The Treasury Department’s Office of Foreign Assets Control (“OFAC”) Sanctions Compliance Guidance for the Virtual Currency Industry (“Guidance”) alerts companies operating in that sector of the unique and growing risks that they face vis-à-vis both countries and persons targeted by US economic sanctions laws.
In the Guidance, OFAC recognizes that while virtual currencies play a growing role in legitimate transactions across the global economy, these currencies also play a prominent role in furthering illicit activity, such as through their use in the increasing frequency of ransomware attacks and transactions designed to evade sanctions laws. The Guidance is particularly useful to companies operating in this sector, as it signals OFAC’s expectations that virtual currency companies take these risks seriously by devoting appropriate resources to mitigate these risks. The Guidance’s discussion of specific compliance measures for this sector is also relevant and worthwhile reading for the broader corporate community, as it is far more detailed than any previously-issued OFAC guidance on economic sanctions compliance measures.
As the office charged with implementing and enforcing US economic sanctions laws (which includes laws targeting countries and governments, such as Iran, Venezuela and North Korea, as well as persons involved in illicit activity, such as terrorism, cybercrimes and narco-trafficking), OFAC has increased its efforts to issue advisories and guidance to particular industries or sectors at risk of engaging with sanctions targets. The virtual currency industry, which it defines to include “technology companies, exchangers, administrators, miners, wallet providers, and users” is one such sector of concern.
OFAC’s Guidance has three main features. First, it provides a comprehensive primer on how transactions in the virtual currency sector are held to the same standard as transactions involving traditional fiat currencies. Second, it alerts the sector to risks unique to virtual currency transactions. Third, it provides detailed guidance on compliance measures for mitigating these risks.
Transactions in Virtual and Fiat Currency are Subject to the Same Rules
Perhaps recognizing that participants in the digital or virtual currency sector consider virtual currency to be a different and alternative means to generate value and conduct business than fiat currency, OFAC painstakingly sets out the ways that virtual and fiat transactions are subject to the same rules, including the prohibition against facilitating transactions with sanctions targets and the requirement to “block” virtual currency in which a sanctioned target has a property interest, down to the mundane topic of recordkeeping responsibilities. OFAC also emphasizes that the virtual currency industry will be held to the same standards as more traditional financial institutions in any enforcement action.
Particular Risks Associated with Virtual Currency Transactions
The Guidance highlights the increasing use of virtual currency in illicit activity, with a particular focus on ransomware attacks. Echoing its previously issued and recently updated advisory on risks associated with ransomware payments (See O’Melveny’s October 9, 2020 client alert), and FinCEN’s October 15, 2021 Ransomware Report (See O’Melveny’s October 19, 2021 client alert), the Guidance highlights OFAC’s recent designation of the Russian digital currency exchange Suex OTC for facilitating transactions with ransomware actors.
OFAC’s discussion of compliance strategies is of most practical use. This discussion is relevant and worthwhile reading not only for companies in the virtual currency sector, but also for the broader corporate community, as it is far more detailed than any previously-issued OFAC guidance on economic sanctions compliance measures.
Moving beyond its general advice of adopting a “risk-based” approach to compliance, OFAC offers detailed guidance on the following:
- the essential features of an effective sanctions screening program, such as the use of “fuzzy” logic;
- the expectation that a strong compliance program will use geolocation and IP address blocking controls;
- know-your-customer procedures that will involve the review of all information gathered in the ordinary course of business;
- the expectation that higher risk transactions will be subject to heightened due diligence;
- the value of transaction monitoring software; and
- examples of red flag indicators.
All of these features are worthy reading by sanctions compliance officers in all sectors that have economic sanctions risk.