The Guidance comes on the heels of the September 2021 designation of a Russian virtual currency exchange for facilitating transactions on behalf of ransomware actors, and marks an attempt to counter ransomware and promote sanctions compliance in the virtual currency industry. This first-ever designation forms part of a set of actions taken by the U.S. government to counter ransomware payments, which includes, among others, the release of an updated advisory on potential sanctions risks for companies facilitating ransomware payments, which supersedes the prior ransomware advisory of October 2020. The Guidance dovetails with a more general policy review conducted by the Department of Treasury on October 18, 2021, which raises concerns that the growing prevalence of digital currencies as a payment method poses a threat to the U.S. sanctions program.
Regulator focus on virtual currency as a way of evading sanctions has increased significantly over the past two years, both in the United States and internationally. The UK Office of Financial Sanctions Implementation (OFSI) in its maritime guidance of December 2020, for example, devoted a section to the issue and made clear that crypto-assets are covered by the definition of “funds” or “economic resources.” OFSI therefore recommended that maritime actors adapt their due diligence practices to respond to the threat.
Consistent with OFAC’s existing sanctions regulations, the Guidance first provides an overview of sanctions compliance requirements and highlights that these conditions apply equally to transactions involving virtual currencies and those involving traditional financial institutions.
OFAC requires that U.S. persons deny sanctioned entities and individuals access to virtual currencies and exercise controls consistent with a risk-based approach. It also reminds non-U.S. persons that they should adhere to OFAC sanctions requirements, particularly with respect to programs in Cuba, Iran, and North Korea.
Seemingly recognizing the inherent anonymity associated with digital currency and the potential issues involved in screening involved parties, OFAC reminds the industry that sanctions violations are strict liability offenses carrying civil and criminal penalties in case of noncompliance – that is, persons may be held liable even if they have no knowledge or reasons to believe that they have committed such a violation. However, OFAC has discretion in determining the appropriate enforcement it will implement against those failing to adhere to sanctions regulations. Voluntary self-disclosure, cooperation with law enforcement authorities, or implementation of a compliance program may be looked at favorably and considered mitigating factors by OFAC in enforcement actions.
Finally, the Guidance sets out suggestions as to how best tailor a company’s sanctions compliance policies and provides examples of best practices for the virtual currency industry. Some key suggestions include:
- Adopting a risk-based approach to sanctions compliance. Companies in the virtual currency industry must tailor the risk assessment process to their particular business model and needs.
- Ensuring senior management’s commitment to compliance programs. Senior management must review and endorse sanctions compliance policies, ensure that adequate resources exist to support the compliance function, delegate sufficient authority to the compliance unit, and appoint an internal specialized sanctions compliance officer with the required technical expertise.
- Implementing robust internal controls to identify and report transactions or activities prohibited under OFAC sanctions regulations. These controls could include the use of geolocation tools and IP address blocking controls, KYC procedures, transaction monitoring and investigations, sanctions screenings, and also the implementation of remedial measures in response to a sanctions violation.
- Conducting testing and auditing to ensure the effectiveness of their sanctions compliance programs.
- Providing sanctions training programs to all appropriate employees on a periodic basis, and, at a minimum, annually.
While the Guidance does not represent a departure from previous advisories (general or specific to the maritime community) it evidences a heightened focus on this issue and a need to revisit compliance policies to ensure that they adequately address the threat. As OFAC has once again highlighted, adopting a risk-based sanctions policy can be a powerful mitigant to any inadvertent breach.
Client Alert 2021-276