OFAC Enforcement Actions Target Digital Asset Companies

26 March 2021

In the past few months, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) has announced settlements of enforcement actions for apparent violations of multiple U.S. sanctions programs with two digital asset companies, Palo Alto-based BitGo, Inc. (“BitGo”) and Atlanta-based BitPay, Inc. (“BitPay”). The settlements represent OFAC’s first enforcement actions targeting digital asset companies, and media reports and securities disclosures suggest that OFAC also may be investigating others operating in the digital currency space.

The settlements, details of which follow, highlight OFAC’s position that firms providing digital currency services, just like financial institutions dealing with traditional fiat currency, are expected to comply with U.S. sanctions requirements and should adopt and implement compliance programs to address their sanctions risks. The settlements also highlight digital and fiat currency companies’ responsibility to use all available information, including IP addresses and other customer and counterparty data, that is provided to them for sanctions compliance purposes.

BitPay Settlement. OFAC announced its settlement agreement with BitPay on February 18, 2021. BitPay offers a payment processing service to merchants that permits merchants to accept digital currency as payment for goods and services. Specifically, BitPay receives digital currency payments on behalf of its merchant customers from those merchants’ buyers and converts the digital currency to fiat form, which BitPay then relays to the merchants.

According to OFAC, BitPay appropriately screened its merchant customers against OFAC’s List of Specially Designated Nationals and confirmed that none were located in sanctioned jurisdictions. BitPay, however, failed to “screen location data that it obtained about its merchant buyers.” Specifically, BitPay had access to information, such as name and physical, email and IP addresses, about its merchants’ buyers, but BitPay “failed to analyze fully this identification and location data.” As a result, BitPay processed digital currency transactions on behalf of individuals located in sanctioned jurisdictions, including the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan and Syria. The transactions, which occurred between 2013 and 2018, totaled approximately $129,000.

BitPay agreed to pay $507,000 to settle the matter. OFAC noted that the settlement amount was well below the statutory maximum of $619 million and reflected a number of mitigating factors, including BitPay’s adoption of a sanctions compliance program in 2014, its cooperation with OFAC’s investigation, its lack of prior violations and its status as a “small business.” BitPay also received credit for taking steps to minimize the risk of recurrence of similar issues in the future, including implementing IP address-blocking for Cuba, Iran, North Korea and Syria, screening physical and email addresses of merchants’ buyers when available and launching a new customer identification program that requires buyers engaging in transactions of at least $3,000 to provide an email address, proof of photo identification and a selfie photo.

BitGo Settlement. OFAC entered into a settlement with BitGo earlier, on December 30, 2020, whereby BitGo agreed to pay $98,830 to settle potential civil liability for processing 183 digital currency transactions on behalf of individuals located in sanctioned jurisdictions, including the Crimea region of Ukraine, Cuba, Iran, Sudan and Syria. The transactions totaled $9,127.79 and occurred between 2015 and 2019.

BitGo offers a “hot wallet” non-custodial service used by individuals to send digital currency to other wallets via the public blockchain. Until 2018, BitGo allowed users to open “hot wallet” accounts with only a name and an email address; after 2018, BitGo required users to attest to their location but did not make any efforts to verify these attestations even though it had access to information (such as IP addresses) that could have been used to verify users’ locations. OFAC noted that BitGo tracked its users’ IP addresses for security purposes related to account logins but failed to use this information for sanctions compliance purposes. OFAC cited this failure as an aggravating factor in determining the settlement amount.

BitGo’s settlement reflected a substantial reduction from the statutory maximum. Among other mitigating factors OFAC considered, it noted that BitGo took a number of steps to remediate its failures, including implementing IP address-blocking for sanctioned jurisdictions, hiring a chief compliance officer, screening all new accounts, conducting periodic retroactive batch screening of existing accounts, updating end-user agreements to ensure customer awareness of and compliance with U.S. sanctions requirements and increasing personnel training requirements.

* * *

Although the BitGo and BitPay settlements represent OFAC’s first enforcement actions targeting cryptocurrency, they do not represent the first time that OFAC has focused on digital assets. For example, OFAC previously issued guidance warning that “technology companies; administrators, exchangers, and users of digital currencies; and other payment processors should develop a tailored, risk-based compliance program, which generally should include sanctions list screening and other appropriate measures.” OFAC has also expressed concern regarding digital currency transactions in other contexts, such as ransomware. We suspect that OFAC will continue to focus on sanctions threats posed by digital currencies and other emerging payment mechanisms, and firms operating in this space should ensure their compliance approaches are sufficiently robust.

* * *

We will continue to monitor additional sanctions developments related to digital assets. Please do not hesitate to contact us with any questions.