On October 15, 2021, the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) published sanctions compliance guidance for the virtual currency industry (the “Guidance”), given that “the growing prevalence of virtual currency … brings greater exposure to sanctions risk.” This Guidance follows (1) the recent and first-ever designation of a virtual currency exchange (SUEX OTC, S.R.O) by OFAC (see our recent post on this here), and (2) the launch of the National Cryptocurrency Enforcement Team (“NCET”) to tackle criminal misuses of cryptocurrency (see a description of this new team on our Blockchain blog, available here). This newly issued Guidance seeks to help the virtual currency industry comply with OFAC sanctions by providing an overview of OFAC sanctions requirements and procedures and setting out sanctions compliance best practices. On the same day, OFAC also updated two of its associated Frequently Asked Questions (“FAQs”), as further described below. The Guidance and FAQs are both available here.
The following are some key points from the Guidance:
Overview of OFAC Sanctions Requirements and Procedures
The Guidance first outlines the basics of US sanctions and makes clear that cryptocurrency companies conducting business in the United States are not treated any differently by OFAC than any other US company transacting in traditional currencies, and therefore must comply with OFAC sanctions when operating in US jurisdiction. The Guidance goes on to outline cryptocurrency companies’ obligations with respect to blocking, rejecting, and reporting transactions where sanctioned parties (e.g., Specially Designated Nationals) are involved. The Guidance explains that failure to comply could lead to penalties, while emphasizing that cooperation with OFAC and efforts to build a compliance program are mitigating factors when determining penalties for potential violations.
OFAC also updated two FAQs. FAQ 559 provides definitions of various virtual currency terms (e.g., “digital currency,” “digital currency wallet,” etc.). FAQ 646 provides instructions on how US persons that come into possession of virtual currency should block that currency in compliance with OFAC’s blocking requirements. Specifically, OFAC provides that a virtual currency company may either opt to block each currency wallet or consolidate wallets that contain blocked virtual currency, either of which is consistent with blocking requirements so long as there are controls that allow the virtual currency to eventually be unblocked and returned upon OFAC authorization or when no longer blocked. OFAC also provides that such blocked virtual currency is not required to be converted into traditional fiat currency.
We note this is not the first time the US Government has issued guidance in connection with cryptocurrencies and terrorist financing. We previously outlined OFAC’s guidance on ransomware advisories earlier this year on this blog here and here.
Sanctions Compliance Best Practices for the Virtual Currency Industry
The Guidance provides best practices for the industry, stating that all companies in the virtual currency industry, including technology companies, exchangers, administrators, miners, and wallet providers, as well as more traditional financial institutions that may have exposure to virtual currencies, should have a risk-based sanctions compliance program.
The Guidance offers a five-pronged approach to developing an adequate compliance program, which mirrors the OFAC Framework issued in May of 2019 and includes the following basic components, each of which is described in some detail in the Guidance: (i) Management Commitment, (ii) Risk Assessment, (iii) Internal Controls, (iv) Testing/Auditing, and (v) Training. Key notes for the industry include recommendations that such sanctions compliance programs should include sanctions list screening, keyword screening, IP blocking, transaction monitoring, and any other measures as appropriate depending on the company’s risk profile.
In light of the increasingly critical role virtual currency plays in the market and the consequences for sanctions non-compliance, members of the virtual currency industry should evaluate their sanctions risk and minimize risk by taking steps to develop a compliance program, including implementing the best practices recommended in the Guidance.
For further guidance on how to navigate this complex landscape and build appropriate compliance programs, we encourage you to join Deciphering Data, Baker McKenzie’s global webinar series on data privacy and security, which aims to help companies decode global developments in cybersecurity, data protection, workplace privacy, regulatory updates, litigation and enforcement. More information can be found here.
The authors thank Vivian Tse for assistance with this blog post.