Treasury Agencies Issue Virtual Currency Sanctions Compliance Guidance and Ransomware Trends Statistics

On October 15, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued its first-ever sanctions compliance guidance (the “OFAC Guidance” or “Guidance”) for the virtual currency industry. The Guidance represents a focused effort by OFAC to highlight sanctions risks present in the virtual currency industry, which has experienced tremendous growth in the past few years, and to suggest methods for ensuring compliance. The Guidance is a helpful compilation and distillation of OFAC’s guidance and resources relevant to virtual currency, as well as virtual currency-related enforcement actions and frequently asked questions, all designed to serve as a primer for those operating in the virtual currency sector who may be unfamiliar with OFAC and U.S. sanctions. OFAC suggests that many virtual currency businesses are launching products and services without making adequate provision for sanctions compliance, and the Guidance seems aimed at addressing this. The Guidance is the latest in a series of OFAC actions focused on the virtual currency sector, including a series of enforcement actions against virtual currency companies, updated guidance on ransomware attacks and designation of a virtual currency exchange. Industry participants should be aware of this history and the new guidance, and prepare for enhanced scrutiny and enforcement.

Also on October 15, the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued an analysis of suspected ransomware attacks (“Ransomware Analysis”) based on Bank Secrecy Act (“BSA”) reports filed from January 1, 2021 through June 30, 2021. 

OFAC’s Guidance and FinCEN’s Ransomware Analysis are part of the Biden administration’s recent efforts to address the sanctions and financial crimes risks associated with virtual currency, and to combat the serious and increasing threat posed by ransomware. In a release announcing issuing the Guidance, Deputy Secretary of the Treasury, Wally Adeyemo, remarked that Treasury’s aim is to stop ransomware attacks by making it difficult for criminals to profit from their crimes. He also emphasized the need for public/private partnerships to “disrupt and hold accountable ransomware actors and their money laundering networks.” 

OFAC’s Virtual Currency Guidance

The Guidance, consisting of 22 slides presented in a user-friendly format, explains the basics of U.S. sanctions as they apply to the industry, including “technology companies, exchangers, administrators, miners, and wallet providers, as well as more traditional financial institutions that may have exposure to virtual currencies or their service providers.” These include the sanctions obligations of U.S. and non-U.S. persons, what blocking means with respect to digital assets, related reporting and recordkeeping requirements, and the potential for a reasonable compliance program to mitigate any enforcement by the agency. 

OFAC’s Guidance encourages those operating in the virtual currency sector to develop and implement a tailored, risk-based sanctions compliance program, consistent with OFAC’s Framework for Compliance Commitments (the “Framework”). The Framework identifies the five key aspects of a sanctions compliance program as: (1) a management commitment to compliance; (2) a sanctions risk assessment; (3) internal controls to prevent, identify, and report potential sanctions violative conduct; (4) testing and auditing of a sanctions compliance program; and (5) sanctions training for relevant employees. The Guidance offers specific best practices for the virtual currency sector to consider with respect to these requirements:

• Consider sanctions risk and compliance at the outset: Companies operating in the virtual asset sector should understand their sanctions risks and exposure and implement a risk-based OFAC compliance program addressing those risks. In particular, OFAC notes that “members of the virtual currency industry implement OFAC sanctions policies and procedures months, or even years, after commencing operations.” The agency stresses that “companies should consider sanctions compliance during the testing and review process so that sanctions compliance can be accounted for as technologies are being developed and prior to launching a new product.” As part of such compliance, OFAC emphasizes that management should commit to sanctions compliance, including by implementing formal policies, providing adequate resources, and fostering a culture of compliance. 
• Include geo-blocking and other IP-blocking measures as part of sanctions compliance: OFAC highlights that geolocation restrictions are part of a strong sanctions compliance program, and that the lack of such measures may result in prohibited activity involving sanctioned persons or jurisdictions. As part of sanctions screening compliance, OFAC recommends that virtual currency companies evaluate all available information about a party’s location for sanctions risks, as discussed in OFAC’s prior virtual currency enforcement actions, including information collected from business lines for non-sanctions purposes, such as physical or email addresses or information in invoices. OFAC also recommends the use of analytic tools to identify “IP misattribution,” such as a party’s use of virtual private networks (“VPNs”) resulting in “improbable” login patterns (i.e., the user repeatedly logs in within a short time period from geographically distant locations).
• Utilize transaction monitoring and investigation software: OFAC notes that blockchain analytics tools can be used to screen for virtual currency addresses listed on OFAC’s Specially Designated National and Blocked Persons List (the “SDN List”), to identify related addresses that may provide sanctions risk, and otherwise to identify addresses or exchanges associated with sanctioned persons and jurisdictions.
• Sanctions screening should include Know Your Customer (“KYC”) procedures: As part of sanctions-screening procedures, OFAC recommends that digital assets businesses obtain customer information at onboarding and throughout the customer relationship to aid in the identification of sanctions risk. OFAC suggests that this might include collection of, for individual customers: “date of birth, physical and email address, nationality, IP addresses associated with transactions and logins, bank information, and government identification and residency documents” and, for entity customers: “entity name (including trade and legal name), line of business, ownership information, physical and email address, location information, IP addresses associated with transactions and logins, information about where the entity does business, bank information, and any relevant government documents.” OFAC recommends screening all of these data points as well as geolocation information for sanctions compliance purposes.
• Remediate weaknesses and root causes of violations: OFAC discusses how the targets of recent OFAC enforcement actions against virtual currency companies have improved weaknesses in their internal controls in response to those actions. These include measures such as implementing IP address blocking and email-related restrictions for sanctioned jurisdictions, using city names from sanctioned jurisdictions to screen against customer address information, and expanding sanctions compliance programs. OFAC also provides a limited selection of red flags relating to customer onboarding and activity that may indicate sanctions risk. 

FinCEN’s Ransomware Analysis

Key takeaways from FinCEN’s analysis of suspicious activity and other BSA reporting from financial institutions relating to ransomware include:

• The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds by 42% the total value reported for the entirety of 2020 ($416 million).
• FinCEN projects that, if current trends continue, ransomware-related transaction values reported in SARs are projected to exceed the entire transaction value reported for the past 10 years combined, highlighting the trend of significant increases in reported year-over-year ransomware activity.
• Non-U.S. centralized exchanges are preferred cash-out points for virtual currency ransomware ransoms, but FinCEN notes that some ransomware-related payments are also being converted through decentralized exchanges or other decentralized finance (“DeFi”) applications.
• The majority of ransomware-related payments reported to FinCEN involved Bitcoin (BTC), but FinCEN also observed reports involving Monero (XMR), an “anonymity-enhanced” cryptocurrency, are expected to increase slightly in 2021 compared to 2020.
• Illicit actors are using “chain hopping”—the practice of converting a virtual currency on one blockchain into another virtual currency on a different blockchain at least once before moving the funds to a different service or platform, to obfuscate the origin of funds. Such practices are in addition to the use of mixing services (also called “tumblers”), websites, or software designed to conceal the source or owner of virtual currency.

Takeaways

OFAC’s and FinCEN’s publications, as well as OFAC’s recent enforcement actions against digital assets businesses, signal the Treasury Department’s continued focus on sanctions and anti-money laundering (“AML”) compliance in the industry. FinCEN also separately has telegraphed its belief in the need for increased enforcement against digital assets businesses.

Participants in the virtual currency industry may wish to perform risk assessments with these announcements in mind, consider any “lessons learned” from such actions, and remediate any related weaknesses they identify in their programs.

Companies in the digital assets sector should heed these recent announcements from Treasury and consider conducting sanctions risk assessments and developing appropriate sanctions compliance program, recognizing in particular OFAC’s concern that many companies are taking digital asset products to market without first considering sanctions risk or implementing compliance programs. When designing such programs, digital assets businesses should give special consideration to the aspects of such programs that OFAC has identified as important to the industry, such as the use of IP blocking and other geo-blocking measures to prevent account access and transactions by persons in sanctioned jurisdictions, the use of blockchain analytics to identify sanctioned blockchain addresses and addresses that otherwise present sanctions risk, the specific red flags that OFAC identifies relating to digital assets, and the ransomware risks and typologies that both agencies have identified. As noted in Treasury’s recent sanctions review, Treasury and OFAC have concluded that digital assets present new risks to the efficacy of sanctions, and intermediaries in the digital assets space, such as cryptocurrency exchanges, lenders, digital forensic incident response firms (“DFIRs”), and other actors “custodying” or transmitting cryptocurrencies, should prepare now for heightened scrutiny from OFAC and other regulators regarding sanctions and AML compliance.

Finally, all U.S. companies may wish to familiarize themselves with OFAC’s recent ransomware guidance and FinCEN’s recommendations for ransomware detection and mitigation from its Ransomware Analysis, as ransomware threat actors present a continued and serious threat across industries. Viewed together, the Guidance and the Ransomware Analysis illustrate the significant concern about ransomware threat actors using virtual currency platforms for illicit purposes. As virtual currency entities consider these recent guidance materials, they should work to develop tailored sanctions compliance programs and ransomware incident response plans.