On October 15, 2021, the U.S. Department of the Treasury's Office of Foreign Assets Control (“OFAC”) published a “Sanctions Compliance Guidance for the Virtual Currency Industry” to explicitly address sanctions-related risks in the virtual currency industry. This booklet sets out on the one side the basics of OFAC regulations, such as OFAC requirements and procedures, on the other side specific best practices for the virtual currency industry.
OFAC, among a range of regulators and standard-setting organizations, is paying more attention to the virtual currency industry as it’s gaining prominence in the global financial sector. Starting from 2018, OFAC has included certain virtual currency addresses as identifying information for persons listed on the SDN List. In September 2021, OFAC designated a virtual currency exchange for facilitating financial transactions for ransomware actors. This was the first time that OFAC puts a virtual currency exchange on the SDN List. It demonstrates OFAC’s dissertation of combating cybersecurity threats such as ransomware attacks.
Against this background, we recommend participants in the virtual currency industry quickly respond to the new guidance. Non-compliance to OFAC regulations could cause severe civil and criminal penalties depending on the violation. Also, OFAC points out that it “may consider as mitigating factors a virtual currency company’s implementation of a risk-based OFAC compliance program and remedial measures taken in response to an apparent violation.”
As the first step, management in the virtual currency industry should develop a Sanctions Compliance Program (“SCP”) in accordance with the framework published by OFAC in May 2019. This framework sets the cornerstone of an SCP in five dimensions – management commitment, risk assessment, internal controls, testing and auditing, as well as training. Secondly, the virtual currency companies may consider introducing industry-specific best practices recommended in the new guidance. This includes:
- Incorporation of geolocation tools and IP address blocking controls.
- Deployment of transaction monitoring and investigation software (such as blockchain analytics tools) to identify transactions associated with SDNs and especially those associated with virtual currency addresses included in the SDN List.
- A historic lookback of transactions and customer information after OFAC designates a virtual currency address on the SDN List to identify potential connections to the listed address.
- Ongoing and risk-based sanctions screening with appropriate fuzzy logic capabilities to reveal potential nexus to SDNs based on all available information including IP addresses.
Sanctions programs comprise a dynamic regulatory environment, which requires specific expertise and continuous monitoring. It might be helpful for virtual currency companies to look for expert support when designing and assessing their SCPs.