Increased use of virtual currency as a payment method brings greater exposure to sanctions risks, whether in respect of UN and trade sanctions or listed individuals and entities. The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has published an industry-specific brochure, "Sanctions Compliance Guidance for the Virtual Currency Industry," as a resource to help those engaged in crypto-asset transactions comply with OFAC sanctions. Whilst OFAC’s analysis is directed to liability in the US, these considerations will inform good compliance practices under the United Kingdom's autonomous sanctions regime.
OFAC identify crypto exchanges and wallet providers as having a role in preventing sanctioned persons from exploiting virtual currencies to evade sanctions and undermine U.S. foreign policy and national security interests – and a consequential liability if they do not.
The brochure provides an overview of OFAC sanctions requirements and procedures, including licensing and enforcement processes, and highlights sanctions compliance best practices tailored for the crypto-asset sector applying the five essential components of OFAC’s preferred sanctions compliance programme. These comprise:
1. Management Commitment
OFAC regards management’s commitment to a company’s risk-based sanctions compliance program to be the same in the virtual currency industry as it is in any other. In many cases, however OFAC has observed that members of the virtual currency industry implement OFAC sanctions policies and procedures months, or even years, after commencing operations. It recommends that companies should consider sanctions compliance during the testing and review process so that sanctions compliance can be accounted for as technologies are being developed and prior to launching a new product.
2. Risk Assessment
In addition to potential violations of OFAC’s regulations and subsequent enforcement actions, the guidance notes the negative impact on a company’s reputation and business from getting this wrong. A risk assessment exercise should generally include an assessment of “touchpoints” to foreign jurisdictions or persons, which may also include evaluating whether counterparties and partners have adequate compliance procedures.
3. Internal Controls
In the virtual currency industry, the internal controls a company implements will depend on, among other things, the products and services the company offers, where the company operates, the locations of its users, and what sanctions-specific risks the company identifies during its risk assessment process. Internal controls often involve the use of industry-specific tools, such as screening, investigation, and transaction monitoring.
Since 2018, OFAC has included certain known virtual currency addresses as identifying information for persons listed on the SDN List. These virtual currency addresses can be searched using the “ID #” field in OFAC’s Sanctions List Search tool. OFAC recommends as part of CDD/KYC controls the use of:
- Geolocation tools
- Transaction monitoring and investigation software
- Sanctions Screening
OFAC has taken enforcement actions against companies in the virtual currency industry that have engaged in prohibited activity because they failed to prevent users in sanctioned jurisdictions from accessing and using their platforms. This was due, in part, to a failure to use the geolocation information in their possession.
4. Testing and Auditing
Best practices for testing and audit procedures in sanctions compliance programs for the virtual currency industry include:
- Sanctions List Screening Ensure screening of the SDN List and other sanctions lists is functioning effectively and is appropriately flagging transactions for further review;
- Keyword Screening Ensure that screening tools are appropriately flagging geographic keywords in connection with KYC-related screening or other transaction screening;
- IP Blocking Ensure IP address software is properly preventing users from sanctioned jurisdictions from accessing its products and services.
OFAC considers that effective training for the virtual currency industry should account for frequent changes and updates to sanctions programs, as well as new and emerging technologies in the virtual currency space.
This guidance is not merely advisory, but carries a stark warning to crypto-asset business that are not pro-active in managing risk associated with their business. The use of specialist screening applications and geo-location tools to identify all participants in a transaction may place a costly burden on the sector, but the consequences of not doing so, as the cited settlement cases make clear, is not a price worth paying.