OFAC's First Enforcement Actions Against Digital Currency Service Providers

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently announced settlements with two virtual currency service providers, Bit Pay, Inc. (Bit Pay) and BitGo, Inc. (BitGo), for alleged sanctions violations. Separately, Coinbase Global Inc., (Coinbase) the largest virtual currency exchange in the U.S., has disclosed that its services may have been used in violation of U.S. sanctions, and that the case remains pending under OFAC’s review. The BitGo and Bit Pay settlements involved failures to use Internet Protocol (IP) location data to detect transactions with persons in sanctions jurisdictions (in addition to other alleged failures in the case of BitGo), and build on previous guidance that OFAC has provided to money transmitters (which includes many virtual currency businesses) about its expectation that they will use such services to aid compliance with sanctions. Together, these settlements and investigation suggest a concerted effort by OFAC to remind virtual currency businesses of their OFAC obligations and to encourage broader implementation of appropriate compliance programs.

The Settlements

BitPay, Inc. Settlement

On February 18, 2021, OFAC announced a $507,375 settlement with BitPay, a cryptocurrency payment service provider that provides participating merchants the ability to have their customers pay with virtual currency through BitPay’s platform and the merchants receive fiat currency. The alleged violations involved 2,102 transactions between June 10, 2013, and September 16, 2018, including violations of jurisdictional sanctions against Crimea, Cuba, North Korea, Iran, Sudan and Syria. Although BitPay screened participating merchants against OFAC sanctions lists and conducted other diligence to ensure that they were not located in sanctioned jurisdictions, it failed to do the same with its merchants’ customers. In particular, it failed to use data available to the company about the IP addresses of customers making purchases through the service to identify persons conducting the transactions from sanctioned jurisdictions. According to OFAC, this failure enabled customers in sanctioned jurisdictions to use virtual currency on BitPay’s platform and pay, collectively, $129,000 to merchants in the United States and other countries.

BitGo, Inc. Settlement

On December 30, 2020, OFAC announced a $98,830 settlement with BitGo, a digital asset and security company that offers a non-custodial, secure digital “hot wallet” service that allows users to send digital currency to other wallets via public blockchain. The alleged violations involved BitGo processing 183 transactions for individuals located in Crimea, Cuba, Iran, Sudan and Syria, totaling $9,127.79.

To open an account, BitGo initially required that new users provide only a name and email address. In 2018, the company required users to verify the country in which they were located, but did not independently confirm the self-reported information. BitGo also failed to use IP address data that suggested that users were accessing their wallets from sanctioned jurisdictions. According to OFAC, these failures allowed individuals in Sanctioned Jurisdictions (excluding North Korea) to open “hot wallet” accounts and use BitGo’s platform to complete transactions using digital currency.

OFAC Factors Considered in Both Settlements

In both settlements, OFAC noted as an aggravating factor that both companies had access to information that users or counterparties of the companies were engaging in prohibited transactions, but failed to use it to comply with OFAC sanctions. This information included that of the participating merchants’ customers, including name, address, email address, phone number, and IP addresses. These settlements build on previous guidance from 2004 that OFAC provided to money transmitters, a type of financial institution that includes many virtual currency exchangers and wallet providers, to screen against IP addresses and to take other measures to identify their customers.

Several mitigating factors reduced the civil monetary penalties for both companies from the base penalty that would otherwise apply. In both cases, OFAC cited the small size of the companies, the fact that neither company had received a penalty notice or Finding of Violation from OFAC in the previous five years, and the companies’ cooperation with OFAC’s investigation as reasons for the reduced penalties.

Further, OFAC noted as an additional mitigating factor that both companies have since committed to remedial measures. According to the settlement, BitPay now blocks IP addresses for Cuba, Iran, North Korea, and Syria from connecting to its website and verifies physical and email addresses of its merchants’ customers. BitPay also requires that the merchants’ customers use an identification tool for transactions of $3,000 or more, where the merchants’ customers must provide their email address, proof of identification, and an individual photo.

BitGo implemented a new company “OFAC Policy” that provides for a compliance officer for U.S. sanctions laws, blocking IP addresses of sanctioned jurisdictions, and implementing recordkeeping procedures. The company also retroactively screened all users, and now screens all accounts against OFAC’s Specially Designated Nationals and Blocked Persons List.

Key Takeaways

• Similar Enforcement Ahead. We anticipate that these cases are the start of a trend in which OFAC will increasingly investigate compliance by non-traditional financial service providers with sanctions, including digital assets companies, and hold them to the same standards as traditional financial institutions. Just as it did with the traditional financial institutions, we expect that OFAC is using the comparatively low penalties in these settlements to encourage companies to evaluate their sanctions compliance programs and as a warning to industry to improve compliance. We expect future enforcement actions against digital assets companies that fail to heed the warnings OFAC has articulated in these settlements, and that these are likely to involve substantially larger numbers.
• Now Is the Time to Enhance or Build Your OFAC Sanctions Compliance Program. Administrators, exchangers, and other providers of digital asset services in the U.S., or those providing services with any touchpoint to U.S., should develop or update their OFAC sanctions compliance program to ensure that it is commensurate with their risk profile. These programs should be built on the five pillars set forth in OFAC’s Framework for Compliance, published in May 2019: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training, tailored to the business and unique risks presented by each individual company.
• Use of IP Data for OFAC Compliance Expected. Companies should incorporate customer information in their OFAC sanctions screening. In addition to expecting companies to use IP address data where this is available, OFAC’s reference to BitGo’s previous provision of services based only on a name and email address, or unverified physical address information, suggests that OFAC may expect companies to obtain such information for sanctions compliance purposes, at least with respect to customers, even where digital assets otherwise may not be required to obtain it (as is the case with certain low-dollar transactions by money transmitters under anti-money laundering rules).