February 28, 2021
By: Alejandro Leáñez, ACSS
With hundreds of billions of dollars in transactions over recent years, virtual currencies are becoming a major player in the global economy. Some cryptocurrencies, like Bitcoin, can even fetch a price of over $48,000 per coin. Not surprisingly, their importance and rapid evolution are increasingly catching the eye of regulators, with a focus on rogue actors and strong compliance programs.
In addition, sanctioned actors are increasingly using cryptocurrencies to channel and hide the source of their financial transactions. In fact, the UN Security Council determined that North Korea may have obtained over $500 million in cryptocurrencies through exchange hacks and various other methods. Also, the government of Venezuela, in an attempt to circumvent US sanctions, created its own national cryptocurrency, the ‘Petro’, which was later subject to US sanctions.
At the February 2021 Financial Sector Innovation Policy Roundtable, a public-private forum focused on the technology solutions to protect the integrity of the US financial system, Secretary Yellen said: “The misuse of cryptocurrencies and virtual assets is a growing problem, too. I see the promise of these new technologies, but I also see the reality: cryptocurrencies have been used to launder the profits of online drug traffickers; they’ve been a tool to finance terrorism.”
Compliance officers need to adapt to these trends and be alert to the likelihood of increased exposure to rogue actors in the cryptocurrency market.
Tracking Cryptocurrency Transactions
Generally, a cryptocurrency transaction adds a record of the transaction to the blockchain database. While the physical address, name, and other common identifying information are not saved in the transaction, other transaction details are publicly stored on the blockchain and can be reviewed by anyone.
Government agencies like the US Department of the Treasury's Office of Foreign Assets Control (OFAC) began targeting the cryptocurrency world in November 2018 by listing digital currency addresses linked with the Specially Designated Nationals and Blocked Persons List (SDN list). For the first time, OFAC used its cyber-related sanctions authorities and targeted digital currency addresses that were channeling prohibited transactions in financial institutions.
However, rogue actors also make use of privacy coins or other external privacy mechanisms in order to hide their illicit transactions. Compared to the public ledgers used by Bitcoin and Ethereum, privacy coins are designed to provide users with another level of anonymity that makes tracking the source of funds and performing due diligence even more difficult.
OFAC Best Practices for Cryptocurrency Compliance
As the world of cryptocurrency continues to make life more challenging for compliance teams, OFAC has published a few FAQs on the blocking of digital assets. OFAC now makes clear that, whether the transaction in question involves regular currency or digital assets, the compliance obligations are the same.
As such, each compliance department must take into consideration that:
- A simple check on whether they have made any direct transactions with cryptocurrency addresses on the sanctions lists is not enough. The funds should be traced across the blockchain to guarantee that there is no interaction of any kind with these addresses.
- Any searches done by the compliance team must look beyond the specific addresses on the sanctions lists. There could be other addresses and transactions within the same wallets controlled by the same parties.
- The compliance team should also look for any direct or indirect transactions with parties located in sanctioned jurisdictions, even where the specific cryptocurrency addresses of those parties are not subject to sanctions.
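The first two points above can be illustrated with a short screening sketch. This is an added example, not code from OFAC or from the original article. The transaction data and address labels are constructed, and the co-spent-input clustering rule is an assumed heuristic for "same wallet", not something the article specifies.

```python
from collections import defaultdict, deque

# Constructed sample data, made-up address labels: `ins` are spent from, `outs` are paid to.
TXS = [
    {"ins": ["cust1"], "outs": ["mixA"]},
    {"ins": ["mixA"], "outs": ["walletX2"]},
    {"ins": ["listed1", "walletX2"], "outs": ["cashout"]},  # co-spent inputs
    {"ins": ["cust2"], "outs": ["shop"]},
]
LISTED = {"listed1"}  # stand-in for addresses published on a sanctions list


def cluster_with_listed(txs, listed):
    """Expand the listed set with addresses co-spent with it (assumed heuristic:
    all inputs of one transaction are controlled by the same party)."""
    parent = {}
    def find(a):  # union-find root lookup with path compression
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for tx in txs:
        for addr in tx["ins"][1:]:
            parent[find(addr)] = find(tx["ins"][0])
    roots = {find(a) for a in listed}
    return set(listed) | {a for a in list(parent) if find(a) in roots}


def trace_exposure(txs, start, tainted, max_hops=3):
    """Breadth-first search over fund flows in either direction; returns the
    shortest address path from `start` to a tainted address, or None."""
    graph = defaultdict(set)
    for tx in txs:
        for src in tx["ins"]:
            for dst in tx["outs"]:
                graph[src].add(dst)
                graph[dst].add(src)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in tainted:
            return path
        if len(path) - 1 < max_hops:  # only expand while inside the hop budget
            for nxt in sorted(graph[path[-1]] - seen):
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

Here `cust1` never transacts directly with `listed1`, and a three-hop trace against the published list alone finds nothing; tracing against the clustered set surfaces the exposure at two hops through `walletX2`.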
Steps to Incorporate Crypto-Risk into your Compliance Program
Compliance teams may want to consider the following steps to help make their cryptocurrency compliance program successful:
- Screening Tech: Transaction tools that enable effective risk-based monitoring alongside accurate data that can discover connections to sanctioned actors. For instance, such tools can detect two additional Bitcoin addresses in the same wallet as the OFAC-listed addresses that OFAC did not plainly mention in its sanctions designation.
- Risky Jurisdictions: Identify potential exposure to entities located in or near jurisdictions subject to sanctions. For example, because dealings between Iranian financial institutions and US financial institutions are generally prohibited by US sanctions, a cryptocurrency business needs to look for Iran-based SDNs and for possible connections with cryptocurrency exchanges and other services in Iran not listed by OFAC.
- Proper Training: The compliance team should know the red flags and suspicious indicators that could lead to sanctions risks. Usually, numerous red flags should alert the compliance team to possible sanctions, which will require a closer look.
- Clear Compliance Methodology: Have a clear investigative strategy. When risks are identified, the compliance team should be able to investigate sanctions violations and report such violations to the competent authorities. An investigative strategy should include trained staff, procedures and recordkeeping policies, network analysis, case management tools, internal escalation processes, and the documentation of investigation findings.
- Risk Framework: The company should also have a risk management framework that can quickly identify the overall risk exposure level, with clear processes and procedures for risk mitigation. The framework should be able to determine the potential sanctions risk exposure and make effective use of sanctions screening tools, staff training programs, and policies and procedures that clearly establish staff responsibilities and prohibited activities.
Recent Enforcement of Crypto-Compliance – BitPay & Final Considerations on Cryptocurrencies
OFAC is sending a clear message to the cryptocurrency space: it must be prepared to comply with the sanctions regime like other industries. Moreover, OFAC will aggressively pursue Iran and other rogue regimes that use cryptocurrency in order to circumvent sanctions.
Companies may also be subject to increased prosecution by OFAC if they assist such rogue regimes. On February 18, 2021, BitPay, Inc., an Atlanta-based payment processing company that accepted cryptocurrencies as payment for goods and services for merchants, entered into a $507,375 settlement with OFAC for 2,102 apparent violations of multiple sanctions programs. BitPay allowed persons located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria to transact with merchants in the US and elsewhere using digital currency on BitPay’s platform.
OFAC considered that among the aggravating factors was the five-year failure of BitPay’s compliance program, during which, despite having enough customer information, it allowed persons in sanctioned jurisdictions to engage in digital currency transactions with BitPay’s merchants. Moreover, BitPay received a total of $128,582.61 in benefits from the transactions.
BitPay only screened the merchants against OFAC’s SDN and conducted due diligence on them to ensure they were not located in sanctioned jurisdictions. BitPay did not screen the location data from its customers’ customers, in this case the merchants’ buyers.
This was the second OFAC case in six weeks against a cryptocurrency company. In December 2020, OFAC released a settlement with California-based BitGo, Inc., also for apparent violations related to digital currency transactions. Companies involved in providing digital currency services should be aware of the sanctions risks and should have tailored, risk-based sanctions compliance programs to prevent this type of non-compliance action by OFAC.
Outside the US, cryptocurrency companies should also take into account that they could be subject to secondary OFAC sanctions for facilitating business with US entities, and penalties for US sanctions violations.