Recently, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued its “Sanctions Compliance Guidance for Virtual Currency” (the “Guidance”). The purpose of this Guidance is to promote understanding of, and compliance with, sanctions requirements and due diligence processes by actors in the virtual currency industry, including technology companies, exchangers, administrators, miners, wallet providers, as well as traditional financial institutions.
The Guidance confirms that “sanctions compliance obligations apply equally to transactions involving virtual currencies and those involving traditional fiat currencies.” For OFAC, virtual currency is “a digital representation of value that functions as (i) a medium of exchange; (ii) a unit of account; and/or (iii) a store of value” and is not issued or guaranteed by any jurisdiction. Those engaging in any of these transactions are now responsible for ensuring that they do not, directly or indirectly, deal with individuals or entities sanctioned by OFAC or otherwise violate OFAC Sanctions. The Guidance points out that failure to comply with OFAC Sanctions may lead to substantial civil and/or criminal penalties depending on the nature of the violation. Notably, individuals or organizations may be held civilly liable for violations of OFAC Sanctions even without knowledge of the noncompliance or violation. The Guidance also discusses companies’ reporting and recordkeeping obligations upon identifying transactions that potentially violate OFAC Sanctions.
OFAC’s Guidance recommends that companies in the virtual currency industry develop and implement a risk-based sanctions compliance program (“SCP”) with the following components: (i) Management Commitment, (ii) Risk Assessment, (iii) Internal Controls, (iv) Testing/Auditing, and (v) Training. OFAC further recommends that companies monitor and evaluate their SCPs and update them on a regular basis to ensure effectiveness. Failure to do so can make an SCP vulnerable and, as a result, subject a company to liability.
DRT Commentary
The Guidance follows a number of enforcement actions showing that OFAC is determined to investigate and penalize violations of sanctions in the virtual currency industry.
For example, in March of 2020, OFAC sanctioned two Chinese nationals for receiving millions of dollars in virtual currency stolen during cyber intrusions against two virtual currency exchanges. In that same year, OFAC entered into a settlement agreement with a U.S. virtual currency payment service provider for processing virtual currency transactions between the company’s customers and persons located in sanctioned jurisdictions. While the company’s compliance program included screening its direct customers, the company failed to screen available information about the individuals who used its payment processing platform to buy products from the company’s direct customers.
Notably, OFAC released this Guidance shortly after it had added a Russian virtual currency exchange (SUEX OTC, S.R.O) to the List of Specially Designated Nationals and Blocked Persons (SDN List) for facilitating financial transactions with ransomware actors. This marked OFAC’s first-ever designation of a virtual currency exchange on the SDN Listand coincided with the U.S. government’s efforts to counter ransomware attacks, which have increased in scale, sophistication, and frequency during the Covid-19 pandemic. As many ransomware attacks involve payment in virtual currency, the Guidance demonstrates the U.S. government’s heightened enforcement posture in these areas.
Given OFAC’s increased focus on the virtual currency industry, organizations in this industry should update their risk profile to determine where vulnerabilities exist. They should also enhance their OFAC Sanctions compliance programs, including through the addition of customer and third-party due diligence procedures. An ineffective compliance program could subject companies to civil or criminal liability.
Organizations in this industry should also be mindful that there are legal nuances in complying with OFAC Sanctions involving the virtual currency. For example, as noted in OFAC’s Guidance, there is a difference between virtual currency and digital currency; and what might fall within the definition of digital currency does not necessarily fall within that of virtual currency. As well, reporting and recordkeeping requirements under the Guidance may at first glance appear to be convoluted. Nevertheless, it is critically important for organizations to fully understand such requirements and procedures and seek professional legal advice to ensure compliance with applicable laws and regulations.
DRT has extensive experience in counseling individuals and organizations, including companies from the virtual currency industry, in their efforts to secure compliance with OFAC Sanctions. This work has included transaction screening, OFAC compliance assessments, design, and implementation of SCPs, or requesting OFAC’s interpretive guidance or specific licenses if needed. We look forward to working with you to navigate this novel, complex virtual currency legal regime.
* By Michael Diaz, Jr, Marta Colomar Garcia, Gary E. Davidson, Javier Coronado Diaz, Zhen Pan.
** This newsletter is not intended to serve as legal advice. No legal opinions are intended, nor should any be inferred. You are welcome to contact us to discuss legal solutions tailored to your needs and the specific circumstances of your situation.
Info: Michael Diaz, Jr., Javier Coronado
Tel: +1 (305) 375-9220
mdiaz@diazreus.com, jcoronado@diazreus.com