Recent enforcement notices and public disclosures have underscored the need for U.S. blockchain and cybercurrency companies to ensure compliance with U.S. economic sanctions implemented by the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC).
- On December 30, 2020, OFAC entered into a settlement agreement with BitGo, Inc. (BitGo), for apparent violations of multiple sanctions programs related to digital currency transactions. BitGo is a Palo Alto, California-based technology company that offers secure and scalable platforms for digital assets as well as secure digital wallet management services. This includes its “hot wallet” service, which is an online wallet through which users can send digital currency via public blockchain. OFAC calculated the base civil monetary penalty amount applicable to these digital currency transactions to be $183,000, although the total value of those transactions was less than $10,000. After applying mitigating factors, OFAC settled for a $93,830 penalty.
- On February 18, 2021, OFAC entered into another settlement agreement for apparent violations of multiple sanctions programs resulting from digital currency transactions, this time with BitPay, Inc. (BitPay). BitPay is an Atlanta-based company that offers payment processing services for U.S.- and foreign-based merchants so they can accept digital currency in exchange for goods and services. OFAC calculated the base civil monetary penalty amount applicable to be $2.3 million, although the total value of those transactions was only $129,000, and after applying mitigating factors, ultimately settled with BitPay for a penalty of $507,375.
- In its preliminary offering circular submitted to the U.S. Securities and Exchange Commission on February 26, 2021, Exodus Movement, Inc. (Exodus), an Omaha, Nebraska-based developer of software to secure, manage, and use cryptoassets, disclosed that OFAC had initiated an investigation in December 2018 of apparent Iran sanctions violations.
Here are the main takeaways for investors and service providers in the blockchain sector.
1. Companies that collect internet protocol (IP) addresses must integrate this information into their due diligence on users.
OFAC found that both BitPay and BitGo had reason to know individuals in sanctioned jurisdictions were being their services because both companies collected users’ IP address information, which allowed the companies to identify users’ locations. BitGo collected users’ IP address data upon account login, and, even though BitGo used this information to ensure secure logins, it did not incorporate this information into its sanctions screening program. Instead, it relied on a user’s attestation about his or her location. BitPay’s transaction review process failed to fully analyze the IP address information collected as well as information available in merchants’ invoices.
BitGo and BitPay remediated by implementing measures that blocked IP addresses originating in sanctioned jurisdictions from signing onto their platforms or accessing their websites and payment instructions, while BitGo also instituted email-related restrictions. In both cases, OFAC took these remedial steps into account in negotiating the settlements. Similarly, Exodus reported that it implemented geoblocking technology to block parties with IP addresses associated with embargoed countries and territories from accessing its software or services.
Companies transacting in digital currency and that collect IP address data on their users should consider implementing similar measures to ensure compliance with OFAC sanctions.
2. OFAC is not distinguishing between fintech companies that send money by wire transfer/ACH and those that send money via blockchain.
BitGo’s platform sends digital currency via public blockchain, demonstrating that OFAC does not confine its enforcement actions to traditional methods of transferring currency.
Because U.S. persons are strictly liable for U.S. economic sanctions violations, and OFAC imposes a constructive knowledge standard, companies transacting business via blockchain should verify the information in structured data and, as a further risk mitigation measure, should verify underlying documents and unstructured data to ensure there is no nexus with a sanctioned jurisdiction.
3. Companies using digital currencies should conduct due diligence on both sides of the transaction, merchant and buyer, to ensure there is no nexus with a sanctioned jurisdiction.
Although BitPay conducted due diligence on the merchants using its platform, including by screening merchants against OFAC’s List of Specially Designated Nationals and Blocked Persons to ensure they were not located in sanctioned jurisdictions, BitPay did not conduct such diligence on persons purchasing goods or services from its merchants.
Exodus reported that the transactions it had identified in its response to OFAC’s administrative subpoena and in its voluntary self-disclosure consisted of free downloads in Iran of its unhosted and noncustodial software wallet for cryptocurrencies and cryptographic assets.
Companies engaging in digital currency-related services should therefore establish screening and due diligence measures appropriate to all potential transactions and not just to transactions related to individuals and entities (and those individuals’ and entities’ property) the company considers to be its “direct” clients.