Article

OFAC Issues Sanctions Compliance Guidance for the Virtual Currency Industry

On October 15, 2021, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) published a compliance guide for the virtual currency industry and updated the answers to frequently asked questions (FAQs) 559 and 646. OFAC acknowledged that it released the guidance because virtual currencies are playing an increasingly prominent role in the global economy and in payments.

 

What's New?

The publication consolidates guidance that OFAC previously provided in answers to FAQs, enforcement actions, and other statements. Most of the guide is dedicated to the general regulatory framework for sanctions, which applies to all US financial institutions. Accordingly, in this alert, we outline the framework and provide more detail regarding the material specific to virtual currency.

 

General Regulatory Framework for Sanctions

OFAC implements and administers economic sanctions under applicable US laws.

 

US economic sanctions cover all “US persons,” which includes any US citizen, permanent resident alien, entity organized under the laws of the United States, or any person in the United States. In the case of some OFAC sanctions programs, the prohibitions also apply to non-US entities that are owned or controlled by US persons. OFAC also maintains secondary sanctions to deter non-US persons from engaging in a range of activities, even if the activities do not involve any US elements.

 

US economic sanctions generally fall into four categories:

  • Broad trade-based sanctions or embargoes, which prohibit almost all dealings with an entire country or geographic region (e.g., Cuba, Iran, North Korea, Syria, and the Crimea region of Ukraine).
  • Targeted government or regime sanctions.
  • List-based sanctions, which prohibit almost all transactions related to the individuals and entities found on the list of Specially Designated Nationals (SDNs) and Blocked Persons.
    Sectoral sanctions, which target limited, specific transactions with listed entities associated with a foreign country’s economy. 

Generally, OFAC imposes civil penalties for sanctions violations using a “strict liability” legal standard (i.e., without regard for whether a person has knowledge or reason to know of the violation).

OFAC’s virtual currency guidance reinforces its long-held position that all US persons have the same sanctions compliance obligations, regardless of whether they engage in transactions or services that involve traditional fiat currency or virtual/digital currency. This view, however, is problematic for the virtual currency industry because the almost instantaneous transfer does not permit the parties involved to reject (refuse to process) transactions. Most members of the industry only can block the virtual currency following the transfer into its possession.

 

Guidance Specific to the Virtual Currency Industry

Definitions. To fully understand their compliance obligations, members of the virtual currency industry should be aware of how OFAC defines applicable terms in the guidance:

  • The virtual currency industry—technology companies, exchangers, administrators, miners, wallet providers, and users.
  • Virtual currency—digital representation of value that functions as:
    - A medium of exchange.
    - A unit of account.
    - A store of value and is neither issued nor guaranteed by any jurisdiction.
  • Digital currency—sovereign cryptocurrency, virtual currency (non-fiat), and a digital representation of fiat currency.

In its updated answer to FAQ 559, OFAC provides the definitions for the terms digital currency, virtual currency, digital currency wallet, and digital currency address.

 

Blocking virtual currency. OFAC’s guidance and its answer to FAQ 646 explain the key steps in blocking virtual currency:

  • Deny all parties access.
  • Hold and report in accordance with regulation.
    - A company that maintains multiple virtual currency wallets in which a blocked person has an interest may choose to block each virtual currency wallet or to consolidate them into a single wallet (similar to an omnibus account).
    - A company is not obligated to convert the virtual currency to fiat and is not obligated to hold it in an interest-bearing account.
    - A company must report the blocked virtual currency to OFAC within 10 business days, and thereafter on an annual basis, so long as it remains blocked.
  • Implement controls aligned with a risk-based approach. The controls must allow the virtual currency to be unblocked and returned to its owner only pursuant to an OFAC authorization or when the legal prohibition requiring the blocking of the virtual currency ceases to apply.

 

Best practices in developing and implementing a sanctions compliance program. In the guidance, OFAC provides an overview of the five major parts of a sanctions compliance program: management commitment, risk assessment, internal controls, testing and auditing, and training. The best practices specific to virtual currency, detailed below, fall primarily into the area of internal controls.

Know your customer procedures

  • Obtain the physical and email address, location information, and Internet Protocol (IP) addresses associated with transactions and logins from all customers at onboarding.
  • For higher risk customers, consider examining the transaction history for connections to sanctioned jurisdictions or to virtual currency addresses that have been linked to sanctioned actors.

Sanctions screening

  • Screen all persons that use or have access to the virtual currency company’s services, including customers and their counterparties/beneficiaries, as well as transaction information.
  • Use all relevant and available information in your possession, whether derived from the customer or a customer’s counterparty or originally collected for a different purpose than sanctions screening (such as a user’s IP address collected for security purposes).
  • Screen all virtual currency addresses against those addresses that OFAC began in 2018 to include in the listings for certain SDNs.
  • Consider screening all historical transactions for the virtual currency addresses listed for certain SDNs to identify other virtual currency addresses and digital wallets posing a heightened sanctions risk.

Technology tools
Use a geolocation tool to: 

  • Identify and prevent IP addresses that originate in sanctioned jurisdictions from accessing a company’s website and services for activity that is prohibited by OFAC’s regulations, and not authorized or exempt.
  • Identify a user’s attempt to obfuscate its true location with IP misattribution by, for example:
    - Screening IP addresses against known virtual private network (VPN) IP addresses.
    - Identifying improbable logins (such as the same user logging in with an IP address in the US and then shortly after with an IP address in Japan).

Use transaction monitoring and investigation software to:

  • Determine which transactions are associated with sanctioned persons on the SDN or other sanctions list or located in sanctioned jurisdictions, by leveraging virtual currency addresses or other identifying information (e.g., originator, beneficiary, originating and beneficiary exchanges, and underlying transactional data).
  • Continually review historical information for virtual currency addresses or other identifying information to better understand the company’s sanctions risk exposure and to pinpoint compliance program deficiencies.


How Can Guidehouse Help?

Guidehouse can help members of the virtual currency industry and more traditional financial institutions assess their compliance programs to navigate regulatory risks, including developing and implementing updates to operations, policies, procedures, controls, and technology systems.

Our areas of relevant expertise include the following:

  • Sanctions
  • Anti-money laundering (AML)
  • Sanctions and AML program management outsourcing
  • Strategic planning
  • Risk management
  • Vendor sourcing and governance
  • Executive training 

Contact Guidehouse’s experts today for an assessment of your sanctions and AML compliance programs or training on cryptocurrency-related compliance tools, including blockchain tracing and analytics. We are well-equipped to make an individualized assessment of your organization’s unique circumstances and offer innovative advice and solutions for responding to the heightened regulatory requirements applicable to the virtual currency industry.


Let Us Guide You

Guidehouse is a global consultancy providing advisory, digital, and managed services to the commercial and public sectors. Purpose-built to serve the national security, financial services, healthcare, energy, and infrastructure industries, the firm collaborates with leaders to outwit complexity and achieve transformational changes that meaningfully shape the future.

Stay ahead of the curve with news, insights and updates from Guidehouse about issues relevant to your organization and its work.