On February 17, 2021, the US Department of Justice (DOJ) unsealed charges against three North Koreans accused of conspiring to steal and extort more than $1.3 billion in cash and cryptocurrency from banks and businesses. These “operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, have become the world’s leading bank robbers,” said John C. Demers, the US Assistant Attorney General for National Security. The charges highlight the extent to which cash-starved territories targeted by sanctions – and whose economic woes have been exacerbated by the COVID-19 pandemic – may resort to financial cybertheft and cryptocurrency as a means of accessing a financial lifeline outside of the traditional international financial system.
In light of this growing risk, companies that deal in or otherwise handle digital currencies should exercise caution when transactions might involve individuals in sanctioned territories. Implementing effective risk-based sanctions compliance controls that are tailored to the risks embedded in cryptocurrency-based dealings – including utilizing all information available to identify high-risk customers, counterparties, and transactions – is not only good for compliance but also critical for managing business risk in this space.
Sanctioned Territories and Digital Currency
Sanctions are intended to exert pressure through economic isolation measures. The harsher and more prolonged the sanctions, however, the greater incentive there is for individuals and governments targeted by the restrictions to pursue creative new methods to participate in financial transactions. In recent years, these new methods have increasingly involved some form of digital currency.
Other countries, such as Venezuela, Russia, and Iran, have also turned to cryptocurrency in an effort to evade sanctions: Venezuela attempted to create its own oil-backed cryptocurrency, the “petro,” and has relied on Bitcoin as of late, with an estimated $8 million worth of Bitcoin traded each week; similarly, Russia created the “cryptorouble,” which, according to Russian officials, will help Russia “settle accounts with [its] counterparties all over the world with no regard for sanctions”; and Iran is one of the top ten countries with the most Bitcoin mining capacity in the world – the Iranian government has even allowed imports to be funded with cryptocurrency.
OFAC Enforcement and Digital Currency Transactions
As individuals and governments targeted by sanctions continue to take advantage of digital forms of payment, companies in the cryptocurrency space face increased sanctions risks. For example, on February 18, 2021, the US Treasury Department’s Office of Foreign Assets Control (OFAC), which administers most US sanctions, released details of its $507,375 settlement with BitPay, Inc. (BitPay), a bitcoin payment processor, for apparent violations of multiple sanctions programs related to digital currency transactions. The BitPay enforcement action follows a smaller-scale $98,830 OFAC settlement with BitGo, Inc., a digital wallet company, in December 2020, and references 2018 OFAC FAQs on OFAC’s use of sanctions to combat the use of digital currencies for illicit purposes, including through the addition of digital currency addresses to the Specially Designated Nationals and Blocked Persons List (SDN List) to flag specific digital currency identifiers associated with a blocked person.
In the recent BitPay settlement, OFAC found that between June 2013 and September 2018, BitPay processed 2,102 transactions for individuals who were located in sanctioned territories, including the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan, and Syria. BitPay acted as a payment processor for merchants by receiving digital currency as payment for goods and services from the merchants’ buyers, converting the digital currency into fiat currency, and transmitting the converted currency to the merchants. According to OFAC, BitPay received digital currency payments from persons in sanctioned territories, and “allowed” them to transact with its merchants, for approximately five years.
Notably, while BitPay conducted diligence on its direct customers (i.e., the merchants), OFAC found that the company failed to exercise due caution or care for its sanctions compliance obligations by neglecting to take steps to screen its indirect customers (i.e., the merchants’ buyers), despite having name and location data that would have allowed it to identify sanctioned persons or persons located in sanctioned territories. OFAC settled for $507,375 after determining that BitPay conveyed an economic benefit to individuals in several jurisdictions subject to OFAC sanctions, thereby undermining the efficacy of those sanctions programs.
Takeaways for Companies
As the COVID-19 pandemic continues to wreak economic havoc, individuals in territories targeted by sanctions are likely to step up efforts to exploit digital currencies to avoid the restrictions that bar them from accessing the mainstream international financial system. Accordingly, companies that operate in the digital currency space should take steps to protect themselves from related sanctions risk exposure.
Companies should ensure they understand the sanctions risks associated with providing digital currency services, as well as take steps to mitigate those risks. The recent digital currency-related OFAC settlements and DOJ indictment demonstrate that regulators are closely scrutinizing – and channelling enforcement resources to address – the use of cryptocurrency for illicit activities. As is clear from the BitPay settlement, companies should not ignore potential sanctions-related risk areas, and should ensure that compliance controls are designed to protect against those risks.
It is essential, therefore, that digital currency service companies and other companies that deal in cryptocurrency develop a tailored, risk-based sanctions compliance program that encompasses, at a minimum, (1) management commitment; (2) risk assessment; (3) effective internal controls; (4) testing and auditing; and (5) regular compliance training. Companies should also ensure that their compliance programs are calibrated to evaluate all available information (such as IP addresses and other location data of customers and counterparties), and to immediately take action on a transaction when that information reveals a potential sanctions concern.