Click to open contact form.
Your Global Partners in the Business of Innovation

OFAC Guidance: Best Compliance Practices for Virtual Currency Industry

Publications / November 04, 2021

Written by Oded Kadosh, Guy Milhalter, and Austin Ochoa

Introduction

On October 15, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published an industry-specific brochure, “Sanctions Compliance Guidance for the Virtual Currency Industry,” to help members of the virtual currency industry navigate and comply with OFAC sanctions. Generally, OFAC administers and enforces economic sanctions programs against designated foreign governments, individuals, and entities.[1]

As outlined in OFAC’s guidance, members of the virtual currency industry that facilitate or engage in online commerce, or process transactions using digital currency, are responsible for ensuring they do not engage in transactions that involve sanctioned persons.[2]

This means that once an entity determines it holds virtual currency required to be blocked, such as by facilitating a sanctioned person’s digital wallet, that entity must block access to the currency and ensure it complies with OFAC regulations related to the holding and reporting of blocked assets and implement controls that align with a risk-based approach.[3]

Virtual Currency Guidance

OFAC’s guidance emphasizes the importance of implementing a tailored, risk-based approach to sanctions compliance and is directed to members of the virtual currency industry, including “technology companies, exchangers, miners, and wallet providers.”[4] This article will assist members of the virtual currency industry in:

  • Evaluating sanctions-related risks in their lines of business;
  • Building a risk-based sanction compliance program;
  • Protecting businesses from sanctions violations and misuse of virtual currencies by malicious actors; and
  • Understanding OFAC’s recordkeeping, reporting, licensing, and enforcement process.[5]

Digital Currency vs. Virtual Currency

The terms “Digital Currency” and “Virtual Currency” have the following meaning for the purposes of OFAC sanctions:

  • Digital Currency: A sovereign cryptocurrency, virtual currency and a digital representation of fiat currency (e.g., U.S. dollars). Importantly, OFAC’s definition of Digital Currency covers all forms of Virtual Currency.
  • Virtual Currency: A digital representation of value that functions as: (i) a medium of exchange; (ii) a unit of account; and/or (iii) a store of value; and is neither issued nor guaranteed by any jurisdiction.[6] In addition, OFAC sanctions equally apply to transactions involving digital tokens, which include non-fungible tokens (“NFTs”).

Who Must Comply with OFAC Sanctions?

Generally, all U.S. persons must comply with OFAC regulations, including: (i) all U.S. citizens and lawful permanent residents, wherever located; (ii) all persons and entities within the U.S.; and (iii) all entities organized in the U.S. and their foreign branches.[7] Thus, members of the U.S. virtual currency industry should be aware of OFAC sanctions requirements.

Strict Liability for Sanctions Violations

OFAC may impose civil penalties for sanctions violations “based on a strict liability legal standard.”[8] Meaning, an entity may be held liable for sanctions violations even without having knowledge or reason to know it was engaging in such a violation.

OFAC does not require companies to maintain a compliance program. However, OFAC will consider a company’s implementation of a risk-based compliance program and remedial measures taken in response to an apparent violation when determining its enforcement response.[9] This is important given OFAC’s strict liability standard.

Sanctions Compliance Obligations

OFAC sanctions compliance obligations are the same for all industries and apply equally to transactions involving digital and fiat currency.[10]

Members of the virtual currency industry that facilitate or engage in online commerce, or process transactions using digital currency, are responsible for ensuring that they do not engage in transactions that involve sanctioned persons.[11] Currently, over 9,000 designated persons are targeted by OFAC sanctions.[12]

Generally, prohibited transactions include those that “evade or avoid, cause a violation of, or attempt to violate” OFAC restrictions.[13] Further, entities that “provide financial, material, or technological support for or to a sanctioned person” may be sanctioned by OFAC.[14]

How Do You “Block” Virtual Currency?

Entities must block property and interests in property from sanctioned persons or any entity owned, directly or indirectly, by a sanctioned person and ensure that “they do not engage in prohibited transactions with such persons.”[15]

This means that once an entity determines it holds virtual currency required to be blocked, such as by facilitating a sanctioned person’s digital wallet, that entity must block access to the currency and ensure it complies with OFAC regulations related to the holding and reporting of blocked assets and implement controls that align with a risk-based approach.[16]

OFAC maintains an online search tool called the “Sanctions List Search” to make it easier to screen and use OFAC’s sanctions lists for compliance purposes.

In addition, while entities are not obligated to convert blocked virtual currency into traditional fiat currency or hold such blocked property in an interest-bearing account, blocked virtual currency “must be reported to OFAC within 10 business days,” and thereafter on an annual basis, so long as “the virtual currency remains blocked.”[17]

OFAC’s Recommended Best Practices

The growing prominence of virtual currency as a payment method brings greater exposure to OFAC sanctions risks.

On September 21, 2021, in a first-of-its-kind action, OFAC imposed sanctions on SUEX OTC, S.R.O., a Russian virtual currency exchange, for allegedly facilitating transactions that involved illicit proceeds from at least eight different ransomware cyber-attacks.[18]

OFAC’s guidance summarizes its sanctions requirements and offers examples of recommended best practices to help members of the virtual currency industry establish adequate compliance programs and avoid sanctions violations and potential enforcement actions. Specifically, OFAC encourages a risk-based approach to sanctions compliance for the virtual currency industry.[19]

An adequate compliance program will depend on a variety of unique risk factors, including “the type of business involved, its size and sophistication, products and services offered, customers and counterparties, and geographic locations served.”[20]

As described in OFAC’s guidance, each program should be predicated on and incorporate the following components of compliance: (i) management commitment; (ii) risk assessment; (iii) internal controls; (iv) testing and auditing; and (v) training.[21]

Management Commitment

Management of entities in the virtual currency industry can demonstrate commitment to sanctions compliance by: (i) reviewing and endorsing sanctions compliance policies and procedures early in the development process; (ii) ensuring adequate resources support compliance; (iii) delegating sufficient authority to the compliance unit; and (iv) appointing a dedicated sanctions compliance officer with the requisite technical expertise.[22]

Risk Assessment

Generally, in the virtual currency industry, sanctions risks are technological vulnerabilities that, if mishandled, can lead to violations of OFAC’s regulations and subsequent enforcement actions. OFAC encourages companies developing a compliance program to “conduct a routine and ongoing risk assessment to identify potential sanctions issues it is likely to encounter prior to providing services or products to customers.”[23]

A virtual currency company’s risk assessment process should reflect its “potential customer or client base, products, services, supply chain, counterparties, transactions, and geographic locations,” and may also include “evaluating whether counterparties and partners have adequate compliance procedures.”[24]

Internal Controls

An effective compliance program will include controls to “identify, report, and maintain records for transactions prohibited by OFAC sanctions.”[25]

Adequately implemented internal controls should enable a company to conduct sufficient due diligence on customers, business partners, and transactions using industry-specific: (i) Geolocation Tools; (ii) Know Your Customer (“KYC”) Procedures; (iii) Sanctions Screening; (iv) Investigation; and (v) Transaction Monitoring Software to identify “red flags.”[26] Red flags are indications that compliance breakdowns may be occurring.

Internal controls should be enforced, and weaknesses identified, through root cause analysis of compliance breaches, and remediated to prevent activity that might violate sanctions. OFAC has encouraged the use of in-house or third-party software as tools for an effective compliance program.[27]

Testing and Auditing

The best way to ensure a compliance program is working is to test the effectiveness of the program. Recommended best practices for testing compliance programs include: (i) sanctions list screening to ensure screening is appropriately flagging transactions for further review; (ii) keyword screening to ensure screening tools are flagging geographic keywords in connection with transaction screening; and (iii) IP blocking to ensure IP address software is preventing users from sanctioned jurisdictions from accessing products and services.[28]

Training

OFAC training should be provided to all employees, including “compliance, management, and customer service personnel,” and should be conducted on a periodic basis, and, at a minimum, annually.[29] Specifically, OFAC training for the virtual currency industry should account for updates to sanctions programs and emerging technologies.

OFAC Updates

OFAC issues frequent Sanctions List Updates and Enforcement Action Settlements. Entities who engage in financial transactions with non-U.S. persons may find it useful to sign up for OFAC Recent Action Notifications to receive updates to existing guidance.

 

Oded Kadosh Guy Milhalter Austin Ochoa
okadosh@pearlcohen.com gmilhalter@pearlcohen.com aochoa@pearlcohen.com

 

[1] OFAC, Frequently Asked Questions, Topic 1.

[2] OFAC, Frequently Asked Questions, Topic 560.

[3] OFAC, Frequently Asked Questions, Topic 646.

[4] OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry (October 15, 2021), at 1.

[5] Id.

[6] OFAC, Frequently Asked Questions, Topic 559.

[7] OFAC, Frequently Asked Questions, Topic 11.

[8] OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry (October 15, 2021), at 6.

[9] Id. at 16.

[10] OFAC, Frequently Asked Questions, Topic 560.

[11] Id.

[12] OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry (October 15, 2021), at 4.

[13] OFAC, Frequently Asked Questions, Topic 560.

[14] Id.

[15] Id.

[16] OFAC, Frequently Asked Questions, Topic 646.

[17] Id.

[18] U.S. Department of the Treasury, Press Release: Treasury Takes Robust Actions to Counter Ransomware.

[19] OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry (October 15, 2021), at 1.

[20] Id. at 10.

[21] Id.

[22] Id. at 11.

[23] Id. at 12.

[24] Id.

[25] Id. at 13.

[26] Id. at 13-17.

[27] Id.

[28] Id. at 18.

[29] Id. at 19.

MEDIA HIGHLIGHTS