OFAC issued its “Sanctions Compliance Guidance for the Virtual Currency Industry”

On October 15, 2021, the Treasury Department’s Office of Foreign Assets Control (OFAC) issued its “Sanctions Compliance Guidance for the Virtual Currency Industry” (“Guidance”) to identify sanctions requirements and to provide the virtual currency industry (which includes technology companies, exchanges, miners, wallet providers, service providers and users) and traditional financial institutions with best practices for structuring their compliance programs to avoid potential violations and enforcement actions.

Sanction Requirements

Standard OFAC requirements and procedures, including reporting and recordkeeping requirements and licensing procedures, will be applicable to this sanctions program.

Reporting Requirements

  • Initial Blocked Property Reports must be filed within 10 business days following the date that property is blocked.

  • Annual Blocked Property Reports on all blocked property held as of June 30 of the current year must be filed annually no later than September 30 of each year.

  • Rejected Transaction Reports must be filed within 10 business days of the date the transaction was rejected due to sanctions requirements.

  • On Demand Reports of information related to transactions or property subject to OFAC’s regulations may be required by OFAC at any time, through an administrative subpoena. (See 31 C.F.R. § 501.602 for more information.)

Recordkeeping Requirements

  • Every person engaging in transactions subject to OFAC’s regulations, and holders of blocked property, must keep records and make those records available for examination.

  • Full and accurate records are required for each transaction subject to OFAC’s regulations, including transactions processed pursuant to a license (whether a general license or a specific license), and of blocked property held.

  • Required records must be maintained for five years after the date of the transaction or, with respect to blocked property, five years after the property is unblocked.

Licensing Procedures 

  • OFAC may make exceptions to permit activity prohibited by sanctions or not otherwise exempt and may issue specific licenses to authorize the applicant to engage in specific transactions or activities that otherwise would be prohibited, or individualized interpretive guidance, if appropriate, to help clarify how regulatory requirements apply to a specific transaction.

Enforcement Procedures 

  • OFAC’s sanctions enforcement process is governed by the procedures described in OFAC’s Economic Sanctions Enforcement Guidelines.

  • OFAC may take a variety of actions in response to apparent violations, including:

    • requesting additional information from involved parties;

    • issuing either a “No Action” letter, “Cautionary” letter, “Finding of Violation,” or a civil monetary penalty to resolve apparent violations;

    • entering into a settlement with involved parties; or

    • referring the matter to other government agencies, if appropriate, for a criminal investigation.

For further information on these requirements and procedures, consult 31 C.F.R. Part 501, Reporting, Procedures and Penalties Regulation (RPPR), and OFAC’s answers to frequently asked questions (FAQs) on reporting requirements.

Best Practices

Although the Guidance outlines best practices, OFAC did not require companies to maintain an OFAC compliance program. However, when a company faces an enforcement action, OFAC will, in determining its response, consider the company’s implementation of a risk-based OFAC compliance program and the remedial measures the company took in response to an apparent violation.

OFAC’s recommendations for building an adequate sanctions compliance program include the following:

Management Commitment

  • Senior management’s commitment to and support of the program is considered to be “one of the most important factors to a program’s success,” as senior management sets the tone for the company’s compliance efforts.

  • Senior management may take the following steps to demonstrate their commitment:

    • Review and endorse sanctions compliance policies and procedures;

    • Ensure adequate resources — including human capital, expertise, information technology, and other resources — support the compliance function;

    • Delegate sufficient autonomy and authority to the compliance unit; and

    • Appoint a dedicated sanctions compliance officer with the requisite technical expertise.

Risk Assessment

  • To prevent any negative repercussions from an ignored or mishandled risk, companies should conduct a routine — and, if appropriate, ongoing — risk assessment. OFAC instructs that this assessment should generally include a review of all of a company’s touchpoints to foreign jurisdictions or persons and may also include evaluating the compliance procedures of partners and counterparties.

Internal Controls

  • Companies should implement controls to “identify, interdict, escalate, report (as appropriate), and maintain records for transactions or activities prohibited by OFAC-administered sanctions.” These controls enable companies to conduct due diligence on customers, partners and transactions to identify “red flags” with these relationships.

  • OFAC recommends several specific controls, including:

    • Geolocation and IP address blocking controls, which can prevent access by persons in sanctioned jurisdictions. Notably, the guidance suggests the use of analytics tools to implement screening processes to prevent IP misattribution via a virtual private network (VPN), a common tool used to circumvent geographic restrictions.

    • Know Your Customer (KYC) procedures, which involve gathering identity-verifying information such as date of birth, bank information, and government identification and documents.

    • Transaction monitoring and investigation software, which can identify, flag and block transactions with persons or entities on OFAC’s sanctions lists, including by referring to OFAC’s list of known virtual currency addresses of sanctioned persons.

    • Sanctions screening tools, which compare customer information against sanctions lists to discover potential links to sanctioned persons, and may also involve risk-based re-screening to account for updated customer information and changes to sanctions lists and regulatory requirements.

    • Monitoring for red flags, which includes, among other things, new users providing incomplete KYC information (and non-responsiveness following a prompt for more information), attempts to access a virtual currency from an IP address or VPN connected to a sanctioned jurisdiction, attempts to transact with a virtual currency address associated with a sanctioned person or jurisdiction, and any behavior that indicates money laundering.

Testing and Auditing

  • Companies should incorporate a comprehensive, independent, and objective testing or audit function within their sanctions compliance to review the functionality of implemented internal controls.

Training

  • Compliance training should be conducted annually, at a minimum. During these trainings, companies should communicate the sanctions compliance responsibilities for each employee and hold employees accountable for meeting training requirements through the use of assessments.
