynthia Lummis (R-WY) and Senator Kirsten Gillibrand (D-NY) introduced the Responsible Financial Innovation Act (RFIA). This highly anticipated legislation is the first attempt at developing a comprehensive regulatory framework for cryptocurrency and digital assets.

The RFIA builds off proposals introduced this Congress and includes a number of provisions related to securities and commodities regulation. In addition, the RFIA amends the Internal Revenue Code to address and clarify issues related to the taxation and reporting of cryptocurrency and digital assets. Interestingly, the RFIA adopts one of the substantive provisions relating to digital assets in the Biden Administration’s “General Explanation of the Administration’s Fiscal Year 2023 Revenue Proposals,” known as the “Greenbook,” but not the other provision. Specifically, the RFIA adopts the provision permitting tax-free loans of digital assets, but not the provision permitting mark-to-market tax accounting for digital asset traders and dealers.

While this legislation attempts to address some of the largest outstanding questions related to the regulation and taxation of cryptocurrency and digital assets, it faces an uphill battle to be signed into law before the end of the 117th Congress. Heading into the 2022 mid-term elections, a number of Biden Administration and Democratic priorities are still awaiting action and will likely take priority this summer and fall over legislation like the RFIA. Further, this legislation will likely need to overcome the 60-vote threshold in the Senate to end a filibuster. However, the introduction of the RFIA in the Senate sets a new marker and will likely serve as a starting point in the next Congress for any legislation to regulate and tax cryptocurrency and other digital assets.

This update provides a summary of the tax provisions included in the RFIA.


On March 7, 2022, the Financial Crimes Enforcement Network (FinCEN) of the US Department of the Treasury published guidance (Guidance) for US financial institutions warning about: (1) efforts of foreign actors to evade expanding US economic sanctions and trade restrictions related to the Russian Federation and Belarus and (2) increased risk of malicious cyber-attacks and related ransomware campaigns, following the invasion of and continued military action in Ukraine. The Guidance provides instructive red flags and related advice for all US financial institutions to evaluate, and provides information of particular relevance for Money Services Businesses (MSBs) and other FinCEN-regulated institutions undertaking transactions in what the agency calls “convertible virtual currency” (CVC).

Most notably, FinCEN strongly encourages US financial institutions that have information about CVC flows, including exchangers or administrators of CVC, to: (1) be mindful of efforts to evade expanded US sanctions and export controls related to Russia and Belarus, summarized by Steptoe here; (2) submit Suspicious Activity Reports (SARs) as soon as possible regarding such conduct; (3) undertake appropriate risk-based due diligence of customers, and where required, enhanced due diligence; (4) voluntarily share information with other financial institutions consistent with Section 314(b) of the USA PATRIOT Act; and (5) consider using tools to identify assets that must be blocked or frozen under applicable sanctions.


On November 1, 2021, the President’s Working Group on Financial Markets (PWG), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued a joint report that, among other things, calls on Congress to adopt legislation to enable federal oversight of stablecoin issuers, custodial wallet providers that hold stablecoins, and others (e.g., certain DeFi products, services, and arrangements related to stablecoins).

The report highlights the agencies’ views on risks related to consumer protection, payments and settlements, “runs” due to price fluctuations, illicit finance, and other perceived risks to the US financial system. Specifically, the report calls for legislation that would:

  • Require stablecoin issuers to operate as insured depository institutions subject to federal oversight at both the depository institution and holding company levels;
  • Subject custodial wallet providers holding stablecoins on behalf of users to federal oversight and empower federal supervisors to impose risk-management standards on “any entity that performs activities that are critical to the functioning of [a] stablecoin arrangement”; and
  • Limit the ability of stablecoin issuers and custodial wallet providers that hold stablecoins to affiliate with commercial entities (e.g., non-financial companies with access to consumer data) to discourage the “concentration of economic power” or to use users’ transaction data and empower federal agencies to promote interoperability among stablecoins.

In the meantime, the report states that “federal financial agencies are committed to taking action to address risks falling within each agency’s jurisdiction,” including through existing investor and market protection measures. The report also calls on the Financial Stability Oversight Council to take steps which could include designating certain stablecoin activities as systemically important payment, clearing, and settlement activities, allowing for additional federal oversight.

According to the report, US federal agencies will continue to cooperate with international groups such as the Financial Action Task Force (FATF) to promote global standards for regulation of stablecoins.

Several days earlier, on October 28, 2021, the FATF issued updated guidance on risk-based regulation of virtual assets and virtual asset service providers for anti-money laundering and counter-financing of terrorism purposes. The updated guidance affirms that stablecoins fall within the scope of the FATF recommendations, whether a country treats them as virtual assets or financial assets (e.g., securities) under national regulation.

For more information on how these developments could impact your company, contact a member of Steptoe’s Blockchain & Cryptocurrency practice.

The House Rules Committee recently released the latest version of HR 5376, the Build Back Better Act. This proposal would amend Internal Revenue Code section 1091 (“loss from wash sales of stock or securities”) to apply to a much broader range of assets, including foreign currency, commodities, and digital assets, in addition to stocks and securities. The legislation would also apply the wash sale rule to acquisitions of substantially identical assets by related parties, such as a spouse, dependent, corporation, partnership, trust, or estate which controls, or is controlled by the taxpayer, as well as certain types of accounts (including IRAs, health savings accounts, section 529 accounts, Coverdell education savings accounts, and qualified retirement plan accounts).


On October 15, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued anticipated Sanctions Compliance Guidance for the Virtual Currency Industry and updated two related Frequently Asked Questions (FAQs 559 and 646). OFAC has published industry-specific guidance for only a handful of other industries in the past two decades; the new guidance demonstrates the agency’s increasing focus on the virtual currency (VC) sector. It also clarifies US sanctions compliance practices in ways that could lay a foundation for future OFAC enforcement actions.

OFAC’s guidance was announced as part of broader US government enforcement priorities to combat ransomware, money laundering, and other financial crimes in the virtual currency sector, as noted in the Department of Justice’s recent announcement of a National Cryptocurrency Enforcement Team. The OFAC guidance was published in tandem with a Financial Crimes Enforcement Network (FinCEN) analysis of ransomware trends in suspicious activity reporting, but the guidance is directed at the VC industry in general and is not specific to ransomware. A ransomware actor who demands VC may or may not be a target of OFAC sanctions, and sanctioned actors may engage in a wide variety of VC transactions that do not involve ransomware. The recommended compliance practices in OFAC’s new guidance are focused on the full range of sanctions risks that arise from virtual currencies.

The guidance maintains OFAC’s longstanding recommendation for risk-based compliance programs, and builds on the May 2019 Framework for OFAC Compliance Commitments. The guidance also provides notable examples of compliance controls that are tailored to the unique risk and control environments of the VC sector.


On May 20, 2021, the U.S. Department of the Treasury (“Treasury”) released the American Families Plan Tax Compliance Agenda, a report detailing the Biden administration’s proposed measures to raise $700 billion in additional tax revenue over the next decade through the Internal Revenue Service (“IRS”) and its enforcement-related efforts (the “Report”).  Additional detail about these proposals will likely be available in Treasury’s “General Explanations of the Administration’s Fiscal Year 2022 Revenue Proposals,” the so-called Greenbook, which is expected to be released on May 28.

The Report finds that one of the best ways to increase the overall tax compliance rate is by increasing third-party reporting requirements.  The Report notes that, when income is subject to both third-party information reporting and withholding (such as wages), compliance is around 99%; when the income is subject to substantial information reporting but no withholding, compliance is around 95%; when the income is subject to limited information reporting, compliance is around 83%; but when income is not subject to information reporting (such as proprietorship or rental income), compliance drops to around 45%.[1]

The proposed new reporting regime would require two new filings related to cryptocurrency transactions.  In fact, the Report specifically states that the growth of virtual currency is a significant concern as it “already poses a significant detection problem by facilitating illegal activity broadly including tax evasion.”[2]

The first proposed new filing would build on the existing framework of IRS Form 1099-INT, which requires financial institutions to report interest income paid to U.S. persons in amounts of $10 or more, by expanding the reported data to include “gross inflows and outflows on all business and personal accounts from financial institutions, including bank, loan, and investment accounts . . . .”[3]  The Report further clarifies for purposes of this reporting regime, the term “account” includes those at “cryptoasset exchanges and custodians.”[4]

It is not clear how much this proposed new information reporting requirement will add.  The IRS is already working on regulations to implement an information reporting regime for cryptocurrency exchanges (and potentially other intermediaries) under its already-existing statutory authority to require information reporting by brokers.[5]  The financial account reporting in some ways seems narrower (in terms of the information that must be reported) than broker reporting, and in some ways (in terms of which intermediaries it applies to) potentially broader.

The second proposed new filing would expand the reporting of cash transactions[6] to include cryptocurrency transactions.  As such, businesses that accept cryptocurrencies would be required to report transactions that involve cryptoassets with a fair market value of more than $10,000.  Such a requirement might deter the use of cryptocurrency to make larger consumer purchases.  For example, if consumers use cryptocurrency to make large purchases (e.g., Overstock, Expedia, Christie’s), the transaction would be reported, but if they use a credit card, it wouldn’t.

If you have any questions about these proposals, please contact a member of Steptoe’s Blockchain & Cryptocurrency Group.

[1] The American Families Plan Tax Compliance Agenda, U.S. Dep’t of Treas., at 5 (May 2021), https://home.treasury.gov/system/files/136/The-American-Families-Plan-Tax-Compliance-Agenda.pdf (last visited May 21, 2021).

[2] Id. at 20-21.

[3] Id. at 19.

[4] Id.

[5] See I.R.C. § 6045.

[6] See IRS Form 8300, Report of Cash Payments Over $10,000 Received in a Trade or Business, available at: https://www.irs.gov/pub/irs-pdf/f8300.pdf.

On March 19, 2021, the Financial Action Task Force (FATF), the global anti-money laundering standards-setting body, released draft guidance to clarify and supplement its 2019 guidance on a Risk-Based-Approach (RBA) to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs). While FATF’s guidance is not technically binding on member countries, it is broadly followed by such jurisdictions, in part to avoid inclusion on FATF’s lists of jurisdictions with deficiencies in their anti-money laundering (AML) and countering the financing of terrorism (CFT) regimes. For example, FATF’s recommendation that the so-called “travel rule” be applied to VASPs is being widely implemented by jurisdictions around the globe, although the pace of such implementation varies considerably. Therefore, the draft guidance, which incorporates a number of substantial changes and additions, may have a significant impact on industry going forward.

As described in a FATF press release, there are six main areas of focus for the draft guidance:

  1. “clarify the definitions of VA and VASP to make clear that these definitions are expansive and there should not be a case where a relevant financial asset is not covered by the FATF Standards (either as a VA or as a traditional financial asset);
  2. provide guidance on how the FATF Standards apply to so-called stablecoins;
  3. provide additional guidance on the risks and potential risk mitigants for peer-to-peer transactions;
  4. provide updated guidance on the licensing and registration of VASPs;
  5. provide additional guidance for the public and private sectors on the implementation of the ‘travel rule;’ and
  6. include Principles of Information-Sharing and Co-operation Amongst VASP Supervisors.”

Of particular note are the implications for decentralized exchanges (DEXs) and decentralized applications (DApps), peer-to-peer (P2P) transactions, and implementation of the travel rule.


On February 18, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a $507,375 settlement with BitPay, Inc. (BitPay). This civil settlement resolved apparent violations of multiple sanctions programs related to digital currency transactions, and is the second OFAC enforcement case brought against a business in the blockchain industry. This case follows OFAC’s December 2020 civil enforcement action against another blockchain industry company, BitGo, Inc. (BitGo), for alleged violations of multiple US sanctions programs related to digital currency transactions. See our prior blog post on the BitGo action here.

BitPay, based in Atlanta, Georgia, offers a payment processing solution for merchants to accept digital currency as payment for goods and services. The apparent sanctions violations relate to digital currency transactions on the BitPay platform between individuals located in Cuba, North Korea, Iran, Sudan, Syria, and the Crimea region of Ukraine (annexed by Russia) and merchants in the United States and elsewhere. OFAC acknowledged that BitPay screened its customers, the merchants, against US sanctions lists, but stated that BitPay had reason to know that purchasers dealing with the merchants were located in comprehensively sanctioned jurisdictions because the company had location information, including Internet Protocol (IP) address data, about those persons. This case was not voluntarily disclosed, but OFAC found that the violations were not egregious.

According to OFAC, BitPay allowed persons in comprehensively sanctioned jurisdictions to conduct approximately $129,000 worth of digital currency transactions with BitPay’s merchant customers. As described in OFAC’s enforcement release, between approximately June 10, 2013, and September 16, 2018, BitPay processed 2,102 transactions from individuals with IP addresses located in the sanctioned jurisdictions. The transactions related to BitPay’s payment processing service. BitPay allegedly received digital currency payments on behalf of its merchant customers from those merchants’ buyers, who were located in sanctioned jurisdictions. BitPay then converted the digital currency into fiat, and then relayed that currency to its merchant customers.

BitPay collected certain pieces of information on the buyers, including each buyer’s name, address, email address, and, starting in November 2017, IP address. However, BitPay’s transaction review process did not appropriately analyze this location and identification information, resulting in persons located in the comprehensively sanctioned jurisdictions making purchases from US merchants.

OFAC has previously cited companies for violations based, at least in part, on a failure to implement IP geo-blocking in a number of non-blockchain contexts, including actions targeting Amazon, Toronto-Dominion Bank, and Standard Chartered Bank, and in the BitGo action noted above.

Pursuant to OFAC’s Enforcement Guidelines, OFAC identified two factors that it determined to be aggravating factors:

  • BitPay failed to exercise “due caution or care for its sanctions compliance obligations” by allowing persons in sanctioned jurisdictions to transact with BitPay’s merchants using digital currency for approximately five years, while BitPay allegedly had sufficient location information to screen those customers; and
  • BitPay conveyed $128,582.61 in economic benefit to individuals located in several sanctioned jurisdictions, thereby damaging the integrity of those sanctions programs.

However, OFAC also found a number of mitigating factors:

  • BitPay implemented certain sanctions compliance controls as early as 2013, including due diligence and sanctions screening efforts on its merchant customers, and formalized its sanctions compliance program in 2014;
  • BitPay provided employee training, including to senior management, that merchant sign-ups from Cuba, Iran, Syria, North Korea, and Crimea, as well as trade with sanctioned individuals and entities, were prohibited;
  • BitPay is a small business and had not received a penalty notice or Finding of Violation from OFAC in the previous five years from the date of the earliest apparent violation;
  • BitPay cooperated with OFAC’s investigation into the apparent violations and terminated the conduct that led to the violations; and
  • BitPay implemented a series of measures intended to minimize the risk of a recurrence of the conduct in question. The controls included blocking IP addresses that appear to originate in comprehensively sanctioned jurisdictions, checking physical and email addresses of merchants’ buyers to prevent completion of an invoice if BitPay identifies a sanctioned jurisdiction address or email domain associated with a sanctioned jurisdiction, and launching BitPay ID, a customer identification tool that is mandatory for merchants’ buyers who wish to pay a BitPay invoice of $3,000 or above.

The company could have faced a statutory maximum civil monetary penalty of $619,689,816, but the penalty was reduced to $507,375 in accordance with OFAC’s Enforcement Guidelines.

The enforcement release highlighted the importance of having an appropriate risk-based compliance program and emphasized that companies providing digital asset services should take steps to mitigate sanctions risks associated with such services. The agency’s Framework for OFAC Compliance Commitments lays out factors it looks for when reviewing such programs. With respect to sanctions screening, OFAC noted that this case “emphasizes the importance of screening all available information, including IP addresses and other location data of customers and counterparties, to mitigate sanctions risks in connection with digital currency services.” Taken together, OFAC’s recent actions against BitGo and BitPay suggest the agency is placing increased focus on the blockchain industry and that companies that have not adopted and implemented a robust OFAC compliance program may be at risk in future enforcement actions.