Beau Barnes and Jake Chervinsky of Kobre & Kim LLP are litigators and government enforcement defense attorneys who specialize in disputes and investigations related to digital assets. This article is not intended to provide legal advice.
For the past year, the cryptocurrency industry's attention has focused on the Securities and Exchange Commission's deliberations over how to enforce U.S. securities laws. But the past two months have seen important developments on a new regulatory front: the application of U.S. sanctions laws by the Treasury Department's Office of Foreign Assets Control (OFAC).
Last week, OFAC sanctioned two Iranian individuals for cyberattacks against U.S. networks. For the first time ever, OFAC targeted both the individuals who committed the offense and their associated bitcoin addresses.
OFAC is announcing a clear message to the industry: comply with sanctions laws or pay the price.
Crypto industry, meet OFAC
Economic sanctions result from U.S. government policy decisions that certain countries, governments, individuals, or companies shouldn't be allowed to transact with "U.S. persons." The category of "U.S. persons" is expansive: it includes U.S. citizens and permanent residents anywhere in the world, non-U.S. nationals within the United States, and entities incorporated under U.S. law (as well as their foreign branches).
OFAC has broad authority to impose sanctions based on perceived threats to U.S. national security. OFAC typically imposes "primary sanctions" by prohibiting U.S. persons from directly or indirectly transacting with a sanctioned party, in addition to "secondary sanctions" based on a non-U.S. person's transactions with other sanctioned parties.
Some sanctions are nearly absolute, such as those prohibiting almost all transactions with countries like Iran, while other sanctions are nuanced, like those prohibiting certain transactions with Venezuela related to certain debt transactions. Sanctions violations are punishable as civil or criminal offenses and can result in steep fines.
OFAC compliance and enforcement
Unlike many regulatory agencies, OFAC doesn't impose formal compliance obligations. Instead, it oversees a "strict liability" regime: even unintentional sanctions violations are punishable under the law, no matter the time or resources a company devotes to compliance. That said, those with a strong compliance program will have better odds of convincing OFAC to take a lenient approach toward potential violations.
To help companies build out their sanctions compliance programs, OFAC publishes a variety of policy statements, FAQs, brochures, advisories, and press releases. OFAC also offers compliance suggestions for stakeholders in specific industries.
For example, OFAC advises companies involved in online commerce to "develop a tailored, risk-based compliance program" including the use of sanctions list screening software. Similarly, OFAC recommends that money transmitters block IP addresses from sanctioned jurisdictions, gather detailed customer identification information, and record a "purpose of payment" for every transaction.
To fill the gaps left by its public statements, OFAC also engages in "guidance by enforcement," detailing specific violations and the mitigating and aggravating factors that it considered in determining an appropriate fine.
In 2015, for example, OFAC announced a settlement with PayPal over approximately $44,000 in transactions that violated various sanctions programs. The settlement described numerous compliance missteps, including PayPal's failure to screen accountholders against the sanctions list. It required PayPal to pay over $7 million and underscored to payment processors and money transmitters the importance of compliance – even for relatively low-value transactions.
OFAC on crypto
While other U.S. federal agencies have been commenting on the rise of cryptocurrencies for years, OFAC long remained silent despite requests from crypto industry stakeholders for clarity on U.S. sanctions laws. This year, OFAC began to weigh in.
In March, OFAC responded to the Venezuelan government's launch of its own cryptocurrency–the Petro–by prohibiting U.S. persons from engaging in transactions with that asset. OFAC also issued FAQs noting that U.S. persons' sanctions obligations are the same "regardless of whether a transaction is denominated in a digital currency or traditional fiat currency" and flagging that it may add cryptocurrency addresses to the sanctions list in the future.
In October, in light of the U.S. government's decision to withdraw from the Iran nuclear deal and re-impose certain sanctions against Iran, the Treasury Department issued an advisory warning businesses about Iran's efforts to fund illicit activities abroad. The advisory described the Iranian regime's practice of circumventing financial restrictions by transacting in precious metals, misusing exchange houses, counterfeiting currency, and transacting in "virtual currencies."
In warning about the risks of cryptocurrencies, the advisory recommended specific compliance steps for crypto companies, including "reviewing blockchain ledgers for activity that may originate or terminate in Iran," using software to "monitor open blockchains," and screening customers against the sanctions list.
Last week's designation of two Iranians who executed ransomware attacks on U.S. companies was OFAC's first action in direct relation to crypto. In a press release, OFAC trumpeted the designation, highlighting that it had identified those individuals' bitcoin addresses "for the first time" in order to "assist those in the compliance and digital currency communities in identifying transactions and funds that must be blocked and investigating any connections to these addresses."
OFAC also released additional FAQs addressing crypto companies' obligations to block sanctioned persons and Treasury Under Secretary Sigal Mandelker said the Department "will aggressively pursue Iran and other rogue regimes attempting to exploit digital currencies."
Get ready for more
OFAC's recent actions illustrate the U.S. government's renewed focus on stopping authoritarian regimes–Venezuela, Iran, North Korea, and others–from using cryptocurrencies to evade U.S. sanctions. The crypto industry now finds itself caught in the middle of several intense geopolitical conflicts.
So, what's a crypto company to do?
First, take compliance seriously. As OFAC has noted, all the compliance obligations are the same regardless of whether a transaction involves digital or fiat currency.
Second, understand the risks. Because OFAC doesn't require specific compliance efforts, companies aren't obligated to screen customers against the sanctions list or restrict user access in certain environments. But, companies should know that they ignore these risks at their peril.
Third, expect enforcement. OFAC, like many government agencies, provides guidance in part by publicizing its enforcement actions. It will be no surprise when OFAC begins to bring enforcement actions in 2019 against those who transact in cryptocurrencies without respecting U.S. sanctions.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.